Sony Japan hacked by SQL injection - klapinat0r
http://nakedsecurity.sophos.com/2011/05/24/sony-music-japan-hacked-through-sql-injection-flaw/

======
andrewcooke
the example in the link (the image of the "hack") isn't sql injection - it's
just reading a database table through the appropriate api.

the more detailed info at
http://www.thehackernews.com/2011/05/lulzsec-leak-sonys-japanese-websites.html
again doesn't show any injection. all they are doing is reading the contents
of various tables through a simple (REST-like) API/URL.

["IT security blog of the year" and they don't know what injection is? and
what about all the "experts" in this thread? do any of you, so ready to
pontificate, have proof this is a valid attack?]
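The distinction andrewcooke draws above, as an added example that is not code from the article, the thread, or any Sony system: the first two functions show what SQL injection actually is (a request parameter that changes the structure of the query) and its parameterized fix; the third shows a "dump the table" endpoint that leaks the same data with no injection at all, because nothing checks who is asking. The `users` table, the function names and the `DUMPABLE_TABLES` allowlist are all constructed here for illustration.

```python
import sqlite3

# Constructed sample data, not taken from the article or any Sony system:
# a small in-memory "users" table standing in for a site's user database.
SAMPLE_USERS = [
    (1, "alice@example.com", "hash-a"),
    (2, "bob@example.com", "hash-b"),
    (3, "carol@example.com", "hash-c"),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """SQL injection: the request parameter is spliced into the query text,
    so a value such as '1 OR 1=1' changes what the query means."""
    sql = "SELECT id, email FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized query: the parameter is bound as a value and is never
    parsed as SQL, so the same payload simply matches no row."""
    return conn.execute(
        "SELECT id, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# Hypothetical allowlist of tables a "dump" endpoint is willing to serve.
# Identifiers cannot be bound with '?', so they are validated instead.
DUMPABLE_TABLES = {"users"}


def dump_table(conn, table):
    """An endpoint that returns a whole table to whoever asks. There is no
    injection here: the query is fixed and the table name is allowlisted.
    The data leaks because nothing checks whether the caller is allowed
    to see it, which is an authorization flaw, not an injection flaw."""
    if table not in DUMPABLE_TABLES:
        raise ValueError("unknown table: %r" % table)
    return conn.execute(
        "SELECT id, email, password_hash FROM %s" % table
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:   ", lookup_vulnerable(db, "1"))
    print("injected lookup: ", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe lookup:     ", lookup_safe(db, "1 OR 1=1"))
    print("dump via API:    ", dump_table(db, "users"))
```

Running it shows the difference in one screen: the injected payload turns a single-row lookup into a dump of every row, the parameterized version returns nothing for the same payload, and `dump_table` hands out every row (hashes included) without any malformed input at all. If what the leaked screenshots show is the third case, escaping or parameterizing queries would not have prevented it; an authorization check on the endpoint would.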

~~~
jlind
Security hole or not, Sony clearly has a whole lot of negative momentum in
regards to security. Sony are already estimating a $171m loss as a result of
the PSN outage[1].

[1] http://www.joystiq.com/2011/05/23/psn-breach-and-restoration-to-cost-171m-sony-estimates/

------
jbk
And once again, a proof that to take security seriously, you need to have a
security culture and policy in your whole company.

Otherwise, many small Business Units of your International MegaCorp, who won't
have the knowledge or the culture of security, will not care enough and might
get hacked, one way or another...

~~~
stcredzero
_one way or another..._

In a way that you can eliminate using straightforward technical fixes.

------
pseudonym
I'm actually kind of curious about this now. Right now this is hack...5?
against something under the Sony umbrella.

1. Just because it's got "Sony" in the name, how related are these, really?
Does Sony actually have a hand in all of them, or were they just random
companies that were acquired and picked up the "Sony" brand name, instead of
keeping their own and saying "Owned by X", like (for example) Blizzard and
Activision?

2. I realize that 90% of this is because apparently it's fun to kick Sony
while they're down, both in terms of crackers saying "Let's poke at Sony sites
until we find something, trololo" and media sites saying "Hey, people don't
like Sony, let's get some free pagehits and report on this!" Would this hack
in particular, and the Sony Thailand from earlier, have even been noted in any
tech forum or news site anywhere before the PSN outage?

~~~
eitland
> 2. I realize that 90% of this is because apparently it's fun to kick Sony
> while they're down

Guess Sony isn't "down" yet. Also guess the attacks have less to do with Sony
being "up" or "down" and more to do with Sony's history of attacking people
held in high esteem by the ones who are capable and willing to attack.

Free advice for Sony: Stop harassing researchers. Measure hacking attempts
before / after.

~~~
pseudonym
I would actually be curious how much of this is recourse for Geohot, although
there's probably no possible way of empirically finding out. That said, I'd be
willing to bet that "people who hack Sony to protest Geohot" and "people who
hack Sony to steal other people's credit cards" are two different camps.

As to the Sony being "down", I'd contend they are. Their reputation for
security is in the shitter, and any hacks executed now are going to have a far
greater effect than they would at any other time (again, I doubt things like
this or the Thailand hack would have ever made news sites in any fashion
before the PSN outage).

------
klapinat0r
Despite the name, this is not Rails specific, and should serve as a good read
for all: <http://guides.rubyonrails.org/security.html> covering both SQL
injection and cross-site request forgery/scripting.

------
eli
Big company with many independent websites has lots of independent
vulnerabilities. OK, I get it already. Probably true for many companies.

