LulzSec Hacking of Sony

Thank you for staying tuned into our third case study and final installment of our four-part series on the Lulz Security hacks. Our first entry on the LulzSec hacks gave a broad overview of the group and what they did and how it made people aware of hacking. We then embarked on three case studies beginning with PBS and then InfraGard that outlined the attacks and corporate response and lessons learned. This entry will focus on what happened to Sony. Keeping true to form, we will look at the security of the company attacked, the hack done by LulzSec, and the company’s response to that attack.

Sony was hacked recently on two occasions. The first attack against Sony on April 19, 2011, targeted the PlayStation network. This attack exposed records for over 70 million Sony PlayStation users including usernames, passwords, credit card information, security answers, and addresses. Alan Paller, research director at SANS Institute, called the breach the largest identity theft on record. The Washington Post states that LulzSec has not taken credit for this attack; however, other sources reference a tweet made by LulzSec around the time of the attack in which they stated that they were stealing information from Sony. Either way, this attack serves as another lesson in how to better protect valuable information. This attack was successful because passwords were not stored in a hashed format. A hash lets the program verify that a submitted password is correct without the program ever storing the password itself, so a stolen copy of the user table does not hand the attacker working credentials.

Sony responded to the attack on the PlayStation network by allowing US account holders to participate in an identity theft protection program, and they issued a 30-day membership to the PlayStation Plus service. It is unknown, however, if the security problems that caused this attack have been addressed sufficiently. Sony did shut down the PlayStation network so that they could take care of the issues without risking further compromise of the system. We applaud Sony for making a decision to improve security even at the cost of the availability of the system. They most certainly lost money while the system was unavailable but they were able to prevent customers of the PlayStation network from further harm.

The second attack on June 2, 2011, was against Sony’s pictures and music divisions. LulzSec claimed responsibility for the attack and criticized the lack of security controls that allowed them access to the systems. Their attack exposed more than one million accounts that were stored in an unencrypted text file, and they stole 75,000 music codes and 3.5 million music coupons that are used to download music from the Sony/BMG site. LulzSec also compromised over one million users’ personal information including email addresses and passwords. They obtained access to this information by using a SQL injection vulnerability. SQL injection is a method where harmful database queries are executed against a database by inserting the queries, which are formed using SQL (Structured Query Language), into an input to the program, often in a web form. The program or web site collects the input and processes it, but along the way the attacker-supplied text is executed as part of the query, providing the attacker with information from the database.

To prevent the attack against Sony pictures and music, the website code should have implemented web coding best practices including limiting application privileges, validating the input collected before processing it, and reducing the amount of debugging information provided from the web site. They also should have encrypted files that contained confidential information and stored passwords in a hashed format rather than in plain text.
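The following added example (my code, not Sony's and not part of the original post) illustrates the SQL injection described above and two of the defenses listed here, input validation and a parameterized query, side by side. It uses an in-memory SQLite table with constructed sample rows; the web form is simulated by passing the submitted username straight to a lookup function.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the form value is spliced into the SQL text.

    Whatever the user typed becomes part of the statement, so quotes and
    operators in the input change what the query means.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Layer 1: validate before processing. Usernames are expected to be short and
# alphanumeric, so anything else is rejected before a query is even built.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: validation plus a parameterized query.

    The '?' placeholder tells the driver to send the value separately from the
    SQL text, so the input can never be interpreted as SQL, even if validation
    were bypassed.
    """
    if not USERNAME_RE.fullmatch(username):
        return []
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    tampered = "' OR '1'='1"  # constructed form input that closes the quote and adds a true clause
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, tampered input returns every row:", lookup_vulnerable(db, tampered))
    print("hardened, tampered input:", lookup_safe(db, tampered))
    print("hardened, normal input:", lookup_safe(db, "alice"))
```

Running it shows the vulnerable lookup returning the whole table for a single tampered field, which is the mechanism behind the exposure described above, while the hardened version returns nothing for the same input and still serves legitimate lookups. The remaining items in the list (least-privilege database accounts, suppressed debug output, and hashed rather than plaintext passwords) are defense in depth around this same boundary: they limit what an injection can reach if one still slips through.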

Today we emphasized these two attacks on Sony. We now conclude our four-part series on the LulzSec hackings and hope that you will ask the question, could my company be next?



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

26 Comments

  1. Nice, I’ve bookmarked the page in Digg.com under “LulzSec Information Security Case Study Volume 3 – Sony |”. Cheers!

  2. I should have found this article much sooner. Other articles on this topic had me so confused. Thank you for making clear and valid points that I can easily understand.

  3. It’s hard to discover professional individuals on this matter, however you sound like you know what you’re speaking about! Many thanks

  4. Ranjan,

    Thanks for reading my article on the LulzSec Sony case. I appreciate your feedback and agree with you that the term “hacker” is ambiguous. “Hacker” is an evolutionary term and one that is contextually diverse. Originally the term only referred to those who tried to figure out how things worked and create new things with computers. In the general media nowadays however, the term means someone who performs malicious actions with a computer and does not imply a specific level of skill. I have chosen to use the term “hacker” as is generally perceived because of the diversity of those who read this blog.

    I do have to disagree with your comment that website denial of service does not hurt anyone. Availability of systems is crucial for most businesses today and the unavailability of a website could mean loss of business or loss of reputation. A script kiddie playing with a botnet or a DoS tool may just want to have fun but their actions are still wrong and damaging to their victims. The fact that it is easy does not make it right.

  5. That is a loaded question! Depending on who you talk to they are either hackers or they aren’t. The media seems to have the notion that anything computer related that is bad is a result of hackers. There is a new virus today that deletes so and so file. The hackers who wrote it… It’s hard to take the media seriously when they go into computer or internet security and even their chief security officers seem to get the information wrong or use the wrong lingo at times. Let’s discuss two of the bigger incidents Lulzsec members can claim.

     1) They performed a DOS attack on a government web site and it became unresponsive for a short period of time.
     2) They have broken into a number of people’s email accounts and leaked email information to the internet world.

     Lulzsec can claim they did both of the above and no one can dispute that. But if you are asking if they are HACKERS because they performed (or have the ability to perform) the above actions, then the answer is no. They aren’t hackers at all. The above can be done without knowing anything about security or computers at all. In the security boards I frequent and through many of the IT world this group are considered script kiddies, which is often construed as the name hacker through the media. I won’t say they are script kiddies but most security professionals or anyone working in the field will likely tell you Lulzsec is the furthest thing from a computer hacking group.

     1) DOS attacks. If you have enough people with enough computers and any of 100+ freely downloadable DOS attack applications from Google you can take down most any unsuspecting web server. It doesn’t really hurt anyone. It’s just people using a freely available program with enough support to bring a computer down. It has nothing to do with hacking or security. Anyone with 12 brain cells could pull it off if they had enough resources.

     2) Email hacking. This, by itself, is one of those things that strike a nerve with me. There isn’t such a thing as email hacking unless someone has say a Lotus Notes client on their computer and they also have the databases stored locally (oops) and someone manages to break into the computer and recover the email data. What people consider email hacking isn’t hacking at all. People break into email accounts all the time and it is almost always due to the victim using an insecure password. If that person used a 25 character cryptic password (lowercase, uppercase and numeric characters without using any words) Lulzsec wouldn’t be able to get into the email account if they had 6 months to work on it. Again, there are HUNDREDS of free applications on Google that can be used to brute force email passwords for Yahoo, Hotmail, Comcast, Qwest, etc. The software is FREE. And all that you really have to do is type in an email address and a link to a sign-in form and it’ll try every combination of a computer-generated password as it can until it finds one that signs into the account. Anyone can do it if the password is short or easy enough to guess but really the people who run these types of programs or the DOS programs mentioned above are nothing more than script kiddies. Unless someone knows how to break into systems on their own, they aren’t hackers. That is a definition most security people are likely to agree with. So by this definition the answer is NO. Lulzsec is not a group of hackers. That’s not to say some members might have the ability to, it’s saying the group as a whole uses freely available programs to do all the work for them and they find easy targets to hit.

  6. Jack asked what the point of LulzSec was anymore. There is no point. There never was. I do agree with anonymous though. It is in the name… LULZ – Losers United Lacking Zyprexa. Get a job, move out of mommy’s basement and contribute something useful to society. If the only way you can feel good about yourself (or have a LULZ) is to tear down something that someone else has built then you have serious issues. The good news is… they make medication for that. Try some!!! Flame away skiddies… 🙁

  7. It’s as simple and straightforward as this: Hacking a site to “reveal” security issues is the same as breaking into your neighbour’s home because he doesn’t have armour plating over his windows and doors. People choose ridiculous passwords, this is true, and will continue to do so until someone invents a better way. As soon as new technology comes out to replace passwords, these guys will be busy busy trying to break it too. Armchair Vandals, nothing more!

  8. Maybe that these people are using government resources, i.e. our tax dollars, for personal pursuit. I am sure there are strict regulations about using these accounts for personal and not business use. Not to mention I have to wonder how many of them were enjoying these sites during business hours, when they are supposed to be serving the country. It seems something else is getting served and we are paying for it.

  9. Silvana,

    Yes. You are right. Ethical hacking only occurs when the penetration testing occurs with the customer’s consent. Here, LulzSec did not have the consent of Sony or the other companies they attacked so they are not ethical hackers. They try to take the “moral high ground” on this but that does not justify their actions.

  10. I’ve been reading your posts for a while now. Thanks for the information on LulzSec. I enjoyed reading this discussion. You are an expert in this topic!

  11. Isn’t it nice for those of us who live in the US that we are allowed to hold our own opinions. So, in your opinion, which I respect but completely disagree with. In the opinions of many in Silicon Valley and at other technology centers, I think you would be in the minority. There is a difference between a Hacker and a Cracker and I think you did a good job explaining what that difference is.
