Hatriot Games? Sony Hacked Again, Nintendo a Wii Bit Compromised

In what’s rapidly becoming a cliché of the direst proportions, Sony gets yet another dose of what some consider Karma. Not to be left out, however, Nintendo suffers the wrath of the group claiming to have taken Sony down. Which leads everyone to ask: Is Microsoft next? If so, when will the other shoe drop? And more importantly: When does the phishing expedition begin?

What a difference a week makes. In case you weren’t tuned in last week at this time, Sony had just moved its hundred millionth PS3 console, gamers everywhere were cheering the mammoth entertainment provider for its second-to-none gaming experience, and cures for cancer and the common cold left mankind with the incontrovertible belief that we are all destined to live long and prosperous lives.

Oh, wait. That was the Bizarro world. Over here in the land of reality and taxes, Sony didn’t sell its hundred millionth console, but it did cough up another million user accounts, albeit unwillingly. In what’s quickly becoming (or has already become) something of a joke ending with a simple punch line – ‘Sony’ – another hack attack saw the entertainment giant scrambling to quietly warn users that another breach in its security, this time of Sony BMG Music’s website, had occurred. The announcement seemed like it came from the Bizarro world, considering that over at Playstation.com, splashed in prominence on the main page is the announcement of Sony’s ‘Welcome Back’ program, designed to mollify irritated users whose access to the Playstation Network and Qriocity had been down for a month.

The group LulzSec claimed responsibility for the hack, and this time, even though the result doesn’t seem nearly as severe – one million accounts, compared to 78 million in the PSN/Qriocity breach – this one has increasingly chilling implications. First, LulzSec, which wasted no time in reporting its success, stated in an anonymous post, “We just want to embarrass Sony some more. Can this be hack number eight? Seven and a half?!”

Second, the LulzSec team gives a detailed account of the fruits of their labors: “Personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 “music codes” and 3.5 million “music coupons”.”

Third, they went and posted the data for everyone to see, ready for phishing enthusiasts, spam artists and identity thieves everywhere to just pluck the data out of the cloud and go to work. All this while the U.S. Congress is grilling Sony and email marketing company Epsilon about their recent security woes.

Fourth – and maybe most disturbing – was how LulzSec claims they went about it. “Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?” Ohhh, man. For Sony, this must seem like the makings of a script for the sequel to The Hangover 2 (too bad they don’t own the rights to the blockbuster movie series – it would have made for good irony).
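To make concrete what “a very simple SQL injection” means, and why it can expose a whole table at once, here is an added Python/sqlite3 illustration. It is not code from the article, from Sony, or from LulzSec; the `users` table, the user names and the two lookup functions are constructed for the demo. The vulnerable lookup splices user input straight into the SQL text, so an input that contains a quote character rewrites the query; the parameterized lookup hands the same input to the database driver as data, so it can never change the query’s structure. The `run_checks` function is the kind of regression test a development team can keep in CI to prove a login query is parameterized.

```python
import sqlite3

# Constructed sample data for the demo only (plaintext passwords are used here
# purely to keep the example short; real systems store salted password hashes).
SAMPLE_USERS = [
    ("alice", "correct-horse", "alice@example.invalid"),
    ("bob", "battery-staple", "bob@example.invalid"),
    ("o'brien", "wrong-staple", "obrien@example.invalid"),  # legitimate name with a quote
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """VULNERABLE: untrusted input is formatted into the SQL string.

    A quote character in either field ends the string literal early and the
    remainder of the input is parsed as SQL, so the WHERE clause can be
    rewritten to match every row instead of one.
    """
    sql = (
        "SELECT username, email FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """HARDENED: the same query with bound parameters.

    The SQL text is fixed at compile time; the driver passes the input values
    separately, so a quote in the input is just a quote in the data.
    """
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def apostrophe_breaks_vulnerable(conn: sqlite3.Connection) -> bool:
    """A perfectly legitimate name with an apostrophe is enough to break the
    string-built query; this is usually the first symptom a tester notices."""
    try:
        lookup_vulnerable(conn, "o'brien", "wrong-staple")
    except sqlite3.OperationalError:
        return True
    return False


def run_checks() -> dict:
    """Compare both lookups on the textbook tautology input and on valid input."""
    conn = make_db()
    injected = "' OR '1'='1"  # widely documented tautology; used here as a test fixture
    return {
        # The string-built query collapses to a clause that is true for every row.
        "vulnerable_injected_rows": len(lookup_vulnerable(conn, injected, injected)),
        # The parameterized query treats the input as a literal username: no match.
        "parameterized_injected_rows": len(lookup_parameterized(conn, injected, injected)),
        # Valid credentials still work through the parameterized path.
        "parameterized_valid_rows": len(lookup_parameterized(conn, "alice", "correct-horse")),
        # The parameterized path also copes with legitimate quotes in data.
        "parameterized_apostrophe_rows": len(lookup_parameterized(conn, "o'brien", "wrong-staple")),
        "vulnerable_apostrophe_errors": apostrophe_breaks_vulnerable(conn),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The point of the check is not the particular input string but the structural difference: with `lookup_vulnerable`, the number of rows returned depends on what the attacker typed; with `lookup_parameterized`, it depends only on whether a matching row exists. The same discipline applies to every query an application builds from request data, not just login forms.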

Word on the street, however, suggests that Sony brought it on themselves, and that maybe this is just Karma coming back to roost. Speculation has been that both Anonymous – the hacktivist group which laid claim to the PSN breach – and LulzSec were striking a blow in the name of solidarity for the way Sony has been treating George Hotz, better known as iPhone hacker extraordinaire GeoHot. In February, a premonition of what was to come showed up in a warning from Paul Roberts at ThreatPost, who wrote about the early February security breach at HBGary: “Don’t kick the hornet’s nest.” Interestingly enough, the hornets he referred to were none other than Sony’s newest, bestest nemesis, Anonymous.

But wait, there’s more! It seems that LulzSec wasn’t happy just taking Sony down. Last week, Nintendo Corp. announced that it was stung by the hornets when LulzSec posted a server configuration file on its website as proof that they hacked another of the three giants in the gaming arena, a claim that was confirmed by Nintendo. Nintendo stated that no user data was compromised in the attack, which actually happened weeks before (question: are these companies really helping their own cause by sitting on this information?). In a strange message on Twitter, LulzSec sounded charitable when the group tweeted, “We’re not targeting Nintendo. We like the N64 (gaming console) too much – we sincerely hope Nintendo plugs the gap.”

Is Microsoft next? International Business Times reports that, “it is because of the random nature of LulzSec’s attack on Nintendo that certain analysts and industry commentators have speculated that a future cyber attack on Microsoft may be in the works,” and there’s a lot of truth in those words, if recent activity is any indicator. Perhaps Microsoft has already been hit, and like their counterparts have chosen to sweep it under the carpet. Whichever the case, the question here is: what’s the real story in all this? That a mega corporation like Sony can be embarrassed – repeatedly – so easily, if LulzSec’s claims are true? That if companies like the ones being breached aren’t safe, then how can the average IT manager expect to protect her company’s networks? That the frequency of these security breaches has media in general taking a ‘ho-hum’ approach to new occurrences? That hackers are so ambivalent toward what they do that in one breath they can take down one gaming giant for fun and another for vengeance? Or – getting back to Sony and considering LulzSec’s claims – how in the heck could Sony let themselves be taken down again and so easily?

You choose.