Letter to Sony
Dear Sony,

   It's been a rough spring for you, hasn't it?  First, back on April 19 attackers broke into your online PlayStation Network and Sony Online Entertainment network and took the personal information and credit card numbers of 100 million of your customers.  So you had to shut down these networks to try to fix the issues, and only now are they starting to come back online.  Yet you didn't tell anyone about it until a week later.  And even though you said it was a "highly targeted and sophisticated cyberattack", it doesn't appear to have been that sophisticated at all, but instead appears to have been just SQL injection attacks {Chapter 3 Security+ 3ed}.

  And then this week another group broke into several of your Sony Pictures websites and accessed unencrypted personal information on over 1 million of your customers, including their names, addresses, phone numbers, e-mail addresses, and passwords--and then posted this information on the Internet for everyone to see.  And what's worse, you had over one million customer passwords stored in cleartext and not even encrypted {Chapter 11 Security+ 3ed}.  The attackers also claimed they had managed to compromise administrator passwords and steal 75,000 "music codes" and 3.5 million "music coupons" from Sony networks and websites.  And again a simple SQL injection attack was used.  

   So what were you thinking?  Don't you do penetration testing on your own systems to check for things like SQL injection attacks?  Shouldn't you inform customers immediately if there has been a security breach?  And don't you know to encrypt sensitive information?

   Sony, you really do need to stay secure!

http://community.cengage.com/infosec