14 comments

[ 2.1 ms ] story [ 35.7 ms ] thread
that's ridiculous! i wanna learn sql injection :))
And once again, a proof that to take security seriously, you need to have a security culture and policy in your whole company.

Else, many small Business Units of your International MegaCorp, who won't have the knowledge or the culture of security, will not care enough and might get hacked, in a way or another...

in a way or another...

In a way that you can eliminate using straightforward technical fixes.

I'm actually kind of curious about this now. Right now this is hack...5? against something under the Sony umbrella.

1. Just because it's got "Sony" in the name, how related are these, really? Does Sony actually have a hand in all of them, or were they just random companies that were acquired and picked up the "Sony" brand name, instead of keeping their own and saying "Owned by X", like (for example) Blizzard and Activision?

2. I realize that 90% of this is because apparently it's fun to kick Sony while they're down, both in terms of crackers saying "Let's poke at Sony sites until we find something, trololo" and media sites saying "Hey, people don't like Sony, let's get some free pagehits and report on this!" Would this hack in particular, and the Sony Thailand from earlier, have even been noted in any tech forum or news site anywhere before the PSN outage?

> 2. I realize that 90% of this is because apparently it's fun to kick Sony while they're down

Guess Sony isn't "down" yet. Also guess the attacks have less to do with Sony being "up" or "down" and more to do with Sonys history of attacking people held in high esteem by the ones who are capable and willing to attack.

Free advice for Sony: Stop harassing researchers. Measure hacking attempts before / after.

I would actually be curious how much of this is recourse for Geohot, although there's probably no possible way of empirically finding out. That said, I'd be willing to bet that "people who hack Sony to protest Geohot" and "people who hack Sony to steal other people's credit cards" are two different camps.

As to the Sony being "down", I'd contend they are. Their reputation for security is in the shitter, and any hacks executed now are going to have a far greater effect than they would at any other time (again, I doubt things like this or the Thailand hack would have ever made news sites in any fashion before the PSN outage).

They're all under the Sony umbrella, but Sony Music, Sony Pictures, Sony Computer (PlayStation), Sony Online (Everquest, etc.), and Sony Electronics (TVs, etc.) are all indeed separate companies. And, there are separate companies based on region; Sony Computer Entertainment America, Sony Computer Entertainment Japan, etc.
I was at a CIO conference a few weeks ago (just after PSN went down) and the Sony reps there stated that Sony was undertaking a massive effort to centralize all their servers across divisions into one group in a cost saving measure. Not sure how accurate that info is but it may be a contributing factor to these problems.
the example in the link (the image of the "hack") isn't sql injection - it's just reading a database table through the appropriate api.

the more detailed info at http://www.thehackernews.com/2011/05/lulzsec-leak-sonys-japa... again doesn't show any injection. all they are doing is reading the contents of various tables through a simple (REST-like) API/URL.

["IT security blog of the year" and they don't know what injection is? and what about all the "experts" in this thread? do any of you, so ready to pontificate, have proof this is a valid attack?]

It seems to work as designed, but its design is pretty stupid - it's arguably still a hole.

I'm with you on the "experts" though.

Big company with many independent websites has lots of independent vulnerabilities. OK, I get it already. Probably true for many companies.