Phishing Site Discovered On Sony Thailand Servers

mcgrew tips news that security firm F-secure has found a live phishing site running on Sony's Thailand servers. "Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important." This comes alongside news that a point service run by So-net, a Sony subsidiary, was accessed by an unknown intruder, who stole about $1,200 worth of virtual tokens. "The intrusions are believed to have taken place on May 16 and 17. So-net discovered the breach on May 18, after receiving consumer complaints. So-net halted the point redemption service following the discovery of the breach. The latest breaches are relatively minor in scale compared to the massive breach at PSN and Sony Entertainment Online. Even so, it only adds to the company's embarrassment."

Thailand

[bleble]

Every year I spent half an year living in Thailand. With all the fine ladyboys and fun time around, I'm not surprised no one cares about the servers.

Re:Thailand

[definate]

You've got a point.

I work in Australia for a company that does a lot of business throughout Asia, I've been on the internets for ages, and have a background in programming and finance, so I've got a weird diverse IT/Business background. So, I sometimes get assigned to figure out weird problems which the other guys can't figure out, despite the fact that I don't do that job.

Anyhow, every now and then I get given a job of "Somethings wrong with x system, when working with our y asian supplier/partner/customer/etc". These suppliers/partners/customers/etc, aren't small little back offices either, they're usually handling at least a several hundred thousand dollar piece of business, and at most they're handling a several million dollar piece.

The first one I got, I put a lot of effort in, and spent heaps of time looking at our side, getting as much information as possible, resolving that nothing was wrong on our side, and realizing what was happening on their side, then sending it to everyone concerned, which included their sides IT department. To the extent that I'd even figure out what software their running, find the manual, and find the section which dealt with this problem.

This inevitably resulted in them coming back to me with "No, it your side". It was literally that small and simple a response. I took them seriously, went off, tried to see if I could resolve it, and ... nope. Still definitely their side.

So, I got in contact with them, and tried to explain what was happening. At which point I noticed "Holy shit, these guys really don't know anything, I'm going to have to walk them through this".

A couple of days later, they still couldn't get it done, so instead they just gave me remote root/Administrator access to their entire network, with absolutely no oversight, so I can go through and make changes to their system, so it was setup correctly.

I shit you not. Sometimes this would mean changing their ssh setup, their sales/orders processing setup, their email server, their domain, everything and anything.

We use many suppliers, and when something changes with our products/services/internally, we often have to change suppliers. So, I've now done this about 5 times, for 5 different companies, throughout Asia. After the first time, I now don't hesitate to ask for root access, and I always get it. Without so much as a small amount of verification, sometimes they hadn't even been told internally of the problem. Although know is "There's this Australian guy, who's confident, and adamant that we've got a problem, and needs access to our systems".

It never ceases to amaze me.

I've thought about this a fair bit over the years, and I think it's apart of the honour/pride culture, where they don't want to have to admit to their managers that they did something wrong, so instead of admitting it, then working to fix it themselves (even with my guidance), they'd rather give a relative stranger complete access. From what I read, this is the sort of cultural problem that was seen at Fukishima, an inability to admit when they were wrong, such that only dodgy patches are undertaken, or possible problems are covered up, to save face.

I know one time when I did this, it got back to us through our customer, that "their IT department had worked with us to resolve issues on our end", which cracked us up. For the sake of getting the job done, we don't care if we take the blame, we just want it up and running smoothly.

Re:Thailand

You should have done "sudo rm rf" for the lulz, and you wouldn't be liable legally. Of course, you would have probably lost your job, but it would be worth it.

Re:Thailand

[definate]

LOL Yeah, I'm pretty sure that legally, I would have been liable, still. Even if they had of told me to wipe their drive, I'd probably still be liable, at least vicariously.

Re:Thailand

[h4rr4r]

First thing you should do is disable remote root login. Sudo motherfuckers, use it. If the logwatch server shows me you ran sudo su - , you get a swift fucking beating.

Re:Thailand

[definate]

I don't want to do anything that goes past allowing us to talk to them, because if it's security related and I mess something up, or they don't understand what I've done, I could have created more of a problem for them. So I stay strictly to my mandate, and just comment on other things I find (these go ignored).

Because of the above mentioned security and IT problems, we don't trust them with anything valuable. I've seen this amongst many businesses, where Asian businesses aren't trusted to do any serious work, they just do the grunt work.

Usually they've just got integration problems (email, sftp, etc), as that's all that's needed for us, is the ability to tell them what to do. So, if someone breaks into their business and fucks their shit up, it doesn't really affect us, unless they also fucked up the hands of the workers on the floor, and the basic printed plans they have. Our IP, isn't really worth stealing, we're not Apple/Google/etc, so that wouldn't matter either.

Re:Thailand

[h4rr4r]

I was being rather flippant.

I have worked in similar conditions and had to teach some nice Indian fellows how to make and use client side certs. Ended up basically doing for them. Their company had proposed using it for a job they were doing for a big box vendor we have as a customer. When they won the bid our customer, the big box, came to use and paid us to support this new marvel of security. As it turns out all the Indian contractors are swapped out so quickly the ones who bid knew how to do this and their replacements did not. I did not find this out until after had one of those "No, problem on your side" events you described.

An Iron Man 2 quote comes to mind

[Shadowruni]

Ivan Vanko: [laughs] If you could make God bleed, people would cease to believe in him, there will be blood in the water, the sharks will come. All I have to do is sit back and watch as the world consumes you. Not that Sony was ever a God but the idea holds for any giant corporation with enough money buy the best security in the world. They were made to bleed and this won't be the last of these.

Re:An Iron Man 2 quote comes to mind

[drinkypoo]

The greatest trick the devil ever pulled was convincing the world he doesn't exist.

Hell, of course, was made up to scare the sheeple, but the Devil is real and he is laughing.

Re:An Iron Man 2 quote comes to mind

[kelemvor4]

You guys watch too many movies...

Re:An Iron Man 2 quote comes to mind

... the Devil is real and he is laughing.

I recommend you take a position between the Two, tell Them both to fuck off, and claim your independence of Them.

Boycotts and sanctions are for pussies

[countertrolling]

The only way to deal with a mad dog is to kill it, without hesitation... Eat it raw, Sony!

Re:Boycotts and sanctions are for pussies

[mcgrew]

I would have thought that after XCP they'd be done. So I'm not holding my breath.

Looks like a cross infection on a shared hoster

[ZWithaPGGB]

Seems Sony in Thailand uses a shared hosting setup. More details @ ThreatSTOP's Blog

Make. Believe, indeed.

[Paska]

Make. Believe, indeed.

Sony definitely have a mountain to climb if any consumer is really going to believe in them again. They haven't just dropped the ball in regards to a few basement dwelling geeks, but have dropped the ball in-front of a crowd the tens of million.

Re:Make. Believe, indeed.

Unfortunately the crowd of tens of millions has the memory of a potatoe. They'll have forgotten all about this by the time the next shiny, hyped game will be released. Hell, even geeks are not much better. Just look at how apologetic many of them are towards Microsoft, who hasn't become any less evil, just less relevant.

Re:Make. Believe, indeed.

They still have their fanboys. Who were without PSN for a month... And STILL will buy sony and support them.

I think theres enough plain ol sheeple in the world for any large company to stay afloat anymore.

Re:Make. Believe, indeed.

[Pieroxy]

Do you really think this will affect their sales in a significant manner? I don't think so.

Re:Make. Believe, indeed.

You are assuming that potatoes have a lot more memory than they do.

Give this 3 months. Heck, by the time college freshmen arrive at their dorms in the fall, the PSN issue will have been completely forgotten, and business as usual will continue.

Ask any computer security person who has worked in the private sector. Other than a few companies who actually try to keep their barn door shut, a goodly number of businesses know that they won't suffer much if there is a loss. At best they will say that they will be instituting "more aggressive encryption", "taller firewalls", or some meaningless buzzword-laden gobbledygook for the press and go back to business as usual.

If you want to know where I see security starting to be taken seriously, check government. Nobody working in the public sector wants to be the person who ends up being responsible for data winding up on WikiLeaks. That would be almost guaranteed a career ending move.

I hate advocating new laws, but the US desperately needs some laws like Europe making it a really bad thing (tm) if a company spills PII. This way, someone can't just dump all the leaked crap from torrents, blackhat sites, and start figuring out stuff that the US government really doesn't want people to know (such as who are families and friends of police, military personnel, judges, and lawmakers, and what their potential weaknesses are.) I'd advocate not just privacy, but mandatory data destruction after a period of time unless the records are used for taxes, regulations, or ongoing transactions.

Businesses can adapt to this. Sarbanes-Oxley made storage companies rich -- it wouldn't be hard to attach expiration dates to patient/people/visitor records and have a system do a periodic garbage collection pass, yanking records that are expired. Even an encryption layer could be added with keys for periods of time, and when it comes time to expire a set of records, trash the keys for that time period. That way, even if the records are on backup tapes, they are forever inaccessible.

Re:Make. Believe, indeed.

[h4rr4r]

Add in lack of choice.
I have a ps3, I got it for free. I don't use PSN and only play single player. I will continue to buy games because I will not buy anything MS. I use wine for gaming as well, and have a wii. When the Fallout NV game of the year edition comes out I will get that. I will not buy DLC that will go away when they close the service though.

Re:Make. Believe, indeed.

[lucian1900]

Their customers don't care. They're finding excuses for Sony and threatening to kill the developers that worked on restoring OtherOS on the PS3. Sony'll be fine.

Re:Make. Believe, indeed.

Or the crowd of tens of millions are like me, I'll still buy it if they make something I like. Fuck off with the heroics all of you, they're a corporation....hello. They're all fucking up all the time when they're that big. It's just the way things work.

Amateur Phishers...

[tlhIngan]

Man, that's a bit amateurish on the side of the phishers.

They had access to a *SONY* server. The same Sony who just admitted issues on their systems. Surely they should've just set up a fake phishing site imitating Sony? I mean, set up a realistic looking Sony form asking for way more information than you need, host it on Sony server so Sony's domain points to it, put it in a plausible looking path, and send out an email faking a Sony return address.

Honestly, this would present such a great phishing and drive-by-download install opportunity, I'm surprised they didn't use it. It originates from a Sony email address, the link points to a Sony server (and even if they type it in themselves, it's still Sony's domain), but a third party is really phishing that information. I'd guess you'd get a good chunk of people filling that information in. Forward them to the real Sony login page...

If they had access to the Sony SSL server... oh my.

Something like this would pass most of the basic sniff tests for phish emails and make it almost impossible to determine if it's really Sony or a phisher using Sony's server.

Re:Amateur Phishers...

[Runaway1956]

Man, that's a bit amateurish on the side of the phishers.

Well - what would you expect? It doesn't require a professional to "hack" into Sony's networks!

not that unusual

Back in the earlier parts of the century when I played a more active role in spam fighting I used to find all sorts of open relay servers and fishing sites. There was a time when all sorts of educational institutes on the American east coast and mid west were crawling with these. That was never headline news, that was also ignored by the institutes themselves, you had to shout at their upstream to get anyone to take action. This minor hack should not have been news, it would not have been if it wasn't for the playstation hack.

Re:Sony Embarrassment Online

[metalmaster]

Don't give me that shit about being 'a different part of Sony

Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market. A few OEM products failed to reinstall after a PC repair. Neither MS nor the manufacturer could give me an explanation or solution. I have legit copies of Windows Vista Business and Windows 7 Professional purchased through the MSDNAA. I've lost access to that account(not a current student) and the product keys stored with it. No help there either

Should I avoid getting a xbox360? Where does that leave me if i wanna play games from this generation? PC? nope....I'd be giving into to Microsoft again. Oh, and Nintendo Wii is a joke.

I guess my point is that you can differentiate one product or service from another in regards to a big corporation. Do you think the guys tasked with improving the Windows user experience care about Xbox users? I doubt it, unless they're pushing for more seamless integration. Even then, theres another guy whose the "integration specialist"

Re:Sony Embarrassment Online

[Hadlock]

I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does. Apple comes to mind, but still seems far fetched. Maybe we'll see Mitsubishi or some German company throw their hat in to the ring?
 
If someone had a product in development, we'd have heard their marketing machine start rumbling, but the lack of a third contender means that people are writing up business plans/proposals for VCs around the world. By day 30 of the outage people will be speculating what this third console will be.

Re:Sony Embarrassment Online

[drinkypoo]

I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does.

Yes, that company would have been named Sega; they were the first to bring a console with an integrated modem and first to offer ethernet. Sony murdered them by knowingly publishing fraudulent specs for their console. I know I'm not the only one who didn't buy a DC because the PS2 was supposed to be better. The only way in which it was is that it was a DVD player... one of the worst ever made in terms of image quality.

Lesser of evils...

[SanityInAnarchy]

Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market...

Nothing you describe strikes me as anywhere near the malice of including a rootkit on a music CD, or removing a feature from a console which was a key selling point of said console, or the carelessness of exposing the sheer volume of personal information they have.

Should I avoid getting a xbox360? Where does that leave me if i wanna play games from this generation? PC? nope....I'd be giving into to Microsoft again.

Given that you need some sort of a PC -- that is, Personal Computer -- I don't really see how. You've still got Mac and Linux, and while I don't like the idea of paying for Windows any more than you do, it's at least an "open" platform in the sense that you get pretty much any indie game anyone wants to make for it.

Oh, and Nintendo Wii is a joke.

In what sense?

If it's graphics you care about, that's another point in favor of the PC, in theory. The problem here is that many modern games are designed for consoles, so there are a lot of PC games out there which, well, suck on the PC.

I guess my point is that you can differentiate one product or service from another in regards to a big corporation.

Yet what Sony's shown us lately is a lot of malice and contempt for their customers. Even if we ignore the rootkit, the PS3 shit so far has been far worse than Microsoft's typical MO.

For the moment, I'm alright with playing games on Windows using my "free" copy of Windows 7 provided by my school -- and I'm not likely to lose that product key, ever, Microsoft would have to actually invalidate it. Even here, it's the exception -- I booted Windows to play Portal 2, and then I went back to Linux. Busy as I am, I can't afford to spend much time gaming, which means I simply don't run out of games to play on Linux, DRM-free. It's not happening in the mainstream as much lately, but indie games seem to be using cross-platform support (Win/Mac/Linux) as a major selling point.

Whether they're from "this generation" depends what defines a generation. I mean, Aquaria is from 2007, years after this generation's consoles appeared -- and it's absolutely beautiful and really fun to play, and you absolutely should check it out, but it's still a side-scroller. Braid and Minecraft are like that, too -- not exactly state-of-the-art graphics, but cool concepts. Towards the higher end, there's stuff like Penumbra and Amnesia. And more than half the games I listed are open source, and I haven't even gotten into the well-known open source free-as-in-beer stuff -- Xonotic (was Nexuiz) is based on Darkplaces, which was based on Quake, but Nexuiz always felt like it had decently modern graphics, though most of it could be turned off for performance, and I imagine Xonotic will be the same. So there you go, there's even GPL'd games that could be considered "current-gen" unless you want to further define what you mean by that.

Re:Lesser of evils...

[metalmaster]

I wont argue with you about Sony's recent PSN issues and exposing a bunch of data. That was a huge blunder and they deserve to be raked over the coals for it. However, they werent the first to fall victim to a data breach and they wont be the last. Im thankful that i only ever gave them a yahoo email, some bogus address infos and disposable VISA numbers. As per my evil MS rant, if I were to buy retail copies of MS products I've lost I'd probably be a bit over $1500. Sony hasnt taken that much out of my pocket yet. As far as the linux debacle is concerned, we gotta be honest with ourselves and admit that only the /. crowd lost on that. Should they remove features after sale? No, but its not going to impact their target audience all that much either. Im a bit more pissed off that users are now required to update to the latest firmware before playing offline games. I cant really comment on the whole rootkit incident because i've only read about it. Then again, think about all the nasty little surprises we've heard about with removable storage. Sony wasn't first there and they wont be the last.

Maybe it's because im typing this so early on a Saturday(forgive me. havent slept) but when I think of $evil_corp Sony isnt exactly #1. Somewhere in the top 10, but certainly not #1.

On the topic of PC gaming, yes, all you need is a beige box with some peripherals. However, just as you said that big studios program for the console first and think about PC later you gotta think those same studios are writing their games for Windows first. Max and linux ports are an afterthough if they're given attention at all. Indie games are great, I wont argue. Mainstream devs will always produce games for he largest target market and that happens to be Windows PC right now.

Re:Lesser of evils...

[devnull17]

Aquaria is awesome. Proof that it doesn't take a big studio to create a beautiful, deep, consistently engaging game. I think there are Linux and Mac ports of it, too.

Re:Lesser of evils...

[SanityInAnarchy]

As far as the linux debacle is concerned, we gotta be honest with ourselves and admit that only the /. crowd lost on that.

What about the cluster people? Or were you counting those as the slashdot crowd?

Should they remove features after sale? No, but its not going to impact their target audience all that much either.

They sold it, even to their target audience, as "It's not just a console, it's a computer, even a supercomputer." If they then turn around and remove the feature, even if their target audience doesn't notice or care, how is that in any way fair? If you sold minivans with turbochargers to a bunch of soccer moms, then went around stealing the turbochargers back, I think even the soccer moms (who really didn't need it to begin with) have the right to be outraged.

Im a bit more pissed off that users are now required to update to the latest firmware before playing offline games.

See, this wouldn't bother me at all, if it weren't for the fact that the latest firmware actually removes features. With the saner devices I buy, upgrading the firmware tends to improve the user experience, not randomly remove features.

I cant really comment on the whole rootkit incident because i've only read about it. Then again, think about all the nasty little surprises we've heard about with removable storage.

Well, which in particular? The most common thing I hear about is removable storage that comes with malware by accident. This was by design, as a DRM measure.

when I think of $evil_corp Sony isnt exactly #1. Somewhere in the top 10, but certainly not #1.

I might, at least among large technology companies. I don't see Microsoft doing anything close anymore -- the only real contender is Apple.

However, just as you said that big studios program for the console first and think about PC later you gotta think those same studios are writing their games for Windows first. Max and linux ports are an afterthough if they're given attention at all.

The difference between OpenGL and Direct3D is tiny compared to the difference between either of those and the most efficient ways to program for a console. Plus, you've got all the same hardware and interfaces. I'd be very curious to see how Valve games run on the Mac -- I can't imagine they'd be that much worse than in Windows.

I do miss the days when Linux had the advantage, though. Back when Quake 3 was the hot new shit that you'd use for benchmarking, we had the very interesting situation where it ran faster under Wine than Windows, and the native Linux port was faster still.

Mainstream devs will always produce games for he largest target market and that happens to be Windows PC right now.

And the more I support indie games, particularly Linux ones, the more I'm changing that trend, I hope. I'm certainly not content to take the approach that so many Linux users do -- give up on gaming on the desktop, thus removing one more reason to have Windows (and maybe never booting Windows at all after that), and get a console. As evil as Microsoft might be, the only modern console developer who doesn't seem to be actively evil is Nintendo -- I don't think the Wii is a joke (and I am still considering buying one), but I do think that if you're really going for gameplay over graphics, you get a lot of the same by sticking to Linux indie games on the PC.

Re:Lesser of evils...

[metalmaster]

Cluster people be damned, but anyone who bought their PS3 specifically for that purpose probably still has it running under 3.21 or maybe a CFW 3.55. I've read about a few mods that return linux support. It screwed the gamer+tinkerer that was bothered moreso by lost PSN access than loss of OtherOS. I reiterate though, anyone who wanted their cluster would have read the release notes where it stated clearly that OtherOS would be lost and chosen not to update. On the topic of removable storage, I always read about disgruntled employees. That's no accident just poor QA on the part of the manufacturer.

Re:Lesser of evils...

[SanityInAnarchy]

anyone who bought their PS3 specifically for that purpose probably still has it running under 3.21 or maybe a CFW 3.55.

Likely, and it's likely a best practice to not allow updates (firmware or otherwise) to a cluster without having someone review it and maybe test it out on a single node. But I also don't think that the cluster people should be penalized as severely as if they were pirates because they expected a firmware update to not remove a feature they were relying on -- that's a reasonable expectation, especially when (again) this was something Sony had as a bullet point in their "Why you should buy a PS3" pitch.

It screwed the gamer+tinkerer that was bothered moreso by lost PSN access than loss of OtherOS.

Well, or lost both. It's particularly troubling because the PS3 would've made a decent home theater PC, which is also something Sony seemed to be pushing, and it doesn't seem far-fetched at all that someone would make it easy to install MythTV or XBMC on it. Then, suddenly, you have a choice between having your passive video and having your video games, including single-player games which use PSN as additional DRM.

On the topic of removable storage, I always read about disgruntled employees. That's no accident just poor QA on the part of the manufacturer.

From the manufacturer's standpoint, then, it's an accident. In the case of the Sony rootkit, they did deliberately set out to put additional DRM on their music CDs, and while they contracted with a third party to do so, it really doesn't look at all like this is a disgruntled employee trying to make either look bad, and they'd probably both be happy about it if the tech community hadn't made such a fuss about it.

Re:Lesser of evils...

[SanityInAnarchy]

Not only Linux and Mac, but it's open source now. After being blown away at how successful the original Humble Indie Bundle was, four out of the original five games went open source -- the only one which didn't is World of Goo.

Re:Lesser of evils...

[sjames]

If Uncle Smiley's garage rips off hundreds of little old ladies, I will still be wary of them even though I'm not a little old lady. They will have revealed their moral and ethical character and I know that they WILL rip me off just as soon as they feel like they can get away with it.

The mass rootkit incident was not a small number of users and it wasn't a nich audience using the product in an unusual way.

Re:Sony Embarrassment Online

I can see it now:
2012 will be the year of Linux on the console (yes i know Sony yanked support for it)

A Console based on *BSD or Linux, I know there has been attempts. Screw em lets make it happen. Of course the hard part is DRM which many companies are afraid of leaving out of their product.

The trick to it would be get a chipmaker behind it, which makes me think we are a little short in the GPU market out there. The prior Apple comment might be somewhat right PowerVR is becoming quite the contender on the mobile end. Maybe they need to release a PCIe card to test the water.

Is it really?

[imunfair]

I don't like Sony as a company, but this is one time I'm not sure if the claims against them are actually true. The article gave next to no details, and the site is already down so I can't look at it to see.

It's an Italian site and one of the words in the URL apparently translates to 'holder' - which makes me wonder if it was a development site that wasn't intended to be public. I'll admit it seems weird it's on a Thailand domain, but I would like a better explanation of what hdworld.sony is before I blame them for getting hacked. Are they providing shared hosting for some service and not checking the content regularly?

There just isn't enough information on this one.

Not necessarily hacked

This doesn't necessarily mean that Sony was hacked. Maybe Sony just decided to get into the phishing scam business...

Re:Not necessarily hacked

They are already in the rootkit business.

This is Sony?

I for one, feel sorry for any company that gets infecte.... - what's that? Oh this is Sony? Fuck them.

I smell...

...impending doom for Sony/SoE.