bit-gamer.net

Sony Pictures hacked


Hacking group LulzSec has compromised Sony Pictures, leaking details of over 60,000 users.

Hackers have struck Sony once again, this time hitting Sony Pictures and Sony BMG and posting the email addresses and passwords of over 60,000 users. The hackers also posted details of how to carry out further attacks.

Data was posted to BitTorrent by a hacking group calling itself LulzSec. The group claims it was able to access the details of over a million customers, along with admin usernames and passwords for Sony staff. The group also accessed around 3.5 million music coupons and 75,000 music codes.

LulzSec released a statement saying that the hack was carried out via SQL injection and that Sony stored passwords in plain text, without encryption.

‘This is disgraceful and insecure,’ reads a LulzSec statement. ‘They were asking for it... Why do you put such faith in a company that allows itself to become open to these simple attacks?’

The hacker group came to light earlier in the week for hacking US TV station PBS' website as retaliation for a Wikileaks documentary that they deemed to be unfair.

This attack hits Sony just after it restored the PSN and updated many security systems. Sony is announcing the re-launch of the PlayStation Network by offering a free trial of its premium service and a selection of free games to customers by way of apology for the outage.

Let us know your take on the attacks against Sony in the forums.

41 Comments

V3ctor 3rd June 2011, 12:10 Quote
I guess now it's fashion among the hackers to hit Sony's arse...
alpaca 3rd June 2011, 12:11 Quote
why did this post vanish from the front page?
CardJoe 3rd June 2011, 12:12 Quote
Quote:
Originally Posted by alpaca
why did this post vanish from the front page?

...it didn't?
alpaca 3rd June 2011, 12:13 Quote
Quote:
Originally Posted by CardJoe
...it didn't?

oh no sorry, my bad, it just got moved from the news section to the main articles section. my apologies.
WarrenJ 3rd June 2011, 12:41 Quote
Heard about this on the news this morning. It's amazing that a company of this size hasn't taken simple steps to secure users' data. Reminds me of a Simpsons episode where Bart gets electrocuted every time he touches a certain cupcake. Will they ever learn?
cgthomas 3rd June 2011, 12:43 Quote
Who else wants to sign up to the 2011 Sonympics?
Captain Awesome 3rd June 2011, 12:51 Quote
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?
Spreadie 3rd June 2011, 13:05 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

So we should give the massive tech company, with limitless resources, the benefit of the doubt for failing to adequately protect its customers' details? Really?

I'm no fan of these large hacking groups, but they have at least highlighted just how lax and irresponsible Sony have been.
west 3rd June 2011, 13:12 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

They did ask for it.
As a customer you expect that your private information will be at least encrypted.
There is an expectation of some kind of protection.
Without at least that how could you confidently give any financial or even personal information to companies?
Data privacy is a part of their service and they are ripping you off if they can't even manage that (in my opinion).
For a company this size there is no excuse.
Just be glad that Sony was not hacked by truly malicious people who might have done much worse with that or other information.
Fizzl 3rd June 2011, 13:15 Quote
They probably don't have a good idea of how much is out there and what is exposed.

As they didn't seem to have had a security strategy there are probably hundreds of these random small sites set up by some guy in marketing that aren't maintained properly.
Woodspoon 3rd June 2011, 13:16 Quote
Quote:
Originally Posted by Captain Awesome
The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

Maybe by doing a proper security review after the first time they got hacked and keeping "at risk" or poorly secured systems offline until they can be secured.
Given the recent spate of attacks on Sony, keeping passwords in plain text was just looking for trouble, switch it off if you can't keep it secure.
Grape Flavor 3rd June 2011, 13:16 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

Yeah, really. Will these kids just go away already. All their statements reek of flimsy rationalization to me. It's one thing to be a complete dick, and another to act all high and mighty about doing so. Infuriating.

This really is cyber terrorism, folks. Fear and intimidation used to coerce (companies, in this case) into their agenda. A vigilante group making all sorts of broad political demands and choosing to wreak havoc and destruction in ostensible support of those ends. We're even seeing the classic "fight them" vs. "appeasement" debate played out over the internet.

To me, it doesn't matter if you think Sony is evil. Just like it doesn't matter if you think Western society is decadent and our Middle East policy is screwed up. There are acceptable means of protest and then there's terrorism. And just because in this case they're not physically harming anyone doesn't mean it's okay.
Mentai 3rd June 2011, 13:16 Quote
As someone that doesn't own/care about any Sony products, this whole saga amuses me.
Showerhead 3rd June 2011, 13:17 Quote
Did they not learn from the first time to encrypt the users' data?
Grape Flavor 3rd June 2011, 13:19 Quote
Quote:
Originally Posted by Woodspoon
Maybe by doing a proper security review after the first time they got hacked and keeping "at risk" or poorly secured systems offline until they can be secured.
Given the recent spate of attacks on Sony, keeping passwords in plain text was just looking for trouble, switch it off if you can't keep it secure.

I don't think anyone is saying Sony has had ideal, or even acceptable security. These people though are actually trying to make the argument that if the vault doors weren't sturdy enough it's perfectly okay to stroll in and steal what you want. I reject that.
von_stylon 3rd June 2011, 13:20 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

Get it right first time?
west 3rd June 2011, 13:23 Quote
Quote:
Originally Posted by Grape Flavor
Quote:
Originally Posted by Woodspoon
Maybe by doing a proper security review after the first time they got hacked and keeping "at risk" or poorly secured systems offline until they can be secured.
Given the recent spate of attacks on Sony, keeping passwords in plain text was just looking for trouble, switch it off if you can't keep it secure.

I don't think anyone is saying Sony has had ideal, or even acceptable security. These people though are actually trying to make the argument that if the vault doors weren't sturdy enough it's perfectly okay to stroll in and steal what you want. I reject that.

The fact that the act of hacking or stealing is immoral does not negate the responsibility of these companies to protect this data.
Just because the rain storm was not your fault or intention does not negate the need to shut your windows.
There will always be hackers and people who would do immoral things. To ignore this and to justify a lack of security in this way is just foolish.
Bungletron 3rd June 2011, 13:27 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

Your crude analogy is rather misleading, of course you should avoid criminal activity of any kind, however once you are aware of an issue then why not take steps to mitigate just in case? The hack is criminal, yes, however the mentality of the criminal is to go for the easy take down, you must conclude the reason Sony is being reported as being breached again is because compared to others it is possible.

Over a month ago it became clear, Sony does not encrypt sensitive data and has particularly weak network security on at least one of its networks. This failure should act as a stimulus to secure any other system that behaves like this immediately, Sony should take action but it will send shockwaves through the industry, everyone will be scrutinising their security. Scroll to today, a security breach has occurred at Sony with entirely the same hallmarks, the passwords are unencrypted and out in the open, why wasn't this changed? The mind boggles.
WarrenJ 3rd June 2011, 13:28 Quote
Tbh, it's been over a month since the first attack. Though they are trying to make the Playstation network secure, they obviously didn't take into account other sections of the company would also be at risk. It doesn't take long for a good programmer to encrypt passwords. Doesn't take a month for a monkey to do it either. (citation needed)

I just hope other companies are learning from Sony's mistake and bolt all the doors shut on their systems.
azazel1024 3rd June 2011, 13:50 Quote
Maybe it is my perspective working in the public sector in IT, but things take time. Private sector can sometimes be more agile, but when you get to the really big companies they aren't much more agile than the public sector is, sometimes worse depending on the culture. Things just take time. It's not as simple as just saying "oh, we have a problem, let's hash our passwords". You might have to rework a dozen systems and a bunch of databases to handle the new way of storing passwords.

Should it have been done to begin with? Certainly, should they have set things up so that they weren't vulnerable to SQL injection attacks, definitely. That doesn't mean something wasn't overlooked and wasn't discovered in testing.

Once it is discovered it takes time to fix. It's not like we are talking a single system here that they haven't fixed. We are talking dozens and dozens of systems and hundreds of applications. Probably that took a few tens of thousands of work years to put together all together. It doesn't take a single programmer 45 minutes to fix. It probably takes a couple of hundred several months to fix everything and that is assuming there is nothing preventing them from making the changes quickly (like having to implement a system wide change all at once instead of being able to roll it out piecemeal).
Bungletron 3rd June 2011, 14:21 Quote
Quote:
Originally Posted by azazel1024
Maybe it is my perspective working in the public sector in IT,

As an IT worker your perspective is odd, it sounds more like a management perspective. I remember at my last firm the system was so old it creaked, passwords were not encrypted there either. Engineers and developers would be battling management every day to try and get these things improved, they were mostly ignored and they made their feelings of frustration about how sh1t it was very vocal indeed! When the Risk team finally took interest and started to do some calculations the improvements very suddenly started to happen, new IT contractors appeared very sharply indeed.

You can do this in the technology industry in the private sector, just depends how serious you are about it. Sony could have taken down everything, checked it and put it back up when it was fixed like PSN, they decided it was cheaper not to.
will_123 3rd June 2011, 14:50 Quote
Quote:
Originally Posted by Mentai
As someone that doesn't own/care about any Sony products, this whole saga amuses me.

Welcome to my boat!
supermonkey 3rd June 2011, 15:34 Quote
I'm really getting tired of all these "hacker" groups. If they were at all interested in improving network security in the corporate world, they wouldn't be posting all the user names and passwords to the internet for all to see.

No, this is just criminal behavior coupled with publicly bragging about the results. You want to highlight the holes in Sony's security? Fine. Own up to it, put your name to the actions, and work with Sony to fix the problem.
Fizzban 3rd June 2011, 15:48 Quote
Quote:
Originally Posted by supermonkey
I'm really getting tired of all these "hacker" groups. If they were at all interested in improving network security in the corporate world, they wouldn't be posting all the user names and passwords to the internet for all to see.

No, this is just criminal behavior coupled with publicly bragging about the results. You want to highlight the holes in Sony's security? Fine. Own up to it, put your name to the actions, and work with Sony to fix the problem.

I agree. Both parties could gain. The company would gain by getting free information on how to secure their systems, and the hacker groups would gain by getting the recognition they seek. But the moment they post information online or use that info in any way, they are criminals.
Glix 3rd June 2011, 15:53 Quote
Quote:
Originally Posted by supermonkey
I'm really getting tired of all these "hacker" groups. If they were at all interested in improving network security in the corporate world, they wouldn't be posting all the user names and passwords to the internet for all to see.

No, this is just criminal behavior coupled with publicly bragging about the results. You want to highlight the holes in Sony's security? Fine. Own up to it, put your name to the actions, and work with Sony to fix the problem.

You're kidding, right?

I've just hacked bit tech... oh you want proof, err, erm I don't really want to expose any info that could be used to prove I did it...

How do you propose they work with Sony? How do you know that they didn't already send a warning email?
This is what happens in the hacker world, they find an exploit, let the party know about it, then a week later release it to the public to speed up the addressing of said exploit. Where have you been these last few years?
geemsean 3rd June 2011, 17:45 Quote
Quote:
Originally Posted by Captain Awesome
They asked for it, ey? Do you rape a girl just because she dresses slutty?
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?

This is one seriously flawed analogy. Your juvenile reasoning implies that Sony is the sole victim of the incident, whereas the true victims were the innocent customers who put their faith in Sony to keep their personal information secure. Sony has had enough time and resource to make corrections in their security, or lack thereof. This just proves that PSN wasn't just a freak accident, but a timebomb waiting to happen. If Sony doesn't wake up and tighten the security in the rest of their branches, the catastrophes would be massive.
Sloth 3rd June 2011, 18:06 Quote
I almost find the bit about having hacked PBS more shocking. A non-profit television station is "punished" for broadcasting a show the hackers don't agree with? First amendment anyone? Certainly not the kind of justice I'm interested in.
Quote:
Originally Posted by supermonkey
I'm really getting tired of all these "hacker" groups. If they were at all interested in improving network security in the corporate world, they wouldn't be posting all the user names and passwords to the internet for all to see.

No, this is just criminal behavior coupled with publicly bragging about the results. You want to highlight the holes in Sony's security? Fine. Own up to it, put your name to the actions, and work with Sony to fix the problem.
+1 to that. You can't claim to only want to reveal weaknesses when you're exploiting them as you speak!
Quote:
Originally Posted by Glix
You're kidding, right?

I've just hacked bit tech... oh you want proof, err, erm I don't really want to expose any info that could be used to prove I did it...

How do you propose they work with Sony? How do you know that they didn't already send a warning email?
This is what happens in the hacker world, they find an exploit, let the party know about it, then a week later release it to the public to speed up the addressing of said exploit. Where have you been these last few years?
In reality where there is no email and the hacker just takes your credit card info to use your money. Robin Hood is a fairy tale, criminals exploit it and in turn get the respect and admiration of the very people they're harming. I sure as hell don't want some malicious group of people telling me who I should or should not do business with and ain't buying their noble claims.
llamafur 3rd June 2011, 18:57 Quote
Quote:
Originally Posted by Mentai
As someone that doesn't own/care about any Sony products, this whole saga amuses me.

Same here. I'm thoroughly enjoying this conniption.
themax 3rd June 2011, 19:28 Quote
Quote:
Originally Posted by Glix
You're kidding, right?

I've just hacked bit tech... oh you want proof, err, erm I don't really want to expose any info that could be used to prove I did it...

How do you propose they work with Sony? How do you know that they didn't already send a warning email?
This is what happens in the hacker world, they find an exploit, let the party know about it, then a week later release it to the public to speed up the addressing of said exploit. Where have you been these last few years?

No, this doesn't happen in the hacker world. In the IT Security world, real people, with real names, own up to an exploit they find and inform the party involved, not run off to twitter, first tweeting about said attack, then days later posting the stolen information. These guys just want attention, and are far from any sort of group fighting any "injustice". They are criminals at best.

I'll try to dig up the article, but I also read that these guys tried to drag a former member into this by outing his username as having paid them to do it. Seriously? People are rooting for that?

Edit: Unfortunately Fox is where I found the article so I'm not posting that because I can't say whether it's 100% true. The article states that Branndon Pike was the person Lulzsec identified on their twitter when they referenced Shadow DXS as having paid them to hack the PBS website.
supermonkey 3rd June 2011, 19:49 Quote
Quote:
Originally Posted by Glix
You're kidding, right?

I've just hacked bit tech... oh you want proof, err, erm I don't really want to expose any info that could be used to prove I did it...

How do you propose they work with Sony? How do you know that they didn't already send a warning email?
This is what happens in the hacker world, they find an exploit, let the party know about it, then a week later release it to the public to speed up the addressing of said exploit. Where have you been these last few years?
No, I'm not kidding. I don't need proof because I don't care about your hypothetical reputation in the hacker world. If you found an exploit and hacked the Bit-tech server, you could very easily send an e-mail to the Bit-tech staff and provide them with whatever proof they desire. Posting all of Bit-tech's users' details online is utterly unnecessary. You could then work with them to patch the exploit.

Like I said, work with the company. The company being slow to react is not justification to screw over thousands of people who have nothing to do with the company's IT security.

EDIT:
Quote:
Originally Posted by llamafur
Same here. I'm thoroughly enjoying this conniption.
Go ahead and have your laugh. When your bank gets hit and your credit card is stolen, be sure to let us know so we can be condescending in return. :)
SexyHyde 3rd June 2011, 22:15 Quote
Sony are not all innocent. Remember not too long ago they hid a root kit in a product and didn't disclose it was there. They sold a product then retracted one of the features they used to sell it, then went after someone who tried to add these features back in. Then they leave passwords unencrypted.

To the person saying they are trying to coerce them into doing something their way, it seems to me they are only trying to get them to upgrade their lax security which will only benefit Sony and their customers. if they just rang up and said "these accounts/sites need better security" what do you think Sony would do?
TWeaK 3rd June 2011, 22:35 Quote
How is it that everyone here seems to think an organisation that calls themselves 'LulzSec' has any particular demands for Sony, or even any particular motive?
SexyHyde 3rd June 2011, 23:21 Quote
everyone has a motive for doing something. the detective in me says "lulz" = for a laugh (by making someone look stupid) "sec" = security (where they did the lulz!). Hackers they are in Sony's servers, rofling. maybe even roflcoptering!
PaulC2K 3rd June 2011, 23:22 Quote
Will all users registered on there before the attack all get to pick 2 free photo albums to make up for this as a 'welcome back, no please come back' offer? :D

I wouldn't say it's irresponsible of Sony not learning from the whole PSN saga, they must have hundreds of sites, and this is just one of them. What IS irresponsible is the fact that clearly Sony give no value to storing personal and confidential data in plain text, not encrypted. Store it backwards at least Sony, make some sort of effort with the data that people trust you to keep hold of and protect.

The whole hacking thing doesn't concern me at all either, if 1 Scottish chap can hack into servers used by NASA, CIA, FBA, US Military etc looking for proof of aliens and environmental coverups for over a YEAR... how is Sony meant to stay foolproof on a network designed to allow 77m people to connect to it?? The real concern is they clearly don't do all they can to ensure IF hacked, the data is worthless to those people.
Sloth 4th June 2011, 00:02 Quote
Quote:
Originally Posted by SexyHyde
Sony are not all innocent. Remember not too long ago they hid a root kit in a product and didn't disclose it was there. They sold a product then retracted one of the features they used to sell it, then went after someone who tried to add these features back in. Then they leave passwords unencrypted.

To the person saying they are trying to coerce them into doing something their way, it seems to me they are only trying to get them to upgrade their lax security which will only benefit Sony and their customers. if they just rang up and said "these accounts/sites need better security" what do you think Sony would do?
How are they benefitting customers? Thousands have had their accounts compromised. They are the people customers don't want to have hacking into anything.

And for some reason people want to glorify people terrorizing innocent customers. I don't even want to think about how many account holders are completely non-tech savvy and don't care or know about any of this yet end up having their account stolen thanks to their passwords being exposed because a group of neck-beards (no offense) want to tell them where to take their business.
themax 4th June 2011, 00:35 Quote
These guys are such class act "Hactivists" as Ars loves to label them that they won't even own up to the damage they have inadvertently caused.

http://arstechnica.com/tech-policy/news/2011/06/lulz-sony-hackers-deny-responsibility-for-misuse-of-leaked-data.ars

According to LulzSec, hacks using the data have already begun—but don't blame them! Releasing all these e-mail addresses and passwords was Sony's fault.
Tulatin 4th June 2011, 07:32 Quote
You can blame the people who breached the security all you want for letting the information out into the world, but Sony's fully at fault for incompetence here. It's like saying the burglars are at fault when your home security system's monitoring center makes no effort to contact the police to stop them.

Oh, and trying to work "With" a company is a good way to have them litigate and report you. It's probably not a good idea. Now where's a handy class-action I can join against this lumbering company?
PCBuilderSven 4th June 2011, 07:47 Quote
Quote:
Originally Posted by supermonkey
No, I'm not kidding. I don't need proof because I don't care about your hypothetical reputation in the hacker world. If you found an exploit and hacked the Bit-tech server, you could very easily send an e-mail to the Bit-tech staff and provide them with whatever proof they desire. Posting all of Bit-tech's users' details online is utterly unnecessary. You could then work with them to patch the exploit.

Like I said, work with the company. The company being slow to react is not justification to screw over thousands of people who have nothing to do with the company's IT security.

EDIT:

Go ahead and have your laugh. When your bank gets hit and your credit card is stolen, be sure to let us know so we can be condescending in return. :)

It's unlikely my bank will get hit because my bank (and basically every single other one) stores data encrypted, not in plain text.

I agree with llamafur and Mentai, this is great fun:).

SexyHyde 4th June 2011, 09:37 Quote
Quote:
Originally Posted by Sloth
How are they benefitting customers? Thousands have had their accounts compromised. They are the people customers don't want to have hacking into anything.

And for some reason people want to glorify people terrorizing innocent customers. I don't even want to think about how many account holders are completely non-tech savvy and don't care or know about any of this yet end up having their account stolen thanks to their passwords being exposed because a group of neck-beards (no offense) want to tell them where to take their business.

Sony will or at least should shut it down and make it safe. As a lot of people have already said, they should also be liable for everything, they have been negligent, plain and simple. I'd love to live in a nice utopian world but I'm a realist, we simply don't. It's why I lock my house and car when I am not in them.
Glix 4th June 2011, 17:48 Quote
And now the apps side of Sony was also hacked supposedly by a SQL injection again... Anyone seeing a pattern here, like all these sites have the same validation.
demonisch 6th June 2011, 07:46 Quote
I am a website developer; the most newbie mistake to make is to use inline SQL with params from the query string/form post without validating them/quoting them. It is very easy to modify query string params or fake your own posts, you can even get an addon for Firefox to do it. This is not sophisticated hacking, it is Sony's website developers who have no clue on security.
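
The two failures named in the article (SQL injection and plain-text passwords) and the inline-SQL mistake described in the comment above, shown from the defensive side as an added example; it is not part of the thread and is not code from Sony or any poster. The table layout, function names and sample accounts are hypothetical and constructed for illustration, using Python's standard `sqlite3`, `hashlib` and `hmac` modules.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def make_db():
    """In-memory database with a hypothetical users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return db


def hash_password(password, salt):
    """Salted, iterated hash: a leaked table no longer hands out passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(db, email, password):
    """Store a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def find_user_inline(db, email):
    """The 'before': a request parameter pasted straight into the SQL text."""
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(query)]


def find_user_bound(db, email):
    """The fix: a bound placeholder, so the value is treated as data only."""
    rows = db.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def check_login(db, email, password):
    """Recompute the hash with the stored salt; compare in constant time."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # Constructed sample accounts.
    register(db, "alice@example.test", "correct horse")
    register(db, "bob@example.test", "hunter2")

    # A form value that changes the meaning of the concatenated query.
    tampered = "nobody@example.test' OR '1'='1"
    print("inline query matched:", find_user_inline(db, tampered))
    print("bound query matched: ", find_user_bound(db, tampered))
    print("login ok:", check_login(db, "alice@example.test", "correct horse"))
```

With the bound query the tampered value is simply an email address that matches nobody, and the stored rows contain only salts and hashes.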