LulzSec suspect pleads not guilty to Sony Pictures website hack

A 23-year-old man, suspected of being a member of the LulzSec hacking gang, has pleaded not guilty to an attack on the Sony Pictures website.

Cody Kretsinger, from Phoenix, Arizona, pleaded not guilty to conspiracy and unauthorized impairment of a protected computer during a hearing at Los Angeles District Court.

Kretsinger is alleged to be the LulzSec member known as “Recursion”, and is accused of being involved in an SQL injection attack that stole information from Sony Pictures in June, exposing users email addresses and passwords.

Approximately 150,000 confidential records were subsequently published online by LulzSec who mocked Sony’s weak security:

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Prosecutors claim that Kretsinger used the HideMyAss.com proxy server website to disguise his IP address as he allegedly probed Sony Pictures’ computer systems in May 2011, hunting for vulnerabilities.

HideMyAss.com’s terms and conditions stipulate that their service is not to be used for illegal activity, however, and they co-operated with the authorities when a court order was received requesting information.

Kretsinger’s trial is scheduled to begin on December 13th. If convicted he faces up to 15 years in prison.SRC

Sony suffers another security scare – 93,000 user accounts broken into

Hackers successfully broke into 93,000 accounts at Sony over the last few days, once again impacting users of the Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services.

According to a blog post by Philip Reitinger, Sony’s Chief Information Security Officer, credit card details were not compromised.

As a precautionary step, Sony has frozen the compromised accounts and will email impacted users asking them to confirm their identity and reset their passwords.

Some compromised accounts “showed additional activity prior to being locked,” but the only hint from Sony as to what that activity might entail is that the company says it will “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

What’s interesting is that it appears that the hackers gained access to the Sony accounts by working through a large database of stolen usernames and passwords – believed to have been sourced from somewhere else. That suggests that the accounts which were broken into were using a non-unique password.

In other words, you were using the same password on the Sony PlayStation Network as you were on website X.

It’s never a good idea to use the same password in multiple places.

Sony’s security team were alerted to the intrusion when they noticed a high number of failed login attempts – so well done to those users who weren’tusing the same password.

At the end of its blog post, Sony’s Reitinger offers some sensible advice to users:

We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

The only silver lining for Sony is that this security breach appears to be much smaller in scale than the attacks which hit it earlier this year, where millions had their personal information stolen and the Sony PlayStation Network wasforced offline.

Sony’s reputation was badly harmed earlier this year by the series of hacking attacks. This latest incident certainly isn’t going to do them any favours – as customers will (rightly or wrongly) continue to associate the Sony brand with security breaches.

I’m sure Sony will be hoping that this is the last time a security incident will put their company in the news headlines for all the wrong reasons.

Hackers plant bogus celebrity stories on Sony Music Ireland website

If you went to the website of Sony Music Ireland (sonymusic.ie) earlier today you would have discovered some astonishing celebrity stories:

• Scientists have proved that the X Factor TV show is for the stupid.

• Two members of the Irish pop band “The Script” were found dead in their backstage dressing room.

• Rebecca Black (the teenage singer who became an internet meme after her phenomenally bad “Friday” video became a YouTube hit) has married R Kelly in Disneyland.

Perhaps most astonishingly of all, the story claims that Miss Black has joined Sony’s security team.

If it’s true that Rebecca Black is going to be helping Sony with their computer security, then she’s going to be kept busy.

But, of course, all of the stories are fake.

Hackers appear to have broken into Sony Music Ireland’s site and planted the bogus celebrity stories. It’s just the latest in a long line of attacks upon Sony websites, and further embarrasses the company as it tries to protect its online reputation.

Sony Music Ireland is presently redirecting visitors to its website to its Facebook page instead. Presumably they will bring the site back online once they are confident they have got its security under proper control.

If you run a website it’s essential that you ensure it is being kept as secure as possible. If you haven’t already done so, read this informative paper by SophosLabs, “Securing websites”, which covers some of the issues.

Why Hackers Hate Sony

It’s not such a happy time over at Sony these days thanks to the bull’s-eye on its back.

But why is Sony — a major player in the worlds of gaming, movies and music — suddenly in the crosshairs of hackers?

Sony’s reputation for aggressively trying to protect its intellectual property rights may provide some clues.

Purdue University security expert Gene Spafford, who testified before Congress about Sony’s security problems, said there are plenty of examples. He cited Sony banning users who modded their PlayStations, the infamous case of installing “rootkits” on PCs of users as copy control for CD, and lawsuits it has filed against the likes of George Hotz andJammie Thomas.

Hotz, a hacker known for unlocking the iPhone, riled up Sony when he started a blog to document his progress hacking the PlayStation 3, which was regarded as being a locked and secure system. Thomas got caught up in a music piracy case, accused by the recording industry of sharing songs on the file-sharing site Kazaa.

“The image that has emerged from all this is that Sony is a rapacious corporation with no heart,” Spafford said. “Thus, it is not surprising that they might be a target for hackers.”

Fast-forward and you have the malicious attack on the PlayStation Network that compromised millions of user accounts and identities. And once word got out that Sony was not doing as good a job on the security side as it should be, the sharks could smell blood in the water.

Sony became snarled in almost constant attacks on all fronts, from phishing sites running on the servers of its Thai website to the most recent breaches by the merry hacksters known as LulzSec.

Here’s a quick timeline of the attacks:

*June 2 — Lulzsec attacks Sonypictures.com, gains access to user information.

*May 24 — Sony confirms hackers stole 2,000 records from Sony’s Canadian site.

*May 23 — Sony BMG server in Greece hacked, user account info stolen.

*May 19-20 — $1200 worth of virtual tokens stolen from So-Net, a Sony subsidiary; phishing site found on Thai Sony server.

*May 2 — Sony acknowledges over 12,000 credit card numbers were stolen during initial PSN attacks.

*April 17 — PlayStation Network hacked, hackers gain access to personal info of over 77 million users.

Computer security expert and former hacker Gregory Evans said Sony would be well-served to hire ex-hackers instead of IT managers to help secure its networks.

“Anyone can configure a firewall, but (it) does not mean you are a security expert,” he said.

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/

 

13th SONY HACK : Sony Europe hacked by Lebanese hacker… Again

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.

Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/

Sony Pictures attacked again, 4.5 million records exposed

The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony’s websites.

While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.

The data stolen includes:

• A link to a vulnerable sonypictures.com webpage. 
• 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
   
• 21,000 IDs associated with a DB table labeled “BEAUTY_USERS” including email addresses and plain text passwords.
   
• ~20,000 Sony Music coupons (out of 3.5 million in the DB).
   
• Just under 18,000 emails and plain text passwords from a Seinfeld “Del Boca” sweepstakes.
   
• Over 65,000 Sony Music codes.
   
• Several other tables including those from Sony BMG in The Netherlands and Belgium.

The attackers, LulzSec, stated in their file titled “PRETENTIOUS PRESS STATEMENT.txt”:

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

This sounds like a broken record… Passwords and sensitive user details stored in plain text… Attackers using “a very simple SQL injection” to compromise a major media conglomerate.

Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

The take away for the average internet users is clear. Don’t trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like “faithful”, “hockey”, “123456″, “freddie”, “123qaz” and “michael”.

Companies collecting information from their customers have a duty to protect that information as well.

In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.

Interested in some practical help with data security? Download our Data Security Toolkit.

Interested in encrypting your own personal files? Try out Sophos Free Encryption.

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/

Sony can not guarantee the PSN will not be hacked again.

In a open letter sent to members of Congress this week, Sony Computer Entertainment boss Kaz Hirai has said that he cannot guarantee the PlayStation Network will not be hacked again despite new policy changes and added security measures.

Last month, Sony took down the PSN following multiple security breaches that left 101 million gamers with their personal data stolen including addresses, phone numbers and even credit cards.

Wrote Hirai:

No security system is absolutely foolproof, and changing conditions in the future can make a currently secure environment less secure.

These gaps in what we know are not for lack of trying by experts, but rather an unfortunate testament to the skill of those who perpetrated the attacks. Some aspects of the intrusion may never be known.

Sony has still not found the identities of the hackers except to subtly accuse the hacking group “Anonymous.”

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/

Sony Music Japan hacked through SQL injection flaw

Another day, another attack on Sony. I reported yesterday on the SQL injection attack exposing user information on SonyMusic.gr and today attackers have found flaws in SonyMusic.co.jp.

The Hacker News sent us a tip this eveningdocumenting a couple of vulnerable web pages on SonyMusic.co.jp that allowed hackers to access their contents through SQL injection.

The good news? The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information.

It isn’t clear whether the hackers are able to inject data into the database, or simply access the tables and records it contains. If they are able to alter the records, this could be used to insert malicious code that could be used to compromise people browsing the site.

The attackers appear to be the same crew who targeted Fox.com earlier this month. Known as Lulz Security, the group appears to attack sites primarily for fun and political reasons, not to steal credit cards and commit other types of fraud.

This doesn’t change the criminality of their behavior. Accessing systems without authorization is still a crime in most countries.

Will Sony stop the bleeding? The attackers stated in their message “This isn’t a 1337 h4x0r, we just want to embarrass Sony some more.”

While there is an enormous target on Sony’s back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?

I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/