Shocking: Sony Learned No Password Lessons After The 2011 PSN Hack

from the sony-is-as-sony-does dept

The great Sony hack of 2014: what's it all about? Is it a subversive plot by North Koreans operating out of China in revenge for a film starring two guys from Freaks and Geeks? Or maybe it's simply fodder for stupid politicians to remind us that all the world's ills could be cured if only internet service providers took on the challenge of fixing all the things in all the places? No, my dear friends, no. The Sony hack of 2014 is a beautiful Christmas gift (your religious holiday may vary) of a wake-up call to anyone silly enough to think that Sony would bother to learn the lessons very recent history has tried to teach it.

To prove this, one need only review the latest file dump in the leak, which features the wonderful naivete of whatever bright minds are in charge of Sony's internal password conventions and storage policies.

In a small file titled "Bonus.rar," hackers included a folder named "Password." It's exactly what it sounds like: 140 files containing thousands upon thousands of private passwords, virtually all of them stored in plaintext documents without protection of any kind. Some seem personal in nature ("karrie's Passwords.xls") while others are wider in scope ("YouTube login passwords.xls"). Many are tied to financial accounts like American Express, while others provide access to corporate voicemail accounts or internal servers, and come conveniently paired with full names, addresses, phone numbers, and emails.


In case you're unfamiliar with the hack against Sony's Playstation Network a mere three years ago, the problem was -- you guessed it -- the exact same thing. In that case, the hack produced customer names, addresses, emails and login/password information because that information was stored in plain text, contrary to the advice of every competent network security person on the planet. Take, for instance, one security researcher quoted in the link above:

Passwords in plaintext? These guys are pretty bad - I don't think I've ever encountered this before. What's the point of using common password storage/hashing techniques if your staff is keeping all your passwords in plain text on open fileshares? Shit, why bother having locks on the doors at all?
The worst of all the problem's this hack revealed is that this question should have been answered in the wake of the events of three years ago. It's one thing to screw up. It's quite another to screw up in a manner that went public in a spectacular way and simply refuse to take measures to ensure it doesn't happen again. But that's Sony for you: long live plain text.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hack, password, sony hack
Companies: sony, sony pictures


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 5 Dec 2014 @ 4:22am

    Normally I'd recommend using an encrypted password manager, such as Bruce Schneier's Password Safe or KeePass. But since all the computers on Sony's networks were already compromised by backdoors, keyloggers and disk wipers. It probably would have made little difference. At least it would have made stealing passwords a little harder for the hackers. Maybe.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Dec 2014 @ 5:59am

      Re:

      Meanwhile, governments are trying to outlaw encryption.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 5 Dec 2014 @ 8:05am

      Re:

      "At least it would have made stealing passwords a little harder for the hackers. Maybe."

      There's a truism in the security world: if something can be accessed legally, it can be accessed illegally. My personal corollary to that is: even if you can't stop the intruder, you can at least make his life harder.

      link to this | view in chronology ]

  • identicon
    Nate, 5 Dec 2014 @ 4:25am

    I'm confused; I thought we were supposed to use open standard formats for string information rather than proprietary formats.Isn't that what Sony is doing here?

    link to this | view in chronology ]

    • icon
      Jeff Green (profile), 5 Dec 2014 @ 4:30am

      Re:

      There's a difference between open standards and open!

      Everyone can look up on the interwebs how to make a tumbler lock. But best of luck to you in opening a 7 lever one without the key!

      link to this | view in chronology ]

    • icon
      PaulT (profile), 5 Dec 2014 @ 5:26am

      Re:

      Sarcasm noted, I hope. Sadly, some people at Sony might well be stupid enough to believe that "open standard" is a synonym for "unencrypted/unprotected".

      link to this | view in chronology ]

      • identicon
        coward (anon), 5 Dec 2014 @ 3:36pm

        Re: Re:

        As far as I know there was no customer information exposed, Sony Pictures doesn't do business directly with the public. The only data exposed was employee data. So, no, I wouldn't expect this to have any affect on Sony's liability protection.

        link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 5 Dec 2014 @ 4:31am

    Until the cost of being stupid reaches X, they will keep being stupid.

    X is an amount where shareholders might lose value, or actually take the board to task if they figure out they did nothing after the last time.

    So first it was random hackers, then North Korea, then a variant of some other malware... anyone notice a theme?
    Facing harsh well financed hackers their systems fell after the security was breached.
    They spent more on PR after Sownage than on fixing the issues. They will never have to pay themselves for the failures, the costs will be passed down to those people they managed to screw while keeping the bosses country club memberships up to date. Politicians are blaming anything remotely related to the internet as being at fault, it lets them push other pet projects they have going.

    This company failed to learn from over 20 lessons, and once again wants to play the we are the poor victims card. If you forget to lock your door and get robbed, you are a victim. If you fail to lock your door 23 times, you are an idiot... especially in a world where you can buy a lock off the shelf that self locks... but that was to expensive to bother with, and now you want people to feel sorry for you.

    Perhaps one should question any pay raises or bonuses that were given, and ask could they have paid for actual security with it. But multimillion dollar liability and lawsuits from not only the little people but other millionaires perhaps maybe the message will make it across exactly how badly they screwed this up and THIS time they might tie a string on their finger to remind them to lock the door.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 5:27am

    Does this open up Sony to the same things that the 2013 Target hacking has had? I'm pretty sure that this is the third time Sony have done this, so eould that be enough to remove the liability barriers?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Dec 2014 @ 10:33am

      Re:

      Does this open up Sony to the same things that the 2013 Target hacking has had?

      This is different.

      Target had their customer's credit card information exposed. The news of this directly impacted their revenues and profits. Subsequently this led to their executive overseeing IT leaving the company. The liability of this is over customer protection laws.

      Now Sony had their HR and payroll data exposed. That won't impact their customers directly. But it will affect their workforce morale. Can't say how much this will indirectly impact their revenues or costs. Any liability here will be over worker protection laws...

      The effect of having their internal people up in arms over IT will be interesting to observe.

      link to this | view in chronology ]

  • identicon
    Matthew A. Sawtell, 5 Dec 2014 @ 6:08am

    If one division in a large corporation sneezes, it does not mean the rest gets shots

    Hate to say this, but... if you have a large enough corporation like Sony, with a lot of separate divisions that normally do not "talk to each other", things like this occur much too often.

    link to this | view in chronology ]

    • identicon
      coward (anon), 5 Dec 2014 @ 3:46pm

      Re: If one division in a large corporation sneezes, it does not mean the rest gets shots

      Well said. As someone who worked for Sony Network Entertainment during the 2011 hack I can tell you that while SNEI made a lot of long overdue changes following that hack, other Sony properties, like Sony Pictures (SPE), probably weren't even aware that we had been hacked. Other than licensing issues related to selling/renting SPE movies there is no communication or commonality between the 2 divisions.

      I also believe that this hack and the sorts of data that were stolen is far less due to it being Sony and more a common problem with movie studios. The people who work at studios are extremely both non-technical and not interested in becoming technical. Passwords only exist because the IT nerds like making everyone else's life miserable. So the simplest way to keep track of multiple passwords is to put them in a text file and share them. What I find far more unfathomable is why were there DVD quality digital copies of upcoming movies accessible on a network connected to the internet? Normally one would expect those sorts of assets to be kept isolated via an air gap.

      link to this | view in chronology ]

      • identicon
        Matthew A. Sawtell, 5 Dec 2014 @ 6:36pm

        Re: Re: If one division in a large corporation sneezes, it does not mean the rest gets shots

        It would be nice to think that 'non-technical people' would not do silly things like storing entire movies in odd places, yet that was the one thing that saved Pixar's collective behinds with Toy Story 2 when they lost a server farm, and realized their backups were nothing. Again, have a large enough organization - you will have instances of 'shadow IT' and 'rogue data operations' with divisions and smaller organizations, good or bad. Throw into this mix an IT staff that is mostly outsourced contractors, and we get to see more issues arise.

        link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 5 Dec 2014 @ 6:35am

    Time for a change of viewpoint

    PiracXXXXXSony is killing the movie business.

    link to this | view in chronology ]

  • identicon
    Michael, 5 Dec 2014 @ 7:23am

    If they weren't doing anything wrong, they had nothing to hide with these passwords anyway.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 8:30am

    Disagree with the anonymous security researcher

    Passwords in plaintext? These guys are pretty bad - I don't think I've ever encountered this before. What's the point of using common password storage/hashing techniques if your staff is keeping all your passwords in plain text on open fileshares? Shit, why bother having locks on the doors at all?
    Anonymous security researcher misses a critical point here. Yes, passwords should be stored hashed when you are the password authority, since you only need to verify the other party knows it. However, all of the passwords referenced in this article are used to authenticate to services that Sony cannot readily configure to use hashing: other corporations, which despite years of advice to the contrary, continue to use plaintext-password-in-the-form authentication (usually, but not always, delivered over https to prevent passive snooping); closed systems (e.g. Windows shares) which take directory credentials; etc. If the referenced web services authenticated via client certificates or encouraged delegation methods to readily support the idea that each Sony employee would have unique credentials for authenticating to a single external account, I would be less sympathetic to Sony. Sony showed poor discipline by getting breached and by storing the data in a form which requires minimal effort to abuse, but I don't see that they could have kept the passwords private once the attackers breached the Sony network.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Dec 2014 @ 9:01am

      Re: Disagree with the anonymous security researcher

      There are ways to securely share a common password to a group of people. passpack.com and lastpass.com have a way to do this.

      There is no valid excuse/reason to store passwords in plain text.

      Why is a company like Sony, with lots of money, not implementing Two-Factor authentication? Passwords will get compromised, if you do not have protections against that you will get P0wned.

      Reading some RSA token device and typing the code IS too hard for some drones. There are other two factor devices such as Yubikeys that even a monkey could be taught to do, plug into USB port, press button.

      There is no excuse to NOT have two-factor auth. Technology is readily available and cheap.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 Dec 2014 @ 9:52am

        Re: Re: Disagree with the anonymous security researcher

        One interesting question is if they encrypted the doc files or not? Perhaps at the very least they did password protect the doc files. Does anyone know?

        link to this | view in chronology ]

      • identicon
        Michael, 5 Dec 2014 @ 11:27am

        Re: Re: Disagree with the anonymous security researcher

        There are ways to securely share a common password to a group of people

        If you are using a common password for a group of people you already lack any real security.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 8:59am

    they should've just used post-it notes

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 9:46am

    Put the Company on the line

    I think it's time to start putting companies on the line. If they can't keep data secure, replace the C-board, or force Chapter 7. That'll get their attention.

    Bottom line: Everyone is going to get hacked sometime. The real issue is how quickly do you discover it, and how do you handle it once you find out?

    If your company sucks at security, so should your business prospects.

    link to this | view in chronology ]

    • icon
      Mason Wheeler (profile), 5 Dec 2014 @ 11:13am

      Re: Put the Company on the line

      Agreed. Having it happen the first time was bad enough, but when it happens again, that goes beyond simple stupidity; it's hard to regard this level of incompetence as anything other than an act of malicious, willful negligence.

      With this, Sony has proven themselves to be a menace to the community. If I were a regulator, I'd be looking real hard right about now at the possibility of revoking their corporate charter.

      link to this | view in chronology ]

    • identicon
      Michael, 5 Dec 2014 @ 11:29am

      Re: Put the Company on the line

      I think it's time to start putting companies on the line.

      Absolutely. Don't buy anything from Sony and this will be the result.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 10:15am

    but it will allow Sony to come back with some other hair-brained scheme that will fuck the customers up more! something like forcing changes to the O/S or making it compulsory to install new firmware that does absolutely nothing except allow Sony to go after people using big sticks against them in case one of each million are using a cloned handset or something! like other areas of the entertainment industries, nothing that should be done is ever done! and when something is done, it's always to screw over the people that are relied on to keep the business going!!

    link to this | view in chronology ]

  • icon
    JoeCool (profile), 5 Dec 2014 @ 10:35am

    Only logical

    They HAVE to keep their passwords in a plain-text file! They're writing them down because they can't remember them, so what makes you think they'd remember the password to the encrypted file storing their passwords? When they forget, they need it in plain text so they can read it and see what their passwords were.
    :)

    link to this | view in chronology ]

  • identicon
    Irving, 5 Dec 2014 @ 11:20am

    When I hear "The Great Sony Hack"

    ...all I can think of is Sony's rootkit injection scheme.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 11:28am

    Double Bogey is par

    These are the same people who thought putting rootkits on millions of customer computers was a good idea. Did anyone really expect them to do better?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 3:39pm

    This article has shown me that using encrypted password managers on computers with any kind of online capabilities is a very bad idea. Once the hackers breach your system, all they need to do is install a keylogger to get your master password. At which point they'll have unfettered access to the rest of the password stored in the password manager.

    I really need to upgrade to a computer with hardware visualization support. Then I can run my password manager in a virtual machine that has no network access. Then just copy/paste username/passwords between VMs using the clipboard. Hackers might intercept a few of my passwords through the clipboard, but at least they won't get my master password.

    A more secure alternative is buying a dedicated offline computer for password management. This approach is rather inconvenient though. I'd have to manually type each username/password in by hand, in order to transfer the passwords between the offline machine and the online machine.

    Perhaps I can refactor a smartphone into an offline computer for dedicated password management. I'd have to disable the the cellular baseband modem, wifi, and bluetooth on the phone. But at least it's small enough for me to carry around so I have my passwords everywhere I go.

    I think I'll go with the dedicated computer method. That way I always have my passwords on me in the form of a pocket sized offline computer. Now I just need to find a reliable password manager compiled for Arm processors.

    The only thing to watch out for is losing your pocket sized computer which holds all your passwords on it. I'll have to make regular backups of the password manager's encrypted database, stored on the phone's SD card, and store it in the cloud or a some other location in case my house burns down.

    I'm learning a lot for the Sony breach. I wonder if Sony is too.

    link to this | view in chronology ]

    • icon
      Eldakka (profile), 7 Dec 2014 @ 5:01pm

      Re:

      Time to dig out my old palmpilot that doesn't have any wireless connectivity (except an infra-red port, but at least that's line of site and I can cover it), and install a password manager on there and use it only for retrieving my passwords, no wireless connections, never plug it in to another device, just use the monochrome LED screen for input/output.

      Or maybe get out an old smartphone and physically disconnect the antennas.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 8 Dec 2014 @ 9:12am

      Re:

      Or, even easier, just keep your passwords written down on a piece of paper you keep in your wallet. Keep a second copy of that list somewhere safe, preferable not in your home.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2014 @ 6:07pm

    I think the most important information retrieved from the "hack" is the list of Adventure Time episodes downloaded by staff.

    Why aren't average_joe and Rudyard Holmbast up in arms about this copyright infringement?

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    iCare service center, 6 Dec 2014 @ 5:44am

    Sony mobile service center in chennai

    Thanks for giving this useful information
    Sony mobile Service center in Chennai

    link to this | view in chronology ]

  • icon
    Sheogorath (profile), 9 Dec 2014 @ 4:04am

    Hey, you wanna know the best thing about this hack? I can claim my PS3 is less than a year old, and Son¥ no longer have anything on their database to prove otherwise! };D

    link to this | view in chronology ]

  • identicon
    juli, 19 Nov 2015 @ 12:07am

    thanks

    Thanks for the valuable information it's useful need Online grocery Store Chennai

    link to this | view in chronology ]

  • identicon
    tretdm9, 22 Jan 2016 @ 1:22pm

    add me

    plz

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.