Sony's headquarters in Tokyo, Japan
Sony has suffered another massive data breach, with a hacker group known as Lulz Security, or LulzSec, claiming to have stolen details about one million users from SonyPictures.com.
In a statement, LulzSec say they are not attempting to come across as "master hackers", but instead wish to highlight Sony's lax security. They say:
Every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it.
The group says the data stolen includes users' passwords, email addresses, home addresses and dates of birth, and has placed samples online for others to verify their claim.
LulzSec say they accessed SonyPictures.com with an SQL injection, in which text an attacker submits to a website (a form field or URL parameter) is pasted unchecked into a database query, so the database executes the attacker's own SQL statements alongside the site's. The group calls this "one of the most primitive and common vulnerabilities", and asks: "Why do you put such faith in a company that allows itself to become open to these simple attacks?"
Sony says it is aware of LulzSec's statement and is investigating the issue. "We are looking into these claims," Jim Kennedy, executive vice president of global communications for Sony Pictures Entertainment, told the Associated Press.
AP also called a number listed by LulzSec and verified that it belonged to a woman in Minnesota, who confirmed the rest of her details.
This latest attack comes as Sony recovers from a previous hacking incident, with its PlayStation Network only just fully restored after a month-long outage.
It is also the latest in a string of security breaches carried out by LulzSec, who last weekend hacked into and defaced the website of PBS, the US public broadcasting organisation, and previously stole data from the Fox broadcasting company.
Meanwhile, infamous hacktivist group Anonymous today said it has stolen 10,000 emails from Iran's Ministry of Foreign Affairs as part of its latest endeavour, OpIran.
Anonymous carried out its attacks as a response to Iranian crackdowns on anti-government protests, with one member telling The Epoch Times they aimed to damage the image of Iran "both in cyber space and the real world." The emails were taken from the Iranian Passport and Visa Office, and appear to be mostly visa applications.
(Mashable) -- Sony is not having a good year. As the company scrambles to get the PlayStation Network and Qriocity music service back online, it's suffering from yet another security breach.
This time it's a hacker attack on various websites associated with Sony Pictures.
A team of individuals going by the name LulzSec, who recently managed to deface PBS.org's homepage, announced that they have broken into SonyPictures.com and compromised more than 1 million user accounts. An additional 75,000 music codes and 3.5 million coupons were also uncovered.
The attack, part of a campaign known as Sownage, was announced on Twitter and on the LulzSec website.
LulzSec said that it didn't have enough resources to copy all the data that it was able to access. But the group did manage to grab a collection of databases that contain thousands of usernames.
The accounts, presumably associated with any sort of registered activity on SonyPictures.com (or its subsidiaries or partners), contain information like passwords, email addresses, dates of birth and other Sony opt-in data.
This certainly isn't as dangerous as the information that was exposed during the PSN hack, but because many people reuse the same email address and password across sites, it could still be used to gain access to more important accounts elsewhere.
The scariest part of this attack isn't what was taken, but how easy it was for the LulzSec members to take it. According to the group's own press release, access to the main Sony Pictures website was gained using a very basic tactic called SQL injection.
We haven't had a chance to examine the released files to see what this injection was, but it's likely that an out-of-date software stack and a relatively unprotected web server made the injection trivial.
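Neither article shows the actual query LulzSec abused, and the released files are not reproduced here. The following is an added example, not Sony's code or anything from the LulzSec release, that shows the mechanism both pieces describe: a lookup that splices the request parameter into the SQL text, two payloads against it (one that makes the WHERE clause always true and dumps every row, one that reads the schema catalogue to find the table holding passwords), and the parameterised form that defeats both. The table layout, the sample users and the payload strings are all constructed for the example.

```python
import sqlite3

# Constructed sample data, not records from the breach: a small users table
# laid out the way a plaintext-password site would store it.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
]


def make_db():
    """Return an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable lookup: the request parameter is spliced into the SQL text,
    so a quote in the input closes the string literal and whatever follows
    is parsed as SQL."""
    sql = "SELECT username, email, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Fixed lookup: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: the WHERE clause becomes always-true, so every row
# (including every plaintext password) comes back in one request.
DUMP_ALL = "x' OR '1'='1"

# UNION payload: reads SQLite's schema catalogue to learn which tables exist
# and what columns they have, the reconnaissance step before going after a
# password column. The trailing -- comments out the query's own closing quote.
LIST_TABLES = "x' UNION SELECT name, sql, type FROM sqlite_master WHERE type='table' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, dump-all payload:", lookup_vulnerable(conn, DUMP_ALL))
    print("vulnerable, schema payload:  ", lookup_vulnerable(conn, LIST_TABLES))
    print("safe, dump-all payload:      ", lookup_safe(conn, DUMP_ALL))
```

Against the vulnerable function the first payload returns both sample users with their passwords and the second returns the CREATE TABLE statement for `users`; the parameterised function treats each payload as a literal username that matches nothing. Escaping quotes by hand is not a substitute for binding parameters: the fix is that the database never parses user input as part of the statement.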
LulzSec says that all of the information it took was unencrypted.
"Sony stored over 1,000,000 passwords of its customers in plaintext," says the hackers' press release, "which means it's just a matter of taking it."
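The quoted claim, repeated in both articles, is that the passwords were stored as plaintext, so a dumped table was immediately usable. The right remedy is not encryption (a key the web application can read is a key the attacker who owns the web application can read) but a salted, deliberately slow password hash, so that a stolen table yields no passwords without a per-user brute-force effort. The following is an added example using only Python's standard library, not Sony's code; the record format and the PBKDF2 iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Assumed cost parameter for this example: PBKDF2-HMAC-SHA256 iterations.
# In production pick the largest value your login latency budget allows.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one
    precomputed list, and the stored cost lets it be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_table_exposes_passwords(rows):
    """Given dumped (username, stored_value) rows, list the users whose
    password an attacker can read straight off the table, i.e. any value
    that is not one of our hash records."""
    return [user for user, stored in rows if not stored.startswith("pbkdf2_sha256$")]


# Constructed sample users stored the plaintext way and the hashed way.
PLAINTEXT_ROWS = [("alice", "hunter2"), ("bob", "letmein")]
HASHED_ROWS = [(user, hash_password(pw)) for user, pw in PLAINTEXT_ROWS]


if __name__ == "__main__":
    print("readable from plaintext dump:", leaked_table_exposes_passwords(PLAINTEXT_ROWS))
    print("readable from hashed dump:   ", leaked_table_exposes_passwords(HASHED_ROWS))
    print("bob logs in:", verify_password("letmein", dict(HASHED_ROWS)["bob"]))
```

An attacker who dumps `HASHED_ROWS` with the same injection still gets the email addresses and dates of birth, which hashing does nothing for; what they no longer get is a password list that works on every other site those users signed up to.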
Seeing as this is the second security breach of a major Sony-branded website in little more than a week, we have to ask: is anyone at Sony employed to handle web security?
Sure, managing a large number of brands and properties that are often connected in name only has to be a challenge, not to mention the logistical and administrative challenges of managing websites that can store millions of user profiles. Still, that doesn't make up for what by all appearances is an abysmal security record.
LulzSec has been on a tear, infiltrating the websites and databases for the UK television program, "The X Factor," parts of Fox.com, Sonymusic.co.jp and many parts of PBS.org in the past three weeks alone.
The attacks, while often juvenile in nature and execution (the Lulzsecurity.com website plays the theme from "The Love Boat"), underscore just how important it is for brands to keep their web servers updated, hardened and monitored. In the age of simple publishing tools like WordPress, it's easy for managers to underestimate the importance of having someone on contract or on staff to keep user data protected, which for passwords means storing salted hashes rather than plaintext.
We can only hope the most recent cyber attacks convince executives to think seriously about investing in online security.