Just how secure are the websites of major companies around the world?
Overnight, Sony was cracked yet again, and user information posted online, this time by a new force in online mischief, Lulzsec, which has a penchant for using commonly available programs to exploit lax corporate cyber security.
Sony has a particular problem because — perhaps in the manner of another Japanese company Tepco — it appears unwilling to reveal what is going on and unable to control its own systems. This is the second time in recent days Sony has been cracked using exactly the same SQL injection technique.
Sony suffered a major crack in April and tried to pin the blame on Anonymous, which had launched a DDoS attack on the site at roughly the same time. The Financial Times, which has form in attacking Anonymous, joined in, alleging it was vaguely responsible for the break-in and the theft of tens of millions of sets of user details, including credit card details that could be sold online.
Lulzsec’s latest crack secured over a million more user details, including passwords and home addresses. The group, which claims not to be part of Anonymous but shares some of its goals, made a point of noting how simple the SQL injection technique it used was.
Earlier this week Lulzsec sailed its “Lulzboat” over to the site of American public broadcaster PBS, which had run a profile on Bradley Manning that infuriated Manning and WikiLeaks supporters. The group used a different exploit, again taking advantage of poor security at the site, to take data and post the now-famous “Tupac is alive” story on the website of the earnest, desperately “balanced” Newshour. PBS took an extended period to regain full control of its site.
Lulzsec had previously done the same to the Fox.com site, posting user names and passwords online after accessing data.
In each case company administrators appear to have failed to keep system software up to date, leaving well-known exploits able to defeat their security measures, although in Sony’s case the failures are on a truly massive scale. After the latest Lulzsec hack, security experts online were calling for Sony to simply abandon its current cyber security framework and start again from scratch. In any event, the repeated cracks of one of the world’s biggest media companies, even as it has struggled to restore its PlayStation gaming network, suggest it can’t be trusted with user data at the moment.
The question is, how many other companies entrusted by consumers with private data have also failed to keep their systems up to date and are only awaiting similar attacks by crackers wielding simple tools to breach security?