SONY gets hacked....again!!

[TecHNooB]

So, imagine Sony's servers are an AIDS-free asshole. And a hacker is diseased infected penis. The penis ejaculates ("injects") diseased infested semen ("SQL, or structured query language") into the asshole ("server"), rendering it diseased and vulnerable.

looool

 

[AyashiKaibutsu]

sql injection

If that's true I have no sympathy for Sony... Granted, most of what I'm doing now is fixing sql injection vulnerabilities...

 

[BladeVenom]

LOL! Sony's security is as bad as their products and policies.

 

[dwell]

In all fairness to Sony, it's a different division than the gaming one. With large companies, one hand has no idea what the other is doing.

I also think attacking a company like this is childish. If you don't like a company, vote with your wallet and don't buy their products.

 

[Aikouka]

Can someone paint a picture how they actually hack? Their techniques vs protection in layman's terms?

Well, Mr. Green had a very colorful analogy, but I'll try to explain it a little less... umm... explicitly 😛.

Based on sources, it looks like the hacker group used what's called a SQL Injection attack. First, SQL is a query language used for databases (subsequently called SQL databases). You may have heard of MySQL before, which is an example of a SQL database.

A SQL Injection attack is performed by finding a point in which a website accesses the SQL database but does not perform adequate checks on the user-provided data. For example, let's look at my current Anandtech Forums URL:

http://forums.anandtech.com/newreply.php?do=newreply&p=31798817

Everything after the question mark '?' is a variable (or multiple variables... separated by the ampersand '&') that is provided to the subsequent PHP (this is a web programming language) page. If I remember correctly, these are called ENV (environment) variables in PHP. That's getting a little too detailed, but let's say VBulletin did not perform proper data checking on the 'p' variable.

Chances are the 'p' variable is going to be used to access the database and retrieve the post that I am replying to (in this case, your post). What you usually do is prematurely end the command. This probably involves the SQL SELECT statement, which may look sort of like this:

SELECT post_text FROM forum_posts WHERE id=$p

If I remember correctly, in PHP, I would end a SQL command with a semi-colon ';' So, literally what you do is replace the variable 'p' with a valid value, an end of command character and other commands. With this, you end up executing the original command (probably with a fake value) and then whatever commands the hacker wants.

The hardest part is usually finding the hole, and then you need to figure out what commands you need to use to get the data you want. This isn't terribly hard since you can get SQL databases to list their tables and their information.

 

[Soccerman06]

yeah, besides staying off the internet, I do think that in theory, if quantum processing ever comes into the working stage, it is supposed to be hack proof, no?

Thats quantum cryptography... quantum mechanics guarantees that measuring quantum data disturbs that data; this can be used to detect an adversary's interference with a message.

 

[freegeeks]

If that's true I have no sympathy for Sony... Granted, most of what I'm doing now is fixing sql injection vulnerabilities...

that's what I have been reading plus the fact that Sony puts a lot of sensitive information unhashed in their databases

 

[spidey07]

They fell for a SQL injection? That's pretty lame. It means they didn't even do the basics for security. It's their programming that's at fault. But hey, it's free! Get what you pay for.

The ps3 being cracked could have something to do with it if they had access to the source code.

 

[PlasmaBomb]

So how many times has it been hacked now?

Is that number 3?

(dates of hackings too if you know :thanks: )

 

[Kadarin]

Saying that Sony is a pretty fucked up company is a lot like saying that Pakistan is a pretty fucked up country.

 

[NFS4]

So, imagine Sony's servers are an AIDS-free asshole. And a hacker is diseased infected penis. The penis ejaculates ("injects") diseased infested semen ("SQL, or structured query language") into the asshole ("server"), rendering it diseased and vulnerable.

Vomit

 

[rchiu]

If hackers really stole those info via SQL Injection, and this is after the lesson from the first hack, I can only say Sony should not be in the business at all.

I mean I am no security specialist, but as an app manager, even I know I need to secure my web apps from SQL Injection, and it's not rocket science.

 

[halik]

Ha ha, time to refund that kid's settlement cash and stop being DMCA assholes.

46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2

 

[Gooberlx2]

Beyond the SQL injection, that they don't at least seed/hash sensitive info in the databases is absurd.

 

[alfa147x]

I think I saw somewhere that they said the injection was on a gallery page or something, so their website has an address something like this:
http://whatever.com/view_photo.php?id=25
Which is meant to show you whichever photo in the database has an ID of 25. To do that, they pull some information out of the database, and the query kind of looks like this:
SELECT * FROM photos WHERE id = 25;
So if they've done a poor job of coding their site, they just trust whatever the person put in the address, and shove it directly into the database query without checking that it's actually a number first. So someone loads up the address but with a "photo id" something like this:
http://whatever.com/view_photo.php?id=25 UNION ALL SELECT username, password FROM users
Which gets put into the query unchecked like this:
SELECT * FROM photos WHERE id = 25 UNION ALL SELECT username, password FROM users;
Which also pulls out some username/password information from the database along with the photo info.
It's somewhat more complex than that, but that's the basic gist of how an injection attack works.

For anyone else who wants to know

 

[Miramonti]

Earlier this afternoon, a slickdeal member posted a file of 20,000 Sony Music Pass 16-digit codes in their hotdeal section, each code representing 3 free song downloads from their site. (I guess you receive codes when you buy sony products?) The thread was deleted within a few moments, but not before it was downloaded atleast few times.

They all seem to work as well, atleast after a small sample of random ones were tested.

Sony is fvcked, lol.


/edit: story

“Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons,’” it added.

Didn't take too long for atleast some, if not all of them to get into the wild.

 

[0roo0roo]

So, imagine Sony's servers are an AIDS-free asshole. And a hacker is diseased infected penis. The penis ejaculates ("injects") diseased infested semen ("SQL, or structured query language") into the asshole ("server"), rendering it diseased and vulnerable.

:awe:

 

[Kev]

I actually feel bad for sony now. They are really taking it up the ass

 

[AnonymouseUser]

I actually feel bad for sony now. They are really taking it up the ass

This ass-kicking is well deserved.

 

[Gooberlx2]

I actually feel bad for sony now. They are really taking it up the ass

Heh, I don't. I mean, I do feel bad for the poor schmucks who had their info compromised. But Sony themselves are getting exactly what they deserve for not taking fairly basic measures to secure the data.

 

[Malak]

Heh, I don't. I mean, I do feel bad for the poor schmucks who had their info compromised. But Sony themselves are getting exactly what they deserve for not taking fairly basic measures to secure the data.

So you deserve to have people come in and loot your house and go on shopping spree because you don't have a house alarm? Your reasoning is stupid.

 

[Phanuel]

So you deserve to have people come in and loot your house and go on shopping spree because you don't have a house alarm? Your reasoning is stupid.

Sure, if you're a known criminal (hi2u free rootkits in all of our music CDs) you deserve to get what's coming.

 

[Gooberlx2]

So you deserve to have people come in and loot your house and go on shopping spree because you don't have a house alarm? Your reasoning is stupid.

If I leave the doors to my house open while I'm away, I don't expect good things to have happened when I get back.

 

[Patranus]

Its sad that people find the need to get pissy with Sony over Geohot.
These people need to get out of their basements and become constructive members of society.

 

[Lean L]

Educate me, I'm a total tech noob.

I've read bunch of things about 256-bit encryption on my upcoming phone HTC Evo3D (well HTC unlocked it now due to demand). Such encryption would make any brute force attack impossible to crack and would take millions of years.

Why can't Sony do a similar protection? Is it different because it's web?

This response makes me sad...

I expected AToT to at least know the difference between man in the middle attack and sql injections.