Sony Website Hacked By the "Lulz Boat"

Recommended Videos

overfiend_87

New member
Sep 19, 2008
32
0
0
Greg Tito said:
Sony Website Hacked By the "Lulz Boat"



A new hacker collective pilfered more than a million of personal passwords, emails and dates of birth.

After threatening to hack into Sony's systems for weeks on the group's Twitter feed, a group who alternately calls themselves LulzSec and the Lulz Boat has finally made good on project "Sownage" - that's Sony + ownage in case you confused the term with planting crops. The Lulz Boat infiltrated SonyPictures.com today and allegedly stole over 1 million users' personal information with a SQL injection. The group claims that much more could have been nabbed if only they had the resources (read: money) to make it happen, prompting a request for donations. All of the personal information that LulzSec were able to steal despite meager means is now posted online, along with a press release stating their intention was merely to call out Sony's botched security measures.

"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts," LulzSec's statement read.

The attack was not made maliciously but in order to instruct the public about Sony's awful security practices. "Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Sony apparently didn't have the wherewithal to encrypt the personal information collected on SonyPictures.com. "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."

I'm not sure that kind of rape-logic holds up, but LulzSec does have a point. Sony is a big company, with lots of interchangable parts, but you think database security would be at the top of every divisions to-do list right about now.

Source: LulzSecurity [http://lulzsecurity.com/releases/]

Thanks to [user]ckeymel[/user] for the awesome-est tip in the world!

Permalink
Kopikatsu said:
Ckeymel? Pfft! I posted this hours ago. [http://www.escapistmagazine.com/forums/read/18.288638-LulzSec-steals-SonyPictures-everything-Updated?page=1]

Anyway, I have absolutely zero idea of both how to hack systems, and also how to encrypt information, so I can't really side with one group or the other on this...but I default to siding with Sony, if only because in an ideal world, we should be able to leave our doors unlocked without fear of being raped and murdered in the middle of the night. Then have the corpse kicked. Over and over and over.

Anywho, I kind of doubt LulzSec's claim that they were only doing it to show vulnerability since they posted the information publically. Sure it was needed as proof, but they compromised personal information and accounts in doing so. Wouldn't it have been better to just email Sony's CEO with the information? Not to mention LulzSec's claim of Sownage being 'The beginning of the end for Sony'
I have no idea who to side with either, but I'm more prone to agreeing with you that in a perfect world we should't need locks on our doors, not to mention the amount of players that got fucked over by this and indie companies that were unable to sell their games online for that period.
 

Yuno Gasai

Queen of Yandere
Nov 6, 2010
2,586
0
0
Silva said:
So these idiots posted our personal information publicly against our will and we're supposed to be annoyed at Sony for "not making it secure enough"?

Screw that. BOTH sides are fools with their own self-interest in mind and no common good has come out of any of this.
I couldn't have said it better myself.

If the Lulz Boat wanted to make a point, they could have done it in a manner which was less malicious and that didn't pose a threat to innocent PS3 users.
 

Blackpapa

New member
May 26, 2010
299
0
0
overfiend_87 said:
I have no idea who to side with either, but I'm more prone to agreeing with you that in a perfect world we should't need locks on our doors, not to mention the amount of players that got fucked over by this and indie companies that were unable to sell their games online for that period.
A world where you have nothing worth stealing is not, in my definition, perfect.

Even food is worth stealing.

Also, you gotta break a few eggs..
 

Kopikatsu

New member
May 27, 2010
4,924
0
0
Generic Gamer said:
I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.
 

RamirezDoEverything

New member
Jan 31, 2010
1,167
0
0
I think they're just proving a point at this point, they're putting fear into the masses.
If the common people(mom and pop, not just people like us) know about anonymous, then they have much more power when they try to do something big.
 

AmayaOnnaOtaku

The Babe with the Power
Mar 11, 2010
990
0
0
Holy crud plus they had an affliate of the FBI. May and the beginning of june has been a busy a month for hackers and the cybersecurity people.
 

Th37thTrump3t

New member
Nov 12, 2009
882
0
0
The reason Sony keeps getting clusterboned is because these fucking hackers aren't even giving Sony a chance to recoup... Plus not only are they hurting Sony, but every one of those million accounts who's information is now publicly on display for all sorts of assholes to use.
 

Celinis

New member
Dec 22, 2010
25
0
0
2011 the year of unoriginal ideas, bad video games, and people with too much time on their hands. At this point I think Sony should just take time to go through everything and get everything secured and not bother coming online until they are inspected by several different companies around the world.
 

Blackpapa

New member
May 26, 2010
299
0
0
Kopikatsu said:
Generic Gamer said:
I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.
Great, I respect your opinion.

I'm curious as to at which point you believe LS is lying and what the correct version is.

If your idea is that this was more than an SQL injection I don't think it's a good argument either.

I'm not a security researcher myself but I do dabble in various things and have a strong opinion on where exactly good security lies.

First, all systems can be hacked and there's not a single system, encryption algorithm, no single way of securing data that is guaranteed to be unbreakable other than physical destruction.

Good security is when hacking a system using high-tech means is so unpractical (for example requires the attacker to have the computing power of the NSA at his disposal) that kidnapping the administrator and torturing him to unlock the system is a better, faster and safer choice.

Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.

If you do believe that LS is lying however (meaning that they had to, for example, gain physical access to the internal company LAN to do this hack) then please explain more.
 

Raesvelg

New member
Oct 22, 2008
486
0
0
archont said:
Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.
Why is it obvious?

Serious question by the way.

They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that. They claim that the reason they don't have more is because of "financial constraints".

They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?

It doesn't really add up.
 

Blackpapa

New member
May 26, 2010
299
0
0
Raesvelg said:
archont said:
Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.
Why is it obvious?

Serious question by the way.

They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that. They claim that the reason they don't have more is because of "financial constraints".

They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?

It doesn't really add up.
Honestly I have no idea why immediate financial status was a constraint. I can't think up of a reasonable explanation.

Long-term, sure, they could use the funds to grant themselves additional security from persecution. With 3k USD + monthly upkeep it's possible to design a setup that grants a very high degree of anonymity.
 

Atmos Duality

New member
Mar 3, 2010
8,470
0
0
Greg Tito said:
I'm not sure that kind of rape-logic holds up, but LulzSec does have a point. Sony is a big company, with lots of interchangable parts, but you think database security would be at the top of every divisions to-do list right about now.
No, that's exactly the kind of logic that applies here, despite the colorful choice of metaphor. When you go live with your website or service on the internet, expect to be attacked at some point.
 

Strazdas

Robots will replace your job
May 28, 2011
8,405
0
0
it was just a matter of time till sony and macrosoft are going to start loosing thier databases. havking is necessary for such companies. if the paosswords were stored in plain text then im very happy somone hacked them, because maybe sony will think if a better way next time. most companies hire people who manadge to hack them, because that allows them to fix security flaws. sony isnt that smart though, but theres nothing new on that departament.

Raesvelg said:
They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?
They give only small sample because the reason behind the hack may not be the release of peopel rpivate information to web, thus they only give small portion for sample not to compromise everyones passwords. they dont want people to losoe account, they want to make a point. lets say you have no moeny to pay your electricity bills, can you continue hacking servers?
 

Blackpapa

New member
May 26, 2010
299
0
0
Raesvelg said:
They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that.
On another note, releasing just a part of the information is a good thing. Let's assume they could just dump the entire database, including all usernames, personal info, passwords - would that be better than releasing a limited subset of this data?
 

Raesvelg

New member
Oct 22, 2008
486
0
0
archont said:
On another note, releasing just a part of the information is a good thing. Let's assume they could just dump the entire database, including all usernames, personal info, passwords - would that be better than releasing a limited subset of this data?
They also said that the tiny fraction was all that they could get, due to the aforementioned "financial constraints".

Like I've said before, something about this is... odd, to me at least.

Strazdas said:
They give only small sample because the reason behind the hack may not be the release of people's private information to web, thus they only give small portion for sample not to compromise everyones passwords. they don't want people to lose account, they want to make a point. lets say you have no money to pay your electricity bills, can you continue hacking servers?
Actually, they explicitly stated that they could only get a tiny fraction of the information, which to me rather belies the "it was so easy!" claim they made. The "1,000,000 accounts compromised" portion of the headline is rather misleading, in some ways. It's implied that they could access the information if they had more time/money, but something is standing in the way of that.
 

LogicNProportion

New member
Mar 16, 2009
2,155
0
0
danpascooch said:
An SQL injection? Seriously? A fucking SQL injection!?

That's the simplest type of hack in the world, if hacking were burglary, that would be the equivalent of checking if the front door was unlocked. Basically Sony left its front door open after being robbed blind just weeks ago, WHAT. THE. FUCK.

Don't even tell me none of this is Sony's fault, that's bullshit, I've always known it was bullshit, but now there's proof.
Yayyyyy! Someone with a brain!

I'm more alarmed at the crappy security than a bunch of hackers. Sony, you've had time now. Get your shit together, please. :)

You heard it from the man I quoted. if you see no problem with Sony at this point, you are the people who leave your doors unlocked in a world where there is always someone...or something...trying to break down your doors.

Only Sony in this world would be a Fort Knox.
 

RN7

New member
Oct 27, 2009
824
0
0
I know this has probably been ninja'd now but to just to make it more prevelant:

In this case, Sony kind of, only slightly, is at fault here, because they know, as in the thieves outrightly stated, that they were going to be attacked. Granted, a bank probably knows it might get robbed; that's not what I'm saying. This has happen before, very recently, and it was made known that would happen again. I'm not saying Sony hasn't made an effort to improve (and I'm also most certainly not saying I support these hackers), but the least they could have done is have some form of encryption...although these hackers likely could be witholding some information, or generalizing their endeavor to the "public".

Oh, hey! Look! I just pointed out that Sony needs to improve their security without committing a criminal offense and fucking with people's information! Granted, I used someone else's offense to make my point...still counts.
 

Svenparty

New member
Jan 13, 2009
1,345
0
0
Celinis said:
2011 the year of unoriginal ideas, bad video games, and people with too much time on their hands. At this point I think Sony should just take time to go through everything and get everything secured and not bother coming online until they are inspected by several different companies around the world.
I thought that was every year? :)


So bored of the Sony bashing...Can't they pick on the other Evil companies too?
 

JDKJ

New member
Oct 23, 2010
2,065
0
0
archont said:
Kopikatsu said:
Generic Gamer said:
I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.
Great, I respect your opinion.

I'm curious as to at which point you believe LS is lying and what the correct version is.

If your idea is that this was more than an SQL injection I don't think it's a good argument either.

I'm not a security researcher myself but I do dabble in various things and have a strong opinion on where exactly good security lies.

First, all systems can be hacked and there's not a single system, encryption algorithm, no single way of securing data that is guaranteed to be unbreakable other than physical destruction.

Good security is when hacking a system using high-tech means is so unpractical (for example requires the attacker to have the computing power of the NSA at his disposal) that kidnapping the administrator and torturing him to unlock the system is a better, faster and safer choice.

Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.

If you do believe that LS is lying however (meaning that they had to, for example, gain physical access to the internal company LAN to do this hack) then please explain more.
Actually, according to them, they're highly motivated. They've tasked themselves with "owning" Sony and effectively bringing the company to its knees. Apparently, they hold some sort of grudge. Which does set them apart from your more typical cyber-thief motivated by financial gain and who will therefore seek the path of least resistance in order to achieve their ends. These guys seem willing to ignore the resistance and continue their efforts to gain access regardless of whatever obstacles are placed in their way.