Sony has yet to fully recover from the public beating it took after its Sony PlayStation Network hack. Now the company's movie division has been breached.
The same hackers who recently broke into the PBS web site and led many to believe that murdered rapper Tupac Shakur is still alive are taking responsibility for the attack on Sony Pictures' web site. The now-infamous hacker group is called LulzSec.
"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, e-mail addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons,'" the group said in a post at Pastebin.
"From a single injection, we accessed everything," the group said. "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plain text, which means it's just a matter of taking it."
Finding the Threats
Sony needs to find the advanced persistent threat or threats that likely are sitting deep in its network , according to Stephen Gates, director of field engineering for Top Layer. That, he said, is because the hacker community isn't coming in through the front door -- they aren't knocking holes in the firewall.
"It has to be some sort of backdoor into these networks, and companies like Sony need to put some sort of protection mechanisms in place to identify these advanced persistent threats and shut them down," Gates said.
As Gates sees it, Sony needs to identify the compromised machines by tapping technology like intrusion-prevention systems that can thoroughly analyze the protocols coming in and out of its network, clearly identifying the protocol anomalies, and most likely identifying these compromises and shutting them down.
"Companies should take this as a warning and proactively inspect all traffic leaving their network," Gates said. "Most companies are concerned with what is coming and never look at what is leaving. If they were to look more closely at what was leaving their network, they would find these advanced persistent threats."
Simple SQL Injection
Fred Touchette, a senior security analyst at AppRiver, said Thursday's attack against Sony Pictures and its network demonstrates the need for more emphasis to be placed upon cybersecurity. Less than two months after the initial attacks began against Sony's PlayStation Network, the parent company is finding itself breached once again in yet another branch of the company.
"The real kicker here is that, according to the group that pulled off yesterday's attacks, they used a simple SQL injection attack against their databases in order to pull from them all of this private information, which was once again stored unencrypted in plain text," Touchette said.
"I believe Sony should have moved a little faster and used the information from their debacle in April to harden their network company wide," he added. "Hopefully that message is truly clear to them now, as well as to everyone else out there who handles personal private information."
3 komentar:
Hey owner! I hope you’ve got a minute. I noticed that you’re also a WordPress website builder, so I thought I’d share this with you. This is a 100% free step-by-step guide to setting up a WordPress autoblog that makes money automatically, 24-7. I’m sure you could learn a thing or two from this eBook. If you’re interested, check out my link. It’s 100% free and I guarantee it’s worth your time. Thanks.
Wow! This was a real quality post. In theory I’d like to write like this too – taking time and real effort to make a good article… but what can I say… I procrastinate a lot and never seem to get something done. Hope you can help me with my writing skills. c:
So, the Bank of England not only survives the credit crunch without any blame but it’s to be given increased authority. Is this justification though for anticipating it can save us from what’s being called ‘inflation’ but is really just good old ‘price rises’? The BofE can’t keep on top of events clearly within its remit, let alone those happening on the other side of the world.
Post a Comment