EH-Net

http://paidcontent.org/article/419-sony-hacked-again-but-this-time-comes-clean-quickly/

At least sony admitted the hacking a lot sooner than last spring. I dont know how they let this happen time after time.

Sadly, folks just don't always get it, or if / when they finally do, they don't put enough time and $$ into remediation and problem resolution.  Even then, attackers will continue to put a lot of effort into going after Sony, time and time again, because now, they have a huge target painted on them, for the world to see.

With Sony being a huge company, I would think they had an elite security team?

They very well might.

But here's the rub...

It happened once.  It happened twice.

Elite or not, SOMEBODY is still overlooking the holes, and they continue to do so.  Like I'd said, whether they like it or not, the target is there...

The thing about 'elite teams' is that sometimes they get so confident that they overlook little / simpler things.  I can't count on the fingers and toes, of my whole family, how many 'elite' network folks, for instance (the 'I'm a Cisco guy, and I know my setup is sound' types,) whom I've pointed out misconfigurations to, as well as the IT security teams, that often just don't understand that they DON'T know all there is to know, with regard to their network.

Fact / truth is, if they're THAT elite, they should be comfortable asking for help, because they should know that they don't know it all.  Sony needs to spend some serious time, energy and money on a total, top-to-bottom review of every system, every security measure, their security training... their entire security posture.  (You get the point.)

But when it's become a recurring event, not only is it embarassing, but it's a risk to your entire business, as well as the businesses of those that do business with you.

Sony'd better get on it.

So you think the hackers are using the same vulnerability every time?

No.  I think you misunderstood my point.  I was responding to your 'elite' remark.  Fact is, I doubt it was the same thing, twice (although anything is possible.)

The point I'm making is this...  IF you've been hacked and been put in such a bad situation, once, you put effort into fixing things, ASAP.  IF you've been hacked twice, you'd REALLY better get on it, and find it (whether the same or different issues) because, unless your systems are changing THAT dynamically, which I doubt, then somebody missed something that probably should've been spotted in the 'elite' team's review, after the first incident came to light.

Granted, nobody will EVER be impenetrable, but it's becoming inexcusable to let that many records get leaked, that often, if you want to 'save face,' and NOT become every hacker's dream target.

Here's an example from my past, where there WAS the same hole exploited.  I won't name the company, but let's just say I found a MAJOR security hole for them, and reported it straight to their top folks (it was that major, that it needed addressed, ASAP.)

The response I got was that their 'elite' team had been aware of said issue, for over a year, and 'decided' it was a calculated risk.  Didn't matter that it was massively hackable, and I could easily take everything from their network, top to bottom...  The 'elite' folks had already decided, in their minds, that it was a necessary risk.  So, in this case, they WERE aware of a hole, yet didn't fix it.  

That doesn't mean Sony was aware of the first or second (or any still unremedied) holes.  But as you pointed out, they are huge, and therefore, once hole one was publicly disclosed, their efforts to find and remediate any others should've gone into high gear, because common sense dictates that, now, they have that target hanging out there.

(edit - please excuse multiple posts tonight, in succession...  Working from my phone, remote, and if typing gets too long, it times out during reply, and I lose it all.  So better to 'chunk it up' into a couple posts, when necessary)

Thanks hayabusa, sorry I misunderstood.

To have a company take a "calculate" risk is crazy on security, who makes that kind of decision?

No need to apologize.  I just figured you missed what I was aiming at.   ;)

As for the 'calculated risk,' I think you'd be amazed at how often I've run into that.  You'd think they'd realize the position and risk they put themselves into, but sometimes, they'll amaze you.  I'm sure others here have similar war stories.  Just seems to be the norm, in the industry, and obviously, some folks need to pay more attention to regulations, as well as just apply some common sense.

Anyway, my two cents for the evening! 

You're only as strong as your weakest link.  I can't believe how weak of an attack though.  If I remember correctly, it was just a simple SQL injection for the 2nd hack of Sony.  As mentioned, Sony probably has a whole team of highly trained security pro's and they have an unencrypted database vulnerable to simple SQL injection?

Seems like Sony deserved what happened to them. Seems a little reckless for such a strong and well known company.

I wonder if they really care about the holes. There isn't an alternative to their network for the Play Station, and I've ran in to users that don't really care, they just want to play their game on line. It wouldn't surprise me if they put more into PR spin for being hack, than they do the security to prevent being hacked.

Sometimes the people in charge don't even understand the risks, and still claim it's acceptable. Mostly because they think it won't happen. I have a great example from my experience. Mission critical equipment and multiple week business is down failures. The ones they had been warned about and deemed "acceptable risk", but still blamed me for when they happened.

I dont know how users still give the playstation network personal information. I recently just bought ps3 but there is no way in hell my info is going in there. I rather max out my credit cards instead of someone else, thank you very much lol

Yuck,

I think you're an acceptation not the norm. Look at TJ-MAX...

If you haven't listend to it, go find Down the Rabbit Hole episodes 1 &  2.

Hear,hear!! I agree! I heard Marcus Carey say that the only card that should be used is gift cards.  It is easy and safer.

Damn thats a good idea Agoonie, thanks!

That is ture or sony should just not fail at security. I dont see how other companies can do it and yet one of the biggest companies in the world fail to protect end user data.

If a major company like Sony neglects security issues, I can only imagine what small companies do.

Exactly and the small companies are the ones who cant really afford to have pen test.

It is that point that made me wonder if there are PenTesters that do pro bobo work for the small business?  Or is it the high profile pentesters that do side work that help the small businesses?

At this point Sony's new motto should be:

Sony
Make Believe Security.

@ r2s lol  you should put that in their suggestion box

haha that would be funny