This was noted when someone started posting the details of usersof the Sony site. Everyone who is a member of that site is urged to change their password and look out for phishing attempts.
So lets go forward from here; First Sony seems to be imploding as far as security is concerned. An SQL injection attack in this day and age? Come on. All of the sites saying that it’s just because no site is ever fully secure is correct but an SQL injection attack?
SQL injection is caused by the site leaving itself open to an attack that has been known for years. This type of attack starts when a the attacker is on a site that allows user to input something that will then be stored into a database. The attacker formats their input in such a way as that it will end the sql statement that is using their input to either query or store the input and then the rest of the input is a statement. This is the injection. People use it to do all kinds of mischief and this attacker probably injected the select * from user; command. An example might be “Bob’;drop table users;–”
(No showing an example here is not a way to teach attackers how to attack, anyone who is thinking of doing any type of attack already knows this. You who are trying to stop such attacks need to know how they happen so you can stop them.)
Protection from this type of attack can be in a lot of forms such as encoding all input, searching input for the telltale ‘;’ or single or double quotes as well as checking all input is formatted correctly for the expected input. SQL injection has been around for so long that except for newby web developers everyone has heard of it and should be protecting themselves from this type of attack. For Sony to have fallen for the type of attack it shows that Sony has no idea about security at all.
Our advice to people who use any of Sony’s services, don’t. They are not secure, they seem to not care about their users and if this is how they treat security do they treat the rest of their technology the same way? Following the way they treat their Play Station users, suing them and telling them they can’t use the product they purchased and own in any way they like, are you sure you want to be one of their customers?
- Sony Fails again… (echlinm.wordpress.com)
- “Another day, another Sony breach?” and related posts (sunbeltblog.blogspot.com)