Sony hacked for the second time within two months
Despite the rough day for the Japanese electronics giant, the company held a hearing with the Subcommittee on Commerce, Manufacturing and Trade, part of the House of Representatives Energy & Commerce Committee. Tim Schaaff, president of Sony Network Entertainment International, defended Sony's delayed response to the breach, saying that it is counterproductive to issue vague or speculative statements before grasping specific and reliable information. The committee did not plan to invite Sony back for further investigation, even though it had criticized the company for its lack of a prompt and sincere response.
After its first attack in April, in which the account information of more than 77 million users was stolen, the hacker group announced "another Sony operation" on May 27 on its Twitter page. Some might even say that this time Sony cannot pretend to be the "victim". LulzSec has stated that it obtained 1 million users' account information from servers at Sony Pictures and Sony BMG. The group went further, stating that it was quite an easy task because the data was not encrypted. LulzSec claims the heist was performed with a simple SQL injection and that it was surprised to see the information stored in plain text.
Kiyotada Kabutomori, a professional service senior specialist at McAfee Enterprise, pointed out the lessons Sony needs to learn. The issue of "what should be really protected" is ambiguous and de-emphasized. What should be protected is obviously important information, but which information takes greater priority? In general, many businesses tend to prioritize usability and efficiency over security. If Sony hasn't learned the lesson, at least other businesses have. After Sony's incident, the number of inquiries from businesses to McAfee increased, with many managers now more alert and rechecking their attitudes toward security. "It is not exactly a new security measure that's necessary, but the point is how Sony can activate the existent information security management system effectively, in line with the PDCA (plan-do-check-act) cycle," he said.
The next day, June 3, Sony Pictures confirmed to Reuters that its websites had been hacked. The company stated: "On Thursday, a hacker group calling itself LulzSec said it broke into servers that run Sony Pictures Entertainment websites". The company is now working with the Federal Bureau of Investigation (FBI) to identify the attackers.