Sony investigating another hack
- 3 June 2011
- From the section Technology
Sony is investigating another hacking attack on one of its websites.
A group called Lulz Security claims to have broken into Sonypictures.com and accessed details of a million users.
Passwords, home addresses and other personal information relating to several thousand of the accounts was released online.
It is the third major hack to hit Sony since April when the PlayStation Network was targeted and the details of 77 million users compromised.
Details of the latest attack were made available on the recently created Lulz Security website
A LulSec press release said: "SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.
"From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
SQL attacks are generally regarded as one of the more straightforward ways of gaining unauthorised access to a website.
Typically, an attacker will attempt to bypass the username and password system by sending code or characters that confuse the site's programming.
The release also claims that user information on Sonypictures.com was stored in unencrypted, plain text format.
LulSec explained that it was unable to make the entire user database available, however it released a portion of it, totalling roughly 50,000 users.
Sony has yet to respond to the claims, but said in a tweet: "We are looking into the claims about reports of attacks on Sony Pictures websites. Please follow us for latest updates."
Mikko Hypponen, chief research officer at security firm F-Secure, said that another Sony breach had been almost inevitable.
"I'm not surprised by anything about Sony anymore," he told BBC News.
"It will be hard for a company of that size to make sure they are secure if someone wants to go and find holes."
Mr Hypponen said that Sony had become a preferred target of hackers because of the company's long history of vigorously defending its intellectual property.
Most recently, it took legal action against a US hacker, George Hotz, who claimed to have cracked elements of the PlayStation's security.
"That was the turning point. But it is easy to hate Sony, starting with the CD rootkit in 2005," said Mr Hypponen, referring to an earlier scandal that erupted when it was discovered that some Sony music CDs had secretly installed copy protection software on users' computers.
Little is known about the LulSec group, although they have claimed responsibility for recent attacks on several websites in the USA - Fox, PBS and XFactor.
It is understood to be a separate organisation from Anonymous, the "hacker collective" which has been linked to a number of high profile web attacks including several on Sony sites.
The latest attack has, once again, raised questions about the strength of security employed by Sony and other companies holding sensitive user data.
Much of the information taken in the Sony hacks was unencrypted and easily readable.
Mike Smart from cryptography specialists Safenet said that many companies were only applying their highest security protocols to data such as credit card numbers.
He explained that other "social" information was often given minimal protection.
"People can get through the front door. Now we have got to the stage that we need to lock the inside doors and put our documents in a safe.