
Thread: Sony Network Said to Have Been Invaded by Hackers Using Amazon.com Server

  1. #1
    Xtreme Member xytrius's Avatar
    Join Date
    Feb 2005
    Location
    Chicago
    Posts
    473

    Sony Network Said to Have Been Invaded by Hackers Using Amazon.com Server

    Excerpts from Bloomberg:

    Amazon.com Inc. (AMZN)’s Web Services cloud-computing unit was used by hackers in last month’s attack against Sony Corp. (6758)’s online entertainment systems, according to a person with knowledge of the matter.

    Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.

    The development sheds light on how hackers used the so-called cloud to carry out the second-biggest online theft of personal information to date. The incursion, which compromised the personal accounts of more than 100 million Sony customers, was “a very carefully planned, very professional, highly sophisticated criminal cyber attack,” Sony has said.

    ...

    The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information.

    ...

    Amazon fell $3.51, or 1.7 percent, to $202.56 yesterday in Nasdaq Stock Market trading. The shares have added 13 percent this year. Sony lost 23 yen to 2,241 yen in Tokyo and have slid 23 percent in 2011.

    Sony offered customers a free year of identity-theft protection after its PlayStation Network and Qriocity entertainment networks were crippled by the attack. Thieves may have stolen credit-card, debit records and other personal information from customers of Sony Online Entertainment, a third service. The New York Attorney General’s office has subpoenaed Sony, according to a person familiar with the probe.
    Source and full information: http://www.bloomberg.com/news/2011-0...om-server.html

  2. #2
    YouTube Addict
    Join Date
    Aug 2005
    Location
    Klaatu barada nikto
    Posts
    17,574
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    Fast computers breed slow, lazy programmers
    The price of reliability is the pursuit of the utmost simplicity. It is a price which the very rich find most hard to pay.
    http://www.lighterra.com/papers/modernmicroprocessors/
    Modern Ram, makes an old overclocker miss BH-5 and the fun it was

  3. #3
    Xtreme Addict
    Join Date
    Jan 2009
    Posts
    1,445
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.


    I give you all the internets!
    [MOBO] Asus CrossHair Formula 5 AM3+
    [GPU] ATI 6970 x2 Crossfire 2Gb
    [RAM] G.SKILL Ripjaws X Series 16GB (4 x 4GB) 240-Pin DDR3 1600
    [CPU] AMD FX-8120 @ 4.8 ghz
    [COOLER] XSPC Rasa 750 RS360 WaterCooling
    [OS] Windows 8 x64 Enterprise
    [HDD] OCZ Vertex 3 120GB SSD
    [AUDIO] Logitech S-220 17 Watts 2.1

  4. #4
    Banned Movieman...
    Join Date
    May 2009
    Location
    illinois
    Posts
    1,809
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    They did make Sony reinvent their lack of security, so you can't say they didn't do something good LOL

  5. #5
    Xtreme Member
    Join Date
    Jan 2009
    Posts
    203
    I know what you're trying to say... but really: hackers and criminals aren't exactly mutually exclusive descriptions.

  6. #6
    Xtreme Enthusiast
    Join Date
    Jan 2007
    Location
    QLD
    Posts
    942
    Sony is learning the hard way that in a world of crooks you don't leave your pants down.

  7. #7
    I am Xtreme zanzabar's Avatar
    Join Date
    Jul 2007
    Location
    SF bay area, CA
    Posts
    15,871
    Amazon was shown to have easy access to CPU time for brute force decryption, but I don't see how this is anything more than a proxy, as it was not a brute force attack. And the Sony attack was supposed to be an inside job from the data center, so I don't see how this is related other than being Japanese companies in the normal get your data stolen and send out mass emails about it.

    Quote Originally Posted by Dainas View Post
    Sony is learning the hard way that in a world of crooks you don't leave your pants down.
    Isn't that "in a world of rapists don't leave your pants down", or "in a world of thieves don't leave your door unlocked"? I don't see how crooks would care about pants unless that's what they wanted.
    5930k, R5E, samsung 8GBx4 d-die, vega 56, wd gold 8TB, wd 4TB red, 2TB raid1 wd blue 5400
    samsung 840 evo 500GB, HP EX 1TB NVME , CM690II, swiftech h220, corsair 750hxi

  8. #8
    Xtreme Member
    Join Date
    Apr 2008
    Location
    Hiding under a blanky with a flash light
    Posts
    192
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    You make it sound so antiseptic and black/white. Life is not like that.

  9. #9
    Xtreme Addict
    Join Date
    Feb 2008
    Location
    Denmark / Aarhus
    Posts
    1,036
    Quote Originally Posted by BatteryOperated View Post
    You make it sound so antiseptic and black/white. Life is not like that.
    It IS black and white

    There are Whitehats and blackhats (Good and bad) and Hackers and Crackers (Same thing)
    Desktop I5-3570k, 8GB Ram, GTX 560, Silverstone TJ08-E, Crucial M4 128GB, 750W Silver Power, ASUS P8Z77-M
    Laptop ThinkPad W520 2720QM /2 x 4 GB ram / Quadro 1000M / Crucial M4 128GB + 500Gb Hdd / FHD Screen / Intel WiFi Link 6300 AGN WLAN / 9 Cell Battery
    Laptop 2 New Macbook Pro Retina / i7 QuadCore / 650 GT / 16GB Ram / 512 GB SSD
    Server: Athlon II X4 640, ASROCK K10N78, 8GB Ram, LSI MegaRaid 8 port, 64GB Vertex 1, 5 x 1 TB WD Raid6, 3 x 3TB Seagate Raid5

  10. #10
    Xtreme CCIE
    Join Date
    Dec 2004
    Location
    Atlanta, GA
    Posts
    3,842
    Quote Originally Posted by zanzabar View Post
    Amazon was shown to have easy access to CPU time for brute force decryption, but I don't see how this is anything more than a proxy, as it was not a brute force attack. And the Sony attack was supposed to be an inside job from the data center, so I don't see how this is related other than being Japanese companies in the normal get your data stolen and send out mass emails about it.
    +1


    I actually have first-hand experience with Sony's network from a global perspective, and I can say with confidence that this attack was not carried out by "sophisticated" people... or if it was they went out of their way to make their job unnecessarily complicated. Without even sitting down to really mull it over I'm pretty sure I can come up with at least a dozen ways to severely cripple their network or steal data from it.

    Doubly so now that they recently (in the last 18 months) brought all of their equipment in-house, as opposed to having outside companies handle most of it... training and experience takes time to build and has undoubtedly left them more vulnerable over the transition period.

    So yeah, take it from someone with first hand experience in their environment... this was surely not a difficult accomplishment at all. Unless the "hackers" had no idea what they were doing and tried breaking in through the worst possible vector.
    Dual CCIE (Route\Switch and Security) at your disposal. Have a Cisco-related or other network question? My PM box is always open.

    Xtreme Network:
    - Cisco 3560X-24P PoE Switch
    - Cisco ASA 5505 Firewall
    - Cisco 4402 Wireless LAN Controller
    - Cisco 3502i Access Point

  11. #11
    Xtreme Enthusiast
    Join Date
    Aug 2007
    Posts
    668
    Quote Originally Posted by zanzabar View Post
    Amazon was shown to have easy access to CPU time for brute force decryption, but I don't see how this is anything more than a proxy, as it was not a brute force attack. And the Sony attack was supposed to be an inside job from the data center, so I don't see how this is related other than being Japanese companies in the normal get your data stolen and send out mass emails about it.

    Isn't that "in a world of rapists don't leave your pants down", or "in a world of thieves don't leave your door unlocked"? I don't see how crooks would care about pants unless that's what they wanted.
    It is possible Sony was using Amazon to host some services and used Amazon to get access to some Sony services.

  12. #12
    Xtreme Member
    Join Date
    Jan 2011
    Location
    Orelia
    Posts
    316
    All the information that I have collected on this so far can be found here if people would like to have a look --> http://www.nrnl.org/psn-network-breach-thread-t705.html

    Add me on Facebook
    -=<#*!! 5OUnD PHr33K !!*#>=-

  13. #13
    Xtreme Member
    Join Date
    Oct 2008
    Posts
    115
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    It was done by hackers; some are criminals and some aren't. As far as I am concerned these ones aren't unless they plan to use the information they stole for their personal monetary gain. If it was simply a hack to embarrass Sony then it's a grey area.

    It's also nothing like comparing a pedophile and a doctor; it's more like comparing a paediatric doctor and Josef Mengele, "the angel of death": both are doctors but in very different ways.

  14. #14
    Hackintosh Lover
    Join Date
    Aug 2009
    Location
    Between London & Eastbourne, United Kingdom
    Posts
    559
    I'm quite disappointed that a company like Sony can't seem to fix their Security/Network problem.... It's been a while now and their network is still down (so I heard). I mean, I know even the greatest have to learn from others... And to be honest they had it coming for not listening to their customers and dismissing them like that.... BUT I expected more from Sony...
    Why Not Try a Hackintosh for A Change?? Steps HERE!!
    Want to install Mountain/Lion from a DVD or USB on your Apple PC?? Steps Here!


    Super Stable aKa 24/7




    Winners of EURO 08 | World Cup 10 | EURO 12
    Quote: Killin' Tube Kinks One Coil At A Time
    Hackintosh Lover
    "Dumb people" shouldn't use "Smart Phones"


    New Personal Wallpapers Selection

  15. #15
    Xtreme Enthusiast
    Join Date
    Nov 2006
    Posts
    799
    I logged into PSN yesterday afternoon and there was a console update and forced password change waiting for me. I'm just glad I don't have to go through all the BS just to watch Netflix now. I'm also glad I didn't pay for anything with Sony, including the PS3 itself.

  16. #16
    I am Xtreme zanzabar's Avatar
    Join Date
    Jul 2007
    Location
    SF bay area, CA
    Posts
    15,871
    Quote Originally Posted by WangChung View Post
    I logged into PSN yesterday afternoon and there was a console update and forced password change waiting for me. I'm just glad I don't have to go through all the BS just to watch Netflix now. I'm also glad I didn't pay for anything with Sony, including the PS3 itself.
    You should not need PSN to use Netflix though; you don't need it to be logged in but it nags at you, and there is no need for it to be logged in at all.
    5930k, R5E, samsung 8GBx4 d-die, vega 56, wd gold 8TB, wd 4TB red, 2TB raid1 wd blue 5400
    samsung 840 evo 500GB, HP EX 1TB NVME , CM690II, swiftech h220, corsair 750hxi

  17. #17
    Xtreme X.I.P.
    Join Date
    Nov 2002
    Location
    Shipai
    Posts
    31,147
    I love this whole thing... karma is a ... Sony got what it deserved imo

  18. #18
    Xtreme Enthusiast
    Join Date
    Jan 2007
    Location
    QLD
    Posts
    942
    Some hackers like a challenge, true; but even with the most sophisticated hackers, had Sony not been so complacent the damage would have been far more limited. And yet here we are, a month later and they've just finished up the fixes they've deemed necessary; a bit more time than needed to check the old locks.
    Last edited by Dainas; 05-16-2011 at 08:42 PM.

  19. #19
    Xtreme Enthusiast
    Join Date
    Dec 2008
    Posts
    811
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    The correct term is "crackers" to be honest.

  20. #20
    Xtreme Cruncher
    Join Date
    Mar 2010
    Posts
    451
    I wonder whether the attackers used a gift card or a stolen card to establish EC2 services? If Amazon still allows the use of gift cards for EC2, they might want to re-think that policy. In any event, it's another (albeit small) black eye for their web services.

    Quote Originally Posted by Serra View Post
    I actually have first-hand experience with Sony's network from a global perspective, and I can say with confidence that this attack was not carried out by "sophisticated" people... or if it was they went out of their way to make their job unnecessarily complicated. Without even sitting down to really mull it over I'm pretty sure I can come up with at least a dozen ways to severely cripple their network or steal data from it.

    Doubly so now that they recently (in the last 18 months) brought all of their equipment in-house, as opposed to having outside companies handle most of it... training and experience takes time to build and has undoubtedly left them more vulnerable over the transition period.

    So yeah, take it from someone with first hand experience in their environment... this was surely not a difficult accomplishment at all. Unless the "hackers" had no idea what they were doing and tried breaking in through the worst possible vector.
    Wow. If a network with tens of millions of users run by one of the largest corporations in the world can be brought down by unsophisticated criminals, it kinda makes you wonder how many others are vulnerable. And surprise, Sony has a very different opinion of their attackers' abilities. From the Bloomberg article:
    The incursion, which compromised the personal accounts of more than 100 million Sony customers, was “a very carefully planned, very professional, highly sophisticated criminal cyber attack,” Sony has said.


    Looks like judging the sophistication of this attack is a matter of one's perspective and level of knowledge in these matters. Unlike a lot of folks here, I barely know enough to set up/run my home's LAN. So, I'll judge the level of sophistication of Sony's attackers by the amount of time it takes for them to get caught. Caught tomorrow... unsophisticated. Caught never... pretty damn sophisticated. I guess time will tell.

  21. #21
    Xtreme Member
    Join Date
    Jan 2008
    Location
    Traveling through time
    Posts
    480
    Quote Originally Posted by saaya View Post
    I love this whole thing... karma is a ... Sony got what it deserved imo
    I don't think you understand saaya, Sony's CUSTOMERS have been screwed over. People with bills to pay. That's not something to be celebrating over.

    That said, Sony is gonna be feelin' this one for a long time and with some of the they've pulled maybe they did deserve a little slap across the face. But this is just a bad situation for PSN subscribers...
    CPU: i5 3570k @ 4.2 Ghz
    Memory: 2x4gb Kingston HyperX @ 1600Mhz
    Graphics: Sapphire 6950 Toxic on BenQ XL2420TE
    Board: ASUS Sabertooth Z77
    Power: Corsair AX850W (70A)


    HEATware
    Currently playing: Planetside 2, Dead Space 3, Call of Juarez: Gunslinger

  22. #22
    Xtreme Addict
    Join Date
    Nov 2006
    Posts
    1,402
    No code is safe, ...

    and the more code you add, the more unsafe your code is ...

    so, just be careful when a company sells you CDs with rootkits ....

  23. #23
    Xtreme Member
    Join Date
    Jun 2009
    Posts
    145
    Quote Originally Posted by nn_step View Post
    1) it wasn't done by hackers. It was done by criminals.
    2) Hackers create and invent. [Hackers are the roots of all technological and social advancement in the history of mankind.]
    3) Criminals that use computers are just that criminals. Nothing else and nothing more.
    4) Mistaking the two is like mistaking a doctor and a pedophile. Just because they both see kids, doesn't mean they are the same thing.
    Guess what? You lost the PR war in the 90s. Very few care for the distinction between Crackers and Hackers made in the 80s. Crackers/Black Hats are now synonymous with Hackers. Grow up with the times and the way our language has evolved.

  24. #24
    Xtreme Enthusiast
    Join Date
    Nov 2006
    Posts
    799
    Quote Originally Posted by zanzabar View Post
    You should not need PSN to use Netflix though; you don't need it to be logged in but it nags at you, and there is no need for it to be logged in at all.
    That's what I'm talking about though, having to go past the "You must be logged into the PlayStation Network to continue" nagging that it was doing. I had to force it like 8-10 times to finally get to the Netflix menu, just a nuisance more than anything. And now I don't have to deal with that.

  25. #25
    Xtreme Addict
    Join Date
    Dec 2003
    Location
    At work
    Posts
    1,369
    What's most exasperating is Sony's lax attitude toward security, continuing to run unpatched servers even after being informed of this fact.

    Yet, they're willing to remove and viciously defend the removal of the "Other OS" option on the PS3, arguing that the option posed a security risk!!

    I'd say the "Other OS" option is far less of a risk than Sony's poor attitude toward security.
    Server: HP Proliant ML370 G6, 2x Xeon X5690, 144GB ECC Registered, 8x OCZ Vertex 3 MAX IOPS 240GB on LSi 9265-8i (RAID 0), 12x Seagate Constellation ES.2 3TB SAS on LSi 9280-24i4e (RAID 6) and dual 1200W redundant power supplies.
    Gamer: Intel Core i7 6950X@4.2GHz, Rampage Edition 10, 128GB (8x16GB) Corsair Dominator Platinum 2800MHz, 2x NVidia Titan X (Pascal), Corsair H110i, Vengeance C70 w/Corsair AX1500i, Intel P3700 2TB (boot), Samsung SM961 1TB (Games), 2x Samsung PM1725 6.4TB (11.64TB usable) Windows Software RAID 0 (local storage).
    Beater: Xeon E5-1680 V3, NCase M1, ASRock X99-iTX/ac, 2x32GB Crucial 2400MHz RDIMMs, eVGA Titan X (Maxwell), Samsung 950 Pro 512GB, Corsair SF600, Asetek 92mm AIO water cooler.
    Server/workstation: 2x Xeon E5-2687W V2, Asus Z9PE-D8, 256GB 1866MHz Samsung LRDIMMs (8x32GB), eVGA Titan X (Maxwell), 2x Intel S3610 1.6TB SSD, Corsair AX1500i, Chenbro SR10769, Intel P3700 2TB.

    Thanks for the help (or lack thereof) in resolving my P3700 issue, FUGGER...
