Already infamous for defacing PBS's website earlier this week, cracking outfit LulzSec today claimed a familiar scalp—whatever remains of it, anyway. This time, it's Sony Pictures Entertainment, the movie-making division. From a statement attributed to the group:
Our goal here is not to come across as master hackers, hence what we're about
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of
the most primitive and common vulnerabilities, as we should all know by now.
From a single injection, we accessed EVERYTHING. Why do you put such faith in
a company that allows itself to become open to these simple attacks?
What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just
a matter of taking it. This is disgraceful and insecure: they were asking for it.
The haul of data, already posted to The Pirate Bay, also includes 3.5 million Sony Music coupons.
Sony traditionally is run as a set of 'silos', independent departments, divisions and joint ventures that have much autonomy from one another. This might be why there are so many different attacks: perhaps there is always another Sony silo which runs its own web infrastructure, where hundreds of dollars worth of web development can go down the drain, just like that.