Shocking: Sony Learned No Password Lessons After The 2011 PSN Hack
35 replies, posted
[quote][i]In a small file titled "Bonus.rar," hackers included a folder named "Password." It's exactly what it sounds like: 140 files containing thousands upon thousands of private passwords, virtually all of them stored in plaintext documents without protection of any kind. Some seem personal in nature ("karrie's Passwords.xls") while others are wider in scope ("YouTube login passwords.xls"). Many are tied to financial accounts like American Express, while others provide access to corporate voicemail accounts or internal servers, and come conveniently paired with full names, addresses, phone numbers, and emails.[/i][/quote]
[quote]The great Sony hack of 2014: what's it all about? Is it a subversive plot by North Koreans operating out of China in revenge for a film starring two guys from Freaks and Geeks? Or maybe it's simply fodder for stupid politicians to remind us that all the world's ills could be cured if only internet service providers took on the challenge of fixing all the things in all the places? No, my dear friends, no. The Sony hack of 2014 is a beautiful Christmas gift (your religious holiday may vary) of a wake-up call to anyone silly enough to think that Sony would bother to learn the lessons very recent history has tried to teach it.
To prove this, one need only review the latest file dump in the leak, which features the wonderful naivete of whatever bright minds are in charge of Sony's internal password conventions and storage policies.[/quote]
Full story at [url=https://www.techdirt.com/articles/20141204/12032329332/shocking-sony-learned-no-password-lessons-after-2011-psn-hack.shtml]Techdirt[/url]
Different article:
[url]http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html[/url]
The good part:
[quote]Although Spaltro declines to talk about Sony’s security practices, he says that while Sony Online Entertainment is fully compliant, every company weighs the cost of protecting personal data with the cost of what it would take to notify customers if a breach occurred. Spaltro offers a hypothetical example of a company that relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests.[/quote]
Just so everyone's on the same page, the error isn't storing everything in a folder named "passwords"; that's done automatically by a lot of systems for convenience. The error is storing them in plaintext.
[QUOTE=Remedial Math;46648630]Just so everyone's on the same page, the error isn't storing everything in a folder named "passwords"; that's done automatically by a lot of systems for convenience. The error is storing them in plaintext.[/QUOTE]
Since the hackers supposedly had access to practically the entire network and many filesystems on it, it's likely that they would have been able to find the encryption keys as well, had the passwords been encrypted, wouldn't they?
Either way the incompetence and even unwillingness to establish rudimentary security for their services which Sony has been showing off is outright disgraceful.
[QUOTE=Awesomecaek;46648653]Since the hackers supposedly had access to practically the entire network and many filesystems on it, it's likely that they would have been able to find the encryption keys as well, had the passwords been encrypted, wouldn't they?
Either way the incompetence and even unwillingness to establish rudimentary security for their services which Sony has been showing off is outright disgraceful.[/QUOTE]
I may be wrong on this but I don't think passwords are encrypted these days. They are hashed, which is irreversible (assuming your algorithm is good). When you type your password in to log in it will hash what you type and compare it to the hashed password. You can't "unhash" the password to see what it actually is. The passwords are also 'salted' by adding another string (unique to each user) to it before hashing so that the same password has a different hash for each user. This will prevent the same hash showing up for each user that uses a common password.
So if a salted hash is used then even if hackers get a list of the password hashes they will be pretty much meaningless. Obviously this isn't what Sony did.
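The scheme Fredo describes, as an added worked example (this is not code from the original thread or from Sony): a verify-only credential store that keeps a random per-user salt and an scrypt digest, never the password. It assumes only the Python standard library; the sample accounts are constructed for the demo, and the scrypt cost parameters are kept low so it runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Demo cost parameters (assumption for the example); use higher n for production.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn unless supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Enrol users. The plaintext passwords do not survive this call."""
    return {name: hash_password(pw) for name, pw in users.items()}


def digests_differ(store: Dict[str, Tuple[bytes, bytes]], a: str, b: str) -> bool:
    """True when two users' stored digests differ (they will, even for equal passwords)."""
    return store[a][1] != store[b][1]


def leaked_digest_is_useless(store: Dict[str, Tuple[bytes, bytes]], user: str) -> bool:
    """A stolen digest does not work as the password: it fails verification."""
    salt, digest = store[user]
    return not verify_password(digest.hex(), salt, digest)


# Constructed sample accounts; two of them share the same weak password.
SAMPLE_USERS = {"karrie": "Password1", "bob": "Password1", "mandy": "correct horse"}
STORE = build_store(SAMPLE_USERS)

if __name__ == "__main__":
    for name, (salt, digest) in STORE.items():
        print(f"{name}: salt={salt.hex()} digest={digest.hex()}")
    print("karrie logs in:", verify_password("Password1", *STORE["karrie"]))
    print("wrong case fails:", verify_password("password1", *STORE["karrie"]))
    print("shared password, different digests:", digests_differ(STORE, "karrie", "bob"))
    print("leaked digest cannot log in:", leaked_digest_is_useless(STORE, "karrie"))
```

Two points the thread makes are visible in the output: karrie and bob chose the same password yet their digests differ because their salts differ, so a leaked table cannot be attacked with one precomputed rainbow table, and a stolen digest is not itself a usable password.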
This is why I have different generated 128 bit passwords for everything. On the off chance that one account is breached, they're stopped dead there and can't get anywhere else.
[QUOTE=Fredo;46648885]I may be wrong on this but I don't think passwords are encrypted these days. They are hashed, which is irreversible (assuming your algorithm is good). When you type your password in to log in it will hash what you type and compare it to the hashed password. You can't "unhash" the password to see what it actually is. The passwords are also 'salted' by adding another string (unique to each user) to it before hashing so that the same password has a different hash for each user. This will prevent the same hash showing up for each user that uses a common password.
So if a salted hash is used then even if hackers get a list of the password hashes they will be pretty much meaningless. Obviously this isn't what Sony did.[/QUOTE]
You're right that most places hash passwords, however by the name of these files ([I]Some seem personal in nature ("[B]karrie's Passwords[/B].xls") while others are wider in scope ("[B]YouTube login password[/B]s.xls").[/I]) it looks like they're meant to be kept in a recoverable way to be used.
Of course, that still doesn't excuse not encrypting them at all (or storing them on an offline server). Yeah, the hackers could've gotten the encryption keys, but at least they would've made an effort.
So when did this hack happen??
[QUOTE=Killuah;46648609]The good part:
[quote]The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,”[/quote]
[/QUOTE]
We as customers have a choice to give Sony money, it's a valid consumer decision to not give Sony money instead.
So wait, are those Sony Pictures' passwords or do I have to change my PSN again?
[QUOTE=Durrsly;46649331]So wait, are those Sony Pictures' passwords or do I have to change my PSN again?[/QUOTE]
If I'm reading the article correctly then it's against Sony Pictures, since they mentioned the "Sony Playstation Network" breach from 3 years ago, but just referred to this one as "Sony."
I would still go ahead and change your password anyway, just to be safe, since I doubt there's much different from the way they're stored on PSN if this is the case.
[QUOTE=Fredo;46648885]I may be wrong on this but I don't think passwords are encrypted these days. They are hashed, which is irreversible (assuming your algorithm is good). When you type your password in to log in it will hash what you type and compare it to the hashed password. You can't "unhash" the password to see what it actually is. The passwords are also 'salted' by adding another string (unique to each user) to it before hashing so that the same password has a different hash for each user. This will prevent the same hash showing up for each user that uses a common password.
So if a salted hash is used then even if hackers get a list of the password hashes they will be pretty much meaningless. Obviously this isn't what Sony did.[/QUOTE]
So there's actually a point to turning my password into dots?
[QUOTE=Killuah;46648609]Different article:
[url]http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html[/url]
The good part:[/QUOTE]
But this is like hack number 4 now? That's 4 million dollars already wasted. Just pay the fucking 10 million instead of having to worry about getting hacked and spending a million each time.
[QUOTE=Awesomecaek;46648653]Since the hackers supposedly had access to practically the entire network and many filesystems on it, it's likely that they would have been able to find the encryption keys as well, had the passwords been encrypted, wouldn't they?
Either way the incompetence and even unwillingness to establish rudimentary security for their services which Sony has been showing off is outright disgraceful.[/QUOTE]
As a comp sci. student who had to make a login system for a project once, I can tell you that hash/salt is not even one day's work for a decent programmer to implement.
Hashes are irreversible (there's no point to ever retrieve the 'true' password), and salts are just there to prevent rainbow table attacks (it's basically like a brute force for hashes). This is silly lazy.
So there is no law to force them to store financial information encrypted/hashed?
Starting in 2015 all banks in MN need to encrypt or secure their information, the states are so behind the times.
[QUOTE=Jojje;46648957]This is why I have different generated 128 bit passwords for everything. On the off chance that one account is breached, they're stopped dead there and can't get anywhere else.[/QUOTE]
Don't most services limit you to have a password between 8-32 characters at most though?
How can such a big company like Sony & subsidiaries manage to be so [I]lazy[/I] with sensitive information like that??
[QUOTE=ZestyLemons;46651446]Don't most services limit you to have a password between 8-32 characters at most though?[/QUOTE]
Wouldn't that be 16 (ASCII) characters?
[QUOTE=ZestyLemons;46651440]As a comp sci. student who had to make a login system for a project once, I can tell you that hash/salt is not even one day's work for a decent programmer to implement.
Hashes are irreversible (there's no point to ever retrieve the 'true' password), and salts are just there to prevent rainbow table attacks (it's basically like a brute force for hashes). This is silly lazy.[/QUOTE]
This is true, however, salting+hashing all those passwords is not desirable if you would want to ever use those passwords again. Say, if you were to store your FP password for fear you might forget it, it's stupid to hash it, because then you wouldn't be able to go back to the original password and actually use it; See the file that was named "youtube passwords" or whatever. Still dumb to not at least run some kind of encryption on them, but hashing isn't the way to go.
[QUOTE=Jojje;46648957]This is why I have different generated 128 bit passwords for everything. On the off chance that one account is breached, they're stopped dead there and can't get anywhere else.[/QUOTE]
as paranoidly useful as it sounds, don't most websites have a limit on password size?
[QUOTE=Fredo;46648885]So if a salted hash is used then even if hackers get a list of the password hashes they will be pretty much meaningless. Obviously this isn't what Sony did.[/QUOTE]
Salted Hash? Why does that sound like a delicious meal to me?
[QUOTE=SlyManx;46651698]Salted Hash? Why does that sound like a delicious meal to me?[/QUOTE]
Holy crap now I know why I made this for breakfast
Now I have to ask, does "cheesy hash" have a technical definition? "Cheesy hash with scrambled eggs"?
[QUOTE=Merijn;46651519]This is true, however, salting+hashing all those passwords is not desirable if you would want to ever use those passwords again. Say, if you were to store your FP password for fear you might forget it, it's stupid to hash it, because then you wouldn't be able to go back to the original password and actually use it; See the file that was named "youtube passwords" or whatever. Still dumb to not at least run some kind of encryption on them, but hashing isn't the way to go.[/QUOTE]
Yeah, you have to remember, these are passwords which the company used to login to other systems - not customer passwords. Pretty much every company will have a set of employees who do this - either for convenience or just because they don't know any better. In some situations, it's almost unavoidable, especially if you've got company logins for ordering products, banking, social media, intranet administration, etc. etc.
Of course the passwords should never be unencrypted, but try telling Bob from marketing to stop storing passwords in plaintext on his system, and Mandy from accounting to keep the financial login details out of the internal servers. What it requires is educating the staff, and that is a difficult task to do especially when it's less convenient for them.
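The case the last two posts describe, as an added example that is not part of the original thread: credentials a company must be able to reuse (the "YouTube login passwords.xls" kind) cannot be hashed, so the alternative to a plaintext spreadsheet is an encrypted vault whose key is derived at runtime from a passphrase the operator types, not a key file sitting on the same share. This example assumes the third-party `cryptography` package is installed; the vault layout (magic header, salt, nonce, AES-GCM ciphertext) and the sample entries are constructed for the demo.

```python
import hashlib
import json
import os
from typing import Dict, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed file layout (assumption for the example): 8-byte magic, 16-byte salt,
# 12-byte nonce, then AES-256-GCM ciphertext with the magic bound in as AAD.
MAGIC = b"vault-v1"
SALT_LEN, NONCE_LEN = 16, 12


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the operator's passphrase into a 256-bit key (demo-sized scrypt cost)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def seal_vault(entries: Dict[str, Dict[str, str]], passphrase: str) -> bytes:
    """Encrypt the credential map. Only this blob is written to disk; the key is not."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def open_vault(blob: bytes, passphrase: str) -> Optional[Dict[str, Dict[str, str]]]:
    """Decrypt with the supplied passphrase; None on wrong passphrase or tampering."""
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    ciphertext = blob[off + SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        plaintext = AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        return None
    return json.loads(plaintext.decode("utf-8"))


def plaintext_leaks(blob: bytes, entries: Dict[str, Dict[str, str]]) -> bool:
    """True if any stored secret appears verbatim in the on-disk blob (it must not)."""
    return any(v["password"].encode("utf-8") in blob for v in entries.values())


# Constructed sample entries of the kind found in the leaked spreadsheets.
SAMPLE_ENTRIES = {
    "youtube-corporate": {"user": "marketing@example.com", "password": "hunter2-yt"},
    "amex-card": {"user": "accounts@example.com", "password": "c0rp-card-pw"},
}
MASTER = "typed by the operator, never written beside the vault"
VAULT = seal_vault(SAMPLE_ENTRIES, MASTER)

if __name__ == "__main__":
    print("vault bytes on disk:", len(VAULT))
    print("secrets visible in blob:", plaintext_leaks(VAULT, SAMPLE_ENTRIES))
    print("correct passphrase:", open_vault(VAULT, MASTER) == SAMPLE_ENTRIES)
    print("wrong passphrase:", open_vault(VAULT, "guess"))
```

The design choice worth noting against Awesomecaek's objection earlier in the thread: an attacker who copies the whole fileshare gets the blob, but the key exists only transiently in the memory of whoever ran `open_vault`, so the file dump alone recovers nothing. Tampering with the blob fails the GCM tag check and returns None rather than corrupted credentials.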
“I will not invest $10 million to avoid a possible $1 million loss,”
This is true however, you wouldn't put a titanium-alloy indestructible lock on a rusty old bicycle; it just wouldn't be worth it. I just wonder why they decided they just wouldn't do anything at all. I'm sure you could afford some form of protection with a budget of 1 million?
[QUOTE=Killuah;46648609]Different article:
[url]http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html[/url]
The good part:[/QUOTE]
Unless people decide to sue the shit out of them I guess.
[QUOTE=Killuah;46648609]Different article:
[url]http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html[/url]
The good part:[/QUOTE]
That's an asinine way to go about things, though. You're not spending ten mil to avoid a 1 mil loss, you're spending ten mil to secure customer trust in your system, to ensure unreleased projects stay unreleased until they're ready, to ensure those unreleased projects stay off the Pirate Bay, to secure your own future.
If I were head of Sony Pictures in 2011 I would have spent that ten mil the moment the PlayStation division realized they'd been hacked. The money would have been made back overnight. Literally overnight. And the peace of mind it bought would have been priceless.
Sony Pictures was already facing issues with customer opinion as it is, this hack is the last thing they needed.
[QUOTE=Awesomecaek;46648653]Since the hackers supposedly had access to practically the entire network and many filesystems on it, it's likely that they would have been able to find the encryption keys as well, had the passwords been encrypted, wouldn't they?[/QUOTE]
If you know what you're doing the encryption keys won't be stored on a publicly networked server. Also, as Fredo said, the passwords would be salted and hashed into uselessness for anyone who happens to hack in and get that key anyway.
[QUOTE=martijnp3000;46652102]“I will not invest $10 million to avoid a possible $1 million loss,”
This is true however, you wouldn't put a titanium-alloy indestructible lock on a rusty old bicycle; it just wouldn't be worth it. I just wonder why they decided they just wouldn't do anything at all. I'm sure you could afford some form of protection with a budget of 1 million?[/QUOTE]
In this case it's more like putting a rusty old lock on a titanium alloy indestructible bicycle.
[QUOTE=Greenen72;46651758]Holy crap now I know why I made this for breakfast
Now I have to ask, does "cheesy hash" have a technical definition? "Cheesy hash with scrambled eggs"?[/QUOTE]
Yes its when you take the Hash, salt it, then store it on a database in the server, then physically shake the server rapidly to jumble the bits around for better protection.
[QUOTE=RayvenQ;46653160]In this case it's more like putting a rusty old lock on a titanium alloy indestructible bicycle.[/QUOTE]
The metaphor is pretty bad considering the "bike" isn't theirs to begin with. If I borrowed someone else's bike and was trusted to keep it safe or face repercussions then you bet your ass I'd lock it up tight.
[QUOTE=Jojje;46648957]This is why I have different generated 128 bit passwords for everything. On the off chance that one account is breached, they're stopped dead there and can't get anywhere else.[/QUOTE]
That's great and all but you probably have them saved somewhere as there is no way you are remembering them all. There is a point where password complexity causes insecurity.