Home Business IT Security Sony falls victim to ANOTHER simple SQL injection attack

Subscribe now and get the news that matters to your industry.

* Your Email Address:
* First Name:
* Last Name:
Industry:
Job Function:
Australian State:
Country:
Email marketing by Interspire
weebly statistics

This is becoming something of a broken record.  Did any part of Sony have a clue about protecting their on-line assets?

Overnight, we hear of the latest attack on Sony.  This time, although the hackers claimed they could have taken "the farm" they didn't due to lack of time and disk space.  What a relief!

The group, calling itself LulzSec announced via their "Pretentious Press Statement" that they managed to break into SonyPictures.com and accessed, "over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons."

They continue, "SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.  From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Why indeed.

The group also observed that none of the data was encrypted in any way and even user passwords were stored in plain text' a major problem for the privacy and identities of the affected customers.  More information on what was exposed (and a sample of the data extracted) may be found on the LulzSec website (iTWire does not intend accessing any of it).

Chester Wisniewski of Sophos observed the counter-point of the attack, "Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point."

That's certainly true, but when a company as large as Sony is susceptible to a trivial SQL Injection, there's something seriously wrong.  To counter his own statement, Wisniewski  also noted, "Companies collecting information from their customers have a duty to protect that information as well."  Mind you, if a reader were to look at Wisniewski's blog, clearly he did look at the stolen data.

Sony has brought in at least three external security organisations to improve things and also hired a CISO to manage the process.  Let's hope they start to fix things before they get worse.

 

PROTECT YOURSELF AGAINST BANDWIDTH BANDITS!

Don't let traffic bottlenecks slow your network or business-critical apps to a grinding halt. With SolarWinds Bandwidth Analyzer Pack (BAP) you can gain unified network availability, performance, bandwidth, and traffic monitoring together in a single pane of glass.

With SolarWinds BAP, you'll be able to:

• Detect, diagnose, and resolve network performance issues

• Track response time, availability, and uptime of routers, switches, and other SNMP-enabled devices

• Monitor and analyze network bandwidth performance and traffic patterns.

• Identify bandwidth hogs and see which applications are using the most bandwidth

• Graphically display performance metrics in real time via dynamic interactive maps

Download FREE 30 Day Trial!

CLICK TO DOWNLOAD!

ITWIRE SERIES - IS YOUR BACKUP STRATEGY COSTING YOU CLIENTS?

Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup

FIND OUT MORE!

David Heath

joomla statistics

David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.

Connect