Just when Sony appeared to be getting back on the right
track with the full restoration of its PlayStation Network,
LulzSec struck again, hitting Sony right between the eyes.
The group once again used an SQL
injection tactic to gain access to the Sony Pictures account database.
This time around, LulzSec managed to obtain:
In addition, there was even opt-in data that was accessible,
which gives even more information about Sony's customers and their preferences.
The part that amazes LulzSec (and us for that matter) is
the fact that Sony stored all 1 million user passwords in simple plain text
files -- no encryption whatsoever was used. "It's just a matter of taking
it," stated LulzSec in a press release. "This is disgraceful and
insecure: they were asking for it."
The group went on to express its disdain for Sony and its
security practices (or lack thereof):
Our goal here is not to come across as master hackers, hence
what we're about to reveal: SonyPictures.com was owned by a very simple SQL
injection, one of the most primitive and common vulnerabilities, as we should
all know by now. From a single injection, we accessed EVERYTHING. Why do you
put such faith in a company that allows itself to become open to these simple
LulzSec has provided evidence of its latest
"Sownage" on its site, which can be accessed here.
quote: Sony can't fix all of their SQL injection vulnerabilities overnight, but given that they're the hackers' whipping boy they should take down all of the sites that have the vulnerability BEFORE they get hacked! But it'd cost them money so they'd rather leave our data at risk. And SQL injection attacks? Seriously? That's the FIRST thing you learn to protect against! And it's EASY!