Phishing Site Discovered On Sony Thailand Servers 44
mcgrew tips news that security firm F-secure has found a live phishing site running on Sony's Thailand servers. "Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important." This comes alongside news that a point service run by So-net, a Sony subsidiary, was accessed by an unknown intruder, who stole about $1,200 worth of virtual tokens. "The intrusions are believed to have taken place on May 16 and 17. So-net discovered the breach on May 18, after receiving consumer complaints. So-net halted the point redemption service following the discovery of the breach. The latest breaches are relatively minor in scale compared to the massive breach at PSN and Sony Entertainment Online. Even so, it only adds to the company's embarrassment."
Re:Thailand (Score:5, Interesting)
You've got a point.
I work in Australia for a company that does a lot of business throughout Asia, I've been on the internets for ages, and have a background in programming and finance, so I've got a weird diverse IT/Business background. So, I sometimes get assigned to figure out weird problems which the other guys can't figure out, despite the fact that I don't do that job.
Anyhow, every now and then I get given a job of "Somethings wrong with x system, when working with our y asian supplier/partner/customer/etc". These suppliers/partners/customers/etc, aren't small little back offices either, they're usually handling at least a several hundred thousand dollar piece of business, and at most they're handling a several million dollar piece.
The first one I got, I put a lot of effort in, and spent heaps of time looking at our side, getting as much information as possible, resolving that nothing was wrong on our side, and realizing what was happening on their side, then sending it to everyone concerned, which included their sides IT department. To the extent that I'd even figure out what software their running, find the manual, and find the section which dealt with this problem.
This inevitably resulted in them coming back to me with "No, it your side". It was literally that small and simple a response. I took them seriously, went off, tried to see if I could resolve it, and ... nope. Still definitely their side.
So, I got in contact with them, and tried to explain what was happening. At which point I noticed "Holy shit, these guys really don't know anything, I'm going to have to walk them through this".
A couple of days later, they still couldn't get it done, so instead they just gave me remote root/Administrator access to their entire network, with absolutely no oversight, so I can go through and make changes to their system, so it was setup correctly.
I shit you not. Sometimes this would mean changing their ssh setup, their sales/orders processing setup, their email server, their domain, everything and anything.
We use many suppliers, and when something changes with our products/services/internally, we often have to change suppliers. So, I've now done this about 5 times, for 5 different companies, throughout Asia. After the first time, I now don't hesitate to ask for root access, and I always get it. Without so much as a small amount of verification, sometimes they hadn't even been told internally of the problem. Although know is "There's this Australian guy, who's confident, and adamant that we've got a problem, and needs access to our systems".
It never ceases to amaze me.
I've thought about this a fair bit over the years, and I think it's apart of the honour/pride culture, where they don't want to have to admit to their managers that they did something wrong, so instead of admitting it, then working to fix it themselves (even with my guidance), they'd rather give a relative stranger complete access. From what I read, this is the sort of cultural problem that was seen at Fukishima, an inability to admit when they were wrong, such that only dodgy patches are undertaken, or possible problems are covered up, to save face.
I know one time when I did this, it got back to us through our customer, that "their IT department had worked with us to resolve issues on our end", which cracked us up. For the sake of getting the job done, we don't care if we take the blame, we just want it up and running smoothly.
Re: (Score:2)
LOL Yeah, I'm pretty sure that legally, I would have been liable, still. Even if they had of told me to wipe their drive, I'd probably still be liable, at least vicariously.
Re: (Score:2)
First thing you should do is disable remote root login. Sudo motherfuckers, use it. If the logwatch server shows me you ran sudo su - , you get a swift fucking beating.
Re: (Score:2)
I don't want to do anything that goes past allowing us to talk to them, because if it's security related and I mess something up, or they don't understand what I've done, I could have created more of a problem for them. So I stay strictly to my mandate, and just comment on other things I find (these go ignored).
Because of the above mentioned security and IT problems, we don't trust them with anything valuable. I've seen this amongst many businesses, where Asian businesses aren't trusted to do any serious wo
Re: (Score:2)
I was being rather flippant.
I have worked in similar conditions and had to teach some nice Indian fellows how to make and use client side certs. Ended up basically doing for them. Their company had proposed using it for a job they were doing for a big box vendor we have as a customer. When they won the bid our customer, the big box, came to use and paid us to support this new marvel of security. As it turns out all the Indian contractors are swapped out so quickly the ones who bid knew how to do this and th
An Iron Man 2 quote comes to mind (Score:2)
Re: (Score:2, Insightful)
The greatest trick the devil ever pulled was convincing the world he doesn't exist.
Hell, of course, was made up to scare the sheeple, but the Devil is real and he is laughing.
Re: (Score:1)
Boycotts and sanctions are for pussies (Score:1)
The only way to deal with a mad dog is to kill it, without hesitation... Eat it raw, Sony!
Re: (Score:2)
I would have thought that after XCP they'd be done. So I'm not holding my breath.
Looks like a cross infection on a shared hoster (Score:5, Informative)
Make. Believe, indeed. (Score:2)
Make. Believe, indeed.
Sony definitely have a mountain to climb if any consumer is really going to believe in them again. They haven't just dropped the ball in regards to a few basement dwelling geeks, but have dropped the ball in-front of a crowd the tens of million.
Re: (Score:1)
Unfortunately the crowd of tens of millions has the memory of a potatoe. They'll have forgotten all about this by the time the next shiny, hyped game will be released. Hell, even geeks are not much better. Just look at how apologetic many of them are towards Microsoft, who hasn't become any less evil, just less relevant.
Re: (Score:1)
You are assuming that potatoes have a lot more memory than they do.
Give this 3 months. Heck, by the time college freshmen arrive at their dorms in the fall, the PSN issue will have been completely forgotten, and business as usual will continue.
Ask any computer security person who has worked in the private sector. Other than a few companies who actually try to keep their barn door shut, a goodly number of businesses know that they won't suffer much if there is a loss. At best they will say that they will
Re: (Score:2)
Add in lack of choice.
I have a ps3, I got it for free. I don't use PSN and only play single player. I will continue to buy games because I will not buy anything MS. I use wine for gaming as well, and have a wii. When the Fallout NV game of the year edition comes out I will get that. I will not buy DLC that will go away when they close the service though.
Re: (Score:2)
Do you really think this will affect their sales in a significant manner? I don't think so.
Re: (Score:1)
Re: (Score:2)
Don't give me that shit about being 'a different part of Sony
Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market. A few OEM products failed to reinstall after a PC repair. Neither MS nor the manufacturer could give me an explanation or solution. I have legit copies of Windows Vista Business and Windows 7 Professional purchased through the MSDNAA. I've lost access to that account(not a current student) and the product keys stored with it. No help there either
Should I avoid getting a xbox360? Where does that leave me if i wanna
Re: (Score:2)
I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does. Apple comes to mind, but still seems far fetched. Maybe we'll see Mitsubishi or some German company throw their hat in to the ring?
If someone had a product in development, we'd have heard their marketing machine start rumbling, but the lack of a third con
Re: (Score:3)
I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does.
Yes, that company would have been named Sega; they were the first to bring a console with an integrated modem and first to offer ethernet. Sony murdered them by knowingly publishing fraudulent specs for their console. I know I'm not the only one who didn't buy a DC because the PS2 was supposed to be better. The only way in which it was is that it was a DVD player... one of the worst ever made in terms of image quality.
Lesser of evils... (Score:2)
Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market...
Nothing you describe strikes me as anywhere near the malice of including a rootkit on a music CD, or removing a feature from a console which was a key selling point of said console, or the carelessness of exposing the sheer volume of personal information they have.
Should I avoid getting a xbox360? Where does that leave me if i wanna play games from this generation? PC? nope....I'd be giving into to Microsoft again.
Given that you need some sort of a PC -- that is, Personal Computer -- I don't really see how. You've still got Mac and Linux, and while I don't like the idea of paying for Windows any more than you do, it's at least an "open" platform in the sens
Re: (Score:2)
Re: (Score:2)
As far as the linux debacle is concerned, we gotta be honest with ourselves and admit that only the /. crowd lost on that.
What about the cluster people [umassd.edu]? Or were you counting those as the slashdot crowd?
Should they remove features after sale? No, but its not going to impact their target audience all that much either.
They sold it, even to their target audience, as "It's not just a console, it's a computer, even a supercomputer." If they then turn around and remove the feature, even if their target audience doesn't notice or care, how is that in any way fair? If you sold minivans with turbochargers to a bunch of soccer moms, then went around stealing the turbochargers back, I think even the soccer moms (who really didn't need it to begin with
Re: (Score:2)
Re: (Score:2)
anyone who bought their PS3 specifically for that purpose probably still has it running under 3.21 or maybe a CFW 3.55.
Likely, and it's likely a best practice to not allow updates (firmware or otherwise) to a cluster without having someone review it and maybe test it out on a single node. But I also don't think that the cluster people should be penalized as severely as if they were pirates because they expected a firmware update to not remove a feature they were relying on -- that's a reasonable expectation, especially when (again) this was something Sony had as a bullet point in their "Why you should buy a PS3" pitch.
It screwed the gamer+tinkerer that was bothered moreso by lost PSN access than loss of OtherOS.
Well,
Re: (Score:2)
If Uncle Smiley's garage rips off hundreds of little old ladies, I will still be wary of them even though I'm not a little old lady. They will have revealed their moral and ethical character and I know that they WILL rip me off just as soon as they feel like they can get away with it.
The mass rootkit incident was not a small number of users and it wasn't a nich audience using the product in an unusual way.
Re: (Score:2)
Re: (Score:2)
Not only Linux and Mac, but it's open source now. After being blown away at how successful the original Humble Indie Bundle was, four out of the original five games went open source -- the only one which didn't is World of Goo.
Amateur Phishers... (Score:4, Interesting)
Man, that's a bit amateurish on the side of the phishers.
They had access to a *SONY* server. The same Sony who just admitted issues on their systems. Surely they should've just set up a fake phishing site imitating Sony? I mean, set up a realistic looking Sony form asking for way more information than you need, host it on Sony server so Sony's domain points to it, put it in a plausible looking path, and send out an email faking a Sony return address.
Honestly, this would present such a great phishing and drive-by-download install opportunity, I'm surprised they didn't use it. It originates from a Sony email address, the link points to a Sony server (and even if they type it in themselves, it's still Sony's domain), but a third party is really phishing that information. I'd guess you'd get a good chunk of people filling that information in. Forward them to the real Sony login page...
If they had access to the Sony SSL server... oh my.
Something like this would pass most of the basic sniff tests for phish emails and make it almost impossible to determine if it's really Sony or a phisher using Sony's server.
Re:Amateur Phishers... (Score:4, Insightful)
Man, that's a bit amateurish on the side of the phishers.
Well - what would you expect? It doesn't require a professional to "hack" into Sony's networks!
Is it really? (Score:3)
I don't like Sony as a company, but this is one time I'm not sure if the claims against them are actually true. The article gave next to no details, and the site is already down so I can't look at it to see.
It's an Italian site and one of the words in the URL apparently translates to 'holder' - which makes me wonder if it was a development site that wasn't intended to be public. I'll admit it seems weird it's on a Thailand domain, but I would like a better explanation of what hdworld.sony is before I blame them for getting hacked. Are they providing shared hosting for some service and not checking the content regularly?
There just isn't enough information on this one.
Not necessarily hacked (Score:1)
This doesn't necessarily mean that Sony was hacked. Maybe Sony just decided to get into the phishing scam business...