Posts Tagged ‘Sony’

Sony has effectively become a testing ground for hackers seeking their claim to fame by exploiting security holes across Sony Corporation, while Sony keeps trying to work out how many loopholes still exist in its systems.

In the latest incident, Idahca (a Lebanese hacker group) dumped the database of ca.eshop.sonyericsson.com using a simple SQL injection. That makes two attacks on Sony in one day: in the morning LulzSec leaked the database of Sony's Japanese music websites, and now the Sony Ericsson eShop database has been breached. Email addresses, passwords and names of thousands of users were exposed in a text file on Pastebin. As with the LulzSec hack, the leak of the Sony Ericsson database was announced through the group's Facebook and Twitter accounts. The Pastebin link is http://pastebin.com/4YGAWxQZ .

The LulzSec hacking crew today released a database dump from Sony's Japanese websites via its Twitter account, @LulzSec. This is the ninth attack on Sony, and it too used SQL injection.

The vulnerable Links are:
SQLi #1: http://www.sonymusic.co.jp/bv/cro-magnons/track.php?item=7419
SQLi #2: http://www.sonymusic.co.jp/bv/kadomatsu/item.php?id=30&item=4490

The database structure has been leaked in a text file on Pastebin.com: http://pastebin.com/NyEFLbyX
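Both of the links above take an `item` or `id` value straight from the query string, which is the classic shape of a SQL injection point: if the value is concatenated into the query, an attacker can close the intended WHERE clause and append a UNION that pulls rows from any other table, which is how a whole user database ends up on Pastebin. The following is an added example written for this page, not code from Sony's sites or from LulzSec; the table names, rows and the `track_lookup_*` functions are constructed for illustration and use an in-memory SQLite database so it runs offline. It shows the vulnerable string-built query beside a parameterised one, plus a small probe that an automated scanner effectively performs.

```python
"""Constructed demo of SQL injection through a numeric query-string parameter.

Not Sony's code: the schema, rows, function names and payload are assumptions
made up for this example.
"""
import re
import sqlite3


def build_demo_db():
    """Constructed sample data: a public tracks table and a private users table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE tracks (item INTEGER PRIMARY KEY, title TEXT)")
    cur.execute("CREATE TABLE users (email TEXT, password TEXT)")
    cur.executemany("INSERT INTO tracks VALUES (?, ?)",
                    [(7419, "Track A"), (4490, "Track B")])
    cur.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
    conn.commit()
    return conn


def track_lookup_vulnerable(conn, item):
    """The mistake: the raw ?item= value is pasted into the SQL text."""
    sql = "SELECT item, title FROM tracks WHERE item = " + item
    return conn.execute(sql).fetchall()


def track_lookup_safe(conn, item):
    """Allow-list the input shape, then bind it as a parameter (never as SQL text)."""
    if not re.fullmatch(r"\d{1,9}", item):
        raise ValueError("item must be a small positive integer")
    return conn.execute("SELECT item, title FROM tracks WHERE item = ?",
                        (int(item),)).fetchall()


# A UNION payload: the first SELECT matches nothing, the second dumps users.
# Column count (2) must match the original SELECT for the UNION to parse.
PAYLOAD = "0 UNION ALL SELECT email, password FROM users"


def leaks_credentials(lookup, conn):
    """Probe a lookup function with the payload; True if it returns user rows.

    This is the check an automated injection scanner performs per parameter.
    """
    try:
        rows = lookup(conn, PAYLOAD)
    except (ValueError, sqlite3.Error):
        return False
    return any("@" in str(row[0]) for row in rows)


if __name__ == "__main__":
    db = build_demo_db()
    print("normal:", track_lookup_vulnerable(db, "7419"))
    print("injected:", track_lookup_vulnerable(db, PAYLOAD))
    print("vulnerable leaks:", leaks_credentials(track_lookup_vulnerable, db))
    print("safe leaks:", leaks_credentials(track_lookup_safe, db))
```

The fix is the parameter binding, not the regular expression: the allow-list only narrows what reaches the database, while the `?` placeholder guarantees the value can never be parsed as SQL.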

LulzSec is the same crew that cracked the Fox.com login database, including emails and passwords. The previous attack on Sony, the Sony BMG Greece hack, also used SQL injection. There seems to be no end to the attacks on Sony: this is the ninth hack in the last month against various Sony sites and assets. Meanwhile, Sony is still investigating the hack on its PlayStation Network and trying to rebuild its security infrastructure.

In what seems to be a never-ending nightmare, it appears that the website of Sony BMG in Greece has been hacked and its data dumped.

An anonymous poster has uploaded a user database to pastebin.com, including the usernames, real names and email addresses of users registered on SonyMusic.gr.

The data posted appears to be incomplete: it claims to include passwords, telephone numbers and other fields, but that data is either missing or bogus.

Screenshot of DB from Pastebin.com

According to Chester Wisniewski, Senior Security Advisor, Sophos Canada, “It is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony’s flaws, we are likely to continue seeing successful attacks against them.”

“It appears someone used an automated SQL injection tool to find this flaw. It’s not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found,” Wisniewski added.

While it’s cruel to kick someone while they’re down, when this is over, Sony may end up being one of the most secure web assets on the net.

If you are a user of SonyMusic.gr, it is highly recommended that you reset your password. Expect that any information you entered when creating your account may be in the hands of someone with malicious intent, and keep a close eye out for phishing attacks.

The lesson I take away from this is similar to other stories we have published on data breaches. It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in.

According to a Wall Street Journal report, So-net Entertainment Corp., an Internet service provider subsidiary of Sony Corp., said an online intruder accessed its customer rewards site earlier this week and stole customers' redeemable gift points worth about $1,225.

The infamous hack on Sony's online gaming networks, PlayStation Network and Sony Online Entertainment, has already become one of the biggest breaches ever. The So-net incident is the first of these attacks with a direct financial loss attached to it. The earlier hacks, which brought down PSN around April 19th and affected over 100 million users, resulted in nearly a month of outages for the two gaming networks and exposed user credit card details, though there are no reports yet of any misuse of that data.

Security experts said they were not surprised that the electronics company has yet to clean up weaknesses in its massive global network. Earlier this week, Sony shut down one of the websites it had set up to help millions of users change their passwords after finding a security flaw in it.

As for whether this latest hack is related, So-net’s Keisuke Watabe said, “Although we can’t completely rule out the possibility that there is a connection with the PSN issue, the likelihood is low.”

So-net sent a warning to its members yesterday saying that someone had tried to log in to the rewards site 10,000 times from the same IP address, and that the company thought the hacker might have had members’ usernames but no passwords. Therefore, he or she repeatedly tried automatically generated passwords until they worked.

When the dust settled, rewards points from 128 accounts with a total worth of just over $1,200 were redeemed. The Journal says that 73 additional accounts were accessed but had no points taken, and 90 So-net e-mail accounts were compromised as well. So-net claims that “there is no evidence that any personal data such as names, addresses, birth dates or phone numbers were viewed,” reports the Journal.
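What So-net describes is a textbook credential-guessing pattern: one source IP, thousands of failed logins against known usernames, and a handful of eventual successes. The signal is trivial to detect server-side if failed logins are logged per IP and per account. The block below is an added example for this page, not So-net's or Sony's detection code; the log line format, the `detect_password_guessing` function, the thresholds and the sample events are all constructed assumptions. It walks a sliding window over failures per IP, flags any IP that exceeds the threshold, and lists the accounts that then logged in successfully from that IP, which are the ones that need forced password resets.

```python
"""Constructed example: flag password-guessing IPs in authentication logs.

Not So-net's or Sony's code. The log format, thresholds and sample data are
assumptions made up for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> LOGIN_OK|LOGIN_FAIL ip=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) ip=(?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "result": m["result"], "ip": m["ip"], "user": m["user"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_guessing(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: summary} for IPs with >= threshold failures inside any `window`.

    The summary includes how many distinct accounts were targeted and which
    accounts later logged in successfully from that IP (likely guessed passwords).
    """
    by_ip = defaultdict(list)
    for e in parse_events(lines):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "LOGIN_FAIL"]
        # Sliding window: peak number of failures within `window` of each other.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = fails[0]["ts"]
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "LOGIN_OK" and e["ts"] >= first_fail})
        alerts[ip] = {
            "peak_failures": peak,
            "users_targeted": len({e["user"] for e in fails}),
            "compromised": compromised,
        }
    return alerts


def build_sample_log():
    """Constructed sample: one IP hammers three accounts and gets into one;
    a second IP is a normal user who mistypes twice, then logs in."""
    base = datetime(2011, 5, 18, 9, 0, 0)
    lines, attacker = [], "203.0.113.5"
    targets = ["member101", "member102", "member103"]
    for i in range(45):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} LOGIN_FAIL ip={attacker} user={targets[i % 3]}")
    ts = base + timedelta(seconds=4 * 45)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} LOGIN_OK ip={attacker} user=member102")
    for i in range(2):
        ts = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} LOGIN_FAIL ip=198.51.100.7 user=member250")
    ts = base + timedelta(minutes=31)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} LOGIN_OK ip=198.51.100.7 user=member250")
    lines.append("this malformed line is skipped by the parser")
    return lines


if __name__ == "__main__":
    for ip, info in detect_password_guessing(build_sample_log()).items():
        print(ip, info)
```

A per-IP threshold alone is easy to evade by spreading guesses over many addresses, so a production rule should also count failures per account and per target set; the sliding window here keeps a slow, steady attacker from escaping a fixed-bucket counter.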

It’s becoming increasingly clear that Sony may have a company-wide security problem on its hands. It took Sony an eternity to get the PlayStation Network back up and running, but it didn’t take long before people noticed a vulnerability in the PSN’s login system. Sony’s response was to point out that the security hole was simply a vulnerability, not an actual hack.

F-Secure also noted that a phishing site “targeting an Italian credit card company” was found on one of Sony's servers in Thailand. “Basically this means that Sony has been hacked, again,” says F-Secure's post, which continues, “Although in this case the server is probably not very important.”

Sony has already admitted that it did not even have a Chief Information Security Officer and is only now creating that position. That alone shows how casually Sony has treated security until now.

After much delay and promises of a ‘quick restoration’ of its PlayStation Network services, Sony finally started restoring the online gaming platform on Sunday. However, barely into the restoration process, Sony faced a major glitch.

Sony announced Sunday that PSN users can start updating the firmware on their PS3 and will be able to change their password when PSN services are restored in their respective countries. Kazuo Hirai just announced that Sony has begun the phased restoration by region of some of the services, starting with online multiplayer functionality.

However, according to Sony's blog on Monday, some users have reported that they have not received their password reset emails. With a huge number of people coming back online at the same time and resetting their passwords, the reset mails are generating significant email traffic to ISPs, and some ISPs are throttling them as a result.

Sony says it is currently trying to resolve this, but in the meantime asking users to remain patient and refrain from submitting multiple requests.

Here’s the latest update on the restoration process from Sony:

Update:
We’re currently experiencing an extremely heavy load of password resets, so we recently had to turn off services for approximately 30 minutes to clear the queue.

If you’ve requested your password reset, please give it a bit of time to reach your email.

With over 100 million users affected by Sony's biggest hack ever, on PlayStation Network and Sony Online Entertainment, the company is slowly revealing the number of affected users in various countries. According to the Irish publication The Post.ie, Sony has filed an “initial report” with the Office of the Irish Data Protection Commissioner on the loss of names, addresses, passwords and other personal data of over 400,000 Irish PlayStation account holders.

As many as 60,000 Irish credit card accounts were also exposed during an internet hacking episode which affected 100 million people worldwide. Sony is unlikely to face any sanction under Irish data protection law, which is based on a voluntary code. Despite several lawsuits in the US, experts say that the company will also escape legal action from affected Irish subscribers, whose only legal remedy lies in proving a breach of the company’s duty of care.

Under Irish law, companies are not currently required to report details of a data breach either to the Data Protection Commissioner or to the data subjects themselves. However, the hacking attack is said to be one of the most serious data breaches ever to affect Irish internet users.

There seems to be no end to the data loss incidents at Sony Corporation. In the last two weeks, the company has accepted losing personal data of over 100 million users (77 million users affected by hack on PlayStation Network and 25 million affected with hack on Sony Online Entertainment). In a statement made Saturday to Reuters, Sony acknowledged that another Sony property had been attacked by malicious hackers and more data stolen and published.

Even more embarrassing was the fact that the stolen information was published on a Sony web server that reportedly is part of Sony Electronics.

The information disclosed contained names and partial addresses of Sony customers who had participated in a 2001 sweepstakes. Sony’s comment is as follows:

“The website was out of date and inactive when discovered as part of the continued attacks on Sony,”

This appears to be a partial repeat of what they disclosed in their second statement acknowledging that Sony Online Entertainment had been compromised. “Don’t worry it was old data on a forgotten server.”

“In an organization as large as Sony the hackers targeting them may be able to continue to find low hanging fruit, unpatched old equipment at any of the various Sony subsidiaries could continue to embarrass Sony publicly,” opined Chester Wisniewski, Senior Security Advisor at Sophos.

Meanwhile, Sony Playstation Network users are starting to get quite impatient as they await the return of the online gaming service.

In this case Sony is certainly doing the right thing. It is better to be offline and identify what must be done to return the service to a secure state than to simply turn it back on and allow attackers to target even more data.

Last weekend, Sony Computer Entertainment announced that it will provide complimentary enrollment in an identity theft protection program. Here are the details of this program for PlayStation Network and Qriocity account holders in the United States only. Sony said it is working to make similar programs available in other countries/territories where applicable.

Sony has made arrangements with Debix Inc., an identity protection firm, to offer AllClear ID Plus at no cost to PlayStation Network and Qriocity account holders for 12 months from the time an account holder registers for the program.

Sony will start sending out activation emails for this program over the next few days, and users in the US will have until June 18th to sign up and redeem their code. Users will need to sign up directly through AllClear ID, not on Sony's websites; details, including step-by-step instructions for the program, will be emailed to United States PSN and Qriocity account holders soon.

The details of the program include:

  • Cyber monitoring and surveillance of the Internet to detect exposure of an AllClear ID Plus customer’s personal information, including monitoring of criminal web sites and data recovered by law enforcement. If his/her personal information is found, the customer will be alerted by phone and/or email and will be provided advice and support regarding protective steps to take. The customer will also receive monthly identity status reports. Debix works with an alliance of cyber-crime experts from the government, academia and industry to provide these services.
  • Priority access to licensed private investigators and identity restoration specialists. If an AllClear ID Plus customer receives an alert, or otherwise suspects that he/she may be the victim of identity theft, the customer can speak directly, on a priority basis, with an on-staff licensed private investigator, who will conduct a comprehensive inquiry. In the case of an identity theft, the customer can work with an identity restoration specialist to contact creditors and others, and take necessary steps to restore the customer’s identity.
  • A $1 million identity theft insurance policy per user to provide additional protection in the event that an AllClear ID Plus customer becomes a victim of identity theft. This insurance would provide financial relief of up to $1 million for covered identity restoration costs, legal defense expenses, and lost wages that occur within 12 months after the stolen identity event.

Sony has finally broken the ice and replied to the US House Commerce Committee on the recent PlayStation hack that affected 77 million users and the subsequent attack on Sony Online Entertainment that affected another 25 million. In a formal letter addressed to members of the committee, Sony Computer Entertainment America chairman Kazuo Hirai suggests that the hacktivist movement Anonymous played a role in the massive customer data breach, which now exceeds 100 million records.

Anonymous followers had previously taken credit for a distributed denial of service (DDoS) attack against Sony websites in early April but denied any involvement in the later hack on PSN and SOE.

Initially, Sony representatives did not seek to connect the hacktivist group with the data breach. That changed once forensic investigators located a file on the hacked systems named “Anonymous” and containing the movement's tagline “We are Legion.”

The discovery was enough evidence for Sony’s chairman to state in the letter to Congress that Anonymous was at least partly to blame for the customer data loss event:

“Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous… Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world,” Hirai’s letter said.

The letter to Congress also sought to counter criticism that Sony waited too long to notify authorities and customers of the breach, stating that the company only released information after it was confirmed in the investigation:

“Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence,” Hirai’s letter said.

Sony has provided a summary of Hirai’s letter to Congress:

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

  1. Act with care and caution.
  2. Provide relevant information to the public when it has been verified.
  3. Take responsibility for our obligations to our customers.
  4. Work with law enforcement authorities.

We also informed the subcommittee of the following:

  • Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
  • We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
  • By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
  • As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
  • Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
  • We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

Sony has disclosed that hackers stole the names, addresses and passwords of nearly 25 million more users than previously known less than a day after the Japanese company apologized for one of the worst break-ins in Internet history.

On Sunday, Sony apologized to its users for the incident, which was initially thought to have affected close to 77 million PlayStation users, and announced a compensation package with several freebies for them. According to Reuters, the Japanese electronics company said it discovered that the break-in of its Sony Online Entertainment PC games network also led to the theft of 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain, and 12,700 non-U.S. credit or debit card numbers.

Sony said late Monday that the names, addresses, emails, birth dates, phone numbers and other information of 24.6 million PC games customers were stolen from its servers, along with an “outdated database” from 2007. However, Sony denied on its official PlayStation blog on Monday that hackers had tried to sell it a list of millions of credit card numbers.

The April incident has sparked legal action and investigations by authorities in North America and Europe, home to almost 90 percent of the users of the network, which enables gamers to download software and compete with other members.

On Monday, Sony declined to testify in person in front of a U.S. congressional hearing, but agreed to respond to questions on how consumer private data is protected by businesses in a letter on Tuesday, said a spokesman for Rep. Mary Bono Mack, a Republican Congresswoman from California, who is leading the hearing.

The incident that Sony disclosed on Monday also forced it to suspend its Sony Online Entertainment games on Facebook. Sony posted a message on Facebook saying it had to take down the games during the night. A Sony spokesman said the Facebook games make money from microtransactions and the sale of virtual goods like costumes and weapons.

It was not immediately clear whether the data theft included data from players of Sony games such as “PoxNora,” “Dungeon Overlord” and “Wildlife Refuge” on Facebook.