In what seems to be a never-ending nightmare, it appears that the website of Sony BMG in Greece has been hacked and information dumped.
An anonymous poster has uploaded a user database to pastebin.com, including the usernames, real names and email addresses of users registered on SonyMusic.gr.
The data posted appears to be incomplete: it claims to include passwords, telephone numbers and other data, but those fields are either missing or bogus.
As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony’s flaws, we are likely to continue seeing successful attacks against them.
It appears someone used an automated SQL injection tool to find this flaw. It’s not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.
While it’s cruel to kick someone while they’re down, when this is over, Sony may end up being one of the most secure web assets on the net.
If you are a user of SonyMusic.gr, it is highly recommended that you reset your password. Expect that any information you entered when creating your account may be in the hands of someone with malicious intent, and keep a close eye out for phishing attacks.
The lesson I take away from this is similar to other stories we have published on data breaches. It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in.
Want to learn more about securing your web servers and databases? Download our paper “Securing Websites” to learn some best practices to defend your organization against these types of attacks.
Update: The editors of The Hacker News have contacted Naked Security and indicated they were the source of the post to pastebin.com. The original hackers had contacted them with the dump.
It's cruel to kick one that's down, but it's stupid to kick a hornets' nest.
At this point I believe we can assume they’re down. The fact is these vulnerabilities have been exploited for years but have only recently come to light as per the PSN outage and various media swarms.
Look out, IGN!
Irony:
One user, when he registered on Sony's site, entered this:
"8elo pl na ma8o pios diavazei ayta ta e-mail", which is Greek for "I would really like to know who's reading these emails".
"it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony"
Yeah? As a systems architect and programmer of all trades over the last 20 years, this is news to me.
Thanks for adding Source Link 🙂 Cheers from THN
Poor Sony
After the tsunami, they had 77 million users' data leaked, and after that, they have this. Security is really the main thing everyone should look into seriously after seeing so much hacking news, especially about big corporations like Sony.
@JTrouble, then you should probably be a bit more aware. It's correct that it's nearly impossible, but that doesn't mean they should throw security out the window. Most of the recent breaches have been due to lack of knowledge and stupidity, two things that Sony cannot afford right now.
"it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony"
What a stupid stupid comment. How are Google, Twitter, IBM, etc… doing?
You are an idiot
They are getting hacked too, genius. Let me guess, you're the Matt Freeman who is a sales rep for Symantec.
If you were truly in tune with information security, you would admit the only "totally secure" information system is the one that's powered down, disconnected from all networking, degaussed, burned, locked in a safe, and pitched down the Mariana Trench.
Look up the Aurora attack to see Google's moment.
"it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony"
This argument is fairly sound, no system is 100% secure or will ever be 100% secure. You can disconnect a computer from any/all networks and keep it in a safe only to find that someone steals the safe.
However, you can make it as difficult as possible for hackers to penetrate your defences. ESPECIALLY! when you're the size of Sony.
Sony has the finances to employ and contract the best security personnel available, buy the best equipment and hire the best in developing a secure methodology.
Such a large organisation has a duty to protect that data and do more than they have done so far.
In the case of the first breach they should have re-evaluated all aspects of their security.
Not to mention their poor response and timing in responding to the breach and warning/reassuring their customers.
"Nearly Impossible" shouldn't be an excuse…
Just because you don't know of the attacks against them doesn't mean they didn't occur.
For example, do you recall what recently happened in China with Google?
Google's Gmail was hacked a year back, remember?
All websites, especially internationally, will probably have SOME undiscovered vulnerability. This is a fact of security, because there are too many angles to cover and not enough manpower or resources.
A couple of weeks back some security firm announced they discovered an exploit in Google Chrome.
You should NEVER assume anything is totally safe and always be open to the possibility of an exploit, with all of Google's websites and presence I'm sure in some country on some web page someone could probably pull an SQL injection or other hack.
The reason this is happening to Sony so rapidly is because they garnered the anger of the hacker community and currently hacking Sony is the cool thing to do.
It is not "nearly impossible" to avoid being vulnerable to SQL injection attacks. It boggles the mind that programmers who are too lazy or incompetent to use parameterized queries manage to find employment.
There are really two issues here:
1) Sony is not one company… it's a patchwork of companies under one umbrella corporation, and they each have their own IT staff and ways of doing things.
2) Sony is in the habit of buying up up-and-coming companies, many of which had shoestring budgets and cowboy coders to get where they got to. It can take years to complete the asset management transfer, complete the audits and bring the new part of the company up to conformance with the core policies.
Put these two together, and you're guaranteed to get someone on one of their IT staffs who has implemented something in a less than stellar manner, somewhere that nobody's noticed yet (or at least had the time/resources to fix yet). For the most part, Sony actually does a good job of securing its assets.
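The parameterized-queries point raised in the comments above, shown as an added example (not code from the article or from any Sony site): a constructed SQLite user table is queried once by splicing user input into the SQL text, the defect an automated scanner probes for, and once with a bound parameter. The table contents, function names and the probe string are all constructed for this demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a site's user store.
USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable: the caller's value becomes part of the SQL statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened: the value is bound as data, so it can never alter the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a constructed tautology probe."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed: the textbook scanner probe
    return {
        "concat_normal": lookup_concat(conn, "alice"),
        "concat_probe": lookup_concat(conn, probe),   # whole table comes back
        "param_normal": lookup_param(conn, "alice"),
        "param_probe": lookup_param(conn, probe),     # no such username: empty
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns every row for the probe, which is exactly what a scanner looks for; the parameterized version treats the same string as an ordinary (nonexistent) username.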
Matt,
LMGTFY.
Google's big breach led to public awareness of Operation Aurora and the birth of the term "Advanced Persistent Threat". Twitter settled with the FTC in March over breaches in 2009. IBM hasn't had a big publicized data breach, but they're listed on datalossdb.org as having lost backup tapes, server hard drives, and laptops with PII on 6 occasions.
The reasoning in the article is solid. As the exposed attack surface of an organization grows, so does their potential for being exploited.
Also, companies tend to try and get by with as little security as possible until it bites them in the ass, then do a knee-jerk overcompensation towards extreme security. I agree with Wisniewski — Sony will likely throw massive resources at tightening security in the next 6-18 months.
This all started when Sony aggravated the hacking community by spending tons of money to go after the man that released the PS3 binary. Most people feel that they can do whatever they want to their system once they purchase the PS3. BECAUSE WE PAY FOR IT. They need to embrace the hackers and learn from them, because you cannot stop them. There will always be a better hacker. They are the ones that will teach you how to close those security loopholes.
In the end it's going to cost the customer more to make up for all the extra cost of added security. That will suck; I hate paying 14.99 bucks a month for EQ2 as it is.
Most hackers are trash. They are just attention-seeking people with lots of insecurities. More attacks will come, but I am pretty sure Sony will survive. Hackers need to realize one thing, a very simple one: when they die, Sony will still exist. Yep, just like Microsoft, which has been hacked to death. So if you want to attack Sony, how about you take them to court or face them in person, and not cowardly. You guys are wasting your time.
Those attention seekers, then, are not hackers. Sony might still exist*. No one knows what would happen tomorrow or so on.. It's the internet.. It's like anyone's gonna harm you.. Lol.. People that hate hackers.. should try to stay on /b/ for a while… That's gonna be one funny day if I ever see that.
Hi, I just wanted to remark on the comments for this story. I followed a link from mcv.co.uk to this site and I am generally impressed by the level of common sense and balanced debate within the community.
It makes a change to finally read a more balanced and informative reaction to Sony’s current woes than the usual hype stirred up by most media outlets.