The display of security incompetence Sony
Corp. (6758) is
astonishing. Weeks after losing the contents of its two largest databases
PlayStation Network (PSN) database and the Sony
Online Entertainment (SOE) database -- the company appears to have
lost yet more information after
experiencing an attack almost identical to one just days prior.
I. Sony Fails to Block Identical Attack
On Sunday, The Hacker News revealed
that Sony BMG Greece (the Greek unit of the company's music branch) was hacked
using an SQL injection attack and lost 8,000+ customer records.
It now appears that just days
later a group called LulzSecurity -- known for formerly hacking FOX.com's
login database -- has used an injection attack to compromise
databases on Sony BMG Japan.
Astonishingly, Sony appears to have done little to
nothing in the way of escaping or parameterization to protect its databases,
even in the wake of the SQL injection breach of its Greek property.
The hackers accessed an on-site tablet that did
not appear to contain any personally identifiable information. They
openly mocked Sony, posting to
Twitter, "LOL @Sony, Nice Japanese website dumbasses (sic)."
They later posted, "This isn't a l337 h4x0r,
we just want to embarrass Sony some more. Can this be hack number 8? 7
and a half?!"
While the hack itself was obviously just designed
to target Sony and not hurt its customers, the hackers did post publicly that
there was two other databases on the site that they did not look at, but should
be accessible using the injection attack.
This message was likely up for hours -- at least
-- before Sony heard about it and shut down access to its servers. In the
meantime it's very feasible that other users -- including outright malicious
ones -- could have stolen information from these tables. As tables on the
Sony BMG Greece website contained users' names, passwords, etc. it's quite
possible that one of these tables held similar information, and you can almost
guarantee that there would be many more records than in the Greece table, as
Japan is Sony's home nation.
II. Sony Intrusion Send Clear Message to
Customers -- You Can't Trust Sony
Sophos Security researcher Chester Wisniewski , who yesterday took a gentler tone when covering the Greece intrusion, this time firmly admonished Sony, writing:
While there is an enormous target on Sony's back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.
While there is an enormous target on Sony's back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?
I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.
quote: after all the people bought and paid for the consoles so there should be no restrictions on what software can be used on there.
quote: It's a console. If you want to run ANYTHING on it you want with no restrictions, get a PC. Sony's only obligation is to make sure you have a fully working console. You make it seem like they told people they could no longer play games on it or something or broke key functionality.
quote: Oh please. Firmware updates routinely break functionality in devices. Hell my first Intel SSD was broken because of the TRIM firmware.If every company who made buggy firmware deserved to be hacked and shut down, we wouldn't have many tech companies left.