From BBC news: Full story here: http://www.bbc.co.uk/news/business-13636704 ******** Good to see Sony are learning from their previous mistakes and protecting their custo...D'OH!
Well, if they really were storing passwords as text after what happened previously then it beggars belief. Good job I haven't added my new credit card after my details were stolen and used last time!
Come on Sony, buck up your ideas because this is getting boring fast. That said, what chance do they have when every tosser with a PC is trying to expose their frailties? How about pricks like them stop 'breaking in'?
Edit (just read the article): I'm kinda feeling sorry for Sony, they just don't seem to be able to get a break these days. It's one attack after another. I think they need to sit down and redo their security across all platforms from scratch to make sure there are fewer holes (or at least none that the hackers already know about).
I'm all for boycotting and verbally abusing Sony to no end over this pathetic display of security failures and for their shoddy responses to the problem. However, what this really makes me wonder is how many other big names would fail so spectacularly if they came into the crosshairs of vengeful hackers (either to make a point or for the lulz). It's easy for us to write comments extolling the virtues of best practices in database security, sanitised inputs, prepared statements and the like... But how much further than Sony does this kind of crappy IT practice go? How do we know that many of the other sites and services we regularly trust aren't every bit as bad (or worse, though I fail to see how that could be possible at this stage)? It doesn't absolve Sony of any responsibility just because many other big names could be just as pathetic at IT security as they are, but it does raise worrying questions for the security-conscious consumer. How do we not become paranoid about it when this kind of shite is going on? How many more precautions should the average security-conscious user be forced to take because of the failures of the businesses we're supposed to trust with our information?
At first I defended Sony, anything can be hacked and they seemed to be unlucky that it was them, now they're just being careless. So glad I've never actually bought anything off PSN.
Glad to see you skip the point that this was Sony Pictures, not the PSN. With a company the size of Sony, isn't it obvious that the IT team is not going to be the same from division to division? So the improvements made to the PSN aren't automatically going to be made to Sony Pictures, or Sony Music etc etc. This doesn't absolve Sony, as a whole, from responsibility for their IT network, but I think it is only fair to make clear that this isn't the PSN, and hence is not a repeat attack.
Regardless of where or what. Passwords as unencrypted text? This is not just careless, it is negligent. I am a developer by trade and it is just impossible to believe that they have done this. Consumers have got to be confident that Sony (or anyone else for that matter) is doing everything necessary to protect their data. Indeed this should be a basic right.
Yeah, I was wondering why this was in gaming, with a 'Playstation 3' tag. Seems a lot of people above didn't read the article and realise that, so they assume this is somehow related to PSN also.
I'm still not quite sure why Sony are the targets of all these attacks. Have they done something specific to piss someone off? In any case, I'm glad I don't work at Sony, it's going to be a red tape data protection nightmare. Even my company has messages all over the intranet saying 'be careful with data' etc etc, and we now have BitLocker encryption installed on every laptop.
While it looks bad on Sony, it does make me wonder how other companies would cope against this kinda barrage.
1) If you can be hacked by SQL injection, then you are an idiot. There is no excuse. Pretty much all languages, all frameworks, all databases used on the internet implement a protection against SQL injection (input filtering, parameterized SQL queries, ...). If you don't use them, you are a bad programmer, period. 2) Passwords in clear text? Superbad, superidiotic. Again, no excuse. Even using MD5 hashes is not a good idea ( http://en.wikipedia.org/wiki/MD5#Security ). @Cei: so other parts of the corporate network are under attack, often losing the battle against the hackers, and you don't care about the security when pretty much all other services of your parent company were cracked open? Hm, that sounds reasonable... not. That sounds like you are either blind or stupid.
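The two points in the comment above (parameterized queries instead of string-built SQL, and salted slow hashing instead of clear text or bare MD5) in working code. This is an added example, not code from the thread or from Sony; the database, the usernames and the passwords are constructed for the demo, and the `pbkdf2_sha256$rounds$salt$digest` storage format is a convention chosen here rather than anything the thread prescribes.

```python
"""Login lookup written the unsafe and the safe way, plus password storage
with a per-user salt. All data here is constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials for the in-memory demo database.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


def hash_password(password: str, salt: "bytes | None" = None, rounds: int = 200_000) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' for storage.

    A random per-user salt means two users with the same password get
    different stored values, and the slow KDF makes offline guessing
    expensive. A bare, unsalted MD5 gives neither property.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _alg, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_md5(password: str) -> str:
    """What the comment warns against: same password -> same stored value for
    every user, and MD5 is fast enough to guess at enormous rates."""
    return hashlib.md5(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create the constructed in-memory users table with properly hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    for name, pw in SAMPLE_USERS.items():
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(pw)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """The anti-pattern: user input spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value travels separately from the statement,
    so whatever the input contains is treated as data, never as SQL."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate with the parameterized lookup and the salted hash."""
    rows = lookup_safe(conn, username)
    if not rows:
        return False
    return verify_password(password, rows[0][1])


if __name__ == "__main__":
    conn = build_db()
    crafted = "nobody' OR '1'='1"  # textbook input that breaks the unsafe query
    print("vulnerable lookup rows:", len(lookup_vulnerable(conn, crafted)))  # 2: every user
    print("parameterized lookup rows:", len(lookup_safe(conn, crafted)))  # 0: no such name
    print("alice logs in:", login(conn, "alice", SAMPLE_USERS["alice"]))
    print("wrong password:", login(conn, "alice", "wrong"))
    print("same md5 for same password:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("different pbkdf2 for same password:", hash_password("hunter2") != hash_password("hunter2"))
```

The point of the two lookup functions is the contrast: with string-built SQL the same classic input returns every row, while the parameterized version returns nothing because no user has that literal name. In a real service a dedicated password library (bcrypt, scrypt or Argon2) would be preferred over hand-rolled PBKDF2 handling, but the properties demonstrated (per-user salt, slow KDF, constant-time comparison) are the ones that matter.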
Read below. I also said that it doesn't absolve Sony. They should have taken steps across the whole company to improve security - but people also have to realise it isn't a single IT team dealing with the whole company either.
The worst part is that not only are many companies as bad as Sony in terms of security but many don't report when they are hacked, which not only means that we do not know what sites are attacked, but also means that a coordinated effort against the hackers is impossible due to too little information.
It's become the "thing" to do as far as hacking Sony. Any hacker/script kiddie that wants their 15 minutes of fame is probing every website Sony has online regardless of what it is. It just gets reported on more because of Sony's massive hack, despite others occurring. Lulzsec also hacked PBS's website recently over a WikiLeaks special that was aired. Sony was simply a way for them to get more attention because hacking the Public Broadcast Service didn't make headlines for them. As long as Sony is a target, even with beefed up security they can and will be breached if a hacker with enough knowledge really wants in. Just ask Northrop Grumman if their SecurID tokens helped at all considering that hackers first breached the provider of the tokens, RSA Security, before using that to breach Northrop.
No sympathy from me Sony, this just proves their corporate greed put their money in the wrong place. As themax said there's nothing they can do about it either. Once you're targeted like that it becomes more of a social/psychological war than a direct matter of pure technical security.