Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Music Greece Falls To Hackers

Posted by samzenpus on from the kicking-them-while-they're-down dept.

xsee writes "Hackers: 6, Sony: 0. It appears an attacker has performed a SQL injection attack against SonyMusic.gr. The latest attack has exposed usernames, real names, email addresses and more. Is Sony's network being used as the world's largest public penetration test?"

27 of 303 comments (clear)

  1. SQL Injection... by yarnosh · · Score: 5, Funny

    The most preventable of all security holes. How sad.

    1. Re:SQL Injection... by hedwards · · Score: 4, Interesting

      I'm enjoying this for the lulz and the epic security fail. I just wish I could buy a drink for whomever it is that's doing this to Sony.

    2. Re:SQL Injection... by Bacon+Bits · · Score: 4, Informative

      I thought the most preventable of all security holes was blank administrator passwords. Granted, the most notorious instance of this was the default install of SQL Server 2000's sa account....

      --
      The road to tyranny has always been paved with claims of necessity.
  2. Public penetration test by mehrotra.akash · · Score: 4, Insightful

    Isnt every network exposed to the public (esp. mid size or larger commercial ones) continously under attempted attack?

    1. Re:Public penetration test by MagusSlurpy · · Score: 5, Insightful

      Yes, but to be fair to Sony (which really pains me), they are currently the focus of every bored script kiddie in the world right now, as well as most of the legitimately pissed-off, skilled hackers. While there may not be such a thing as "security through obscurity," there is a lot to be said for not having a target the size of Montana painted on your servers.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
  3. Karma's a bitch, Sony. by jaskelling · · Score: 4, Insightful

    Years of half baked products, poor reliability, hostile customer service, lazy innovation, and a general disdain for security are what your customers have had to deal with. I really don't care who is doing it to you or why - but I applaud them teaching you the hard lessons of the evolving technological age. You can't keep repeatedly flipping people the finger anymore and tell them to deal with it. Evolve or die. And no, my loathing isn't related to just the recent PS3 debacle. It extends to experiences with consumer audio, professional theatrical projection equipment, and so on right down the line. The fact that you're being taken out by the simplest of attacks in most cases just makes my smile grow a little more.

    1. Re:Karma's a bitch, Sony. by Opportunist · · Score: 5, Insightful

      Remember when Sony products were cool because they were innovative?

      Yes, I'm actually that old.

      I guess we should explain for the kids here since I guess they can't even imagine it: Sony was cool. Not just like Apple today, with fanboys liking it and everyone else hating it, it was THE cool brand. They had innovative products with never seen before features and a kickass support that didn't bother to ask for details, they just threw a new model at you if the old one croaked, which was actually unlikely because, hey, it was a SONY, they don't fall apart! People were proud to have Sony speakers and Sony radios in their cars, they were proud to have a Sony walkman (as if you could get any others, after all it was a brand name) and they had every right to be proud, they bought something of lasting value!

      I admit, it's very hard to believe that today.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Karma's a bitch, Sony. by _xeno_ · · Score: 5, Informative

      professional theatrical projection equipment

      There was an interesting story in the Boston Globe this weekend about how Sony projectors are projecting 2D digital movies up to 85% darker than they should.

      The reason? It turns out to be Sony DRM, although the article doesn't ever come out and say it directly. Basically, there's a special 3D lens required to display 3D movies, but this lens reduces the brightness of 2D movies.

      So why aren't theater personnel simply removing the 3-D lenses? The answer is that it takes time, it costs money, and it requires technical know-how above the level of the average multiplex employee. James Bond, a Chicago-based projection guru who serves as technical expert for Roger Ebert's Ebertfest, said issues with the Sonys are more than mechanical. Opening the projector alone involves security clearances and Internet passwords, "and if you don't do it right, the machine will shut down on you."

      In other words, you have to deal with Sony DRM. Rather than jump through the Sony-imposed hoops, theaters just leave the 3D lens on all the time.

      Why bother with Sony projectors at all if they have this problem and others don't?

      The reason appears to be a basic business quid pro quo. Sony provides projectors to the chains for free in exchange for the theaters dedicating part of their preshow ads to Sony products.

      So, yeah. Another wonderful example of Sony in general and Sony DRM in specific giving customers an inferior product.

      Obviously the theaters deserve some blame for this too.

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re:Karma's a bitch, Sony. by _xeno_ · · Score: 5, Informative

      No, that is just the polarising lens/filter combo needed for passive 3D glasses. Like sunglasses polarisation makes the image darker.

      Yes, that would be the technical reason why the image is darker, but that's not the DRM part. The DRM is the reason that the projectionist doesn't simply replace the lens: if they do, they risk tripping Sony's DRM and locking the projector out.

      Rather than risk that, they just leave the lens on. Thereby making the movie look absolutely horrible.

      So it may not be DRM making the movie dark directly, but DRM is the root cause: Sony doesn't trust the people who own the projector to change the lens, and it's DRM that enforces that policy.

      --
      You are in a maze of twisty little relative jumps, all alike.
  4. Sony = Consistent by alphax45 · · Score: 5, Insightful

    Well at least they are consistent - none of their systems seem to have more than basic security.

    --
    K Man
  5. Re:people are stealing user info by fotbr · · Score: 5, Insightful

    In this case....I don't feel sorry for anyone doing business with sony. From my point of view, they made their bed, now they get to lay in it.

  6. Like it matters. by MrQuacker · · Score: 5, Interesting
    Anyone who's ever visited Greece knows nobody buys music there. For 2euro an hour you can visit an internet cafe, get the password from the guy at the front desk, and connect to the cafes local file server. Last time I was there they had something like 20TB+ worth of movies, music, tv shows, games, and porn.

    They decided that since people download stuff anyways, might as well save on the bandwidth and store it locally. Any time you download a file its mirrored in the cafes file server, so others can copy it without having to re-download.

    And if you dont go that route, you can buy bootleg copies from any number of African immigrants on the street for just a few euro. Many times for better quality than available in stores for retail price.

  7. Plain text passwords?? by wvmarle · · Score: 5, Informative

    The linked article also provides a screen shot with obscured personal information.

    It appears the passwords are stored in plain text, not as hash: formatting makes it unclear but it seems the length varies, and the password fields are short (6-10 characters or so), while hashes are much longer than that.

    Bad bad security! No wonder they also fall victim to the age-old SQL injection attack... which I thought most SQL interface libraries can automatically intercept by adding the appropriate escaping... many years ago I used Pythons MySQLdb and they were doing that for very very long already... so there should be no excuse for allowing this to happen still.

  8. Re:people are stealing user info by Killerchronic · · Score: 4, Insightful

    It maybe a problem for users but this is a serious wakeup call to said users, no your data is not as safe as you think it is when you are handing it over to all these companies, its about time the cracks were shown to customers and just how slack these companies can be in keeping their protocols and systems running correctly. I am still laughing, im not a sony fan in any way, shape or form, obviously its bad its happening but its hilarious that a company this big has such lax security and is being exposed on an almost daily basis.

  9. "Is Sony's network being used as ..." by QuasiSteve · · Score: 5, Insightful

    Is Sony's network being used as the world's largest public penetration test?

    No, every other scriptkiddie is just joining in on teh lulz of flogging the dead horse. "ZOMG I sql injectioned a SONY site! Yeah, it's got nothing to do with PS3 or PSN, and yeah it's some site in Greece, but lulz amirite!?"

    It's even in the bloody article, isn't it?

    As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

    It appears someone used an automated SQL injection tool to find this flaw. It's not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.

    I mean.. honestly?

    They could be running this against $random_site and try to hit the news with it, too.. but they wouldn't.. because nobody cares about a random hack at a random site right now.. but if it's got SONY attached to it.. well.. lulz rules the news.

    None of which excuses the poor security.. but none of which excuses the submitter from his choice of words either.

    1. Re:"Is Sony's network being used as ..." by LordLucless · · Score: 5, Insightful

      As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

      It almost seems as if deliberately screwing people over doesn't really pay off, doesn't it?

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  10. Re:Being positive here... apk by compro01 · · Score: 4, Insightful

    SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.

    How to stop this particular attack.

    Available evidence suggests they have no shortage of dailyWTF-worthy screwups that people can continue to exploit.

    --
    upon the advice of my lawyer, i have no sig at this time
  11. SQL injection attacks fixed long ago by SuperKendall · · Score: 5, Informative

    I suspect that it will be a while before we see a real fix to the SQL injection problem as well.

    It's called a paramterized query and pretty much every language on the planet supports this mechanism.

    SQL injection is mostly a solved problem, except for programmers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Re:people are stealing user info by LordLucless · · Score: 5, Insightful

    So your saying, by doing this they're going to drive customers away from Sony, reduce their income stream, and eventually remove them from the world of global commerce?

    Wow, that sounds...terrible

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  13. I love the smell of napalm in the morning by ras · · Score: 5, Insightful

    Is Sony's network being used as the world's largest public penetration test?"

    No more than HB Gary was.

    To wit: This is the prescription for being attacked mercilessly, for months on end:

    1. 1. Produce an item that is clearly advertised as having feature X, where feature X is useful only to really, really good programmers. You know - the ones who spend their time cracking the hardest problems using array of specialised parallel processors.
    2. 2. Sell the item to lots of people, who hand over their money on the basis of having feature X.
    3. 3. Some years later, withdraw feature X, so the all the software these people have invested years in creating is blown away.
    4. 4. When said programmers then fairly legitimately, extract your secret keys so they can restore feature X, unleash a phalanx of lawyers to peruse them within an inch of their financial lives, until they recant.

    At that point you will discover what sort of damage a bunch of really pissed off top notch programmers can do.

    With luck all the other psychopathic mega corporations around the world are watching and learning. The lesson is simple: don't poke a hornets nest.

  14. Re:people are stealing user info by hedwards · · Score: 4, Interesting

    Honestly is this really that much worse than when Sony decides to vandalize customer equipment?

  15. How does this even happen? by rebelwarlock · · Score: 4, Insightful

    One of the first things you learn about web programming is to clean any string a user touches. If there's even a remote possibility that a user submitted something, clean it before putting it in your query. How is it even possible that someone would be given money for web programming before learning this? That's not even a rhetorical question; I'm genuinely interested in the answer.

  16. They probably wanted to save money by elucido · · Score: 4, Insightful

    It's cheaper not to hire or pay for information security.

    And when they do they probably don't hire the best. Let's face it, Sony is not innocent and I could care less what happens to Sony. I don't own Sony stock, I don't work for Sony, and I don't own any Sony products except for an old PSX. So I just don't care what happens to Sony.

    Maybe other companies will now give a shit about information security.

  17. Re:people are stealing user info by justforgetme · · Score: 5, Insightful

    ohh, wait I have to say something about this!!!!

    I was in a bank once, while it was being robed! Ok, it wasn't the nicest experience I ever had and I might have been inconvenienced a bit.
    Did I lose the money I had in the bank? No.
    Did I loose the info I had stored in it? No.
    Did I manage to do the jobs I had with the bank? Yes, I just went to another branch.

    So if you are going to create a service infrastructure that hasn't enough failsaves and backup plans to deal with a simple digital break in then you damn well deserve to be reduced to the economic equivalent of decarbonized organic material... And all people who trusted your Services (including Yours truly) deserve a very big refund for your incompetence and a big slap in the face for being such fools!

    --
    -- no sig today
  18. Re:could NOT care less!! by Lillebo · · Score: 5, Funny

    endlessly

    ftfy

  19. Re:people are stealing user info by maxwell+demon · · Score: 4, Interesting

    It's heading rapidly towards the level of incompetence that the rootkit fiasco was...

    It would be funny if the vulnerability that was exploited came from that very rootkit, installed by some unsuspecting employee putting a Sony CD into the computer ...

    --
    The Tao of math: The numbers you can count are not the real numbers.
  20. Re:testing whether Slashdot... by Posting=!Working · · Score: 4, Interesting

    I know you were trying to make a joke, but since about 2-3 weeks ago, if I click my username in the top right, I get "The user you requested does not exist, no matter how much you wish this might be the case. "

    It's just a theory, but I think the != in the middle of my username has something to do with it.

    --
    This sentence no verb.