Sony Web Site Hack Compromises 1 Million Accounts4:11 PM EST Fri. Jun. 03, 2011
Sony is reeling from another data breach, when miscreants broke into the computer networks of Sony Pictures and exposed personal information of more than one million customers.
LutzSec, the hacker group behind the Sony Pictures attack, said in a Pastebin.com blog post, that they exploited a security vulnerability on the Sony Pictures Web site with an easily executed SQL injection attack. The LulzSec hacker group also claimed responsibility for a breach of the PBS Web site, which occurred over Memorial Day weekend.
Altogether, the hackers said that they accessed personally identifying information, including passwords, e-mail addresses, home addresses, dates of birth and all Sony opt-in data associated with the accounts of more than 1 million users.
The LulzSec hackers also said that they compromised all admin details of Sony Pictures, as well as 75,000 "music codes" and 3.5 million music coupons, while breaking into other tables from Sony BMG in the Netherlands and Belgium.
“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING,” the hackers said. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
LulzSec said that they were only able to publish about 150,000 samples, due to “lack of resources."
Meanwhile, hackers said that they executed the attack in an effort to bring attention to glaring security vulnerabilities within Sony systems, while underscoring the fact that the company failed to adequately protect its sensitive customer data.
“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it,” the hackers said, adding, “This is an embarrassment to Sony.”
LulzSec also boasted it broke into PBS.org over the holiday weekend to retaliate against a broadcast documentary that they contended was critical of WikiLeaks.
During that hack, attackers published customer and administrator Web site usernames and hashed passwords, along with a fake news story claiming that deceased rapper Tupac Shakur was still alive and living in New Zealand.
The attack against Sony Pictures is the latest in a long string against the electronics giant occurring over the last six weeks, kicked off by a hack against Sony PlayStation Network and Qriosity services in April that compromised at least 77 million customer records. Since then, Sony has been regularly assaulted by hackers in attacks targeting Sony BMG Greece, Sony Thailand, and Japanese subsidiary So-Net services.
Security experts contend that the seemingly endless series of attacks indicates a deep systemic problem in Sony’s security posture.
Next: Experts Say Sony Needs Security Overhaul
“Sony needs to find the advanced persistent threat or threats that likely are sitting deep in their network. The hacker community is not coming in through the front door -- they aren’t knocking holes in the firewall. It has to be some sort of back door into these networks and companies like Sony need to put some sort of protection mechanisms in place to identify these advanced persistent threats and shut them down,” said Stephen Gates, director of field engineering at Top Layer.
Gates said that specifically, Sony needed to identify compromised machines using some kind of intrusion prevention designed to analyze protocols coming in and out of the network, and subsequently identify the anomalies in order to shut them down.
“Most companies are concerned with what is coming and never look at what is leaving. If they were to look more closely at what was leaving their network, they would find these advanced persistent threats,” he said.
One security expert said that the string of Sony attacks called into question the strength and effectiveness of the Payment Card Industry Data Security Standard , in light of the fact that Sony had been compliant with its mandates.
“One question comes to mind. With all of this data lost, if a PCI compliant corporation can be this easily targeted and compromised, is PCI a good standard to measure security posture?” said Guy Bruneau, SANS Institute security researcher, in a blog post.
Meanwhile, Chester Wisniewski, senior security advisor at Sophos, said in a blog post the attack against Sony Pictures is more of the same for the company, but underscores the need for users to question the security of any organization housing sensitive or personal information and utilize strong passwords.
“The take away for the average Internet users is clear,” Wisniewski said. “Don’t trust that your password is being securely stored and be sure to use a unique password for every Web site to limit your exposure if hacks like these occur.”