Sony Music Greece Falls To Hackers
xsee writes "Hackers: 6, Sony: 0. It appears an attacker has performed a SQL injection attack against SonyMusic.gr. The latest attack has exposed usernames, real names, email addresses and more. Is Sony's network being used as the world's largest public penetration test?"
SQL Injection... (Score:5, Funny)
Re:SQL Injection... (Score:4, Interesting)
I'm enjoying this for the lulz and the epic security fail. I just wish I could buy a drink for whomever it is that's doing this to Sony.
people are stealing user info (Score:3, Insightful)
And you're egging them on?
They aren't just doing this to Sony, they're doing this to the people who use the services too.
Take it from a person who had a Gawker account. When they were hacked, it caused a great inconvenience for me.
Re:people are stealing user info (Score:5, Insightful)
In this case... I don't feel sorry for anyone doing business with Sony. From my point of view, they made their bed, now they get to lie in it.
Re:people are stealing user info (Score:4, Insightful)
Re: (Score:3)
http://xkcd.com/327/ [xkcd.com]
They probably wanted to save money (Score:4, Insightful)
It's cheaper not to hire or pay for information security.
And when they do they probably don't hire the best. Let's face it, Sony is not innocent and I could care less what happens to Sony. I don't own Sony stock, I don't work for Sony, and I don't own any Sony products except for an old PSX. So I just don't care what happens to Sony.
Maybe other companies will now give a shit about information security.
Re:could NOT care less!! (Score:5, Funny)
ftfy
Re: (Score:3, Informative)
Re: (Score:3)
In other news, when people say they "literally" did something when obviously they didn't, they don't misunderstand what the word "literally" means, they are just exaggerating. By correcting them you either come off as a jackass, or you come off as somebody that really struggl
Re: (Score:2)
It's about time the cracks were shown to customers.
I think Geohot already did that, quite literally.
Re: (Score:3)
You're right. While we might enjoy this bullying because we dislike a company there is a larger context than, OMGZ 0WN3D!1!!!!11
I had a gawker account as well and, while it wasn't a problem for me to change my level lame password for that and other sites, it might turn out worse for other people.
Re: (Score:3)
The same can be said for Microsoft and Apple.
mmm, I find it sad, on the one hand I want to play the big hit games and I want to reward the developers for what they have created (I don't want to pirate stuff). OTOH I find the direction the gaming market is going with forced firmware updates on consoles and online activation (or worse) on the PC very unattractive.
If anything the XBOX seems to be the lesser of three evils at the moment, afaict they aren't requiring online activation (though they are taking steps towards it with in-box DLC) and afaict the
Re:people are stealing user info (Score:5, Insightful)
So you're saying, by doing this they're going to drive customers away from Sony, reduce their income stream, and eventually remove them from the world of global commerce?
Wow, that sounds...terrible
Re:people are stealing user info (Score:5, Insightful)
ohh, wait I have to say something about this!!!!
I was in a bank once, while it was being robbed! OK, it wasn't the nicest experience I ever had and I might have been inconvenienced a bit.
Did I lose the money I had in the bank? No.
Did I lose the info I had stored in it? No.
Did I manage to do the jobs I had with the bank? Yes, I just went to another branch.
So if you are going to create a service infrastructure that hasn't enough failsafes and backup plans to deal with a simple digital break-in then you damn well deserve to be reduced to the economic equivalent of decarbonized organic material... And all people who trusted your services (including yours truly) deserve a very big refund for your incompetence and a big slap in the face for being such fools!
Re:people are stealing user info (Score:5, Interesting)
Honestly is this really that much worse than when Sony decides to vandalize customer equipment?
Re:people are stealing user info (Score:4, Interesting)
It's heading rapidly towards the level of incompetence that the rootkit fiasco was...
It would be funny if the vulnerability that was exploited came from that very rootkit, installed by some unsuspecting employee putting a Sony CD into the computer ...
Re: (Score:2)
Browsers could do a lot to mitigate the damage if they just enabled some basic password protection features. Firefox, for example, has a master password system but it isn't enabled by default, and even when it is on there is no secure password generator. It can all be done with add-ons but should really be the default so everyone starts using it.
In case you don't know what I am talking about the ideal way for a browser to manage passwords is for it to generate a random secure password for each site. It stor
Re: (Score:2)
That sounds great, that way nobody can log on to any site from a machine that is not theirs because they won't have the password safe on that machine and don't know any of the passwords. We might as well just forget this whole cloud thing and go back to fat clients for every service. Oh and before you say LastPass, we all know how well that worked out for people recently; also a service like that presents too valuable a target, even if it's a hard one it will be attacked often.
Re: (Score:2)
Re:people are stealing user info (Score:4, Informative)
Re: (Score:2)
Oh dear, I had to wait until they got the system back up and change my password.
My PSN account has been compromised.
Oh dear. I had to wait a couple of weeks for them to bring their service up again.
In both cases the password change was done in seconds. I went to the web page, entered my old password, clicked the "Password Hasher" icon next to the "new Password" box, clicked "Bump" and entered my passphrase. Click OK. Completely new 26 character UPPER/lower/1234/!"
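The post above describes a per-site password derived from a master passphrase plus a "bump" counter. The following is an added example of that idea, written for this page and not the Password Hasher add-on's own algorithm: a hypothetical derive_site_password() stretches the passphrase with PBKDF2-HMAC-SHA256, uses the site tag and bump as the salt, and guarantees the upper/lower/digit/symbol classes the post mentions. The site tag and length are assumed values.

```python
import hashlib
import random
import string

SYMBOLS = "!#$%&*+-=?@"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def derive_site_password(master: str, site_tag: str, bump: int = 0, length: int = 26) -> str:
    """Deterministic per-site password from a master passphrase (hypothetical scheme)."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    # PBKDF2-HMAC-SHA256 stretches the passphrase. The site tag and bump counter act
    # as the salt, so every site gets an unrelated password, and incrementing the
    # bump after a breach rotates that one site's password without changing the
    # passphrase the user remembers.
    salt = ("%s:%d" % (site_tag, bump)).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=length)
    # Map each derived byte to the alphabet (the modulo bias is small and tolerable
    # for a demonstration; a production scheme would reject out-of-range bytes).
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw]
    # Force one character of each class, then permute positions deterministically
    # from the same derived bytes so the forced characters are not always first.
    # random.Random is used only as a seeded permutation, never as a secret source.
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[raw[i] % len(cls)]
    random.Random(raw).shuffle(chars)
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True when every required character class appears at least once."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample passphrase
    print(derive_site_password(master, "sonymusic.gr"))
    print(derive_site_password(master, "sonymusic.gr", bump=1))  # rotated after a breach
```

Because the derivation is deterministic, the same passphrase, site tag and bump reproduce the password on any machine; nothing needs to be stored, which is the property the post relies on when changing passwords after a breach.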
Sorry, but.. (Score:3)
Anybody who trusts Sony after all the various customer-rapings Sony has committed in the last ten or fifteen years deserves to have their data stolen.
Fool me once, shame on you. Fool me twice, shame on me. If you buy Sony you're begging to be abused.
Re:people are stealing user info (Score:4, Insightful)
There are no Sony fanboys. There are people who are addicted enough to their games that they can't see who is behind them or that they don't care who they work with or where the data flows. But to call them fanboys is a stretch of the imagination. Sony doesn't have "fans." Just consumers.
Re: (Score:3)
It is Sony's fault, but it's not the victims fault. I still remember when I moved from small town New Mexico to Cleveland. It wasn't very long before my car was broken into, and it was "my fault" for leaving valuables in it. How is what happened to the victims of Sony's inept security, and victims of criminals who violated said inept security, their fault. That's akin to saying it's the fault of a rape victim for happening to be attractive towards a rapist. I'm not necessarily saying this is what you m
Sell short SNE (Score:2)
Time to sell short Sony stocks while we are at it.
Re:SQL Injection... (Score:5, Informative)
I thought the most preventable of all security holes was blank administrator passwords. Granted, the most notorious instance of this was the default install of SQL Server 2000's sa account....
Re:testing whether Slashdot... (Score:5, Interesting)
I know you were trying to make a joke, but since about 2-3 weeks ago, if I click my username in the top right, I get "The user you requested does not exist, no matter how much you wish this might be the case. "
It's just a theory, but I think the != in the middle of my username has something to do with it.
But... why?! (Score:2)
The Application String Interface was a poor idea from the start. It's the 21st century, we shouldn't be building strings to do DB queries.
Re:But... why?! (Score:4, Insightful)
SQL injection attacks fixed long ago (Score:5, Informative)
I suspect that it will be a while before we see a real fix to the SQL injection problem as well.
It's called a parameterized query and pretty much every language on the planet supports this mechanism.
SQL injection is mostly a solved problem, except for programmers.
Re: (Score:3)
Parameterized queries by themselves aren't the panacea that people make them out to be. They still allow attack code to be stored in the database. Bad handling of the data deeper in the application stack, where protections aren't expected, might still choke on the code. You need 100% of the SQL queries in the system to be parameterized. Even then, they do nothing to prevent other language injection attacks to pass through, such as XSS attacks.
As you say, it's a solved problem, if the programmers use it.
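The two posts above make a pair of points: a parameterized query keeps user input out of the SQL grammar, and it still stores whatever arrives, so the application must escape at the HTML boundary on its own. The following added example (written for this page, not code from any Sony site or library) shows both with Python's standard sqlite3 module on a constructed in-memory user table; the function names and sample rows are assumptions.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The string-building pattern the thread objects to: the caller-supplied value
    # is spliced into the statement text, so a quote character in it changes the
    # grammar of the query instead of being compared as data.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding: the statement text is fixed and the value travels
    # separately, so whatever it contains is matched literally against the column.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def store_and_render(conn: sqlite3.Connection, username: str) -> tuple:
    # A bound parameter is stored byte-for-byte, markup included. That is correct
    # for the database, but the value must still be escaped when it is later
    # written into HTML; the SQL layer does nothing for that boundary.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, "new@example.invalid"))
    (stored,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return stored, "<li>%s</li>" % html.escape(stored)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 'a'='a"  # constructed test input containing a quote character
    print(lookup_vulnerable(db, probe))     # every row: the quote rewrote the WHERE clause
    print(lookup_parameterized(db, probe))  # []: no user is literally named that
    print(store_and_render(db, "<i>name</i>"))
```

A useful review check is that every query in the code base goes through the bound-parameter path; one remaining string-built statement is enough to undo the rest, which is the "100% of the SQL queries" point made above.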
Re: (Score:2)
Indeed you can inject JS or whatever if data isn't parsed correctly, but using parametrized queries will at least never ever expose the users credit cards, username, passwords etc.
Re: (Score:2)
But should not encourage laziness (Score:2)
Re: (Score:2)
Parameterized queries still don't keep you off the hook from sanitizing your database inputs. Even if you're using something like the PDO object to generate and prep DB queries, in the end, MySQL's looking for a string for input.
The real solution is getting away from sending SQL queries to DBs in string format, as the root poster hinted at, but, sanitizing DB inputs really isn't the hardest job to do, nor is it the biggest problem we face.
Re: (Score:2)
I wouldn't go so far as to use the comparison to in band signalling for this particular problem. After all, that comparison might be more fitting for the notoriously sloppy way modern PCs fail to distinguish between program storage and data storage.
Re: (Score:2)
Not distinguishing between program storage and data storage permits all kinds of nice metaprogramming. LISP is beautiful in its kind for that. But not checking your inputs is the worst offender and the source of all sins. It is so easy to cut corners on input validation :-(
Re:Being positive here... apk (Score:5, Insightful)
SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.
How to stop this particular attack.
Available evidence suggests they have no shortage of dailyWTF-worthy screwups that people can continue to exploit.
Re: (Score:3)
SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.
Well, if the recent weeks told us one thing, it's that they do NOT learn anything from the penetrations. PSN was penetrated and they took it down, but it seems they didn't really learn much from it, since SOE followed. PSN went back up, only to be torn down again near instantly because it was AGAIN penetrated with an allegedly similar attack. And now that. An SQL injection, the one attack that can be prevented the easiest and with the least hassle (hell, there's even free frameworks for nearly every script l
Public penetration test (Score:5, Insightful)
Isn't every network exposed to the public (esp. mid-size or larger commercial ones) continuously under attempted attack?
Re: (Score:3)
Yes, of course they are. However, there are examples of SQL injection attacks [wikipedia.org] going back to November, 2005. There's no excuse for a company as big as Sony to be vulnerable to them almost five years later.
Re: (Score:3)
Re: (Score:2)
What surprises me is that it took this long to uncover the vulnerability. I would expect every script kiddie to be testing for SQL injections and ancient versions of software.
Re:Public penetration test (Score:5, Insightful)
Karma's a bitch, Sony. (Score:4, Insightful)
Re: (Score:2, Insightful)
+5.
Remember when Sony products were cool because they were innovative? Today you're outing yourself as a mindless consumer if you buy anything Sony.
Re:Karma's a bitch, Sony. (Score:5, Insightful)
Remember when Sony products were cool because they were innovative?
Yes, I'm actually that old.
I guess we should explain for the kids here since I guess they can't even imagine it: Sony was cool. Not just like Apple today, with fanboys liking it and everyone else hating it, it was THE cool brand. They had innovative products with never seen before features and a kickass support that didn't bother to ask for details, they just threw a new model at you if the old one croaked, which was actually unlikely because, hey, it was a SONY, they don't fall apart! People were proud to have Sony speakers and Sony radios in their cars, they were proud to have a Sony walkman (as if you could get any others, after all it was a brand name) and they had every right to be proud, they bought something of lasting value!
I admit, it's very hard to believe that today.
Re: (Score:2)
Remember when Sony products were cool because they were innovative?
Yes, I'm actually that old.
That's OK. I'm old enough to remember before Sony meant good. I remember when Sony meant cheap knock-off from Japan.
Re: (Score:3)
I remember Sony and Sanyo transistor radios from 1960. Used to listen to one crossing Bosphorus every night on a ferry. All the onlookers were mesmerized by it.
Re: (Score:3)
Yup, I loved my Walkman and then Discman. And decent earbuds. I tried to love MiniDisc, but it was just too painful to keep using Sony's proprietary bullshit. Between the MiniDisc fail, the Memory Stick fail, and the general shit-tastic quality of stuff these days I've just given up.
Re: (Score:2)
I have two Sony Walkmans (Walkmen?) and they are very good and solidly built (quite a lot of metal parts, compared to today's mostly plastic devices). Whatever they make now will most likely break beyond repair before the cassette players do. Yes, the players needed a belt change, but that was relatively easy to do and the new belts should last a long time. I still listen to cassette, since I have a lot of tapes so it makes sense to record new stuff to tape instead of copying all tapes to a digital format,
Re: (Score:2)
Re: (Score:3)
We had a Sony receiver from the early-mid 80's that my girlfriend's parents gave us. It was a wondrous thing. Then it died, and we replaced it with a second-hand high-end Pioneer receiver from the early 80's, which is a slightly more wondrous thing, though it doesn't turn on with the nice "brang!" noise the Sony had.
Sony used to be a good brand, they were known for their quality and long life. This started to go away in the mid-90s, though. I had a Sony stereo (overgrown boombox) from 1992, hooked to
Re: (Score:3, Insightful)
Sony LCD TV one of the better ones. (Score:2)
Don't even bother with the Sony TVs. They do make some nice TVs, but so do Samsung and Sharp (Aquos anyway, their budget sets don't hold the same value proposition) for quite a bit less money. I can't think of a single line of Sony products that doesn't butt up against better and cheaper competition. They are just coasting and selling the name to people old enough to have bought their first nice TV 20+ years ago when Sony actually gave a crap.
When I was shopping for TVs last year the Sony was one of the better ones for input lag. Not great, mind you. The Aquos was great for input lag but had terrible sharpening artifacts. It was like watching a cheap and cheerful Chinese brand TV and I couldn't stand it in the store so I didn't buy it. Samsung has become awful for input lag - as in unplayable on a console.
I ended up with the Sony 55ex500. Not a bad tele but some annoyances. Definitely would do better with a second tuner as the guide sucks, and so
Re: (Score:2)
How much time did you spend playing with the controls on the Aquos? Mine was a bit that way when I got it but I was able to tone it down. I had a 32", traded it for a compressor and air tools, and now we have a larger one in the living room. (The 32" was in my room, then it migrated out, then it was too small for the living room... it worked out great.) This set (which we got at costco) seems to have just one problem, getting input7 and input8 (both hdmi) confused on occasion. It would be hilarious if it we
Re: (Score:2)
I only spent a minute or 2. I didn't need to tweak the other TVs in the shop, nor was I confident that I would find a set of settings that would work well for all movies etc. It really was awful. ANY of the other sets - even the cheap ones - looked stellar compared to that grainy pixelated picture. I was horrified and ran a mile in the opposite direction.
I really do wish they'd fix those 2 issues on a newer firmware...but I'm not holding my breath. Sony seems to only take things away with firmware upgrades.
Re:Karma's a bitch, Sony. (Score:5, Informative)
professional theatrical projection equipment
There was an interesting story in the Boston Globe [bo.st] this weekend about how Sony projectors are projecting 2D digital movies up to 85% darker than they should.
The reason? It turns out to be Sony DRM, although the article doesn't ever come out and say it directly. Basically, there's a special 3D lens required to display 3D movies, but this lens reduces the brightness of 2D movies.
So why aren't theater personnel simply removing the 3-D lenses? The answer is that it takes time, it costs money, and it requires technical know-how above the level of the average multiplex employee. James Bond, a Chicago-based projection guru who serves as technical expert for Roger Ebert's Ebertfest, said issues with the Sonys are more than mechanical. Opening the projector alone involves security clearances and Internet passwords, "and if you don't do it right, the machine will shut down on you."
In other words, you have to deal with Sony DRM. Rather than jump through the Sony-imposed hoops, theaters just leave the 3D lens on all the time.
Why bother with Sony projectors at all if they have this problem and others don't?
The reason appears to be a basic business quid pro quo. Sony provides projectors to the chains for free in exchange for the theaters dedicating part of their preshow ads to Sony products.
So, yeah. Another wonderful example of Sony in general and Sony DRM in specific giving customers an inferior product.
Obviously the theaters deserve some blame for this too.
Re: (Score:3)
"Opening the projector alone involves security clearances and Internet passwords"
Is it a projector or an ATM?
Re: (Score:2)
this only needs to be done when changing the movie (Score:2)
And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized. So not changing the lens at the same time is a problem with incompetence or sloth.
No, it isn't the Sony DRM giving customers an inferior product, it is the theaters. Analog projection showed us they don't really see image quality as a big factor in their business success. You were lucky to get a projector with the film held steady in the gate, wel
Re: (Score:2)
And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized.
The normal theater staff have the authorizations for that, though. I'm not sure what Sony, theater chain or distributor policy is on giving access to projector innards, and I suspect this is a closely guarded secret.
Re:Karma's a bitch, Sony. (Score:5, Informative)
No, that is just the polarising lens/filter combo needed for passive 3D glasses. Like sunglasses polarisation makes the image darker.
Yes, that would be the technical reason why the image is darker, but that's not the DRM part. The DRM is the reason that the projectionist doesn't simply replace the lens: if they do, they risk tripping Sony's DRM and locking the projector out.
Rather than risk that, they just leave the lens on. Thereby making the movie look absolutely horrible.
So it may not be DRM making the movie dark directly, but DRM is the root cause: Sony doesn't trust the people who own the projector to change the lens, and it's DRM that enforces that policy.
Re: (Score:2)
The point is that Sony DRM freaks out if you screw up when reconfiguring the projector for the 2D lens.
Re: (Score:3)
That's what American management does to you.
Re: (Score:2)
No, somewhere more cold. Bacteria and virii that cause various diseases that go under "cold" umbrella enter state similar to hibernation at around -5C.
Sony = Consistent (Score:5, Insightful)
Re: (Score:2)
Yeah, because "basic security" does not involve sanitizing your sql queries...
Re: (Score:2)
Simplicity is beauty -- at least it comes from the mouth of those who are against spaghetti and obfuscated code.
There are still places for spaghetti and obfuscated code, and this is why.
Sony will be secure? (Score:2)
Is there any evidence to back this up? I keep thinking of counter examples, the best one being Sony. They've been attacked how many times now, and they are still leaving security holes of this nature up? One would think after the first attack a company wide IT effort to harden their servers would have been given something other than
Re: (Score:2, Insightful)
Yes, and you would think the airlines would strengthen the door after the first cockpit invasion back in the 30s or 40s, whenever it was, but we had to wait until the mother of all hijackings before this most basic move was undertaken.. What we will probably get is some kind of 'TSA' for the internet instead. History repeats itself in many ways.
Re: (Score:2)
Give Sony a bit of a break, it's only been a month, and SCE & Sony Music are far enough apart within the overall Sony group for it to not necessarily have filtered all the way to testing the vulnerabilities in Hungary.
Re: (Score:2)
Probably about 840 hours' worth. I can't tell if you think that's a lot or a bit. Seems like a lot to me. Reckon they could at least have looked over all the code they have in that time, and spotted anything basic like, you know, SQL injection ...
Like it matters. (Score:5, Interesting)
They decided that since people download stuff anyway, might as well save on the bandwidth and store it locally. Any time you download a file it's mirrored on the cafe's file server, so others can copy it without having to re-download.
And if you don't go that route, you can buy bootleg copies from any number of African immigrants on the street for just a few euro. Many times for better quality than available in stores for retail price.
Re:Like it matters. (Score:4, Interesting)
Especially about the better quality, is the ironic truth. Remember those who were copying Star Wars LaserDiscs and making them into movie files, because the DVDs were often so slow in coming, and then the DVD releases were only of the new doctored versions and the original versions of Star Wars were impossible to purchase? The LaserDiscs of Star Wars were also reported to have better special features compared to the later DVD releases. Oftentimes it's impossible to get movies on DVD from the companies, which basically is the companies telling fans, screw you, so fans just share the copies among themselves. For years companies have treated their customers like shit, and they then expect people to love them?
Re: (Score:2)
I can verify that if you have the fat boxed set there are some nifty features. It also came with a big picture book if you bought the extra-fat boxed set.
I only wish I had an LD player that would play more than 1 disc 2 sides. All the LD players which play 2 discs that I see any more are Karaoke units and they want real money for them... as if that were a selling point.
Re: (Score:3)
I don't think the music piracy is the point. I think that the point is that the public perception on Sony is being degraded; it has nothing to do with piracy as far as I can see. This is being reported in mainstream media now... would I trust Sony with any of my details? Not a chance. Additionally, these "attacks" must be costing Sony money... probably a lot of money due to not only customer's trusting them less, but the extra employees (or current employees overtime) and resources they need to spend to fix
Re: (Score:2)
Rip the thing to your hard drive if you want to have a copy of the latest Euro-pop to give your nephew/niece in a couple of months to keep them ahead of the curve and make them sound cool by having it before everyone else has it.
But FGS, once your holiday drinkfest is over you won't ever want to hear that squeaky trash again.
Plain text passwords?? (Score:5, Informative)
The linked article also provides a screen shot with obscured personal information.
It appears the passwords are stored in plain text, not as hash: formatting makes it unclear but it seems the length varies, and the password fields are short (6-10 characters or so), while hashes are much longer than that.
Bad bad security! No wonder they also fall victim to the age-old SQL injection attack... which I thought most SQL interface libraries can automatically intercept by adding the appropriate escaping... many years ago I used Python's MySQLdb and they were doing that for a very, very long time already... so there should be no excuse for allowing this to happen still.
expect more (Score:3)
"Is Sony's network being used as ..." (Score:5, Insightful)
No, every other scriptkiddie is just joining in on teh lulz of flogging the dead horse. "ZOMG I sql injectioned a SONY site! Yeah, it's got nothing to do with PS3 or PSN, and yeah it's some site in Greece, but lulz amirite!?"
It's even in the bloody article, isn't it?
I mean.. honestly?
They could be running this against $random_site and try to hit the news with it, too.. but they wouldn't.. because nobody cares about a random hack at a random site right now.. but if it's got SONY attached to it.. well.. lulz rules the news.
None of which excuses the poor security.. but none of which excuses the submitter from his choice of words either.
Re: (Score:2, Insightful)
Jesus Christ, man. How far did that stick get wedged up your ass?
Re:"Is Sony's network being used as ..." (Score:4, Insightful)
Re:"Is Sony's network being used as ..." (Score:5, Insightful)
As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.
It almost seems as if deliberately screwing people over doesn't really pay off, doesn't it?
Re: (Score:3)
There's a difference between "running a totally secure web presence" and "exploited by an automated SQL injection tool". If an automated tool could find it, then you have to wonder why the hell Sony hadn't just run the damn tool themselves. There are levels of insecurity, and this level is well below what a company like Sony should be at.
Almost (Score:2)
I almost feel bad for Sony.
Almost.
public penetration test (Score:3)
Heh heh, Sony's gettin' shafted!
Sony should have learned from Little Bobby Tables (Score:2, Redundant)
This never gets old to me.
http://xkcd.com/327/ [xkcd.com]
I love the smell of napalm in the morning (Score:5, Insightful)
No more than HB Gary was.
To wit: This is the prescription for being attacked mercilessly, for months on end:
At that point you will discover what sort of damage a bunch of really pissed off top notch programmers can do.
With luck all the other psychopathic mega corporations around the world are watching and learning. The lesson is simple: don't poke a hornets nest.
Re: (Score:3)
> This isn't about other OS, it is about blocking people like you who don't think that they should have to pay for games. Freeloading pirate.
There seems to be absolutely no evidence to support this statement. The position of Sony on illegal games has not changed, but the position on other OS has. And the whole thing started just weeks after other OS was disabled - is that a coincidence? I don't think so.
How does this even happen? (Score:4, Insightful)
I really *really* wish... (Score:2)
That would be completely worth the development effort.
Only six? (Score:2)
I'm going to stop being a blatant sony fanboy and defend the ridiculous shit they've done, but, only six?
between PSP releases 1.50 and 6.20, there's way more than just six points for the hacker team.
Re: (Score:2)
Actually, I think it's Lisa Sparxxx [wikipedia.org] at 919 guys.
Re:PPT?! (Score:4, Funny)
i'm sorry, but was the phrase: "world's largest public penetration test?" really necessary?
Sony acts like the world's largest orifice so it's only fitting.
Re: (Score:2)
"Sony acts like the world's largest orifice so it's only fitting."
It's not a trick, it's a Sony!
Re: (Score:2)
Sony acts like the world's largest orifice so it's only fitting.
Sarah Palin's mouth?
Re: (Score:2)
http://pastebin.com/WqLysjiN [pastebin.com]
Re: (Score:2)