Sony Music Greece Falls To Hackers
xsee writes "Hackers: 6, Sony: 0. It appears an attacker has performed a SQL injection attack against SonyMusic.gr. The latest attack has exposed usernames, real names, email addresses and more. Is Sony's network being used as the world's largest public penetration test?"
The most preventable of all security holes. How sad.
Time to sell short Sony stocks while we are at it.
New Economic Perspectives
LOLZZZZZ!!!!!!
seriously sony?
RONFLMFAO!!!!!!
hahahahahahahahahah!!!!!!!!!!!!
SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.
That's the only good result.
Now, they ought to do fixes based on that data for their own good now that it's been pointed out & for the good of their viewers.
(I hope that this thing wasn't anything that puts worse crap onto others' systems that visit it. Imo, those are the worst - spreads like plague).
I haven't read the "detailed findings" so far, only the summary type articles...
APK
P.S.=> In any event here, I'd think it's good to stay positive when things are looking down, & then do something about it once you're armed with data to look for, + fix it!
apk
Isn't every network exposed to the public (esp. mid-size or larger commercial ones) continuously under attempted attack?
Years of half baked products, poor reliability, hostile customer service, lazy innovation, and a general disdain for security are what your customers have had to deal with. I really don't care who is doing it to you or why - but I applaud them teaching you the hard lessons of the evolving technological age. You can't keep repeatedly flipping people the finger anymore and tell them to deal with it. Evolve or die. And no, my loathing isn't related to just the recent PS3 debacle. It extends to experiences with consumer audio, professional theatrical projection equipment, and so on right down the line. The fact that you're being taken out by the simplest of attacks in most cases just makes my smile grow a little more.
The Application String Interface was a poor idea from the start. It's the 21st century, we shouldn't be building strings to do DB queries.
There's no -1 for "I don't get it."
I'm sorry, but was the phrase "world's largest public penetration test?" really necessary?
Well at least they are consistent - none of their systems seem to have more than basic security.
K Man
And you're egging them on?
They aren't just doing this to Sony, they're doing this to the people who use the services too.
Take it from a person who had a Gawker account. When they were hacked, it caused a great inconvenience for me.
http://lkml.org/lkml/2005/8/20/95
Is there any evidence to back this up? I keep thinking of counter examples, the best one being Sony. They've been attacked how many times now, and they are still leaving security holes of this nature up? One would think after the first attack a company wide IT effort to harden their servers would have been given something other than the lowest priority...
Established company seeking security professionals, all positions open
They decided that since people download stuff anyway, they might as well save on the bandwidth and store it locally. Any time you download a file it's mirrored on the cafe's file server, so others can copy it without having to re-download.
And if you don't go that route, you can buy bootleg copies from any number of African immigrants on the street for just a few euro. Many times of better quality than what's available in stores for retail price.
Reading the last line of the description, I can guess what Sony's comeback line is going to be
The linked article also provides a screen shot with obscured personal information.
It appears the passwords are stored in plain text, not as hash: formatting makes it unclear but it seems the length varies, and the password fields are short (6-10 characters or so), while hashes are much longer than that.
Bad, bad security! No wonder they also fall victim to the age-old SQL injection attack... which I thought most SQL interface libraries can automatically intercept by adding the appropriate escaping... many years ago I used Python's MySQLdb and they were doing that for a very, very long time already... so there should be no excuse for allowing this to happen still.
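The plaintext-versus-hash observation a few comments up (short, variable-length password fields where a hash would be long and fixed-length) is easy to make concrete. The following is an added example, not code from the thread or from Sony: it stores passwords with salted PBKDF2-HMAC-SHA256 from Python's standard library and shows that the stored field has the same length whatever the password was. The iteration count, salt size and storage format are choices made for this demo, not taken from any real deployment.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this demo (constructed, not taken from any real system).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password
    (e.g. the many "123456" entries people spotted in the dump) get different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so the check's timing does not depend on how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_lengths(passwords):
    """Length of the stored field for each password.

    With hashing the length is constant (13-char algorithm tag, 6-digit iteration
    count, 32 hex chars of salt, 64 hex chars of digest, three separators = 118),
    which is exactly the property the leaked fields lacked.
    """
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    record = hash_password("123456")
    print(record)
    print(verify_password("123456", record), verify_password("1234567", record))
    print(stored_lengths(["abc", "123456", "correct horse battery staple"]))
```

A database column holding these records looks nothing like the 6-10 character strings described above, which is why the commenter's length heuristic is a reasonable first test for whether a dump contains hashes or plaintext.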
the world's largest public penetration test?
That title belongs to Snookie
Evidently, the PlayStation 3 firmware/network isn't the only instance where Sony totally fails at securing their shit. SQL injection? Really? In this day and age? I'm simply shocked that it hasn't happened a lot earlier; they've been pissing people off for years now, it's amazing it's taken this long for a collective group to make a serious effort to try and break in.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Penetration test? Try Public Shaming test.
It's simple. Piss off enough of the wrong people for reasons nothing more than you can, and you think it protects your bottom line, and they will embarrass you. Be it a Corporation, Government, or private citizen. The net is the ultimate perceptive level playing field. What we perceive as justice on-line, is in fact retribution.
No, every other scriptkiddie is just joining in on teh lulz of flogging the dead horse. "ZOMG I sql injectioned a SONY site! Yeah, it's got nothing to do with PS3 or PSN, and yeah it's some site in Greece, but lulz amirite!?"
It's even in the bloody article, isn't it?
I mean.. honestly?
They could be running this against $random_site and try to hit the news with it, too.. but they wouldn't.. because nobody cares about a random hack at a random site right now.. but if it's got SONY attached to it.. well.. lulz rules the news.
None of which excuses the poor security.. but none of which excuses the submitter from his choice of words either.
I suspect that it will be a while before we see a real fix to the SQL injection problem as well.
It's called a parameterized query and pretty much every language on the planet supports this mechanism.
SQL injection is mostly a solved problem, except for programmers.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I almost feel bad for Sony.
Almost.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
...they would do this against Islamic sites. But like I say, no balls.
Double penetration test, I'd say...
*facepalm*
Don't even bother with the Sony TVs. They do make some nice TVs, but so do Samsung and Sharp (Aquos anyway, their budget sets don't hold the same value proposition) for quite a bit less money. I can't think of a single line of Sony products that doesn't butt up against better and cheaper competition. They are just coasting and selling the name to people old enough to have bought their first nice TV 20+ years ago when Sony actually gave a crap.
When I was shopping for TVs last year the Sony was one of the better ones for input lag. Not great mind you. The Aquos was great for input lag but had terrible sharpening artifacts. It was like watching a cheap and cheerful Chinese brand TV and I couldn't stand it in the store so I didn't buy it. Samsung has become awful for input lag - as in unplayable on a console.
I ended up with the Sony 55ex500. Not a bad tele but some annoyances. Definitely would do better with a second tuner as the guide sucks, and some annoying bugs on the menu (like most recently watched channels don't work). Apart from these 2 annoyances and first unit replaced due to dead pixels in the first week, the TV has been trouble free and served my young family well. Great sound and picture (with minor tweaking to set up). Great fun with the Wii. Fantastic Bluray. Lots of inputs. (Some slight picture stutter in full res panning for some titles, even with 100Mhz gimmick, but livable). And it was the cheapest of the bunch. The geek in me also hates that you can't downgrade firmware - new firmware always a risk with the tele. If I could find better I would have bought it. I have no love of Sony.
What was striking was how bad input lag had gotten on most models, and how quality had gone down even quicker than price for all manufacturers. Few now have decent dead pixel policies.
These posts express my own personal views, not those of my employer
Sorry, Sony deserves it all. Root kit!
So are the tags for this article really just a game of "one of these things is not like the other"?
Heh heh, Sony's gettin' shafted!
This never gets old to me.
http://xkcd.com/327/
... that the first thing I thought upon reading the article summary was that it was a lead-in to a "that's what she said" joke.
No more than HB Gary was.
To wit: This is the prescription for being attacked mercilessly, for months on end:
At that point you will discover what sort of damage a bunch of really pissed off top notch programmers can do.
With luck all the other psychopathic mega corporations around the world are watching and learning. The lesson is simple: don't poke a hornet's nest.
Poor Sony.
Maybe if they cared as much about their customers as they do about profits and making money, this could have been avoided or at least negotiated. But now it's out of control. It's game over.
The hackers aren't going to stop. Sony needs to hire cyber warriors.
One of the first things you learn about web programming is to clean any string a user touches. If there's even a remote possibility that a user submitted something, clean it before putting it in your query. How is it even possible that someone would be given money for web programming before learning this? That's not even a rhetorical question; I'm genuinely interested in the answer.
From the original source:
Yesterday, we reported that on 5th May, 2011, Sony BMG's Greek website was also hacked. One of them provided the full extracted database from the site. b4d_vipera was the hacker who defaced the site using the SQL injection method. There are 8385 users on this website. A sample of the hacked database was leaked at http://pastebin.com/WqLysjiN. This was the 7th attack on Sony.
It's cheaper not to hire or pay for information security.
And when they do they probably don't hire the best. Let's face it, Sony is not innocent and I could care less what happens to Sony. I don't own Sony stock, I don't work for Sony, and I don't own any Sony products except for an old PSX. So I just don't care what happens to Sony.
Maybe other companies will now give a shit about information security.
About time someone went after Apple? Comparatively Sony isn't THAT evil.
... is vulnerable... ' ; SELECT * FROM master.dbo.tables; DROP DATABASE master;
And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized. So not changing the lens at the same time is a problem with incompetence or sloth.
No, it isn't the Sony DRM giving customers an inferior product, it is the theaters. Analog projection showed us they don't really see image quality as a big factor in their business success. You were lucky to get a projector with the film held steady in the gate, well lit and in focus, so is it a surprise theaters don't take their responsibilities any more seriously for digital?
As a person who is sensitive to flicker (a bit) and to jumpy film images, I have to say the rock-steady images of digital (and with quite even brightness usually too!) is not an inferior product. It's a greatly superior product. I don't know who is making the projectors I'm seeing though, could be Sony, could be anybody.
http://lkml.org/lkml/2005/8/20/95
How about Sony come out, publicly apologize, disintegrate their entire company, and give all their money to a fund to help end corporate power globally.
Until they do all that, I fully applaud Anonymous. ROCK ON BROTHERS! FREEDOM!
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
...they used my scanner. It would be so fitting. Sony BMG Greece hacked by a vulnerability found by a scanner written by a Greek dude.
That would be completely worth the development effort.
world's largest public penetration test
Dude, that's my sister you're talking about!
As much as I love watching Sony get their comeuppance, I find a report of "Hackers: 6, Sony: 0" to be a bit sensationalistic. Are we to believe that Sony hasn't beaten any hacker attempts? We only hear about the ones that work in favor of the hackers, so a more believable record is likely to be "Hackers: 6, Sony 10000".
For the love of God, the saying is COULD NOT CARE LESS!
Think about it. By saying "I could care less", you are saying that it is possible for you to care less than you do, which means you do care what happens to Sony.
It is endlessly annoying that people cannot get the simplest things right.
People need to learn that "they get what they deserve".
When dealing with a corporation (or any corporation, for that matter), one only needs to look at their history of behavior. Almost all behave "badly". Years ago I took this to a personal extreme: I explained to my family that if they decided to continue supporting certain corporations by purchasing their products or services, that upon my passing they would be required to submit to an audit of their purchases for the preceding 3 years. For every dollar they spent with a corporation that I did not approve of, they would forfeit $5 of potential inheritance. They were flabbergasted, to say the least. Sony was one of the listed companies. My decision to add Sony to my list of banned economic entities was initially based upon their inclusion of the now infamous music CD root-kit. In hindsight, a good decision. They have not learned from their mistakes. IMO, they deserve to lose their charter.
Having said all of this, if the average Joe decides to continue to support a company that obviously has no scruples, then Joe gets what Joe deserves. Better sign up for that identity theft insurance ASAP, Joe. That's my advice. /anon.
Here it is: http://pastebin.com/WqLysjiN
You can thank me later...
I'm going to stop being a blatant sony fanboy and defend the ridiculous shit they've done, but, only six?
Between PSP releases 1.50 and 6.20, there are way more than just six points for the hacker team.
Non impediti ratione cogitationus.
Obviously a parameterised[sic] query prevents the most obvious forms of injection attack, but it alone does not protect against everything. Although it can be tedious, all data returned in forms should really be checked for syntactical legitimacy. Apart from anything else, this makes it easy to distinguish between accident and malice, and so know when to pop up a box saying "please check that the contents of each box make sense before clicking Submit" and when to put up a 404 and block the IP for a while. On a large commercial website, the development cost per submission is quite low, and failing to validate data is a stupid corner to cut.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
http://pastebin.com/WqLysjiN
If this is actually an excerpt of the actual data, then it looks like test data to me. Look at the passwords. They repeat a lot, but grouped in ascending order. For example, in the middle of the file there are a lot of "123456" passwords, but nowhere else. As the data seems to be ordered by u_usr this seems very unlikely.
And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized.
The normal theater staff have the authorizations for that, though. I'm not sure what Sony, theater chain or distributor policy is on giving access to projector innards, and I suspect this is a closely guarded secret.
Yes... yes it was... as it was funny as shit. :)
Stone
Well, Sony has a skilled security staff, the only issue is that they are too busy implementing DRM in the PS3 and all their other products to have some time left to secure their web servers.
Think about it.
There are 2 types of people in this world. Those who understand ternary and those who don't.
When was the last time you applied for a job that didn't require dumping all your info into some company's (or their 3rd party contractor's) website?
But I'm sure they have way better security than that small under funded company from Japan hardly anyone had heard of before the last month. /snark
In the Robin Hood stories, Little John was actually a rather large person.
Anybody who trusts Sony after all the various customer-rapings Sony has committed in the last ten or fifteen years deserves to have their data stolen.
Fool me once, shame on you. Fool me twice, shame on me. If you buy Sony you're begging to be abused.
Free Martian Whores!
How is that new PR plan going?
was it really a good idea to make everyone hate you?
Do not look at laser with remaining good eye.
One user, when he registered on Sony's site, entered this: "8elo pl na ma8o pios diavazei ayta ta e-mail", which is Greek for "I would really like to know who's reading these emails".
There's no patch for stupidity
SQL injection? Since it's a Greek site maybe they were only worried about... Trojan horses?
sag
Little Bobby Tables' mom strikes again.
"The knee is the elbow of the leg." -- My wife
Sony just doesn't get it. They don't know how to do business online. The internet has been a pain in the side of their movie and record labels, so Sony neglects it as much as they can get away with and this is what happens.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
If Sony DRM is involved, it probably is closer to an ATM than a generic projector. Need I remind you about the insane Sony rootkit disaster? They have a history of going overboard on such things.
Stored Procedures &/or Bind Variables are that lesson:
"I'd say if one thing's certain, then that Sony doesn't learn jack from the attacks." - by Opportunist (166417) on Monday May 23, @12:41AM (#36214128)
I think that by THIS point though, they will have. It's very "public" @ this point, & embarrassing.
Imo @ least? For SONY to "stall out" the possibility of SQL Injection attacks, they need to check on their sites + implement the techniques I noted above, keeping as much business logic out of their "front ends" on their sites & do more server-side too (being sure said DB engines & webservers are secured also, of course).
APK
P.S.=> Not a SONY user here (well, I do have a SONY burner but it's been problem-free for ages now, since 2006 iirc?), so this doesn't affect ME personally or directly.
I hope the same holds true for you folks also, & if not? I hope some of you have @ least written them as to what needs doing (e.g.- stored procs + bind variables usage on interactive data utilizing websites)... apk
What I find most intriguing in all of this is that "security of their product" is more important than the "security of their customers' information". I mean seriously, how many millions did SONY spend on securing their music, videos, and other "media"? I forget what device it was but I remember my last SONY product was one where the data could only be read by a SONY reader... I think it was a voice recorder I bought for a client. Nonetheless, their products are secured from the user, but the user is not secured at all. Maybe if they spent the money they wasted on DRM on securing their network and innovating like they did in the past they would be a viable company, but I guess being greedy got in the way of their profits. Didn't they recently try and jail/sue some kid for modding his PS3? I mean seriously, shame on you SONY. Get your house in order and try to remember that your customers' wants and needs dictate your ability to do business. Your profits will soar if you bring back your old ways of being innovative, delivering quality and most importantly delivering what the customers want. Your lawyers and money guys should be the ones jailed for your pathetically weak grip on reality. Forcing people to buy your crap will never equate to growth... instead it will be a slow downward spiral like a dookie in a toilet bowl. On the topic of DRM also, wasn't it Sony whose profits soared through blank cassettes? That was thinking outside the box and winning on both sides of the coin. DRM, suing modders, proprietizing every piece of media (i.e. MiniDisc, Memory Stick, etc.) is certainly the fastest way to the bottom of the bowl. JMHO. As for HiFi audio, SONY never piqued my interest... I went Denon long ago and I'll prolly never go back.
Some "FYI" above in my subject-line: Though HOSTS files are excellent for giving users more speed & security online, and vs. many things like malware or adbanners that may be infested with malscripted content (& just slow you down as is and you pay for it literally in your billing from your ISP/BSP, worse if they go by "bandwidth cap used" billings)? This is 1 circumstance where a HOSTS files' versatility is not helpful really.
APK
P.S.=> I also realize that you're trying to "troll me"... do something useful with your life instead of attempting to bother myself, or others, with b.s. trolling & sarcasm! apk
Either way? Those "generic procedures" should cover OTHER attacks like this one!
Until then?? They'll either:
---
1.) Learn by it & correct it (stored procedures &/or bind variables usage in website code, for starters)
OR
2.) Keep looking poorly!
---
Then, it's a matter of gaining back folks' trust... the hardest part I imagine!
APK
P.S.=> It's not THAT "big of a deal", nowadays @ least, to create a bind variable + stored procedures driven site that uses DB access...
(Heck - I've done it myself professionally, a few times, since 1998 for various businesses, & if I can manage it? So can the coding teams for SONY!)
* After all - It's not as if they don't have the coin to hire on teams for it, or even license softwares IF needed (if they're not using a LAMP/WAMP stack that is) in DB engines &/or WebServer programs! apk
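The "stored procedures &/or bind variables" advice in this post, and the earlier comment that a parameterized query should be paired with a syntactic check of every submitted field, as one added example that is not code from the thread, from any commenter, or from Sony. It uses Python's built-in sqlite3 module: the `?` placeholders are the bind variables, and the same lookup is written once by string concatenation and once parameterized so the difference is visible on a legitimate name containing an apostrophe. The table, the user names and the username regex are constructed for the demo; sqlite3 has no stored procedures, so that half of the advice is covered only in the note below.

```python
import re
import sqlite3

# Constructed sample data (not from the leaked dump): a tiny user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "ob@example.com"),
    ("bob", "bob@example.com"),
]

# Syntactic rule for a username, chosen for this demo: letters, digits, _ . ' -
# Apostrophes are allowed on purpose, because real names contain them.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    # The "Application String Interface": the submitted text is spliced into the
    # SQL, so any quote or keyword in it is parsed as part of the statement.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Bind variable: the driver hands the value to the engine separately from
    # the statement text, so it is only ever compared, never parsed.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def validate_username(username):
    # Checked before any query: a failure here is a malformed submission the
    # application can answer with "please check the form" (or log), rather than
    # something the database layer has to absorb.
    return bool(USERNAME_RE.match(username))


def demo():
    """Run both lookups on two legitimate names; returns what each produced."""
    conn = make_db()
    results = {}
    for name in ["alice", "o'brien"]:
        try:
            unsafe = lookup_unsafe(conn, name)
        except sqlite3.OperationalError as exc:
            # The concatenated query breaks on the apostrophe in o'brien:
            # the same mechanism an injection abuses, shown on an honest input.
            unsafe = "error: %s" % exc
        results[name] = {
            "valid": validate_username(name),
            "unsafe": unsafe,
            "safe": lookup_safe(conn, name),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
    print(validate_username("alice'; --"))   # fails the syntactic check
```

The point of including the validation step is the one made a few comments up: the regex lets "o'brien" through, so it is the bind variable, not the validation, that keeps the apostrophe from being parsed as SQL, while the validation is what lets the site tell a typo from a malformed submission. Stored procedures give the same guarantee only as long as the procedure itself binds its arguments; a procedure that assembles dynamic SQL from its parameters reintroduces the original problem.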
What goes around, comes around.
Hackers: 6, Sony customers: 0
Let's not lose sight of who's actually being hurt here.
Talk about "tipping your hand' troll! To wit:
"Some (many) of us are tired of you're trolling and would like to be able to mod you down." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Speaking for "everyone" now? Why don't you GET ON TOPIC instead, first of all... &, LMAO - Well, the "TRUTH COMES OUT": You're only out to "down mod" me... lol, how badly have I utterly kicked your ass on things technical here that you have to resort to THAT "old troll trick"? Pretty badly evidently!
Well, too bad: You're not going to EVER 'get your wish'...
So I get that "last laugh" on THAT account, easily!
(And, I get to post as much as I like as well, as AC... no stupid "10 posts per 24 hr. period" unfair discrimination of AC's holds me down on that note either!)
---
Secondly: Quit giving orders & acting as if you are "the master of life", ok? New NEWS/Newsflash: You're not!
"First off, why don't you just get an account instead of posting AC?" - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Why? I post as much as I like as AC, & I don't give a hoot about "mod points". If I have something good to say, I say it in reply. I do the same even if I have critique. I.E.-> I gain NOTHING by being a registered user, and if anything based on what you state below? I gain hugely by posting as AC instead!
---
"I realise that you honestly believe what you say APK, but you don't think before you post, and you do stupid things." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Stupid according to you, but what's even more stupid is saying you want to "mod me down"? For what?? B.S. reasons??? Too bad. You can still mod me down even if I post as AC... I just make it harder for you fools that stalk me here doing it is all, by my posts as AC instead!
(Tough cookies for you).
---
"Like sign the above post twice. " - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Oh, yes, I see: YOU are the "master of things posting", right? Just like you are the "master of living life" too, right??
(WRONG! Get over yourself, lol!)
---
"Hell, I am posting AC, since I know how you will stalk people, and I can't think of the last time I did, because I don't really care about hiding my identity. " - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Then why are you trolling me as AC then?
(No, your b.s. here, it doesn't fool anyone... give up, lol!)
---
"But you scare me, and others too." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Well, "you & yours" troll? You don't scare me in the least... especially with your typical "off topic trolling" replies like this one!
---
"Some look at your posting history (way before /.)and laugh. " - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
Oh, really? I have hundreds of mod ups, even as an AC poster.... would you like to see them??
---
"I just get concerned. " - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
No, you're a troll that's off topic & full of it... and you KNOW it.
You "tipped your hand" above, with saying you want to "down moderate me" IF I had a registered account. Give us a break - talk about a "very telling reply" on your part!
---
"Not sure if this helps, but I'll put it this way. From reading someone's collection of posting links and your hatred of certain people you claim that have impersonated you" - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
I don't "hate" anyone here. I merely find them amusing and VERY easy/simple to get the better of on t
Learn to write English properly
"Some (many) of us are tired of you're trolling and would like to be able to mod you down." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
You need to stay on topic here, troll. In that statement of yours quoted above alone, You've given away your motivations by saying you want to down mod the person you replied to.
You are the one who is off topic here and deserve the down moderation.
Between your stating you're down modding him and want to continue to do so, off topic as you are, and
"Some look at your posting history (way before /.) and laugh." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
That gives me the impression you've been stalking him online for quite a while now. Your posting as ac and not even giving anyone an indication of who you are only furthers that impression in fact. You've given yourself away as just another offtopic stalking online troll.
tomhudson's coming around here trolling myself via AC posts again, AND TELLING OTHERS TO JOIN him in it also!
Proof?
Ok, I'll let tomhudson speak for himself on that very account:
"Wait until he starts on another kick, then reply to him as an AC. It's the new meme". - by tomhudson (43916) on Sunday May 09 2010, @08:29PM (#32150544) Homepage Journal
QUOTED VERBATIM FROM -> http://slashdot.org/comments.pl?sid=1646272&cid=32150544
AND, "True to AC STALKING TROLL FORM"?
Tomhudson did so again, repeatedly, here:
http://slashdot.org/comments.pl?sid=2086424&cid=35841122
and here also:
http://slashdot.org/comments.pl?sid=2086920&cid=35840680
It's obvious this is you yet again, tomhudson.
(You can stop now, the jig's up: Your own words did you in, as per your usual!)
APK
P.S.=> tomhudson - If the "best you've got" is AC stalking & trolling me, instead of disproving any technical points I make? LOL @ U, tomhudson
... apk
Whoever modded me down as redundant really should have noticed that my post was 40 minutes before the other one. The other just happened to be in response to one of the first threads posted. Bah, oh well!
I hope this has nothing to do with Qriocity or Music Unlimited because it's working great now! I don't want to get bad news again from Sony! Also, damn you kids or hackers for messing up the PlayStation Network! You should all be put in prison for hacking it! Maybe you should look up the Invasion of Privacy act!