Latest Hack Shows Sony Didn't Plug Holes

Sony's PlayStation Store came back online this week, to the general approval of PlayStation fans.

The records of about 1 million Sony customers went up, too.

The records were posted by the hacking group LulzSec last week as a demonstration that Sony had not fixed the fundamental, enterprise-wide security flaw that had allowed hackers to take over a series of its other networks.

Though the group said its intentions were pure, posting the private information of a million customers is at least as damaging as if the breachers had been committed data thieves.

"Uh-oh #SonyPictures... http://pastebin.com/Y38gCS82," the group tweeted Thursday afternoon from its account, LulzSec (The Lulz Boat).

The group is connected to Lulz Security Corp., which posted a press release about the hack but was not responding, due to what LulzSec tweeters said were "attacks [it had received] non-stop since literally 2 minutes after we tweeted [news of the data breach] - doesn't affect leaks in the slightest."

The leaks included usernames and passwords of Sony BMG and Sony Entertainment customers in the U.S., the Netherlands and Belgium. The very long list, posted on the same public paste site as the group's previous breaches (which it says were designed to expose Sony's real security failures), is incomplete because LulzSec members couldn't copy the full content onto Pastebin.

Group members said their motivation was to show that Sony executives weren't telling the truth when they tried to reassure customers they had revamped security to prevent the simple, almost identical exploits that let a range of hackers take over one of its networks after another beginning in mid-April.

"We are taking aggressive action at all levels to address the concerns that were raised by this incident," according to a May 14 statement from Kaz Hirai, executive deputy president of Sony and head of its gaming division. "[We] are making consumer data protection a full-time, company wide commitment."

The commitment evidently didn't include making sure all its sites and servers had been patched or otherwise protected against simple SQL injection attacks nearly identical to those that succeeded in April and May.

It also didn't include the elementary precaution of hashing stored passwords (the leaked usernames and passwords were readable as posted); previously only credit-card numbers had been encrypted.
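The two failures the article names, string-built SQL and plaintext password storage, are easiest to see side by side. The following is an added example written for this page, not code from the article, Sony or LulzSec: a login check done the vulnerable way next to a hardened version (parameterized query, salted PBKDF2 hashes, constant-time compare). The table and column names, the two sample accounts, the payloads and the iteration count are all assumptions of the example.

```python
# Added example (not code from the article, Sony or LulzSec): a login
# check written the two ways the article contrasts. Table and column
# names, the sample accounts and the KDF parameters are assumptions.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the same two accounts stored in plaintext
    (as the leaked Sony records were) and stored salted-and-hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "hunter2"), ("bob", "letmein")):
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?)",
            (user, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Before: user input pasted into the SQL string and compared against a
    plaintext password column. Returns every username the query matched
    (what a page built on this query would render), which is exactly the
    channel a UNION payload uses to pull other rows out."""
    sql = (
        "SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_hardened(conn, username, password):
    """After: a parameterized query (the driver binds the input as data, so
    it can never change the statement) plus a constant-time comparison of
    salted hashes. Nothing recoverable as a password is stored."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Two classic payloads, typed into the password field (constructed inputs).
BYPASS = "' OR '1'='1"
DUMP = "' UNION SELECT username || ':' || password FROM users_plain WHERE '1'='1"


def demo():
    """Run both implementations against the same inputs and return the results."""
    conn = make_db()
    return {
        "honest_login": login_vulnerable(conn, "alice", "hunter2"),
        "bypass": sorted(login_vulnerable(conn, "alice", BYPASS)),
        "dump": sorted(login_vulnerable(conn, "nobody", DUMP)),
        "hardened_honest": login_hardened(conn, "alice", "hunter2"),
        "hardened_bypass": login_hardened(conn, "alice", BYPASS),
        "hardened_dump": login_hardened(conn, "nobody", DUMP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `DUMP` payload is the point of the exercise: against the string-built query, one field of one login form returns every username and password in the table, which is the "from a single injection, we accessed EVERYTHING" that LulzSec describes. Against the hardened version the same payloads are just a password that doesn't match, and even a successful dump of `users_hashed` yields salts and PBKDF2 digests rather than credentials.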

"This is disgraceful and insecure," LulzSec's announcement said. "They were asking for it."

"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.

"From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

I dunno, Lulz, maybe you found something with an explanation in those Sony servers?

Until you find out, do you mind taking down enough of the data to keep all those victims you're protecting from being victimized all over again?
