Sony Website Hacked By the "Lulz Boat"

DanDeFool

Elite Member
Aug 19, 2009
1,891
0
41
TornadoFive said:
Also, I must have missed the memo that said, "Everyone gang up on Sony for the next couple of months." Seriously, their online stuff has been attacked how many times now? More than I can be bothered keeping track of anyway.
I made a prediction about this a few weeks ago, and I think it's coming true. It seems to me that these hackers have one objective; to use their knowledge of internet security to ruin a multinational company, JUST TO SHOW EVERYONE THAT THEY CAN.

That said, I originally gave a semi-approval of what they were doing, saying something like "if these guys can put the fear of the common man into the hearts of the corporate world, I think it's a net positive" but after thinking about it some more, I realized that these kinds of attacks could be a huge blow to the case for Net Neutrality. After all, protecting their corporate campaign contributors from hackers could just be the last push needed to get legislators worldwide to vote for a regulated and restricted Internet.

Greg Tito said:
The group claims that much more could have been nabbed if only they had the resources (read: money) to make it happen, prompting a request for donations.
Yes, because now we're all going to be chomping at the bit to fund cyberterrorists. Frankly, I think these guys have their hearts in the right place, hitting Sony back for abusing their customers and whatnot, but they have their heads up their asses. Not seeing the big picture at all.
 

OutforEC

Professional Amateur
Jul 20, 2010
427
0
0
Kopikatsu said:
mojodamm said:
This alleged security breach, as far as I have been able to tell, hasn't even been verified by Sony yet (who at last check was 'looking into it'), so everyone is basically just taking as gospel the words of a group called Lulzboat? Really?
It helps that they regularly post all of the information they've gathered and it's a rather simple matter to check if the accounts/people are real or not.

One news network called an account's given phone number given by LulzSec and verified that it was genuine.
I can give you the phone number of any number of people and claim I hacked into secret-squirrel database to get it, but that doesn't make it true. Hell, I could give a news network my phone number and tell them to ask for so-and-so, and they'd never know the difference. Especially if some of the stories I've read tonight on various sites are indicative of people's ability to fact-check.

All I'm saying is that I'll reserve judgement until I get the facts, and not just heresy sourced by a Twitter feed.

Edit: Ah, I see you edited and clarified. Then perhaps there's more to this than I thought, and I'll await to hear what the target/victim has to say.

Thanks for the clarity.
 

-Dragmire-

King over my mind
Mar 29, 2011
2,821
0
0
I know nothing of hacking but the wikipedia page says this is a "SQL Injection, abbreviated SQLIA, is a very sophisticated Web Attacking Vector."

Granted, anything taken in "plain text" sounds bad.

source: http://en.wikipedia.org/wiki/SQL_injection
 

Redd the Sock

New member
Apr 14, 2010
1,088
0
0
I wonder if these twerps realize how much damage they're doing to their own cause. This kind of activity is only going to put the hard clamps down on the internet, not make it more open. Then again, they seem like little sociopaths that have a beef with Sony and don't care that customers and employees are collateral damage in their personal war, so I doubt they're really thinking far ahead.
 

Kopikatsu

New member
May 27, 2010
4,924
0
0
CrashertheSmasher said:
Why? Why would they hack them again? I'm getting ready to get rid of my PSN account.
Sony Pictures (What got hacked) and Sony Games are two WHOLLY separate companies. Sony Games is probably nearing Fort Knox levels of protection, considering they've hired multiple security firms and completely recreated the PSN with a higher level of security.

Your PSN account is most certainly safe. A Sony Pictures account, on the other hand...
 

taciturnCandid

New member
Dec 1, 2010
363
0
0
Got bored and looked through the stuff that LulzSec posted. I don't see any justification for what they did. In interest I looked at what type of passwords people were using. Dear god people, use more secure passwords! I mean seriously, 99% of those people had simple passwords. I thought they would use more security than Sony, but I guess people just don't know how to be secure online.
 

Kopikatsu

New member
May 27, 2010
4,924
0
0
mojodamm said:
Kopikatsu said:
mojodamm said:
This alleged security breach, as far as I have been able to tell, hasn't even been verified by Sony yet (who at last check was 'looking into it'), so everyone is basically just taking as gospel the words of a group called Lulzboat? Really?
It helps that they regularly post all of the information they've gathered and it's a rather simple matter to check if the accounts/people are real or not.

One news network called an account's given phone number given by LulzSec and verified that it was genuine.
I can give you the phone number of any number of people and claim I hacked into secret-squirrel database to get it, but that doesn't make it true. Hell, I could give a news network my phone number and tell them to ask for so-and-so, and they'd never know the difference. Especially if some of the stories I've read tonight on various sites are indicative of people's ability to fact-check.

All I'm saying is that I'll reserve judgement until I get the facts, and not just heresy sourced by a Twitter feed.

Edit: Ah, I see you edited and clarified. Then perhaps there's more to this than I thought, and I'll await to hear what the target/victim has to say.

Thanks for the clarity.
Yeah, I forgot to add that last part and it was kind...relevant.

I generally don't claim things without fact checking, so I did download a few files from LulzSec to check their validity for myself, and...they're valid. This is just part of one of the files. (But this is staff info, so it wouldn't include addresses or phone numbers or anything. That would be in the user data...which they also posted. I didn't take any of those, though.)

 

Liudeius

New member
Oct 5, 2010
442
0
0
Donations? Paypal donations? I know there was something about getting names from Paypal with Geohot that caused a ruckus, but wasn't it donater names, not account owner names? He's making himself so easy to track...
 

sleeky01

New member
Jan 27, 2011
342
0
0
Kopikatsu said:
sleeky01 said:
Kopikatsu said:
sleeky01 said:
Kopikatsu said:
sleeky01 said:
You want a real challenge?

http://www.pbc.gov.cn/

Take your pick.
Uuuuuh...http://blogs.forbes.com/andygreenberg/2011/05/30/pbs-hacked-after-critical-wikileaks-show/
Oh for god sa...look at that link again would you?
...Oh. I mistook the 'c' as an 's'. My bad. Why would that site be difficult to hack, though?
Did you even look at the site I linked? Somehow I don't think you would be asking me that question if you did. Take a look again:

http://www.pbc.gov.cn/

If lulzdouche is looking to finance themselves and are looking for a challenge...
Yeah, I did. People's Bank of China. I don't get the challenge thing, though. Are Chinese Government sites supposed to be hackproof or something?
One would think a bank, let alone a Chinese bank, would have better security don't you think? If they are looking for money, there's the challenge.
 

OutforEC

Professional Amateur
Jul 20, 2010
427
0
0
-Dragmire- said:
I know nothing of hacking but the wikipedia page says this is a "SQL Injection, abbreviated SQLIA, is a very sophisticated Web Attacking Vector."

Granted, anything taken in "plain text" sounds bad.

source: http://en.wikipedia.org/wiki/SQL_injection
If there is honesty in the statement made by those that made the intrusion, the problem isn't necessarily with the mode of entry but the lack of basic encryption on data once inside.
 

Xanthious

New member
Dec 25, 2008
1,273
0
0
After the way Sony has shit all over their customers time and again it warms my heart to see them getting ***** slapped over and over. If they weren't locked down on all fronts like Fort Knox then they deserve to continually get hacked over and over. That being said I think it's unfortunate that innocent people are getting caught in the crossfire.

If what's being reported is true then Sony needs to be punished by the powers that be accordingly for the sheer negligence they are displaying over and over. They obviously do not believe that safeguarding their customers' sensitive information is of any kind of importance as is demonstrated by said information reportedly being stored in an unencrypted manner and with almost no security in place.

I would really like to see Sony drug out in front of courts in countries across the globe and be made into an example of why you should keep customer information safe and secure.
 

Sudenak

New member
Mar 31, 2011
237
0
0
It used to be really funny. Now it's just pathetic. Completely, and utterly, pathetic.

Sony obviously doesn't give a flying fuck about their user base. They never did, they never will. They have consistently produced good products while pulling bullshit behind the scenes. Well, good if you're into that kinda thing.

But what baffles me is how, even now, people still defend Sony.

I get it, you're a fanboy/girl. But at this point, Sony is not the blameless, helpless victim. It's like they opened a bank, left all of the social security numbers of everyone who signed up with them out on a table somewhere, and stored all of the money in a giant plastic bin behind the counter.

And when they were stolen from, they promised their customers a .02% increase in interest.

And then they were stolen from again.

And still their customers defend them.

Sony has the PR power of a kitten strangler, and yet still, their user base refuses to think that maybe Sony should be blamed a little for this.

Utterly. Baffling.
 

Therumancer

Citation Needed
Nov 28, 2007
9,909
0
0
Sudenak said:
It used to be really funny. Now it's just pathetic. Completely, and utterly, pathetic.

Sony obviously doesn't give a flying fuck about their user base. They never did, they never will. They have consistently produced good products while pulling bullshit behind the scenes. Well, good if you're into that kinda thing.

But what baffles me is how, even now, people still defend Sony.

I get it, you're a fanboy/girl. But at this point, Sony is not the blameless, helpless victim. It's like they opened a bank, left all of the social security numbers of everyone who signed up with them out on a table somewhere, and stored all of the money in a giant plastic bin behind the counter.

And when they were stolen from, they promised their customers a .02% increase in interest.

And then they were stolen from again.

And still their customers defend them.

Sony has the PR power of a kitten strangler, and yet still, their user base refuses to think that maybe Sony should be blamed a little for this.

Utterly. Baffling.
Well, I see this as one ongoing incident as I explained. Vigilantism is not as awesome IRL as it is on TV or in comic books as we're seeing here, and the fallout is just the inconvenience of a lot of people as opposed to say someone getting hit by a stray bullet.

I blame Sony for provoking this, but at the same time if the hackers keep going it's only a matter of time before the identity theft protection services they are relying on to prevent their outing of information from doing any real damage fail, and people start to actually suffer.

The thing with Sony is that they are a literal godzilla of a corporation, these guys are the inspiration for the Japanacorps of cyberpunk and dark future fame. Renraku from Shadowrun I believe was based directly on Sony. The thing is that Sony has such a fan base because they produce a great product, it's not like it's easy to turn away from their services and find something as good elsewhere since they very much set the standards for a lot of things. They are also involved in things aside from gaming and electronics, right down to movies, and music, and even apparently heavy machinery and military hardware (or well, the components) through some of their subsidiaries.

A guy sitting there with a PS-3 who got a PS-3 because he likes it and the service, is not so keen to just run over and get say an XBox. Likewise those who have grown up with Sony products are going to have a lot of faith in them.

Decades of building a brand name and infrastructure is not something that just goes away overnight, nor does an installed customer base just evaporate when you're dealing with something on this scale.

See, blacklisting Sony over the "Other OS" thing wouldn't work, too many people would go "well that sucks" and just keep right on using the services they find convenient. Things like the PSN attack brought down the service and cost Sony money by preventing the customers from giving it to them. At a certain level simple word of mouth, or a bad experience isn't going to do enough damage for it to matter. A corporate Godzilla like Sony is immune to anything legal, social, or even physical for most practical purposes, that's why it's such a big deal when something so unstoppable, that people put faith into for being unstoppable (as it gives a sense of security) gets a black eye.

Given its level of societal penetration even if Sony was going to die, which it won't, there are going to be fanboys holding on until the last moment when the company closes doors on its last branch.

Plenty of people have written about this kind of thing. It's sort of what guys like Romero were trying to say in their Zombie movies... the mindless, constant shamble of the consumer culture. Even dead the people continue to march relentlessly on to their favorite stores and brands.

Ah well, I'm tired, and this is probably making less sense than usual.
 

Sonic Doctor

Time Lord / Whack-A-Newbie!
Jan 9, 2010
3,042
0
0
Kopikatsu said:
Sonic Doctor said:
At the pace that Sony is trying to work out these problems, one would think that they have just one man trying to fix the whole thing, though my money is on that they hired a poo-flinging monkey.
They hired at least three different security firms. Anything security-wise that goes wrong from here on out, I would blame on one or more of the firms.
Well that is what I said at the end, "they hired a poo-flinging monkey."

From what you pointed out, I guess they hired three poo-flinging monkeys.

The people that worked for the computer/tech/internet connection help office at my old university were a bunch of monkeys that took ages to fix critical errors in the university system, and they still could work circles around the people Sony hired.
 

Kakashi on crack

New member
Aug 5, 2009
983
0
0
Kopikatsu said:
Ckeymel? Pfft! I posted this hours ago. [http://www.escapistmagazine.com/forums/read/18.288638-LulzSec-steals-SonyPictures-everything-Updated?page=1]

Anyway, I have absolutely zero idea of both how to hack systems, and also how to encrypt information, so I can't really side with one group or the other on this...but I default to siding with Sony, if only because in an ideal world, we should be able to leave our doors unlocked without fear of being raped and murdered in the middle of the night. Then have the corpse kicked. Over and over and over.

Anywho, I kind of doubt LulzSec's claim that they were only doing it to show vulnerability since they posted the information publicly. Sure it was needed as proof, but they compromised personal information and accounts in doing so. Wouldn't it have been better to just email Sony's CEO with the information? Not to mention LulzSec's claim of Sownage being 'The beginning of the end for Sony'
Alright, to explain hacking... wait nevermind that'll take too long.

To explain encryption... Have you ever had one of those decoder rings you found in a cereal box that allowed you the decode messages on something or another, or to make your own messages? Think of encrypting a file as taking a normal message, and using the decoder ring to code said message so that only select people can decode it.

Encryption is one of the most BASIC forms of security, you can encrypt files right from your home computer, so to see a company not even bother with basic encryption is kinda sad...

I personally can't side with either group here. I feel that Sony kinda deserves it, but at the same time I have to say that if Sony keeps getting hacked, it's unlikely that they will get their act together (hell, as much as they fail at it, they're trying.)

I have to agree with you though that the Lulz group has obviously created a fabrication to try and keep themselves from getting in as much trouble if caught. I understand part of the reasoning for not sending it to a C.E.O. though. If they did that, then said C.E.O. would have time to create some kind of story before announcing it to the public to try and lessen the blow.
 

fundayz

New member
Feb 22, 2010
488
0
0
I feel sorry for those affected but I think good things will come out of this.

Sony is being made an example out of and hopefully this will show companies that they can't take their security for granted anymore.

Companies, meet the 21st century.
 

Zeekar

New member
Jun 1, 2009
231
0
0
I did a double-take when I saw the words "SQL injection", but I can't really go for the whole whitehat bs. If they were really trying to do a good thing here, they would have just quietly (or loudly, even) shown Sony and their customers what they could do as opposed to actually releasing the stolen information to the public.

I'm annoyed with the hackers and disappointed with Sony.
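
Added example, not part of any post in this thread: a small Python/sqlite3 sketch of the two issues the thread keeps returning to, SQL injection as the way in and plaintext passwords as what was found inside. The table names, the account and the input string are constructed for illustration, and the "after" side uses salted password hashing (PBKDF2) rather than reversible encryption.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000                 # demo work factor (assumption, tune for real use)
CONSTRUCTED_INPUT = "' OR '1'='1"    # constructed textbook input for the test below


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_db():
    """In-memory database holding one constructed account in both styles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, digest BLOB)")
    db.execute("INSERT INTO users_plain VALUES (?, ?)", ("alice", "correct horse"))
    salt, digest = hash_password("correct horse")
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", ("alice", salt, digest))
    return db


def login_concatenated(db, username, password):
    """Before: input is pasted into the SQL text, so it can rewrite the query."""
    sql = ("SELECT username FROM users_plain WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """After: input is bound as data and compared against a salted hash."""
    row = db.execute("SELECT salt, digest FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def dump_contains_password(db, table, password):
    """What a reader of the whole table learns: is the password sitting in it?"""
    needle = password.encode()
    # table is one of the two fixed names above, never user input
    for row in db.execute("SELECT * FROM %s" % table):
        for col in row:
            data = col.encode() if isinstance(col, str) else col
            if needle in data:
                return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated login accepts constructed input:",
          login_concatenated(db, "alice", CONSTRUCTED_INPUT))
    print("parameterized login accepts constructed input:",
          login_parameterized(db, "alice", CONSTRUCTED_INPUT))
    print("plaintext table exposes password:",
          dump_contains_password(db, "users_plain", "correct horse"))
    print("hashed table exposes password:",
          dump_contains_password(db, "users_hashed", "correct horse"))
```

Hashing does not make weak passwords safe: a short or common password can still be guessed against its stored hash, so the work factor only slows guessing down.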