Security Market Segment LS
Friday, 03 June 2011 13:02

Sony falls victim to ANOTHER simple SQL injection attack

By

This is becoming something of a broken record.  Did any part of Sony have a clue about protecting their on-line assets?

Overnight, we hear of the latest attack on Sony.  This time, although the hackers claimed they could have taken "the farm" they didn't due to lack of time and disk space.  What a relief!

The group, calling itself LulzSec announced via their "Pretentious Press Statement" that they managed to break into SonyPictures.com and accessed, "over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons."

They continue, "SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.  From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Why indeed.

The group also observed that none of the data was encrypted in any way and even user passwords were stored in plain text' a major problem for the privacy and identities of the affected customers.  More information on what was exposed (and a sample of the data extracted) may be found on the LulzSec website (iTWire does not intend accessing any of it).

Chester Wisniewski of Sophos observed the counter-point of the attack, "Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point."

That's certainly true, but when a company as large as Sony is susceptible to a trivial SQL Injection, there's something seriously wrong.  To counter his own statement, Wisniewski  also noted, "Companies collecting information from their customers have a duty to protect that information as well."  Mind you, if a reader were to look at Wisniewski's blog, clearly he did look at the stolen data.

Sony has brought in at least three external security organisations to improve things and also hired a CISO to manage the process.  Let's hope they start to fix things before they get worse.

 

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments