Sony PSN Hacked Again; 100-M Users' Info Stolen

NEW YORK — Sony Corp has been hacked again, exposing more security issues for the company less than a month after intruders stole personal information from more than 100 million online user accounts.

A hacked page on a Sony website in Thailand directed users to a fake site posing as an Italian credit card company. The site was designed to steal information from customers, Internet security firm F-Secure disclosed on Friday.

It is the latest in a series of security headaches for Sony, which discovered in April hackers had broken into its PlayStation Network and stole data from more than 77 million accounts. On May 2, Sony disclosed hackers had also stolen data from about 25 million user accounts of the Sony Online Entertainment website, a PC-based games service.

The PlayStation attack, considered the biggest in Internet history, prompted the Japanese electronics giant to shut down its PlayStation Network and other services for close to a month.

"It's a Sony security issue," said Jennifer Kutz, a representative for F-Secure, referring to the fraudulent website.

The latest hacking, which the security company said occurred separately from the April attack, was reported just hours after Sony told customers of another breach on one of its units.

So-Net, the Internet service provider unit of Sony, alerted customers on Thursday that an intruder had broken into its system and stolen virtual points worth $1,225 from account holders.

Critics have slammed the company for not protecting its networks securely and then waiting up to a week before telling its customers of the attack and the possible theft of credit card information, prompting lawmakers and state attorneys general to launch investigations.

Security experts said they were not surprised that the electronics company has not yet fixed weaknesses in its massive global network. Earlier this week, Sony shut down one of its websites set up to help millions of users change their passwords after finding a security flaw.

"Sony is going through a pretty rigorous process and finding the holes to fill," said Josh Shaul, chief technology officer for computer security firm Application Security Inc.

"The hackers are going through the same process and they're putting their fingers in the holes faster than Sony can fill them."

"What we've done is stopped the So-Net points exchanges and told customers to change their passwords," So-Net said in a statement in Japanese to consumers.

About 100,000 yen ($1,225) was stolen from accounts that were attacked. The company said there was no evidence other accounts in the online system had been compromised.

"At this point in our investigations, we have not confirmed any data leakage. We have not found any sign of a possibility that a third party has obtained members' names, address, birth dates and phone numbers."

Security experts have told Reuters Sony's networks around the world remain vulnerable to attack.

Sony's string of security problems could be attracting more hackers to attack its networks.

"I think it's now 'I'm a hacker and I'm bored, let's go after Sony,'" Shaul said.

A Sony representative in the United States could not immediately be reached for comment.

Sony Turned To Rootkits Again?

Sony’s problems with PlayStation 3 began when its root keys were discovered and published in the Internet. Today the company is making another effort to fight against jailbreakers – the rumors are that Sony is using the latest firmware update to upload rootkit on to the console in order to spy on users.

In fact, it seems like the troubles of 2005 are all over again. 6 years ago Sony tried to curb music piracy of its albums, encoding the CDs with the infamous SunnComm/MediaMaxx technology, which was highly questionable under law. Actually, the mentioned technology installed a rootkit on to users’ PCs, unable to be detected by any anti-virus and anti-spyware software. Once this was discovered in the technology, virus writers simply hid their malware in rootkits and anti-virus software had no power against it. In other words,

Sony’s protections schemes went too far, which led to litigation in many countries. Finally, by 2007, the lawsuits against the company were settled.

Now the situation is similar: after the root keys to Sony’s PS3 had been posted online by a user nicknamed GeoHot, it became clear that games not authorized by the company can now be played. The company required that the tools used to find the root keys be handed over, but the user said it makes no sense because the keys are now public.

Although it seemed like there’s little Sony can do about it, it was wrong. CNet suggested that the company has been distributing a new firmware update, which is reported to contain rootkit technology, again. It would spy on users’ consoles to make sure they are playing only authorized games. Meanwhile, the report of CNet mentions that Sony has yet to activate this code.

If it is really so, this could cause more legal problems for the company. First of all, the very idea that some piece of software could spy on gamers will raise several legal privacy concerns. So far it is doubtful that such technology would be legal in the United States. Meanwhile, Canada has even tougher privacy laws, which also decreases the chances of such scheme being legal. By the way, privacy concerns became a huge problem for the company in Canada 6 years ago.

Actually, it’s really quite striking that the company might even consider choose this way again. If Sony really decides to try this, it would have to go over privacy legislation in every country to ensure it isn’t breaking any laws, at the very least.