Shocking: Sony Learned No Password Lessons After The 2011 PSN Hack

from the sony-is-as-sony-does dept

The great Sony hack of 2014: what's it all about? Is it a subversive plot by North Koreans operating out of China in revenge for a film starring two guys from Freaks and Geeks? Or maybe it's simply fodder for stupid politicians to remind us that all the world's ills could be cured if only internet service providers took on the challenge of fixing all the things in all the places? No, my dear friends, no. The Sony hack of 2014 is a beautiful Christmas gift (your religious holiday may vary) of a wake-up call to anyone silly enough to think that Sony would bother to learn the lessons very recent history has tried to teach it.

To prove this, one need only review the latest file dump in the leak, which features the wonderful naivete of whatever bright minds are in charge of Sony's internal password conventions and storage policies.

In a small file titled "Bonus.rar," hackers included a folder named "Password." It's exactly what it sounds like: 140 files containing thousands upon thousands of private passwords, virtually all of them stored in plaintext documents without protection of any kind. Some seem personal in nature ("karrie's Passwords.xls") while others are wider in scope ("YouTube login passwords.xls"). Many are tied to financial accounts like American Express, while others provide access to corporate voicemail accounts or internal servers, and come conveniently paired with full names, addresses, phone numbers, and emails.

In case you're unfamiliar with the hack against Sony's Playstation Network a mere three years ago, the problem was -- you guessed it -- the exact same thing. In that case, the hack produced customer names, addresses, emails and login/password information because that information was stored in plain text, contrary to the advice of every competent network security person on the planet. Take, for instance, one security researcher quoted in the link above:

Passwords in plaintext? These guys are pretty bad - I don't think I've ever encountered this before. What's the point of using common password storage/hashing techniques if your staff is keeping all your passwords in plain text on open fileshares? Shit, why bother having locks on the doors at all?
The worst of all the problem's this hack revealed is that this question should have been answered in the wake of the events of three years ago. It's one thing to screw up. It's quite another to screw up in a manner that went public in a spectacular way and simply refuse to take measures to ensure it doesn't happen again. But that's Sony for you: long live plain text.

Filed Under: hack, password, sony hack
Companies: sony, sony pictures

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    That Anonymous Coward (profile), 5 Dec 2014 @ 4:31am

    Until the cost of being stupid reaches X, they will keep being stupid.

    X is an amount where shareholders might lose value, or actually take the board to task if they figure out they did nothing after the last time.

    So first it was random hackers, then North Korea, then a variant of some other malware... anyone notice a theme?
    Facing harsh well financed hackers their systems fell after the security was breached.
    They spent more on PR after Sownage than on fixing the issues. They will never have to pay themselves for the failures, the costs will be passed down to those people they managed to screw while keeping the bosses country club memberships up to date. Politicians are blaming anything remotely related to the internet as being at fault, it lets them push other pet projects they have going.

    This company failed to learn from over 20 lessons, and once again wants to play the we are the poor victims card. If you forget to lock your door and get robbed, you are a victim. If you fail to lock your door 23 times, you are an idiot... especially in a world where you can buy a lock off the shelf that self locks... but that was to expensive to bother with, and now you want people to feel sorry for you.

    Perhaps one should question any pay raises or bonuses that were given, and ask could they have paid for actual security with it. But multimillion dollar liability and lawsuits from not only the little people but other millionaires perhaps maybe the message will make it across exactly how badly they screwed this up and THIS time they might tie a string on their finger to remind them to lock the door.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.