Sony Ericsson Latest Victim of SQL Injection Attack

By Fahmida Y. Rashid  |  Posted 2011-05-26

In what is becoming a regular occurrence, Sony has shut down another service after another attack. This time, the vulnerability was in the Canadian e-commerce site for Sony Ericsson.

More than 2,000 customers have had their personal data stolen from the e-commerce store, including e-mail addresses, passwords, and telephone numbers, Sony told the BBC on May 25. No credit card information was accessed in the latest attack, according to Sony.

The electronics and entertainment giant has been under near-continuous attack since April, first by distributed denial of service attacks from hacktivist group Anonymous, followed by the April 16 attack that compromised over 100 million user accounts on Sony PlayStation Network, Qriocity music and video service and Sony Online Entertainment. Since then, various Sony servers and Websites have been compromised, including Sony Music Greece, Sony Music Japan and Sony Indonesia.

The e-commerce site was hit by a similar SQL injection attack used against Sony Music Greece and Japan, according to a screenshot posted on The Hacker News.

A Lebanese grey hat hacker "idahc_hacker" posted a database file containing password hashes, e-mail addresses and full names to the text-sharing site Pastebin. The hacker claimed to have discovered additional databases besides the one already posted that contained credit card numbers, telephone numbers, discount coupons and the administrator's username and password, but didn't take them because he wasn't "black hat."

Ethics amongst attackers? That's a new one.

The posted passwords were not hashed using MD5 or SHA1, so they are not easily cracked. If Sony has salted them, it would also make it harder to recover the password. Salts are randomly generated bits of data that is combined with a password before generating a cryptographic hash, which is saved in the database.

The hacked site was externally hosted by third parties and were not part of Sony Ericsson's main network, the company said. Sony is investigating whether the latest attacks on various properties are in related to each other or to the original PlayStation Network incident. This may be the tenth attack against Sony in the past month.

The attacks don't appear to be centrally coordinated, but are more likely opportunistic from those angry with Sony over the lawsuit against the PlayStation 3 hacker George Hotz earlier this year.

Sony chairman Howard Stringer said in an interview last week that the attack was a "hiccup" in its Internet strategy and that "Nobody's system is 100 percent secure." That may be so, but some statements in the past have hinted that Sony was running outdated Web server software and had no firewall.

Also, SQL injection attacks are fairly basic attacks, taking advantage of programming mistakes. Attackers insert some database queries are inserted on the Website, often masquerading as a comment or in one of the fields on a form. When the information is submitted, if the Website doesn't process the text properly, it will allow the malicious queries to execute on the database and return the results to the attacker.

Sony has hired three security firms to investigate the attack and to help remediate the issues. The company has spent an estimated $171 million to deal with the attacks.

Rocket Fuel