A group of hackers operating under the name LulzSecurity announced in a statement posted on its website on Thursday that it had compromised SonyPictures.com, gaining access to the passwords, email addresses, dates of birth and home addresses of one million users. The attack vector was an SQL injection, one of the most common online vulnerabilities. This attack joins a host of others targeting Sony in recent weeks.
Aziz Maakaroun, business development director at Outpost24, made the following comments: “Yet another successful attack on Sony raises serious questions about the organisation’s security. What is particularly shocking here is that this hack utilised one of the oldest tricks in the book, an SQL injection vulnerability. Not only are SQL injections one of the most common and well known threats on the web, they are also one of the most easily protected against.
“We know from recent statistics that attacks via SQL injections are on the up, accounting for half of attacks in 2009 and spiralling to almost four fifths in 2010. An SQL injection is not a subtle exploit, and can be easily protected against by ensuring that web applications are securely coded – to not protect your company against this form of attack is the equivalent of leaving your front door unlocked. Organisations should take note of Sony’s recent woes and beef up their web security to ensure that they do not fall victim to similar embarrassment.
“Organisations must assess applications hosted on their sites for errors in coding. Vulnerability scanners can carry this out automatically, at a low cost and with little time investment. Attacks of this nature push consumer and investor confidence in an organisation to rock bottom, disrupting revenue and driving potential customers elsewhere. Others may look at Sony’s victimisation and think ‘I’m glad that isn’t happening to my company’, but they need to realise that they too may be vulnerable. To not protect sensitive consumer data adequately is an absolute no-no, which can result in a feeding frenzy for hackers and the protracted humiliation of a company.”
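The "securely coded" fix the statement refers to, as an added example that is not part of the original article: a user lookup built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table (the table, column names and sample rows are assumptions, not Sony's schema).

```python
import sqlite3

# Constructed sample data standing in for a web application's user store.
SAMPLE_USERS = [
    (1, "alice@example.com", "Alice", "1980-01-01"),
    (2, "bob@example.com", "Bob", "1975-06-15"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: untrusted input is spliced into the SQL text,
    so a value containing a quote can change the query's structure."""
    query = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: a placeholder is used and the driver binds the
    value as data, so quotes in the input never reach the SQL parser."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def row_counts(email):
    """Return (unsafe_count, safe_count) for one input, which is the kind
    of behavioural difference a vulnerability scanner looks for."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, email)), len(lookup_safe(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate value behaves the same either way; a value carrying a
    # quote widens the unsafe query to every row while the safe one
    # matches nothing, because no stored email equals that literal string.
    print(row_counts("alice@example.com"))
    print(row_counts("nobody@example.com' OR 'a'='a"))
```

The parameterised form is the whole fix; input containing quote characters is simply compared as a literal value.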