Sony is not having a good year. As the company scrambles to get the
PlayStation Network and Qriocity music service back online, it's suffering
from yet another security breach.
This time it's a hacker attack on various websites associated with Sony
Pictures.
A team of individuals going by the name LulzSec, who recently managed to
deface PBS.org's homepage, announced that they have broken into
SonyPictures.com and compromised more than 1 million user accounts. An
additional 75,000 music codes and 3.5 million coupons were also uncovered.
The attack, part of a campaign known as Sownage, was announced on Twitter
and on the LulzSec website.
LulzSec said that it didn't have enough resources to copy all the data that
it was able to access. But the group did manage to grab a collection of
databases that contain thousands of usernames.
The accounts, presumably associated with any sort of registered activity on
SonyPictures.com (or its subsidiaries or partners), contain information like
passwords, email addresses, dates of birth and other Sony opt-in data.
This certainly isn't as dangerous as the information that was exposed during
the PSN hack, but it could still be used to gain access to more important
accounts elsewhere.
The scariest part of this attack isn't what was taken, but how easy it was
for the LulzSec members to take it. According to the group's own press
release, access to the main Sony Pictures website was gained using a very
basic tactic called a SQL injection.
We haven't had a chance to examine the released files to see what this
injection was, but it's likely that an out-of-date software stack and
relatively unprotected web server made passing the injection trivial.
LulzSec says that all of the information it took was unencrypted.
"Sony stored over 1,000,000 passwords of its customers in plaintext," says
the hackers' press release, "which means it's just a matter of taking it."
Seeing as this is the second security breach of a major Sony-branded website
in just over a week, we have to ask: Is anyone at Sony employed to
handle web security?
Sure, managing a large number of brands and properties that are often
connected in name only has to be a challenge, not to mention the logistical
and administrative challenges of managing websites that can store millions
of user profiles. Still, that doesn't make up for what by all appearances is
an abysmal security record.
LulzSec has been on a tear, infiltrating the websites and databases for the
UK television program, "The X Factor," parts of Fox.com, Sonymusic.co.jp and
many parts of PBS.org in the past three weeks alone.
The attacks, while often juvenile in nature and execution (the
Lulzsecurity.com website plays the theme from "The Love Boat"), underscore
just how important it is for brands to keep their web servers updated,
hardened and monitored. In the age of simple publishing tools like
WordPress, it's easy for managers to underestimate the importance of having
someone on contract or on staff to keep data encrypted and protected.
We can only hope the most recent cyber attacks convince executives to think
seriously about investing in online security.