Sony is either the most unfortunate or the most careless company to fall for simple SQL injection attacks – again and again, says Eric Doyle
Sony’s hack-target misery has reached a new low as a group of cyberpunks has published several lists with extracts from over a million compromised user accounts it claims to have stolen from SonyPictures.com.
If Sony were a boxer, it would be punch drunk by now after so many beatings in the past six weeks. Just as the company got its PlayStation Network sites back up and running on 2 June, it is back on the ropes, hit by another sucker punch.
SQL Injection? What A Lot Of Pricks
Once again the winner is SQL injection, one of the most rudimentary hacks around. It does not take a genius to launch an attack and protection is well-documented but the fact that the stolen data was unencrypted made the exploit even easier.
Sony Pictures, Sony PlayStation Network, Sony BMG Music Entertainment, Sony Qriocity, the Sony-run Japanese service provider So-net, the Canadian Sony Ericsson eShop, and a company server in Thailand have all been hacked in the past six weeks.
In typical lethargic style, Sony has yet to confirm or deny that the data from the latest exploit belonged to its site, but the lists that were published on the hackers’ Lulz Security (LulzSec) site certainly looked genuine.
To paraphrase Oscar Wilde: to lose one database may be regarded as a misfortune; to lose so many looks like carelessness. Surely, the company realised that after one successful hack it would become a target for every cyberpunk looking for street cred and had better get all of its houses in order.
Obviously not. So along comes the pirate ship Lulz (the plural of the acronym lol or “laugh out loud”) to give Sony Pictures a jolly rogering. The booty not only included a million user account details but also its database structures, administrator details (including passwords) and access to Sony special discount vouchers – 75,000 music codes and 3.5 million music coupons.
So much was available to LulzSec that it had to make do with the million or so user accounts and leave the rest to any foolhardy hackers who might follow in their wake.
LulzSec does not pose as a highly specialised crew and, before its closure, the website humbly proclaimed:
“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned [hacked] by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
This should be essential reading for the government bodies that are investigating Sony’s culpability.
LulzSec Site Blocked
The user accounts which were on display until the site was blocked around 04:00 GMT on Friday were a mixed bunch. Most were linked to special Sony promotions and competitions. One list disclosed only usernames and passwords, but others contained addresses, dates of birth and phone numbers: enough detail for malicious social engineering or spear phishing attacks.
Even more worrying is that many people use a single username/password combination for all of their accounts, so it was all the more important for Sony to act swiftly and notify its trusting customers that something was awry.
To take so long to admit or deny ownership of the stolen details is bordering on the criminal. The only defence that springs to mind is that the lack of confirmation casts doubt on the veracity of the data while the company contacts the victims – but Internet crime rings are not going to sit around waiting for Sony.
Whether this will hurt Sony in the long run has yet to be seen, but many PlayStation Network users will want to play online games and will not desert the Japanese company.
It does cast a shadow over closed markets such as the Sony Network, where users have no other option to gain access to resources. Just imagine if, instead of Sony, it was Apple’s App Store that had been hacked. Hundreds of millions of iPhone, iPad and iPod users would have been without access to their app downloads and, once the site was fixed, device owners would have little choice but to sign up again with a company they had come to distrust rather than trashing their expensive hardware.
But that would never happen, would it?