Friday, June 3, 2011

Sony customer data hacked again

A hacker group has once again hacked a Sony server. Using simple SQL injection, thousands of customer and employee records were extracted.

On its website, the group itself lists its purportedly successful hacks against Sony to date.

Via Twitter, Lulz Boat, as the group calls itself, taunts its pursuers. Again and again, sites belonging to this group are taken offline and reappear elsewhere.

Via Twitter ( http://twitter.com/#!/LulzSec ), the group, if it really is more than one hacker, keeps the Sony community in suspense. Every hour, the hacker laughs at and mocks Sony customers there. Incidentally, the records that were put on the Internet and were freely available are only an excerpt from the entire customer file. They contain names, passwords, and further details about the users.

The hacker group addressed the public in a statement claiming responsibility:

Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will
find various collections of data stolen from internal Sony networks and websites,
all of which we accessed easily and without the need for outside support or money.

We recently broke into SonyPictures.com and compromised over 1,000,000 users'
personal information, including passwords, email addresses, home addresses,
dates of birth, and all Sony opt-in data associated with their accounts.
Among other things, we also compromised all admin details of Sony Pictures
(including passwords) along with 75,000 "music codes" and 3.5 million "music coupons".

Due to a lack of resource on our part (The Lulz Boat needs additional funding!)
we were unable to fully copy all of this information, however we have samples
for you in our files to prove its authenticity. In theory we could have taken
every last bit of information, but it would have taken several more weeks.

Our goal here is not to come across as master hackers, hence what we're about
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of
the most primitive and common vulnerabilities, as we should all know by now.
From a single injection, we accessed EVERYTHING. Why do you put such faith in
a company that allows itself to become open to these simple attacks?

What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just
a matter of taking it. This is disgraceful and insecure: they were asking for it.

This is an embarrassment to Sony; the SQLi link is provided in our file contents,
and we invite anyone with the balls to check for themselves that what we say
is true. You may even want to plunder those 3.5 million coupons while you can.

Included in our collection are databases from Sony BMG Belgium & Netherlands.
These also contain varied assortments of Sony user and staffer information.

Follow our sexy asses on twitter to hear about our upcoming website. Ciao! ^_^

Their website has a chronology of the hacks so far:

Releases

02/06/11
30/05/11
  • PBS.org defacement (pbs.org/lulz) snapshot
  • PBS.org defacement (fake Tupac article) snapshot
  • PBS.org internal hosts
  • PBS.org database list
  • PBS.org staffers database
  • PBS.org authors database
  • PBS.org pressroom users database
  • PBS.org stations database
  • PBS.org MySQL users database
23/05/11
  • Sonymusic.co.jp database
15/05/11
  • UK ATM database
10/05/11
  • Fox.com innerworkings
  • Fox.com/sales database (SQL)
  • Fox.com/sales database (txt)
  • Fox.com/sales database cracked passwords
07/05/11

The questions arise:

"Is my data still safe with Sony?"

"How will Sony ever get out of this disaster?"



What do you think? Do you still trust Sony? What are your experiences?
