Sony Website Hacked By the "Lulz Boat"

[infohippie]

This is pretty damn funny. This LulzBoat crew are reprehensible, sure, but c'mon Sony - how the hell do you leave yourself open to an SQL injection of all things when you're as big and rich as Sony? Especially on such an important database as your user info? And plaintext passwords on top of that? That's just another whole level of fail.
Maybe I should try hacking Sony tomorrow - my fiendish plan is to login with the username "Administrator" and the password "1234". If that doesn't work, I'll try the password "Password". It's gotta be one of those two, surely.

 

[Fasckira]

Only dickheads would break into something to prove how poorly secured it is.

Damn those licensed penetration testers who do this for a living, dickheads the lot of them.

 

[Sutter Cane]

no, people are criminals when they break a law. Crime does not necessarily have anything to do with morality

Laws are created by humans and can by a high possibility be wrong for overall improvement. Plus they can get changed anytime.

Saying someone is bad because laws say it is stupid since laws are not perfect and are not created by somekind of superior being...

That's exactly what i was saying. maybe i wasn't clear enough?

 

[Void Droid]

Who really cares how good Sonys security is, even if it was the best in the world with so many people targeting them then someone will always get through, would be the same with any company other than Sony too.

 

[AdumbroDeus]

I know nothing of hacking but the wikipedia page says this is a "SQL Injection, abbreviated SQLIA, is a very sophisticated Web Attacking Vector."

Granted, anything taken in "plain text" sounds bad.

source: http://en.wikipedia.org/wiki/SQL_injection

Goddamnit wikipedia and your constant need to over complicate everything.


Here's what you need to pay attention to:

"The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed."


What this essentially means is that a user a the web site enters something that goes into the database, and that something is an SQL command. That command is then executed on the database.

A smart team for a web site will code it so that the inputs "sanitized" so the commands cannot be executed, but obviously, that wasn't the case here.

Yea it SOUNDS complicated and sophisticated, but it's dead easy to perform in practice.


Here's an (already cited) example: http://xkcd.com/327/


It's also easy to take care of.

Only dickheads would break into something to prove how poorly secured it is. A reasonable human being who knows how to integrate into society and has an idea about appropriate conflict resolution would find some way to talk to the people at Sony and explain how and why their security doesn't work.

More and more I wonder if the majority of hackers are deliberately complete pricks or if they all genuinely have serious learning disabilities.

Yes cause it's evil incarnate to break into the system of a company that paid you to do exactly that then report on their system vulnerabilities.

10badgeneralizations.

A service which most grey hat hackers provide for free, though most don't cause so much bad PR.

 

[Owlslayer]

Well this just sucks for Sony.
But is there any actual proof that Sony has been hacked again, or just the lulzboat (or what were they called?) who are saying it?

 

[CrazyCapnMorgan]

This is pretty damn funny. This LulzBoat crew are reprehensible, sure, but c'mon Sony - how the hell do you leave yourself open to an SQL injection of all things when you're as big and rich as Sony? Especially on such an important database as your user info? And plaintext passwords on top of that? That's just another whole level of fail.
Maybe I should try hacking Sony tomorrow - my fiendish plan is to login with the username "Administrator" and the password "1234". If that doesn't work, I'll try the password "Password". It's gotta be one of those two, surely.

Before trying those two, might I recommend the password 'admin'?

 

[MorphingDragon]

...I'm sick of hackers as a whole.

Read my goddamn text:

Spoiler

[HEADING=1]YOU ARE NOT FUCKING HEROES[/HEADING]

.

No one will sing of your battles, no one will think of you as heroes out to help the littleman. All they see is a group of peopple willing and able to enter their private lives and steal their information.

Which you freaking idiots did, oh Noble of Noblemen.

So thanks, you exposed over a 1,000,000 people to identity theft. I hope you freaking proud of yourselves.

Hackers do much more than just break security. Even then hackers aren't necessarily malicious.

The terms Black Hat, Grey Hat and White Hat were made for a reason. Be angry at the right people.

 

[YunikoYokai5]

Oh for fucks sake, I'll say it again and maybe this will be put to rest. THERE IS NO REASON FOR THE HACKERS TO LIE ABOUT THEIR METHODS!

Putting distrust in the public about Sony's security? Making shareholders remove their shares for fear of Sony getting into another major hack downtime? Trying to bring Sony down by making their consumers switch to rival companies because the public are appalled/afraid about how their information is protected?

There are many reasons for hackers to lie about their method of hacking a system. The information this Lulzboat have could have been generated by a simple random generator program. Attacks on consumer confidence is far worse than a simple attack on a company. I suggest we all just wait for Sony to make an official statement. We can conclude from there. (holds hands up) I don't want an arguement here, just throwing some suggestions out, but until Sony says that the SQL injection did hack them, I still think the hackers are just saying this to spite Sony. If this SQL injection did hack into Sony, then all I can do is shake my head in disbelief...but it's going to to take a new controller before I switch to Xbox XD

 

[Cyberjester]

Yes, releasing the personal information of thousands of people is a good way of getting at Sony, and it isn't malicious. Not at all.

Retards

 

[Xaio30]

Stored in plaintext and stolen by a SQL injection.
Stand in shame, Sony.

 

[Detective Prince]

The...Lulzboat?...How terrifying. Is this what the internet really has to offer nowadays?

Can't someone hack Sony, not do anything, just leave them a note saying "Your security is still crap, please try again," and then leave it at that? -.-

 

[diggy140892]

That is assuming what they are saying is true. As a rule I don't believe thieves. They stole thousands of peoples personal info how the acquired it is of little relevance passed the fact that they stole it.

Edit: Yes the only thing we as consumers can take from this is be carefull about what you put online.

They have no reason to lie, whereas SONY would have several.
Also they didn't do any of this for the money, they just did it for fun and humiliating SONY further or they wouldn't have put the data online.

I also find it funny that a lot of people seems to assume those people are from the US instead of Russia, Eastern Europe (Romania, Ukraine etc.) or Asia and that the "FBI" has any say in the matter.

Why are you defending the hackers... Just why...

Why are you defending a corporation that clearly fails to use the basic protection for their customers?

If you had read my earlier posts I did say Sony's security is inexcusable however they are still not the ones who posted all of our information online.

 

[Valdus]

"Lol'z, I'm a H4ckor! 2 stoopid to do sumthing, so only hakz instead!"

If you want to make a statment make one. Stealing personal data is just that - stealing. They're just trying to justify their actions so that any potential "fans" might still side with them. Someone should tell them to grow a fucking pair and man the hell up. It's easy to make all kinds of statments from one side of the computer screen but you can tell if any of these guys actually came face to face with someone investigating this they would shit bricks.

 

[EchetusXe]

Sony Pictures? Why do I get the feeling that the hackers have a harder time finding all the obscure shit Sony does than they do hacking their websites?

"Why do you put such faith in a company that allows itself to become open to these simple attacks?" Yeah, they're right, let us now start up our own electronic giants and put out a console to rival Microsoft's next XBox console. Better yet let us just allow Microsoft to run everything related to computers. Because when I have just finished my 23 hour shift at the Bill Gates salt mines I want to know that my data is secure.

I don't know man, back in the day hacking meant something. These new guys aren't black hats or white hats, they're fucking no hat. Hatless bastards! Get a hat, jerks.

 

[Shycte]

Criminals with cause are still criminals.

Criminal is a very broad term. With it you could tar the likes of George Washington, Nelson Mandela, Ted Kaczynski, and Jeffrey Dahmer all with the same brush.

In places like the US with increasing bodies of criminal law, there's also a good chance that many citizens subject to those laws are criminals and don't even know it.

My point is that people should be cautious about reading anything more into the term than its' most basic definition.

There is a diffrence is fighting for equalty and to hack a website with the lulzboat. Now, history tells us that the diffrence between a terrorist and a freedom fighter is if their cause is won or not. However, we can all agree that hacking and stealing things are bad, even if you do it to expose shitty security.

"I only stole that mans credit card to the world that Identity Theft is easy".

Doesn't hold up.

 

[jonoortrev]

Congrats, LulzShit or whatever. Sony is looking for a punching bag right now. You've pretty much just handed them your heads on a silver platter.

that's if Sony will be left with any money after this, this roughly opened them up to so many many many many many law suits. As lulzsec/boat have shown their methodology, they've literally been able to prove with nearly no doubt that Sony have been in complete breach of the pretty much all Data Protection Act's in all their forms and variations pretty much globally. (England - Data Protection Act 1998 a company has to by law prove sufficiently that they did everything that is possible to prevent data loss, the EU's Data Protection Directive, though America doesn't have any specific law by the look of it, it does have '201 CMR 17.00' amongst a few other things)