This time the lulz did it for us

by Lucas Wilkins

Well, actually, they probably did it for fun, but that doesn’t mean that it doesn’t benefit us. jellymatter should be the kind of place that has an opinion on the recent hacking of Sony by Lulz Security (the name made me laugh when I heard it on BBC News last night). So here is my opinion on the matter…

Good job. That’s the gist of what I have to say. Well done for doing it before someone with worse intentions did. Well done for publicly shaming Sony.

For those of you who don’t know the details, LulzSec used an SQL injection, an attack so simple that it shouldn’t really be called hacking. The way this works is: first, someone designs a website really badly, so that whatever a visitor types into a form is pasted straight into the text of a database query. A quote character (the single quote that ends a string in SQL) then closes the quoted value, and everything after it runs as part of the query, so typing a quote followed by, in effect, “give me all your data” makes the website give you all its data. Second, someone does this. Seriously, it’s that easy, and making a website that doesn’t have this vulnerability isn’t much harder: you hand the typed value to the database as a parameter instead of splicing it into the query text, and it is then only ever treated as data. Sony users should be insulted that a company they trusted treated their private data with such disregard.
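To make the two steps concrete, here is an added example (not code from the post, and not anything taken from Sony’s systems) in Python against an in-memory SQLite database. The tables, usernames, e-mail addresses and passwords are constructed for the demo; the plaintext `credentials` table stands in for the kind of data a site should never be storing that way. `lookup_vulnerable` splices the form value into the query text, `lookup_safe` passes it as a parameter, and the two payloads show a quote character first making the `WHERE` clause always true and then bolting a second `SELECT` onto the query to dump a table the page never meant to expose.

```python
import sqlite3

# Constructed sample data for this demo only.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")]
CREDENTIALS = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "qwerty")]  # stored in plaintext, deliberately


def make_db():
    """Build the throwaway database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", CREDENTIALS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The badly designed version: the form value becomes part of the SQL text.

    A single quote inside it ends the string literal, so whatever follows the
    quote is parsed and executed as SQL rather than compared as data."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query.

    The value is sent to the database separately from the SQL, so it is only
    ever treated as a string to compare against, whatever characters it holds."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


# Two classic payloads. After splicing, the vulnerable query reads
#   ... WHERE username = '' OR '1'='1'                                   (every row matches)
#   ... WHERE username = '' UNION SELECT username, password FROM credentials --'
# where the trailing -- turns the original closing quote into a comment.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password FROM credentials --"


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:  ", lookup_vulnerable(db, "alice"))
    print("tautology:      ", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("union dump:     ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("safe, same input:", lookup_safe(db, UNION_PAYLOAD))
```

Run as a script it prints the normal result, then every user, then the plaintext password table, and finally an empty list for the parameterized lookup given the same input. Note that SQLite's Python driver refuses to run two statements in one `execute` call, so the stacked-query form of the attack (`'; DROP TABLE ...`) is blocked here by the driver; other databases and drivers do not all give you that for free, and the `UNION` form works regardless.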

So, hats off to LulzSec for their reckless benevolence.


3 Comments to “This time the lulz did it for us”

  1. SQL injection came in at number two in a recent (and good) list of common software errors: http://www.sans.org/top25-software-errors/

    Number 1 was cross site scripting, which is in principle very similar.

    Yes, it’s basically the most obvious security flaw to look for, but it happens a *lot*, not just to Sony. Sony is just special for being a particularly big company that gets in the spotlight. I’m pretty sure there are millions of companies that have the same problem.

    I also read that another problem was that Sony was storing the passwords in plain text. Usually, passwords should be stored in a hashed format, so that password checks are a one-way process – you can only check that an entered password is correct from the hash, you cannot (in a reasonable time) work out what the password is. Not storing passwords as hashes is criminally lazy, but again I would wager it happens at many more companies than Sony, which is why I use the Password Hasher Firefox extension to do lazy programmers’ jobs for them: https://addons.mozilla.org/en-us/firefox/addon/password-hasher/

  2. Incidentally, the password hashing thing usually gets exposed if you request to reset your password on a website. A company doing it “right” will send you a new or temporary password, because they can’t retrieve your password from their database. If when you request a password, they send you an email containing your old password, you know their security is rubbish.

    • Plus, sending you the password in plain text is fundamentally insecure anyway. Email can be intercepted, so it’s basically saying “hey everybody, here’s what this guy’s password is.” Particularly annoying if you’ve used the same password on other sites.
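As an added example covering both threads above (the hashed storage described in the first comment, and the reset flow in the second), and not code from the post or its commenters: a small user store that keeps only a per-user random salt and a PBKDF2-SHA256 digest, never the password itself. The salt and the deliberately slow hash go one step beyond “a hashed format” as the comment puts it, because an unsalted single hash of a common password is easy to look up in a precomputed table. The iteration count, usernames and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for the demo; a real deployment tunes the iteration
# count to its own hardware and re-tunes it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest) for a password.

    The digest is one-way: given a candidate password and the salt you can
    recompute it and compare, but you cannot get the password back from it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class UserStore:
    """Keeps only (salt, digest) per user, so there is no plaintext password
    to leak in a database dump or to e-mail back to anyone."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def check_password(self, username, candidate):
        """The one-way check: rehash the candidate with the stored salt and compare."""
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored = record
        _, computed = hash_password(candidate, salt)
        return hmac.compare_digest(stored, computed)  # constant-time comparison

    def reset_password(self, username):
        """A reset done 'right': the old password cannot be sent back because it
        was never stored, so issue a random temporary one and store its hash."""
        if username not in self._records:
            return None
        temporary = secrets.token_urlsafe(12)
        self.register(username, temporary)
        return temporary

    def stored_record(self, username):
        """Expose the raw (salt, digest) so a reader can see no password is in it."""
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("stored:", store.stored_record("alice"))
    print("right password:", store.check_password("alice", "correct horse battery staple"))
    print("wrong password:", store.check_password("alice", "hunter2"))
    temp = store.reset_password("alice")
    print("temporary password works:", store.check_password("alice", temp))
    print("old password still works:", store.check_password("alice", "correct horse battery staple"))
```

Two things to notice when running it: the same password registered twice produces two different digests because each gets a fresh salt, and `reset_password` has no way to hand the old password back, which is exactly the tell the second comment describes. Whatever channel the temporary password goes out over, it should be single-use and expire quickly, for the reasons given in the reply above.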
