Re: Sony Pictures falls victim to major data breach

[Guest guest]

I can't help but think this is akin to saying, 'Look this house is vulnerable to

burglary and to prove it I'm going to break in and take as much as I can, only I

couldn't carry everything, so I'll give the address out in case anyone else

would like to steal anything'. Perhaps my line of reasoning is faulty? However

why couldn't the group LulzSec have just pointed out that there were

vulnerabilities in security and where they were, did they really have to go the

whole hog and break in? Just wodering.

>

>

http://www.computerworld.com/s/article/9217273/Sony_Pictures_falls_victim_to_maj\

or_data_breach?taxonomyId=142

>

> Sony Pictures falls victim to major data breach

>

> Hacking group LulzSec claims it has accessed personal data on more than 1

million people

>

> By Jaikumar Vijayan

>

> June 2, 2011 07:20 PM ET

>

> Computerworld - LulzSec, a hacking group that recently made news for hacking

into PBS, claimed today that it has broken into several Sony Pictures websites

and accessed unencrypted personal information on over 1 million people.

>

> In a statement released Thursday, the group claimed that it had also managed

to compromise all " admin details, " including administrator passwords, as well as

75,000 " music codes " and 3.5 million " music coupons " from Sony networks and

websites.

>

> The group has publicly posted a full list of compromised sites, along with

links to documents containing samples of what it claimed was material stolen

from Sony.

>

> The compromised databases included one that appeared to contain information

belonging to people who participated in a promotional campaign involving Sony

Pictures and AutoTrader.com, as well as another involving a Sony-sponsored

Summer of Restless Beauty campaign.

>

> Also compromised in the break-in, according to LulzSec, was a Sony music codes

database, a music coupons database, and databases from Sony BMG Belgium &

Netherlands.

>

> The compromised databases contained " varied assortments of Sony user and

staffer information, " the group said.

>

> " SonyPictures.com was owned by a very simple SQL injection, one of the most

primitive and common vulnerabilities, as we should all know by now, " LulzSec

said. " From a single injection, we accessed EVERYTHING. "

>

> " What's worse is that every bit of data we took wasn't encrypted, " the group

claims. " Sony stored over 1,000,000 passwords of its customers in plaintext,

which means it's just a matter of taking it. "

>

> LulzSec said that it had copied and published only a relatively small sample

of the information it had managed to access because it did not have the

resources to download everything. The group said that in theory it could have

" taken every last bit of information, " but that would have taken weeks.

>

> The group posted a link to the SQL injection vulnerability it had exploited

and invited anyone to verify it personally. " You may even want to plunder those

3.5 million coupons while you can. "

>

> In a brief comment sent by email, Jim Kennedy, Executive Vice President of

Global Communications for Sony Pictures Entertainment, said the company is

looking into the claims made by LulzSec, but offered no other comment.

>

> If the breach is as extensive as LulzSec has claimed, it would be the second

major compromise that Sony has suffered since mid-April, when intruders broke

into its PlayStation Network and Sony Online Entertainment networks.

>

> Those breaches resulted in the compromise of personal data belonging to nearly

100 million account holders.

>

> Since then, there have been a series of intrusions at various Sony websites

around the world.

>

> The attacks, such as the one carried out against Sony Pictures by LulzSec,

have been designed largely to embarrass Sony, which has sparked the wrath of

many hackers for its hard line stance over copyright and IP protection.

>

> The continuing attacks have become a huge issue for the company. Sony was

forced to shut down its PlayStation Network and Sony Online Entertainment

networks for several days to fix issues resulting from those intrusions. Even

now the networks are still limping back to normal.

>

> So far, Sony has hired at least three external security firms to help patch

its networks. It also recently hired a new chief information security officer to

help coordinate its security efforts. With the company's websites having been

routinely broken into, despite such measures, many wonder just how porous Sony's

networks are.

>

> Sony itself characterized the PlayStation Network and Sony Online

Entertainment intrusions as highly targeted and sophisticated cyberattacks.

However, all of the publicly disclosed ones since then appear to have been the

result of some fundamental security oversights on the part of the company.

>

> Several of the attacks have resulted from SQL injection flaws that hackers

have claimed were extremely easy to find and to exploit.

>

[Guest guest]

I could see them breaking in and leaving harmless message files to prove that they had been inside. Stealing though isn't a good thing. Maybe asking for a fee for their information, not blackmail mind you since nothing was stolen and no threat to pass on the information. If the fee is small, Sony might well pay to learn how to seal up their system as quickly as possible. Sony could also hire such people to attack their system from time to time, never letting Sony know when it is coming, to make sure the security is good.

I can't help but think this is akin to saying, 'Look this house is vulnerable to burglary and to prove it I'm going to break in and take as much as I can, only I couldn't carry everything, so I'll give the address out in case anyone else would like to steal anything'. Perhaps my line of reasoning is faulty? However why couldn't the group LulzSec have just pointed out that there were vulnerabilities in security and where they were, did they really have to go the whole hog and break in? Just wodering.