The Core Issues
Sony was attacked in a number of areas, including its website, network and gaming platform. The hackers from the Lulz hacking group had decided that Sony was fair game because of its lax security, and indeed they claimed that the objective was to prove that the Sony systems were easily breakable. They published names, personal details and user account details of people entering contests provided by Sony.
Several security problems were identified simply by entering specific searches in Google. Research undertaken by John Bumgarner of the United States Cyber-Consequences Unit (US-CCU), an independent research institute, identified numerous exploitable loopholes in various pages on Sony websites. The Java security console was easily accessible on several web pages. This console provides access to underlying functions of the website, including information, and is normally unavailable on a secure web server. Another problem was that access to the identity management system was easily available and indexed by Google.
The information gleaned from these lapses could be used to access servers, databases and other high-value security resources. It seems that in the case of Sony, the hackers could access virtually any technology they wanted within the Sony infrastructure.
It has been stated that the security levels and infrastructure of an organization like Sony, which holds several million accounts, should (ideally) be comparable to those of an organization such as the Department of Homeland Security. Specifically, the list of issues included the following:
- Access available to the Sony management console.
- Sony network sites such as Sony Corporation of America, Sony Electronics, Sony Pictures and old websites such as Sony Santa, including personal information, were all accessible.
- Employee information available via an access point in the identity management system.
- Information available on IT managers which could be exploited to launch phishing attacks on the sites.
- Hidden files could be accessed containing items such as links to password protected applications.
- Servers providing information on Sony customers linking their information to Facebook.
- The Riverbed Technology security management appliance had a user-id already populated, accessible to anyone through one of the Sony servers.
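
As an added example (not from the original article and not based on Sony's actual systems), the following Python script shows how a site owner could check their own web server access log for the condition described above: management or identity pages served to search engine crawlers without authentication, and therefore indexable. The path prefixes, crawler tokens and log lines are constructed assumptions.

```python
import re

# Hypothetical path prefixes the site owner treats as management-only (assumption).
SENSITIVE_PREFIXES = ("/console", "/admin", "/manager", "/idm")
# User-agent tokens of search engine crawlers to look for.
CRAWLER_TOKENS = ("googlebot", "bingbot")

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [01/Jun/2011:10:00:05 +0000] "GET /console/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [01/Jun/2011:10:00:09 +0000] "GET /idm/users?page=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [01/Jun/2011:10:00:12 +0000] "GET /admin/ HTTP/1.1" 403 300 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Jun/2011:10:01:00 +0000] "GET /console/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

def crawler_exposures(log_text):
    """Map each sensitive path served with a 2xx to a crawler -> list of timestamps."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0].lower()
        ua = m["ua"].lower()
        if not any(tok in ua for tok in CRAWLER_TOKENS):
            continue
        if not any(path.startswith(p) for p in SENSITIVE_PREFIXES):
            continue
        # A 2xx means the page was served without authentication, so it can be
        # indexed. A spoofed crawler UA still proves the page is reachable.
        if m["status"].startswith("2"):
            findings.setdefault(path, []).append(m["ts"])
    return findings

if __name__ == "__main__":
    for path, seen in sorted(crawler_exposures(SAMPLE_LOG).items()):
        print(f"{path}: served to a crawler {len(seen)} time(s), first at {seen[0]}")
```

Any path this reports should require authentication before content is returned; a `robots.txt` entry alone only asks crawlers not to index it.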