Sony's Security Losing Streak

After all the chatter over Sony, I had to expand on Sony's recent losing streak. You can check the details of the DDoS attacks Sony suffered this month in April's Hacker News. Today, I want to talk about Sony's mistakes from a security perspective, and show why the mistakes they made were avoidable if they only had serious security professionals working for them.

Recently, Sony settled out of court with GeoHot, the hacker that jailbroke the PS3. In my mind, I view this as a loss for Sony, as they are the ones that initiated the lawsuit and paid out a settlement fund. All of these lawsuits would never have been an issue if Sony had merely built the PS3 with security in mind. There is no redundancy in place for checking run-time code other than checking hash keys against the running software (digital signatures). There is the argument that anything can be jailbroken; to that I suggest reading my Host-Based Intrusion Detection article, which references the DroidX's model of execution integrity. Proper host-based security implementations can raise the bar for remote code execution. Instead, Sony takes extreme legal action against its users for sharing the keys.

So now, after the most recent DoS attacks, Sony reveals that they were hacked and lost all confidential customer data. Of all the PII (Personally Identifiable Information), only the credit card numbers were encrypted. This is reckless and dangerous considering each customer's personal information has an estimated value of $318 (class-action ppl). Supposedly, they were running old versions of Apache with known vulnerabilities.

On 5/1, Sony executives apologized for the data breach.

This apology is of no use, as talk of the credit card numbers being sold has been circulating the Internet. These could be phishing attempts, but either way there has been a real backlash from this incident. The lesson should be learned: it is the responsibility of the corporation to utilize real digital protections, such as encryption, to protect both corporate interests and customer information. They should work diligently for the customers rather than failing their responsibilities and apologizing afterwards. Rather, they should invest in some serious risk assessment.