Print 60 comment(s) - last by BansheeX.. on Jun 7 at 8:01 PM

Another day, another SQL injection exploit

Just when Sony appeared to be getting back on the right track with the full restoration of its PlayStation Network, LulzSec struck again hitting Sony right between the eyes. The group once again used an SQL injection tactic to gain access to the Sony Pictures account database.

This time around, LulzSec manage to obtain:   

  • 1 million user accounts (including passwords, email and home addresses, and data of birth)
  • All admin account details and passwords
  • 75,000 music codes
  • 3.5 million music coupons

In addition, there was even opt-in data that was accessible, which gives even more information about Sony's customers and their preferences.

The part that amazes LulzSec (and us for that matter) is that fact that Sony stored all 1 million user passwords in simple plain text files -- no encryption whatsoever was used. "It's just a matter of taking it," stated LulzSec in a press release. "This is disgraceful and insecure: they were asking for it."

The group went on to express its disdain for Sony and its security practices (or lack thereof): 

Our goal here is not to come across as master hackers, hence what we're about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? 

LulzSec has provided evidence of their latest "Sownage" on its site, which can be accessed here.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Sony Press Conference in 5, 4, 3, 2, 1..... Lol
By bgm063 on 6/2/2011 6:46:01 PM , Rating: 2
Okay, I don't know if we'll be seeing one soon, but they really need to apologize to the hacker community or somebody because Sony is looking more and more like a bunch of fools here with each new hack...

RE: Sony Press Conference in 5, 4, 3, 2, 1..... Lol
By JakLee on 6/2/2011 6:50:44 PM , Rating: 4
ok - this went from Funny that Sony was so pathetically protected and got kicked in the face, to disgusted that they were so shoddy and angry at these types of things happening, back to funny. How bad can this get? Everytime I look Sony is back to dropping something..... this is like one of those accidents that is horrible yet you can't stop watching....

By phatboye on 6/2/2011 8:23:42 PM , Rating: 5
What I don't get is why don't they just take down everything with user info on it. Don't put it back up until there is a security review.

By geddarkstorm on 6/3/2011 5:13:20 PM , Rating: 3
Obviously their common sense was hacked and stolen a long time ago.

By wvh on 6/4/2011 1:15:04 PM , Rating: 2
I'm a sys/network admin and used to work as security consultant doing penetration testing. Checking shitloads of crappy code spread over many systems and services takes a long time. We shouldn't doubt the quality of the code that gets Sony hacked over and over again isn't exactly top-shelf. Wading through other people's code – produced by some out-sourcing, uncaring and unrelated company that was pressed for time and eager for the pay check – isn't easy. You need to analyse the architecture, the network, the setup of individual systems and their services and daemons, the code itself including the choice of libraries and frameworks, and all this in different languages on different operating systems written by different (in general mostly incompetent) people.

That's not mentioning it might be easier to get access by hacking the systems yourself than to find out who legitimately can give you access to which systems and networks. It wouldn't be the first time that all employees that worked on the systems have left, the out-sourcing company that built them doesn't exist anymore, and no manager remembers anything about any setup or passwords.

Unplugging and redoing everything isn't exactly a 5 minute job, so I guess Sony – being focussed on making profit – doesn't want to put down all of their services for an indefinite amount of time.

By Darkefire on 6/2/2011 7:20:37 PM , Rating: 3
Forget a press conference, given the events of the past couple of months I wouldn't be surprised if they had their entire IT staff commit seppuku on national TV. This is Network Security 101, storing passwords and user info as plain text is about as secure as leaving a key under the doormat or putting the valet key to your car in the (unlocked) glove compartment.

By danobrega on 6/2/2011 8:37:57 PM , Rating: 5
IT is not responsible for sql injection vulnerabilities. Its the web and db development teams fault.

By vision33r on 6/2/2011 8:56:28 PM , Rating: 1
It is IT's fault. Since they are the gatekeepers.

By RadnorHarkonnen on 6/2/2011 10:01:34 PM , Rating: 2
Its not the fault of IT,DB or Web Dev. As i said before Sony is a mesh of (outsourced) companies. Different companies probably did the different parts of the web site/DB/network and systems infrastructure. And i bet they did it according to Sony requests.

Encrypted data ? Adds too much overhead on multi-sites, whether its a replication, backups or just IO. You save on CPU,HDD and RAM. Weak Security ? Lousy contract.

They entered by a simple SQL injection. Afterwards they just went nicely through the network and systems infrastructure and basically downloaded everything in plain text. Sony just saved major dollars on R&D(DB,Web), deployment and infrastructure (network and systems) and maintenance (Network/Systems/DB/Web).

IT are the gatekeepers yes, but i believe there is none in this case. You might have one problem, a crack on your armor in one point, but from what I've read, Sony had no armor. This was almost child's play.

By EricMartello on 6/3/2011 1:34:22 AM , Rating: 4
SQL Injection attacks can be avoided with simple input scrubs on the data. Anyone running a popular website should be sanitizing user input fields and stripping unauthorized commands.

When I program a site that accepts user data, I use a simple exclusion process where the data for the particular field must conform to a specific format else it is rejected. So for example, the ZIP code field could be like 10 alphanumeric chars only, and everything else would return an error.

It's not really hardcore security that will cause's common sense.

By RadnorHarkonnen on 6/3/2011 4:30:54 AM , Rating: 2
I a am more a Network and sys admin, but as far as i know, web implementation on a larger scale is segmented on different "sites" with different "parts" of the site in a layered approach. One of the reasons we do this is to load balance between "sites" and another is security. You can't Query/DDoS the total DB/Web, because of its layered approach.

I've been a sys admin for some time now, or working indirectly through various forms, and honestly while attacks are quite frequent, never had this type of problems. And surely not this massive.

By EricMartello on 6/3/2011 6:40:20 AM , Rating: 2
Load balancing happens on the back end, and smart companies would use a reverse proxy like nginx...but that is the infrastructure level and SQL injection is an application level attack.

SQL injection is an exploit within HTML code and the server's particular script engine (i.e. PHP,ASP,CF) where the hacker can actually use non-santized input fields to execute arbitrary SQL queries.

For example, if you have a field for "first_name" on a web form which gets POSTed to the server, the value of "first_name" could be an arbitrary SQL query if the data is not cleaned by the application first, simply by issuing a command that tells the script to execute only the submitted "hack" code while ignoring the actual remaining code within the script. Since all script engines have standard SQL functions built in, that's how you can access passwords and dump the entire database.

By inighthawki on 6/2/2011 8:48:21 PM , Rating: 2
No, it's more akin to placing the key next to the lock with a large sign that says "KEY HERE ->"

By Samus on 6/3/2011 1:15:51 AM , Rating: 3
Or just leave the key in the lock like Homer Simpson asking to get hit by the Cat Burgler!

By RW on 6/2/2011 7:22:51 PM , Rating: 1
Once I did asked myself why is SONY in such a big trouble ?
Then I realized why, the fact is that when you're meshing with the bests the bests are meshing with you, that's why.

By icanhascpu on 6/3/2011 4:44:27 AM , Rating: 2
Really? We're gonna equate this to terrorism now? LOL

Showing people how shitty and how little Sony cares about your vital information. I guess that IS a terror to some ignorant saps.

But to a degree I agree; Sony need not sorry it up to anyone on the scene, they should be saying sorry to their consumers. As it is I know people are going to boycott sony even more than ever, and they have good reason.

The truth will out.

By Reclaimer77 on 6/3/2011 12:16:19 PM , Rating: 2
As far as I know, there is no law that puts the blame on Sony here. You COULD argue negligence, but again, there are no legal standards for required security. Hacking and stealing private information, is of course, illegal. This is a no brainer.

Sony is most certainly being terrorized by this group, how you can look at it any other way only shows bias.

What should Sony apologize for exactly? Being hacked? Having exploitable security? Technically there is no such thing as a hack proof system if it's connected to the Internet in any way.

This is just more anti-corporatism. If Sony was a small company, they would be pictured as the underdog being kicked around by the mean old hackers. But because Sony is a multinational conglomerate, the hackers are almost looked upon as vigilantes for truth and justice, and Sony the big bad fatcat who needs to be taken down a few pegs.

Hacking is illegal, and this group has hurt millions of innocent individuals who have NOTHING to do with Sony or their quarrel with them. Any other opinion is simply wrong.

By JDHack42 on 6/3/2011 1:45:55 PM , Rating: 1
As far as I know, there is no law that puts the blame on Sony here.

Look up SAS70 audit standards. These apply to data centers. Now if the servers were hosted outside the US, maybe the standards don't apply.

By geddarkstorm on 6/3/2011 5:22:53 PM , Rating: 2
There's a difference between things being impossible to hack proof and someone making it through your best defenses with some clever tricks; and simply NOT HAVING DEFENSES.

There WAS no security to speak of, that's the point. Here we consumers are, being forced to give out private information so we can use the company's resources, and that company is doing nothing to safe guard this information which could be used to compromise other more important accounts. This is gross negligence. How easy would it be for another amoral company, or country, to steal this information quietly and use it for their gain, without anyone noticing? Lulz announced it on purpose, to get Sony to actually protect its stuff.

Heck, you can encrypt files on your home computer with three or four simple clicks under Windows 7. Sony has no excuse of any sort to leave such important personal data in plain text.

By The Raven on 6/3/2011 10:34:13 AM , Rating: 1
They shouldn't negotiate with terrorists. It gives them credibility

Umm... these attacks give them credibility. Sony is the one without credibility.

Go out there and give 110% while you are at it lol.

By chick0n on 6/3/2011 8:02:11 AM , Rating: 2
why would they need to apologize to them ?

so if some serial killer keep killing people, nobody knows who he/she is, he/she is running loose all the time and challenge everybody with a "catch me if you can," we should beg/apologize to them saying that "oh please don't kill anymore, we're sorry that we're trying to catch you"

Sony is a bitch I know, but that does not mean these people have to right to do all these shit.

What Sony did wrong was they hired a bunch of idiots who can't secure shit. maybe they should hire me instead, I'm sure I know how SQL injection works and I'm sure I will encrypt all passwords and crap.

By dagamer34 on 6/2/2011 7:56:33 PM , Rating: 4
If they ever catch these idiots, expect some jail time.

Just because a company has shitty security doesn't give you the right to hack it for lulz (pun intended).

RE: Yep
By 2bdetermine on 6/2/2011 8:26:19 PM , Rating: 4
Talking about “idiots” if the company are so competent, these idiots wouldn’t be able to compromise they system in the first place.

RE: Yep
By Reclaimer77 on 6/3/2011 1:00:31 PM , Rating: 4
Talking about “idiots” if the company are so competent, these idiots wouldn’t be able to compromise they system in the first place.

That's not a valid argument, sorry. If I think the locks on your house aren't good enough, that doesn't give me the right to bash them in and break into your house.

RE: Yep
By geddarkstorm on 6/3/2011 5:27:47 PM , Rating: 1
If you leave the keys to your car in the ignition and the engine running, then you are also held responsible if it gets stolen. Insurance sure won't pay you a dime, as the blame is equally on you.

What Lulz is doing is forcing Sony to actually use the most basic, simplest security measures to protect consumers; before someone with nefarious intents actually come along and take that information. If it hasn't happened already.

RE: Yep
By jkostans on 6/2/2011 8:30:12 PM , Rating: 5
Well I'm glad they are at least opening the eyes of people who blindly trust these companies with their private information.

RE: Yep
By danobrega on 6/2/2011 8:40:53 PM , Rating: 3
If they were real idiots, they would steam the information and not leave a trace. Then they would use the info to profit at the Sony's consumer expense.

All they did was expose Sony's faults.

The question is:

What if the data been stolen BEFORE without anyone knowing about it?!

RE: Yep
By Motoman on 6/3/2011 9:19:24 AM , Rating: 3
Ding ding ding!

These guys are doing this to show the world how stupid Sony is...we have no reason to believe that someone else didn't already hack Sony and just not tell us about it.

RE: Yep
By TSS on 6/2/11, Rating: 0
Get off the internet!
By BugblatterIII on 6/2/2011 7:12:44 PM , Rating: 2
If you get mugged eight times walking through the park you stop walking through the park until you've got some protection.

Sony can't fix all of their SQL injection vulnerabilities overnight, but given that they're the hackers' whipping boy they should take down all of the sites that have the vulnerability BEFORE they get hacked!

But it'd cost them money so they'd rather leave our data at risk.

And SQL injection attacks? Seriously? That's the FIRST thing you learn to protect against! And it's EASY!

RE: Get off the internet!
By MeesterNid on 6/2/2011 11:41:10 PM , Rating: 2
And SQL injection attacks? Seriously? That's the FIRST thing you learn to protect against!

Yes, indeed! But in an outsourced sweatshop setup, where you're mostly worried about making some artificial deadline so you can eat that week, who has the time to scrub query parameters?!

RE: Get off the internet!
By omnicronx on 6/3/2011 1:22:05 AM , Rating: 2
Sony can't fix all of their SQL injection vulnerabilities overnight, but given that they're the hackers' whipping boy they should take down all of the sites that have the vulnerability BEFORE they get hacked! But it'd cost them money so they'd rather leave our data at risk. And SQL injection attacks? Seriously? That's the FIRST thing you learn to protect against! And it's EASY!
You are making it out to be some generic vulnerability, but it only takes one line of poorly written sql and most likely had nothing to do with the previous injection attacks.

I would be very interested in knowing where the actual attack occured. If it was something as simple as a logon form, Sony should be ashamed, third party services or not..

RE: Get off the internet!
By BugblatterIII on 6/3/2011 4:04:03 AM , Rating: 2
I manage a team of 7 developers that have written a number of commercial websites. There's not a single line of code that selects directly from a table (or inserts, deletes, updates).

All data access is done through stored procedures, and it's the middle-tier that calls them, the websites call the middle-tier through a web service so the websites have NO direct database access. The middle-tier has NO table-level access; it's only able to call the specific stored procedures it needs. Don't give the middle-tier select permissions and the devs have no choice but to do it properly.

All stored procedures are called using parameterised through using ADO.NET, which therefore protects us from SQL injection attacks.

None of this is at all difficult and prevents that one line of poorly-ritten SQL.

We don't even hold credit card details on our servers (and Sony didn't need to either), but we still take these basic steps to protect our data (oh, and we have firewalls!).

It's shameful that Sony doesn't do the same. My data was amongst that stolen.

Plain text...
By Aihal on 6/2/2011 6:51:54 PM , Rating: 3
It's unbelievable. I have more chances of having my info safe in a freaking small community phpbb based forum than in the servers of a multinational corporation.

SONY really dropped the ball here.

RE: Plain text...
By someguy123 on 6/2/2011 7:31:32 PM , Rating: 2
Sad thing is that if sony never removed linux support from the ps3 these gaping holes in security would've never been brought to light. Yes, I know linux is just an excuse now to ruin sony's day, but it's what started this whole fiasco.

Who knows how much if this information has been leaked over the past few years and just not waved in the public eye?

RE: Plain text...
By kerpwnt on 6/3/2011 10:31:29 AM , Rating: 2
I think the thing that really put the bullseye on them was their lawsuit against George Hotz. They attacked a hacker with lawyers and the hacker community responded. Hackers don't have an army of lawyers and lobbyists, so they did what they know how to do.

eh, typical.
By choirbass on 6/3/2011 12:14:28 AM , Rating: 2
not surprised sony was hacked again. 'any' company that puts its main emphasis on just making money, to satisfy shareholders, quickest growth possible, is just asking for this.

making money is capitalist, that not the issue.. but when you make money at the needless expense of otherwise valuable integrity, stuff like this is bound to happen eventually.

hopefully sony learns from this mistake, its simply too 'important and powerful' not to. and if they dont learn what they should, sony is just going to keep falling farther and further down.

RE: eh, typical.
By gamerk2 on 6/3/2011 9:11:04 AM , Rating: 2
not surprised sony was hacked again. 'any' company that puts its main emphasis on just making money, to satisfy shareholders, quickest growth possible, is just asking for this.

So...every coorporation is asking to be hacked? What coorporation is NOT focused on maximizing shareholder value?

RE: eh, typical.
By Uncle on 6/4/2011 12:25:48 AM , Rating: 2
"sony is just going to keep falling farther and further down. "

By Roy2001 on 6/2/2011 6:34:25 PM , Rating: 4
or you will have more trouble :)

By greylica on 6/3/2011 8:05:15 AM , Rating: 1
You sir, deserves 8 !

By icanhascpu on 6/2/2011 6:56:48 PM , Rating: 1
Hopefully this past month is the kick in the ass Sony needs to understand what it means to be secure, and its consumers to understand how much effort Sony put into it in the past.

Also maybe other companies will take a note and start to get some activity going in their own security. The bottom line to all of this for the consumer is better security, though ignorance of the general populous to some extent is being destroyed, so sorry about the bliss thing.

RE: Good
By OAKside24 on 6/2/2011 7:54:33 PM , Rating: 2
Hopefully this past month is the kick in the ass Sony needs to understand what it means to be secure, and its consumers to understand how much effort Sony put into it in the past.

That's we were all hoping last month...

RE: Good
By icanhascpu on 6/3/2011 4:40:36 AM , Rating: 2
Take longer than a few months for big slow stupid corporations to get the ball rolling.

Plain Text?!
By derricker on 6/2/2011 8:54:20 PM , Rating: 2

RE: Plain Text?!
By BansheeX on 6/7/2011 8:01:03 PM , Rating: 2
I know, a child could do this.

By GTVic on 6/3/2011 1:54:54 PM , Rating: 2
I think this is a case where the hacker is trying to embarrass Sony but he's going after secondary systems, its not like he's hacking the PSN network that was just rebuilt.

RE: Secondary
By Jalek on 6/3/2011 4:42:07 PM , Rating: 2
In a logical twist, they probably see this as helpful. They're reminding Sony that they have servers everywhere, and when their CIO said they weren't convinced that unpatched server software was a problem, they now have problems everywhere.

If it convinces Sony that laying off IT and development people to hire new teams of lawyers isn't always the best path to future profits, then it's probably a net positive.

By Chaser on 6/4/2011 12:21:18 PM , Rating: 1
1. I'm growing tired of the sensationalizing of these sour grape sociopaths. They are angry lifeless cry babies that otherwise have lives beyond their keyboards and their their comic book t shirts. Ahhh upset because of no more Linux on a PS3? Oh boo freaking hoo. This is a gaming console which can also play video disks. Spend your unemployment check or allowance on another product.

2. Anyone that thinks thinks these morons provide some form of positive service to society? If they were that virtuous they'd privately forward their results to Sony so that Sony could address these vulnerabilities. But no, These "lolz" comic book stand nobodies would rather cheer behind a pathetic ansi image rather than save up $300.00 and buy their own rockin' Linux box -and some kleenex to blow their noses.

3. As it stands now it's the consumers that bought Sony products that suffer for this. So pointless analogies aside, no one deserves this. After Sony (AND IT'S AFFILIATES) get things in order and they can go back to full operation Sony should pursue these -yes- idiots to the fullest extent of the law and prosecute them. In other words Sony and their customers should tell them to kiss their ass. Then let them bitch about Linux behind bars while they apologize to the true victims, the consumer.

By Veerappan on 6/5/2011 10:17:42 PM , Rating: 2
1. Linux compatibility was a feature that the console was advertised as having upon initial sale. Sony removing this feature pissed a lot of people off.

2. If I had a PS3 and my credit card had been leaked as a result, I'd be more pissed at Sony than at the hackers. Safeguarding your customers' private data is vital to maintaining your customers' trust. Sony has failed here. Even if Anonymous hadn't targeted them, someone else would have eventually.

3. And if Sony wants its customers to stay loyal, they should upgrade the security on their network-connected services.

I've been staying away from Sony products since the rootkit fiasco a few years ago, and the more time goes by, the happier I am about that decision.

A conspiracy !
By Subzero0000 on 6/2/2011 9:28:30 PM , Rating: 2
Could this be a trap to lure him out ?

By vectorm12 on 6/3/2011 6:09:11 AM , Rating: 2
Although I am completely appalled by the lack of security in Sony's system I'm confident that this will result in much safer systems for most if not all consumers, not just Sony's.

This is proof of concept that any company can get hit by these hackers and that they can't skimp on poor security just because they haven't been hit yet.

Although I absolutely hate the fact that I lost PSN for the better part of a month and all the other headache related to these breaches at least I'm confident that the new systems are going to be much more secure once they are in place.

I will in no way condone these attacks, but unfortunately in this case I believe the end justifies the means.

By Sunagwa on 6/3/2011 11:11:26 AM , Rating: 2
First I'd like to say thanks to Sony for poking the bear. Second to the hacker community for bringing Sony's complete lack of security to light.

I was ready to forgive and forget against my better judgement but I promised myself any more serious security news and that's it, I'm done. I'll be finishing off Heavy Rain the next few days and then it's off to Ebay to "try" and sell my PS3.

I don't know anything about hacking but for them to be hacked again at this point using a method that is (according to people more educated then I) hacking 101 then I don't see any reason why I should ever trust them with my information again.

Checks and Balances
By Autisticgramma on 6/3/2011 1:25:15 PM , Rating: 2
These are growing pains. $ony, is in it for profit, and only profit. Security is secondary to profit.

The Law (as in whats illegal) is behind. This is why America needs a consumer protection agency. Then we could go to $ony and ask what their security practices are, and order then to shape up or find another market. Allowing yourself to be hacked this easy should be illegal. It's akin to me leaving a loaded gun next to a 7 year old's birthday cake, then complaining that not only do I have to clean the gun but all my ammo is gone. The other kids at the party, are just an after thought.

Locks only stop honest men - but that doesn't mean you don't have one on your front door. $ony's house obviously has no windows or doors - let alone locks. Even the police will tell you if your door is open there is no expectation of privacy.

If no one demonstrates this openly, would they have even known. Say $ony did figure it out, would $ony even have told us? Certainly not the third time.

Bobby Tables
By Visual on 6/3/2011 3:28:49 AM , Rating: 1
"Vista runs on Atom ... It's just no one uses it". -- Intel CEO Paul Otellini

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki