Sony security FAIL AGAIN!!

OK last week we learned of more Sony security issues and Today yet another one. Today Sony’s Greece music site, Sony BMG Greece, was attacked successfully via an SQL injection attack.

This was noted when someone started posting the details of usersof the Sony site. Everyone who is a member of that site is urged to change their password and look out for phishing attempts.

So lets go forward from here; First Sony seems to be imploding as far as security is concerned. An SQL injection attack in this day and age? Come on. All of the sites saying that it’s just because no site is ever fully secure is correct but an SQL injection attack?

SQL injection is caused by the site leaving itself open to an attack that has been known for years. This type of attack starts when a the attacker is on a site that allows user to input something that will then be stored into a database. The attacker formats their input in such a way as that it will end the sql statement that is using their input to either query or store the input and then the rest of the input is a statement. This is the injection. People use it to do all kinds of mischief  and this attacker probably injected the select * from user; command. An example might be “Bob’;drop table users;–”

(No showing an example here is not a way to teach attackers how to attack, anyone who is thinking of doing any type of attack already knows this. You who are trying to stop such attacks need to know how they happen so you can stop them.)

Protection from this type of attack can be in a lot of forms such as encoding all input, searching input for the telltale ‘;’ or single or double quotes as well as checking all input is formatted correctly for the expected input. SQL injection has been around for so long that except for newby web developers everyone has heard of it and should be protecting themselves from this type of attack. For Sony to have fallen for the type of attack it shows that Sony has no idea about security at all.

Our advice to people who use any of Sony’s services, don’t. They are not secure, they seem to not care about their users and if this is how they treat security do they treat the rest of their technology the same way? Following the way they treat their Play Station users, suing them and telling them they can’t use the product they purchased and own in any way they like, are you sure you want to be one of their customers?

Advertisements

About echlinm

Computer Programmer/Systems Analyst/Hacker S31
This entry was posted in Computers and Internet, hackers, Security and tagged , , , , . Bookmark the permalink.

One Response to Sony security FAIL AGAIN!!

  1. Pingback: Oh Sony, not again, Rule 16 may apply… | Borg or No (S31)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s