Sony Woes Continue With SQL Injection Attacks
Sony is not having a good spring at all. Just days after the PlayStation Network came back online after an attack compromised 77 million user accounts, two Sony properties were hit by SQL injection attacks.
The same group that targeted Fox.com earlier this month used a SQL injection attack to expose data on Sony Music Japan. The incident follows a similar SQL injection attack that exposed user information on Sony BMG Greece on May 21.
"This isn't a 1337 h4x0r ('elite hacker'), we just want to embarrass Sony some more," wrote Lulz Security, a group that seems more interested in attacking sites for fun and political reasons.
Two PHP pages on the Sony Music Japan site were vulnerable to SQL injection, The Hacker News reported on May 23.
"Another day, another attack on Sony," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.
The attack on the Japanese site marks the ninth known incident on Sony properties since unidentified attackers compromised the PlayStation Network on April 16. Sony Indonesia's Website was also defaced on May 21, and on May 20 security firm F-Secure discovered a credit card phishing scam that had been running undetected on Sony's Thailand site.
Sony also discovered on May 18 that So-net Entertainment, its mobile Internet service provider subsidiary, had been breached. Attackers accessed 128 user accounts and redeemed "So-net points" for goods worth about $1,225, as well as 73 accounts where no points were redeemed and 90 e-mail accounts, Sony said on May 20.
In terms of scale, the So-net breach is minuscule as it affected only 200 user accounts, compared to the millions of users affected by other attacks. The breach took a lot of effort, as the offending IP address had made 10,000 attempts to break in, the company said.
Data leaked from the earlier attack on Sony BMG in Greece included usernames, real names and email addresses of users registered on the SonyMusic.gr site. This attack appears to have used an automated SQL injection tool to find the flaw, according to Wisniewski.
It remains unclear who was behind the SonyMusic.gr or So-net attacks. "As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them," Wisniewski said.
The database information that was published from Sony Music Japan did not contain names, passwords or other personally identifiable information. While Lulz Security noted there were two other databases on the site, it was unclear whether they contained sensitive information.
It also wasn't clear whether hackers could inject data into the databases, or if they merely accessed the tables and data within. Injecting data would have far-reaching consequences, as it would mean the attackers could insert malicious code that could compromise site visitors.
"Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public-facing sites that it will take them a long time to patch them all?" Wisniewski wrote.
While it is "nearly impossible" to run a totally secure Web presence, especially for companies as large as Sony, Wisniewski speculated that when "this is over, Sony may end up being one of the most secure Web assets on the net."
Relying on pranksters and malicious attackers to uncover the vulnerabilities in your applications and Web properties is an expensive way to make your systems secure. It's already costing Sony an estimated $171 million. It's far less costly to perform thorough penetration tests and regular audits to look for security bugs.