Oh Sony, not again, Rule 16 may apply…

No, this is not the “Sony hacked again” blog, but Sony got hacked again, and this time it’s Canadian.

Today there was another hit on Sony‘s web properties, as the Canadian version of the Official Sony Ericsson eShop was attacked successfully. A “grey hat” calling himself Idahc has posted the names and e-mail addresses and a hashed version of users’ passwords to the web. He says he used an SQL injection attack, which anyone over 8 should be able to defend against, just like some of the other attacks against Sony.

And I now find out that Sony BMG Japan also got attacked, and it was also an SQL injection. The group involved was Lulz Security, a group that hacks into systems just for fun.

I was explaining the defense against SQL injection this morning to a small group, and how just escaping all inputs or using canned (parameterized) queries for SQL access would make these attacks moot. I’m hoping that someone at Sony gets a clue and they get this fixed ASAP.
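To make the point concrete, here is an added example (not code from the post or from any Sony site) that puts the three approaches side by side on a constructed in-memory SQLite table: a lookup built by string concatenation, the same lookup with the input escaped, and the same lookup with a bound parameter. The table layout, the sample rows and the crafted input are all assumptions made for this demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data; the schema is an assumption for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Concatenation: the input becomes part of the SQL text, so a quote
    # character in it ends the string literal and changes the query.
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, email):
    # Escaping: doubling single quotes is the correct escape for an SQLite
    # string literal, but it only works if every call site remembers to do it.
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Binding: the value travels separately from the query text, so it can
    # only ever be compared as data, never parsed as SQL.
    sql = "SELECT email, pw_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed input of the kind an injection attempt carries: a stray quote
# followed by a condition that is always true.
CRAFTED = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, CRAFTED)),      # every row leaks
        "escaped": len(lookup_escaped(conn, CRAFTED)),            # no such email
        "parameterized": len(lookup_parameterized(conn, CRAFTED)),
        "normal": len(lookup_parameterized(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 2, 'escaped': 0, 'parameterized': 0, 'normal': 1}
```

Of the two defenses, binding is the one to standardize on: escaping works only when it is applied at every call site, whereas a parameterized query cannot be forgotten half-way through a code base.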

As for why these types of attacks work in a company as large as Sony, and how no-one there seems to have found and fixed these security issues before they got attacked: as far as I am concerned, the problem has to be not the guys doing the implementation of the web sites but the managers and executives above them. People do what they see their chain of command wants. If there is apathy at upper levels, even a go-getter will become apathetic if they are not getting support from the people above them, or if they don’t get the feedback they need for doing things right. I suspect that Sony executives don’t care, or thought no-one would ever attack them, so they never took security seriously and the people below them did the same thing.

Sony has repeatedly shown disdain for their customers and probably has the same disdain for their employees, especially ones who are invisible, like web development and IT security. They will notice them now and probably blame them for this, when the real blame must land directly on the heads of the executives who don’t seem to think that they have to be the ones who drive IT security.

So the executives of the corporation are probably open to whaling and harpooning attacks. It would be very funny if someone could do a targeted (but harmless) social engineering prank on one or more top level executives at Sony. Wouldn’t that be fun… as long as it’s embarrassing but harmless, that is.
