Thank you for staying tuned into our third case study and final installment of our four-part series on the Lulz Security hacks. Our first entry on the LulzSec hacks gave a broad overview of the group and what they did and how it made people aware of hacking. We then embarked on three case studies beginning with PBS and then InfraGard that outlined the attacks and corporate response and lessons learned. This entry will focus on what happened to Sony. Keeping true to form, we will look at the security of the company attacked, the hack done by LulzSec, and the company’s response to that attack.
Sony was hacked recently on two occasions. The first attack against Sony on April 19, 2011, targeted the PlayStation network. This attack exposed records for over 70 million Sony PlayStation users including usernames, passwords, credit card information, security answers, and addresses. Allan Paller, research director at SANS Institute, called the breach the largest identity theft on record. The Washington Post states that LulzSec has not taken credit for this attack however other sources reference a tweet made by LulzSec around the time of the attack where they stated that they were stealing information from Sony. Either way, this attack serves as another lesson in how to better protect valuable information. This attack was successful because passwords were not stored in a hashed format. Hashes allow the program to verify that a password given to it is correct while maintaining the secrecy of the password.
Sony responded to the attack on the PlayStation network by allowing US account holders to participate in an identity theft protection program, and they issued a 30-day membership to the PlayStation Plus service. It is unknown, however, if the security problems that caused this attack have been addressed sufficiently. Sony did shut down the PlayStation network so that they could take care of the issues without risking further compromise of the system. We applaud Sony for making a decision to improve security even at the cost of the availability of the system. They most certainly lost money while the system was unavailable but they were able to prevent customers of the PlayStation network from further harm.
The second attack on June 2, 2011, was against Sony’s pictures and music divisions. LulzSec claimed responsibility for the attack and criticized the lack of security controls that allowed them access to the systems. Their attack exposed more than one million accounts that were stored in an unencrypted text file and stole 75,000 music codes and 3.5 million music coupons that are used to download music from the Sony/BMG site. LulzSec also compromised over one million users’ personal information including emails addresses and passwords. They obtained access to this information by using a SQL injection vulnerability. SQL injection is a method where harmful database queries are executed against a database by inserting the queries, which are formed using SQL (Structured Query Language), into an input to the program often in a web form. The program or web site collects the input and processes it but along the way, the query is executed providing the attacker with information from the database.
To prevent against the attack against Sony pictures and music, the website code should have implemented web coding best practices including limiting application privileges, validating the input collected before processing it, and reducing the amount of debugging information provided from the web site. They also should have encrypted files that contained confidential information and stored passwords in a hashed format rather than in plain text.
Today we emphasized these two attacks on Sony. We now conclude our four-part series on the LulzSec hackings and hope that you will ask the question, could my company be next?