Sony BMG Greece the latest hacked Sony site

In what seems to be a never-ending nightmare, it appears that the website of Sony BMG in Greece has been hacked and information dumped.

An anonymous poster has uploaded a user database to pastebin.com, including the usernames, real names and email addresses of users registered on SonyMusic.gr.

The data posted appears to be incomplete as it claims to include passwords, telephone numbers and other data that is either missing or bogus.

Screenshot of DB from Pastebin.com

As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony’s flaws, we are likely to continue seeing successful attacks against them.

It appears someone used an automated SQL injection tool to find this flaw. It’s not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.
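The mechanism behind such a dump is worth seeing in code. The following is an added example, not code from the Sony site or from Sophos: a user lookup written two ways against a constructed in-memory table, once by concatenating the input into the SQL text and once with a bound parameter, so that the same crafted input alters the first query but is matched only as a literal string by the second.

```python
import sqlite3

# Constructed sample rows standing in for a site's user table (not real data).
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.invalid"),
    ("bob", "Bob Example", "bob@example.invalid"),
]


def connect():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, realname TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the statement, so it becomes part of the SQL
    # grammar: a quote character in it can close the string and add clauses.
    sql = ("SELECT username, realname, email FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver sends the value separately from the statement text, so the
    # input can only ever be compared against the username column.
    sql = "SELECT username, realname, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = connect()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterized(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    print("plain username:", compare("alice"))
    # An input containing a quote and an always-true clause: the vulnerable
    # query returns every row, the parameterized one matches nothing.
    print("crafted input: ", compare("' OR '1'='1"))
```

The difference in row counts between the two functions is the whole story of an automated injection scan: the tool only needs to find one concatenated query on one page.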

While it’s cruel to kick someone while they’re down, when this is over, Sony may end up being one of the most secure web assets on the net.

If you are a user of SonyMusic.gr, it is highly recommended that you reset your password. Expect that any information you entered when creating your account may be in the hands of someone with malicious intent, and keep a close eye out for phishing attacks.

The lesson I take away from this is similar to other stories we have published on data breaches. It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in.

Want to learn more about securing your web servers and databases? Download our paper “Securing Websites” to learn some best practices to defend your organization against these types of attacks.

Update: The editors of The Hacker News have contacted Naked Security and indicated they were the source of the post to pastebin.com. The original hackers had contacted them with the dump.

SSCC 60 – Obama Proposals, Square Enix, Mac threats

Well, it is bound to happen occasionally, and it did last week… I missed a Chet Chat. I was at the Sophos sales conference and did so much speaking and chatting with colleagues that I lost my voice.

I’m back this week though, and I had my friend and co-worker Ben Jupp join me on Chet Chat 60. Ben works in our Global Escalation Support team and deals with all the thorny issues with non-Windows platforms. Ben’s specialty is Mac OS X, and he works closely with product development and SophosLabs on Apple-related issues.

This week we began our discussion with Obama’s recent proposed changes to the Computer Fraud and Abuse Act (CFAA) and Racketeer Influenced and Corrupt Organizations Act (RICO). We talked about the latest data breach at Square Enix and Sony’s most recent stumble.

My primary reason for having Ben as my guest was to explore all the news surrounding the recent fake anti-virus attacks against the Mac platform. In addition to the malware for OS X we also talked a bit about the Apple Mac App Store and keeping applications patched against vulnerabilities.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(19 May 2011, duration 20:27 minutes, size 9.9MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 60 or subscribe to our RSS.