Wednesday, May 25, 2011

Sony's online woes continue, mobile phone site hacked

source: gmanews


Sony's online woes continued, with an e-commerce site of its Sony Ericsson mobile phone division being the latest victim of hackers.

Online security firm Sophos said the attack on Sony Ericsson's Canadian e-commerce site was the fifth time a Sony site was hacked in the last four days.

"I did some checking on the password hashes and they do not appear to be easily recovered MD5 or SHA1 hashes, hopefully Sony has salted them to make it more difficult for them to be recovered," Sophos Canada senior security advisor Chester Wisniewski said in a blog post.

He said the hacker, @idahc, posted a database to pastebin.com containing password hashes, email addresses and full names.

Now, he said, @idahc_hacker is claiming to have discovered additional databases besides the one he posted to pastebin that may contain credit card numbers, telephone numbers, discount coupons and the administrator's username and password.

A separate story on PC World said Sony confirmed someone had hacked into its website and stolen about 2,000 customer names and e-mail addresses.

But it quoted Sony Ericsson Mobile Communications spokeswoman Ivette Lopez Sisniega as saying the e-commerce website has been disabled.

"Sony Ericsson has disabled this e-commerce website," she said in an e-mail message. "We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers."

Another article on Softpedia said the hacker described himself as Lebanese.

"I am Idahc a Lebanese hacker and I am Back. I hacked The database of ca.eshop.sonyericsson.com with a simple sql injection," he told Softpedia in an email that also included a screenshot of the attack.

Wisniewski said a screenshot obtained from The Hacker News indicated the SQL injection attack used to compromise the site was "similar to the recent attacks on Sony sites in Greece and Japan."

He also noted this was the first time a partner company to Sony has been targeted in the ongoing attacks against their brand.

"Looking at the attacks over the past few weeks it is clear that they are not being centrally coordinated, rather they seem to be opportunistic from those angry with Sony over the lawsuit against George Hotz," he said.

Hotz got into trouble with Sony, which sued him after he hacked its PlayStation 3 game console.

Hackers leave taunting message

After attacking the Greek site of Sony's music arm, hackers broke into Sony Music's Japan website, security firm Sophos said Tuesday (Manila time).

Sophos Canada senior security advisor Chester Wisniewski said the attack, via SQL injection, was similar to the attack on the Greek site.

"The good news? The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information," Wisniewski said in a blog post.

Another site, The Hacker News, identified the attackers of the Japan site as LulzSec, adding that the attack on the Japan site was the ninth on Sony so far.

It identified the two vulnerable Sony Music Japan links as http://www.sonymusic.co.jp/bv/cro-magnons/track.php?item=7419 and http://www.sonymusic.co.jp/bv/kadomatsu/item.php?id=30&item=4490.

But as of Tuesday noon, the two sites appeared normal.

"LulzSec are the guys who cracked the Fox.com login database, including emails and passwords. Then LulzSec Hack & Leak pointless ATM information also," The Hacker News said.

"Last attack on Sony was also using SQL injection, Sony BMG Greece Hack. The attack on Sony are Continues (sic), But still Sony's Security Experts are busy in only making PlayStation Live again. Their other sites/Server are compromised Daily. Hacker now take this as just a GAME!" it added.

Sophos' Wisniewski said it was not immediately clear whether the hackers were able to inject data into the database, or simply access the tables and records it contains.

He said that if the hackers were able to alter the records, they could insert malicious code that could be used to compromise people browsing the site.

But he said that while the attackers appeared to attack sites primarily for fun and political reasons and not to steal credit cards and commit other types of fraud, "this doesn't change the criminality of their behavior."

"Accessing systems without authorization is still a crime in most countries," he added.

Wisniewski also noted a message from the hackers that appeared to taunt Sony.

"This isn't a 1337 h4x0r, we just want to embarrass Sony some more ... Stupid Sony, so very stupid," they said in their message, as captured by a screenshot posted on Wisniewski's blog entry.

On the other hand, Wisniewski questioned whether Sony was taking security seriously, or needed more time to patch all the flaws in its sites.

"Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later," he said.
