Judgment Day for Sony Brings Hackfest

Judgment Day was in all the news recently, since the world as we know it was supposed to end on May 21, 2011. When it didn’t, I’m sure Sony wished it had, as the company continues to suffer a brutal hackfest around the world.

At least 11 breaches have occurred in the last six weeks at Sony companies. Let’s recap some of the carnage in just April and May 2011:

  • April 4th: Several Sony websites go down amid denial of service attacks
  • April 26th: After a PlayStation Network outage of more than a week, Sony reveals that malicious hackers have gained access to 77 million user accounts
  • May 3rd: Sony reveals that in the days before the PSN breach, hackers compromised another 24.6 million users’ records on the Sony Online Entertainment network
  • May 5th: Intruders stole the names and e-mail addresses of about 2,000 customers at Sony Ericsson Mobile Communications AB’s Canadian website
  • May 18th: An unidentified source digs up a vulnerability in Sony’s password reset page, which allows anyone to change a user’s password using only his or her email address and date of birth
  • May 20th: Sony is hit on the same day with a hack of its Internet service provider and news of a phishing site hosted on its Thai website

In underground online forums last week, hackers said Sony’s servers were severely outdated and infiltrating them was relatively easy. Eugene Spafford, a security expert and professor at Purdue University, told a House subcommittee that computer security experts had been aware for months that the PlayStation’s Web servers were outdated and that the company’s network lacked sufficient security — which he said Sony must have also known.

The new intrusions indicate Sony is failing to contain the situation, and cybercriminals are being attracted to the company like sharks sensing fresh blood. So what can Sony do?

The first question I have is: were external risk assessments and penetration testing of these sites conducted? Sony’s response has been to move to new data centers and add more encryption and firewalls. But is that enough? We’ll have to wait and see. Until the next Judgment Day.