Perimeter
5/20/2011
02:59 PM
Rob Enderle
Rob Enderle
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Sony A Poster Child For Self-Destructive Security

Sony has repeatedly made poor decisions in security and control -- costing the company billions of dollars and giving critical markets it once controlled to Apple, Microsoft, and Nintendo

It is hard to not feel sorry for Sony.

Here is a company that owned the personal technology market in the '90s before Steve Jobs took over Apple, and then gave that market to Apple on a platter because of some misguided security solutions. Over the years in its attempts to secure control of its platforms, Sony has reduced its profits and gone into a long, slow decline. Finally, and recently, its current security breaches seem to be the result of Sony's trying to once again overly secure its consumer products and, in this case, undersecure its environment.

I’ve been watching Sony for a number of decades, and have seen it make incredibly foolish security decisions that, while they often accomplished the goal, also did horrid things to profits and revenue.

In the game console market in the '90s, for instance, there was an aftermarket product that allowed kids to play PlayStation games on their PCs, and Sony moved aggressively to kill it. Now recognizing that game consoles are sold at a loss, in the case of the latest platform, that loss was initially estimated at more than $500 per console. The companies make this up by getting royalties on the games. So you would think that every customer who bought something that consumed these very profitable games and eliminated the very unprofitable game console sale would be welcomed with opened arms. Not so with Sony.

Sony could have bought or emulated this technology and put it into its own PCs, giving those products an advantage in market. That would have made the game division more profitable and also would have benefited the VAIO division. But the two historically don’t like each other enough to coordinate a solution that would benefit both. In short, in order to secure the control of the game player, Sony gave up revenues and profits.

A few years after Sony had acquired a massive stake in music and movie properties, the company had the opportunity to create an ecosystem where Sony buyers could get easier access to this content. But Sony was so worried about theft that it wrapped the content and the Sony players with massive Digital Rights Management solutions, and even put rootkits onto music CDs, which opened PCs up to attack and had a number of prominent technology advocates calling for a general Sony boycott.

Apple, which had no content, took the market easily from Sony by providing a vastly better user experience and showcasing that Sony was its own worst enemy.

Now fast-forward to Blu-Ray, where the market was getting ready to move to the vastly less expensive and easier-to-use HD-DVD format. Sony bought the market for hundreds of millions of dollars in order to control the spec, put the hardware into its PlayStation 3, which caused it to be priced out of the market, stalled the move to HD on disks -- and now the market is moving to steaming and bypassing HD disks. The cost of this in terms of hard cash and lost revenue (Sony gave up game console market leadership to Nintendo and Microsoft) has to be in the billions.

And because Sony wanted to keep a single programmer from restoring a little-used Linux option that was discontinued in the PlayStation 3, Sony pissed off a large number of hackers who then attacked Sony. But that wasn’t the whole story: Evidently, Sony had been running unpatched and unsecured Apache servers for months, and this was widely known. Given how rabid Sony was about controlling its own stuff, one of the only conclusions you could draw is that the reason it didn’t properly secure its customer’s data is because it wasn’t Sony's data. Makes you feel warm and fuzzy about Sony, doesn’t it?

In other words, it never stepped back from the decision and looked at the total cost benefit analysis.

Sony hasn't shifted its PlayStation billing system and repository to a secure hosting company likely because it thinks it's maintaining control and containing costs, when instead it's on a path to go out of the gaming business. These are all penny-wise, pound-foolish decisions, and we should learn from them so we can both warn others and avoid them ourselves.

Just remember Sony, the company that pretty much has security'ed itself to death.

--Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.