For those put off by the first 40 lines, here's the good part:
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.
ONE MILLION email addresses and clear-text passwords. Ouch.
That far surpasses the Gawker hack since all of Gawker's passwords were encrypted with a somewhat easily reversible hash (for simple passwords) and only a subset of those passwords were recovered.
Imagine what governments could do with all those email/password combinations. Cross reference email addresses with a target internal database and an agency could (is) within minutes begin to systematically download an enormous amount of emails and other private data.
And the spammers...
And nobody ever uses the same password across different systems, right?
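The comment above quotes two separate failures: a single injectable parameter (the release names a `view.php?id=` endpoint) and a credential table that the injected query could read back in clear. The following is an added example, not Sony's code and not code from the thread; it assumes a hypothetical photo-view query of the shape that URL suggests, built over a constructed in-memory SQLite database, and shows the string-concatenated query beside the parameterised fix.

```python
import sqlite3

# Added example, not Sony's code. Constructed in-memory schema standing in for a
# photo-upload page that reads an ?id= parameter; the users table holding plaintext
# passwords is the storage failure the thread describes.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE photos(id INTEGER PRIMARY KEY, caption TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO photos VALUES (12838, 'ghostbusters fan photo');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.com', 'letmein');
    """)
    return con

def view_photo_vulnerable(con, photo_id):
    # The request parameter is pasted straight into the SQL text, so anything
    # after the number is parsed as SQL. One injection reads any table the
    # application's database account can see.
    sql = "SELECT caption FROM photos WHERE id = " + photo_id
    return [row[0] for row in con.execute(sql)]

def view_photo_fixed(con, photo_id):
    # Validate the shape of the input, then bind it as a parameter: the driver
    # sends the value separately and the database never parses it as SQL.
    if not photo_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = con.execute("SELECT caption FROM photos WHERE id = ?", (int(photo_id),))
    return [row[0] for row in rows]

# Constructed payload: a UNION that appends the credential table to the photo result.
PAYLOAD = "12838 UNION SELECT email || ':' || password FROM users"

def run(payload=PAYLOAD):
    """Return (rows the vulnerable query leaks, whether the fixed query rejected the payload)."""
    con = build_db()
    leaked = view_photo_vulnerable(con, payload)
    try:
        view_photo_fixed(con, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = run()
    print("vulnerable query returned:", leaked)
    print("fixed query rejected payload:", blocked)
    print("fixed query, legitimate id:", view_photo_fixed(build_db(), "12838"))
```

The UNION only works because the web application's database account can read `users` at all; binding parameters closes the injection, and giving that account read access to just the tables the page needs limits what any remaining injection can reach.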
> Imagine what governments could do with all those email/password combinations. Cross reference email addresses with a target internal database and an agency could (is) within minutes begin to systematically download an enormous amount of emails and other private data.
Sadly, governments don't need a hack like this to get at email.
Hard to believe that after the initial hack they didn't launch a group-wide memo from the CEO to encrypt all personal data. They could have brought some DLP vendor in to find it and roll out rapid database-level encryption without changing application code. SQL injection vulnerabilities in this day and age are unforgivable but unfortunately not uncommon. Sony will not be the only global company with hundreds of such vulnerabilities.
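For the password column specifically, the contrast drawn earlier in the thread (Gawker's hashed but crackable passwords versus Sony's plaintext ones) comes down to how much work a stolen dump costs the attacker. The block below is an added example, not code from the thread or from either company; it uses a constructed three-account dump and a constructed five-word guess list, and stores the same passwords three ways: plaintext, a fast unsalted hash (MD5 here stands in for any fast hash), and a salted PBKDF2 hash, then counts how many accounts a dictionary attack recovers and how many hash computations it needs.

```python
import hashlib
import hmac
import os

# Added example, not Sony's or Gawker's code. Constructed data: three accounts, two
# with weak passwords, and a small guess list standing in for a cracking wordlist.
ACCOUNTS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "letmein",
    "carol@example.com": "N7$k!vQ2pz#Lm9",
}
GUESSES = ["123456", "password", "hunter2", "letmein", "qwerty"]

def store_plaintext(pw):
    return pw  # what the thread says Sony did: nothing to crack

def store_fast_unsalted(pw):
    return hashlib.md5(pw.encode()).hexdigest()  # fast, unsalted: one table cracks the whole dump

def store_salted_kdf(pw, salt=None, iterations=100_000):
    # Per-user random salt plus a deliberately slow derivation; the stored string
    # carries everything needed to verify later.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted_kdf(pw, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_fast_unsalted(dump, guesses):
    # One precomputed table serves every account: cost is len(guesses) hashes total.
    table = {store_fast_unsalted(g): g for g in guesses}
    found = {email: table[h] for email, h in dump.items() if h in table}
    return found, len(guesses)

def crack_salted_kdf(dump, guesses):
    # The salt forces a fresh derivation per account per guess; no table reuse.
    calls, found = 0, {}
    for email, stored in dump.items():
        for g in guesses:
            calls += 1
            if verify_salted_kdf(g, stored):
                found[email] = g
                break
    return found, calls

def demo(iterations=100_000):
    """Return {storage style: (accounts recovered, hash computations spent)}."""
    fast = {e: store_fast_unsalted(p) for e, p in ACCOUNTS.items()}
    kdf = {e: store_salted_kdf(p, iterations=iterations) for e, p in ACCOUNTS.items()}
    fast_found, fast_calls = crack_fast_unsalted(fast, GUESSES)
    kdf_found, kdf_calls = crack_salted_kdf(kdf, GUESSES)
    return {
        "plaintext": (len(ACCOUNTS), 0),
        "fast_unsalted": (len(fast_found), fast_calls),
        "salted_kdf": (len(kdf_found), kdf_calls),
    }

if __name__ == "__main__":
    for style, (recovered, calls) in demo().items():
        print(f"{style:14s} recovered {recovered}/{len(ACCOUNTS)} with {calls} hash calls")
```

The salted KDF still gives up the two weak passwords; what changes is that each of those recoveries costs the attacker a full run of slow derivations for that one account, instead of a single table lookup shared across a million rows, and nothing precomputed carries over. Note also that the database-level encryption the comment proposes decrypts transparently for the application, so it protects a stolen disk or backup but not data pulled out through the application's own connection by an injection.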
Yikes - I believe in the PSN hack there was some question as to whether the passwords were encrypted or not. I'm glad it's out in the open for this one. Think we'll see Sony changing their name any time soon?
> Think we'll see Sony changing their name any time soon?
Doubtful, 90% of people won't remember this in a year, just like barely anyone remembers about the BP oil spill or the Toyota brake incident.
Sony might drop their name from some of their tech enterprises. The next playstation will probably just be Playstation rather than Sony, but that's likely the biggest. Considering that Sony Bravia's are often sold as just 'Bravia', I don't see it as a huge change.
I'm not so sure. A lot of people still remember the fact that Sony smuggled a malware payload onto audio CDs, and that was in 2005 (http://en.wikipedia.org/wiki/Sony_rootkit).
I for one make it my business to remember people and to point out what an evil company with a totally twisted mindset Sony actually is.
Add to that their mindboggling technical ineptitude, which is so bad that I'm sure this will be remembered in a year's time.
(I'm aware that technically Sony BMG was behind the rootkit scandal. But hey: there's the SONY brand name very clearly to see, here)
I know, I was calling bullshit on it the first time I heard it. What I liked was that the incidence of actual problems (IIRC dealerships installing the wrong size mat that would ride up) was almost identical to the rates found at other companies.
I honestly don't think any of this news makes it to the mainstream. Go ask your mom or non technical friend if they heard about the Sony hack. I'd bet they haven't a clue what you're talking about. This only hurts them in the tech circles and as a bunch of other people said, it will be forgotten by next year.
My mom has certainly heard about the Sony hack. My younger brother (still at home) has a PS3.
This is different though. It's not as newsworthy since Sony is getting hacked every other week at this point, and Sony probably won't shut down any services over it.
I hope they change the CEO at least. He has treated this situation with arrogance ("just a minor glitch") and it's not like he did an amazing job at Sony over the past few years in the business side either.
SonyPictures.com has been owned,
this is its SQLi hole:
## http://www.sonypictures.com/homevideo/ghostbusters/photoupload/view.php?id=12838 ##
TEAR THE LIVING SHIT OUT OF IT WHILE YOU CAN; TAKE FROM THEM EVERYTHING!