Sony Website Hacked By the "Lulz Boat"

[Atmos Duality]

I'm not sure that kind of rape-logic holds up, but LulzSec does have a point. Sony is a big company, with lots of interchangable parts, but you think database security would be at the top of every divisions to-do list right about now.

No, that's exactly the kind of logic that applies here, despite the colorful choice of metaphor. When you go live with your website or service on the internet, expect to be attacked at some point.

 

[Strazdas]

it was just a matter of time till sony and macrosoft are going to start loosing thier databases. havking is necessary for such companies. if the paosswords were stored in plain text then im very happy somone hacked them, because maybe sony will think if a better way next time. most companies hire people who manadge to hack them, because that allows them to fix security flaws. sony isnt that smart though, but theres nothing new on that departament.

They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?

They give only small sample because the reason behind the hack may not be the release of peopel rpivate information to web, thus they only give small portion for sample not to compromise everyones passwords. they dont want people to losoe account, they want to make a point. lets say you have no moeny to pay your electricity bills, can you continue hacking servers?

 

[Blackpapa]

They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that.

On another note, releasing just a part of the information is a good thing. Let's assume they could just dump the entire database, including all usernames, personal info, passwords - would that be better than releasing a limited subset of this data?

 

[Raesvelg]

On another note, releasing just a part of the information is a good thing. Let's assume they could just dump the entire database, including all usernames, personal info, passwords - would that be better than releasing a limited subset of this data?

They also said that the tiny fraction was all that they could get, due to the aforementioned "financial constraints".

Like I've said before, something about this is... odd, to me at least.

They give only small sample because the reason behind the hack may not be the release of people's private information to web, thus they only give small portion for sample not to compromise everyones passwords. they don't want people to lose account, they want to make a point. lets say you have no money to pay your electricity bills, can you continue hacking servers?

Actually, they explicitly stated that they could only get a tiny fraction of the information, which to me rather belies the "it was so easy!" claim they made. The "1,000,000 accounts compromised" portion of the headline is rather misleading, in some ways. It's implied that they could access the information if they had more time/money, but something is standing in the way of that.

 

[LogicNProportion]

An SQL injection? Seriously? A fucking SQL injection!?

That's the simplest type of hack in the world, if hacking were burglary, that would be the equivalent of checking if the front door was unlocked. Basically Sony left its front door open after being robbed blind just weeks ago, WHAT. THE. FUCK.

Don't even tell me none of this is Sony's fault, that's bullshit, I've always known it was bullshit, but now there's proof.

Yayyyyy! Someone with a brain!

I'm more alarmed at the crappy security than a bunch of hackers. Sony, you've had time now. Get your shit together, please.

You heard it from the man I quoted. if you see no problem with Sony at this point, you are the people who leave your doors unlocked in a world where there is always someone...or something...trying to break down your doors.

Only Sony in this world would be a Fort Knox.

 

[RN7]

I know this has probably been ninja'd now but to just to make it more prevelant:

In this case, Sony kind of, only slightly, is at fault here, because they know, as in the thieves outrightly stated, that they were going to be attacked. Granted, a bank probably knows it might get robbed; that's not what I'm saying. This has happen before, very recently, and it was made known that would happen again. I'm not saying Sony hasn't made an effort to improve (and I'm also most certainly not saying I support these hackers), but the least they could have done is have some form of encryption...although these hackers likely could be witholding some information, or generalizing their endeavor to the "public".

Oh, hey! Look! I just pointed out that Sony needs to improve their security without committing a criminal offense and fucking with people's information! Granted, I used someone else's offense to make my point...still counts.

 

[Svenparty]

2011 the year of unoriginal ideas, bad video games, and people with too much time on their hands. At this point I think Sony should just take time to go through everything and get everything secured and not bother coming online until they are inspected by several different companies around the world.

I thought that was every year?


So bored of the Sony bashing...Can't they pick on the other Evil companies too?

 

[JDKJ]

-Snip-

I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.

Great, I respect your opinion.

I'm curious as to at which point you believe LS is lying and what the correct version is.

If your idea is that this was more than an SQL injection I don't think it's a good argument either.

I'm not a security researcher myself but I do dabble in various things and have a strong opinion on where exactly good security lies.

First, all systems can be hacked and there's not a single system, encryption algorithm, no single way of securing data that is guaranteed to be unbreakable other than physical destruction.

Good security is when hacking a system using high-tech means is so unpractical (for example requires the attacker to have the computing power of the NSA at his disposal) that kidnapping the administrator and torturing him to unlock the system is a better, faster and safer choice.

Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.

If you do believe that LS is lying however (meaning that they had to, for example, gain physical access to the internal company LAN to do this hack) then please explain more.

Actually, according to them, they're highly motivated. They've tasked themselves with "owning" Sony and effectively bringing the company to its knees. Apparently, they hold some sort of grudge. Which does set them apart from your more typical cyber-thief motivated by financial gain and who will therefore seek the path of least resistance in order to achieve their ends. These guys seem willing to ignore the resistance and continue their efforts to gain access regardless of whatever obstacles are placed in their way.

 

[Angry_squirrel]

Usually I'm all for anon but this just sucks.
Both sides are in the wrong.

 

[Raesvelg]

blah blah blah

My point stands. You are apparently mistaking the act of breaking encryption (hard), with breaking into the website (easy). If it is so easy, however, why not have more? Or all? Why essentially beg for money to continue an operation that supposedly was a simple SQL injection?

The "there's all this data sitting there unprotected, but we can't get more unless we have more money" line seems to ring a little false to me. Then again, they basically said "Here's how we did it, go enjoy yourselves", which may or may not lend credence to their claims. I've no intention of verifying it for myself, after all.

And frankly, I expect that it WAS just sitting there in plaintext for the most part. It's hardly uncommon, sadly, even the lack of protection for the passwords. At least the credit card info was encrypted and/or inaccessible. Which is more than Rhode Island can say.

 

[Adventurer2626]

...



Well it's good to know the boys in red, white and blue aren't going to be out of work anytime soon. After you've finished with Libya, you can start bombing the INTERNET. Guh, I need another can of Coke.

 

[dashiz94]

I cannot fucking believe people are calling out Sony for this.

I don't give a shit how "easy" it is for someone to hack their site, YOU JUST DON'T DO IT.

To make matters worse, they posted the information online.

Fuck all of you people who have the gall to call out Sony because of this. Do you know how many god damned times companies get hacked and don't even ADMIT IT?!

No, of course you don't. Because you're all fucking idiots.

 

[Sonicron]

... Rrrrrrrr. Can't they call attention to Sony's shoddy security without providing yet another free boost to identity theft crime rates? -.-

 

[nightwolf667]

if someone actually wanted to get in and steal credit cards and whatnot, due to sony's ineptitude, millions of people would be subject to identity theft and likely loose a good chunk of money. this is a fire drill for sony.

What do you need to fill out a credit card application?

Name, Date of Birth, Address, Phone Number. You do not need a social security number. You need one to open a bank account but not a credit card. What did LulzSec steal? Names, DOBs, Addresses, phone numbers, email addresses, and passwords. Then they posted it online. Even if they had only posted the email addresses and passwords they opened these people up to identity theft (which they didn't, they posted everything). If someone cracks an email with their password and they have that same password on their bank account, they can get into the bank account. Anyone who downloads that data could open up a credit card in the name of any person who was in that file.

And while either LulzSec or Anonymous has no interest in credit card fraud on their face, there are those among them (I guarantee you) who are stupid enough to love it. There are those among them who may try it, there are others who will certainly download the data and try it.

So no, this wasn't a fire drill. This was theft and this left millions of innocent people open to abuse from that information.

 

[Raesvelg]

blah blah blah

And you're evidently too lazy to actually read the releases of the LulzSec crew.

As such, I have no need to continue talking with out.

We're not talking about encryption, ass. We're talking about access, and the difficulty thereof, and why the LulzSec crew simultaneously says it is easy, and yet says that they CANNOT access more of the database without considerably more money and several weeks of time.

So evidently it's not as easy as just accessing and downloading the entirety of it.

Which somewhat undermines their claims of it being incredibly easy, and casts some small measure of doubt not on the fact that they accessed it, or that the information was in plaintext, but that the act of accessing it was of trivial difficulty.

Do you not fucking read? Seriously. You're just irritating me at this point. You've seized on an completely unrelated issue, which has no relevance to the matter at hand because according to the people who performed the hack, the data WAS NOT ENCRYPTED. It requires no decryption. That cannot be the source of their stated requirements of more time and money.