Slashdot Mirror
Phishing Site Discovered On Sony Thailand Servers
mcgrew tips news that security firm F-secure has found a live phishing site running on Sony's Thailand servers. "Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important." This comes alongside news that a point service run by So-net, a Sony subsidiary, was accessed by an unknown intruder, who stole about $1,200 worth of virtual tokens. "The intrusions are believed to have taken place on May 16 and 17. So-net discovered the breach on May 18, after receiving consumer complaints. So-net halted the point redemption service following the discovery of the breach. The latest breaches are relatively minor in scale compared to the massive breach at PSN and Sony Entertainment Online. Even so, it only adds to the company's embarrassment."
Ivan Vanko: [laughs] If you could make God bleed, people would cease to believe in him, there will be blood in the water, the sharks will come. All I have to do is sit back and watch as the world consumes you. Not that Sony was ever a God but the idea holds for any giant corporation with enough money buy the best security in the world. They were made to bleed and this won't be the last of these.
"Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
The only way to deal with a mad dog is to kill it, without hesitation... Eat it raw, Sony!
For justice, we must go to Don Corleone
Seems Sony in Thailand uses a shared hosting setup. More details @ ThreatSTOP's Blog
Make. Believe, indeed.
Sony definitely have a mountain to climb if any consumer is really going to believe in them again. They haven't just dropped the ball in regards to a few basement dwelling geeks, but have dropped the ball in-front of a crowd the tens of million.
You've got a point.
I work in Australia for a company that does a lot of business throughout Asia, I've been on the internets for ages, and have a background in programming and finance, so I've got a weird diverse IT/Business background. So, I sometimes get assigned to figure out weird problems which the other guys can't figure out, despite the fact that I don't do that job.
Anyhow, every now and then I get given a job of "Somethings wrong with x system, when working with our y asian supplier/partner/customer/etc". These suppliers/partners/customers/etc, aren't small little back offices either, they're usually handling at least a several hundred thousand dollar piece of business, and at most they're handling a several million dollar piece.
The first one I got, I put a lot of effort in, and spent heaps of time looking at our side, getting as much information as possible, resolving that nothing was wrong on our side, and realizing what was happening on their side, then sending it to everyone concerned, which included their sides IT department. To the extent that I'd even figure out what software their running, find the manual, and find the section which dealt with this problem.
This inevitably resulted in them coming back to me with "No, it your side". It was literally that small and simple a response. I took them seriously, went off, tried to see if I could resolve it, and ... nope. Still definitely their side.
So, I got in contact with them, and tried to explain what was happening. At which point I noticed "Holy shit, these guys really don't know anything, I'm going to have to walk them through this".
A couple of days later, they still couldn't get it done, so instead they just gave me remote root/Administrator access to their entire network, with absolutely no oversight, so I can go through and make changes to their system, so it was setup correctly.
I shit you not. Sometimes this would mean changing their ssh setup, their sales/orders processing setup, their email server, their domain, everything and anything.
We use many suppliers, and when something changes with our products/services/internally, we often have to change suppliers. So, I've now done this about 5 times, for 5 different companies, throughout Asia. After the first time, I now don't hesitate to ask for root access, and I always get it. Without so much as a small amount of verification, sometimes they hadn't even been told internally of the problem. Although know is "There's this Australian guy, who's confident, and adamant that we've got a problem, and needs access to our systems".
It never ceases to amaze me.
I've thought about this a fair bit over the years, and I think it's apart of the honour/pride culture, where they don't want to have to admit to their managers that they did something wrong, so instead of admitting it, then working to fix it themselves (even with my guidance), they'd rather give a relative stranger complete access. From what I read, this is the sort of cultural problem that was seen at Fukishima, an inability to admit when they were wrong, such that only dodgy patches are undertaken, or possible problems are covered up, to save face.
I know one time when I did this, it got back to us through our customer, that "their IT department had worked with us to resolve issues on our end", which cracked us up. For the sake of getting the job done, we don't care if we take the blame, we just want it up and running smoothly.
This is my footer. There are many like it, but this one is mine.
Man, that's a bit amateurish on the side of the phishers.
They had access to a *SONY* server. The same Sony who just admitted issues on their systems. Surely they should've just set up a fake phishing site imitating Sony? I mean, set up a realistic looking Sony form asking for way more information than you need, host it on Sony server so Sony's domain points to it, put it in a plausible looking path, and send out an email faking a Sony return address.
Honestly, this would present such a great phishing and drive-by-download install opportunity, I'm surprised they didn't use it. It originates from a Sony email address, the link points to a Sony server (and even if they type it in themselves, it's still Sony's domain), but a third party is really phishing that information. I'd guess you'd get a good chunk of people filling that information in. Forward them to the real Sony login page...
If they had access to the Sony SSL server... oh my.
Something like this would pass most of the basic sniff tests for phish emails and make it almost impossible to determine if it's really Sony or a phisher using Sony's server.
Don't give me that shit about being 'a different part of Sony
Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market. A few OEM products failed to reinstall after a PC repair. Neither MS nor the manufacturer could give me an explanation or solution. I have legit copies of Windows Vista Business and Windows 7 Professional purchased through the MSDNAA. I've lost access to that account(not a current student) and the product keys stored with it. No help there either
Should I avoid getting a xbox360? Where does that leave me if i wanna play games from this generation? PC? nope....I'd be giving into to Microsoft again. Oh, and Nintendo Wii is a joke.
I guess my point is that you can differentiate one product or service from another in regards to a big corporation. Do you think the guys tasked with improving the Windows user experience care about Xbox users? I doubt it, unless they're pushing for more seamless integration. Even then, theres another guy whose the "integration specialist"
I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does. Apple comes to mind, but still seems far fetched. Maybe we'll see Mitsubishi or some German company throw their hat in to the ring?
If someone had a product in development, we'd have heard their marketing machine start rumbling, but the lack of a third contender means that people are writing up business plans/proposals for VCs around the world. By day 30 of the outage people will be speculating what this third console will be.
moox. for a new generation.
LOL Yeah, I'm pretty sure that legally, I would have been liable, still. Even if they had of told me to wipe their drive, I'd probably still be liable, at least vicariously.
This is my footer. There are many like it, but this one is mine.
I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does.
Yes, that company would have been named Sega; they were the first to bring a console with an integrated modem and first to offer ethernet. Sony murdered them by knowingly publishing fraudulent specs for their console. I know I'm not the only one who didn't buy a DC because the PS2 was supposed to be better. The only way in which it was is that it was a DVD player... one of the worst ever made in terms of image quality.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Am i supposed to buy a Xbox360? I mean, MS has screwed me numerous times in the PC market...
Nothing you describe strikes me as anywhere near the malice of including a rootkit on a music CD, or removing a feature from a console which was a key selling point of said console, or the carelessness of exposing the sheer volume of personal information they have.
Should I avoid getting a xbox360? Where does that leave me if i wanna play games from this generation? PC? nope....I'd be giving into to Microsoft again.
Given that you need some sort of a PC -- that is, Personal Computer -- I don't really see how. You've still got Mac and Linux, and while I don't like the idea of paying for Windows any more than you do, it's at least an "open" platform in the sense that you get pretty much any indie game anyone wants to make for it.
Oh, and Nintendo Wii is a joke.
In what sense?
If it's graphics you care about, that's another point in favor of the PC, in theory. The problem here is that many modern games are designed for consoles, so there are a lot of PC games out there which, well, suck on the PC.
I guess my point is that you can differentiate one product or service from another in regards to a big corporation.
Yet what Sony's shown us lately is a lot of malice and contempt for their customers. Even if we ignore the rootkit, the PS3 shit so far has been far worse than Microsoft's typical MO.
For the moment, I'm alright with playing games on Windows using my "free" copy of Windows 7 provided by my school -- and I'm not likely to lose that product key, ever, Microsoft would have to actually invalidate it. Even here, it's the exception -- I booted Windows to play Portal 2, and then I went back to Linux. Busy as I am, I can't afford to spend much time gaming, which means I simply don't run out of games to play on Linux, DRM-free. It's not happening in the mainstream as much lately, but indie games seem to be using cross-platform support (Win/Mac/Linux) as a major selling point.
Whether they're from "this generation" depends what defines a generation. I mean, Aquaria is from 2007, years after this generation's consoles appeared -- and it's absolutely beautiful and really fun to play, and you absolutely should check it out, but it's still a side-scroller. Braid and Minecraft are like that, too -- not exactly state-of-the-art graphics, but cool concepts. Towards the higher end, there's stuff like Penumbra and Amnesia. And more than half the games I listed are open source, and I haven't even gotten into the well-known open source free-as-in-beer stuff -- Xonotic (was Nexuiz) is based on Darkplaces, which was based on Quake, but Nexuiz always felt like it had decently modern graphics, though most of it could be turned off for performance, and I imagine Xonotic will be the same. So there you go, there's even GPL'd games that could be considered "current-gen" unless you want to further define what you mean by that.
Don't thank God, thank a doctor!
I don't like Sony as a company, but this is one time I'm not sure if the claims against them are actually true. The article gave next to no details, and the site is already down so I can't look at it to see.
It's an Italian site and one of the words in the URL apparently translates to 'holder' - which makes me wonder if it was a development site that wasn't intended to be public. I'll admit it seems weird it's on a Thailand domain, but I would like a better explanation of what hdworld.sony is before I blame them for getting hacked. Are they providing shared hosting for some service and not checking the content regularly?
There just isn't enough information on this one.
This doesn't necessarily mean that Sony was hacked. Maybe Sony just decided to get into the phishing scam business...
First thing you should do is disable remote root login. Sudo motherfuckers, use it. If the logwatch server shows me you ran sudo su - , you get a swift fucking beating.
I don't want to do anything that goes past allowing us to talk to them, because if it's security related and I mess something up, or they don't understand what I've done, I could have created more of a problem for them. So I stay strictly to my mandate, and just comment on other things I find (these go ignored).
Because of the above mentioned security and IT problems, we don't trust them with anything valuable. I've seen this amongst many businesses, where Asian businesses aren't trusted to do any serious work, they just do the grunt work.
Usually they've just got integration problems (email, sftp, etc), as that's all that's needed for us, is the ability to tell them what to do. So, if someone breaks into their business and fucks their shit up, it doesn't really affect us, unless they also fucked up the hands of the workers on the floor, and the basic printed plans they have. Our IP, isn't really worth stealing, we're not Apple/Google/etc, so that wouldn't matter either.
This is my footer. There are many like it, but this one is mine.
I was being rather flippant.
I have worked in similar conditions and had to teach some nice Indian fellows how to make and use client side certs. Ended up basically doing for them. Their company had proposed using it for a job they were doing for a big box vendor we have as a customer. When they won the bid our customer, the big box, came to use and paid us to support this new marvel of security. As it turns out all the Indian contractors are swapped out so quickly the ones who bid knew how to do this and their replacements did not. I did not find this out until after had one of those "No, problem on your side" events you described.