Posts tagged as:

hacked

Ever since Sony won the case against hacker Geohot, it has been having a pretty bad time. With Sony’s PlayStation Network (PSN) down for more than a month, Sony has lost $172 million. This cost is nearly the same as the losses Sony incurred from Japan’s earthquake and tsunami. PSN had not been online for more than 2 days after coming back up a couple of days ago.

LulzSec hacks Sony

Now, just as Sony’s PSN finally came back online about 2 days ago, its other service, SonyPictures.com, has been hacked and the information of over one million customers has been compromised.

Who hacked SonyPictures.com?

The hacker group LulzSec has claimed responsibility for the attack. This is a new group seeking attention, and it previously hacked Fox News and PBS in less than one month.

What information is compromised?

Over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts, has been compromised. Also, all admin details of Sony Pictures (including passwords), along with 75,000 “music codes” and 3.5 million “music coupons”, have been breached.

How Did the Attack Happen?

The most important thing is that the attack happened due to a simple SQL injection. Bad luck, Sony! I cannot imagine that a company as big as Sony cannot patch such simple injections. Worse still, Sony stored all the passwords in unencrypted format. All the data was stored in plain text.

What Next?

Although Sony has managed to get the website running again, this is a great loss of information. The privacy of all its customers is endangered. As proof of hacking Sony, the LulzSec team has also made this data available for download, including the personal information, passwords and the music coupons. If you’re among those whose information has been disclosed, I suggest you change your passwords to be on the safer side.

We hope that Sony secures its other networks in the meantime to prevent attacks on its other services.


{ 0 comments }

On the second day at Pwn2Own 2011, Apple’s iPhone 4 and BlackBerry Torch 9800 were successfully compromised. Charlie Miller, who has hacked Safari for the past 3 years, has successfully exploited the iPhone 4.

Charlie Miller - Pwn2Own 2011 Hacker

Miller used an exploit that runs arbitrary code on the iPhone once the hugely popular Apple device visits a specific website. The flaw has now been patched with the iOS 4.3 release, which was issued ahead of schedule this week.

It was the fourth year in a row Miller had won a contest at Pwn2Own.

BlackBerry Torch 9800 was hacked by a team consisting of Willem Pinckaers, Vincenzo Iozzo and Ralf-Philipp Weinmann. The trio successfully managed to crash the WebKit Browser.

“It was all trial and error. We didn’t have a debugger, so it crashes or it doesn’t crash or it takes a long time to respond. Those are the three options,” Pinckaers said.

BlackBerry Hackers at Pwn2Own 2011

The team set up a specially rigged web page that fired the exploit at the BlackBerry browser. They were able to pull the contacts and images database from the Torch and even write a file to it to demonstrate full code execution. The team said that exploiting the BlackBerry browser was a matter of trial and error, and that it was a bit easier since the new WebKit is based on Apple’s open source browser. Current BlackBerrys, though, lack the ASLR or DEP security features that have been implemented in the iPhone.

For each hack, the winners received $15,000. Pwn2Own runs for one more day. Stay tuned via Email or Twitter for more updates.



{ 2 comments }

Two days have passed since the Pwn2Own 2011 contest went live. On the first day, hackers successfully compromised Apple’s Safari 5.0.3 on a fully patched Mac OS X 10.6.6 and Internet Explorer 8 on a Windows 7 SP1 64-bit machine.

Apple and Google released last-minute patches prior to the event. Google’s Chrome browser has been updated to v10, while Apple released 50+ patches for various software including Safari and iOS 4.3.

Apple Safari

Apple’s Safari was hacked by French security company Vupen, which walked off with $15,000 and a new MacBook Air. They managed to exploit an unpatched vulnerability in Safari in just 5 seconds.

Meanwhile, IE8 was exploited by Stephen Fewer, who used three separate vulnerabilities to get out of Protected Mode and crack that browser’s best locks. IE8 is hard to exploit since Microsoft uses ASLR and a strong sandbox. Even so, Stephen managed to hack it flawlessly.

Still, Google Chrome and Firefox have not been broken. There is 1 more day remaining in the contest. Let’s see if these 2 browsers can be hacked.


{ 1 comment }

iPhone, Firefox, Safari, IE8 Pwned!

by Mahesh Kukreja on March 25, 2010

The three-day Pwn2Own contest at the CanSecWest security show is on.

At the end of the day, 3 major browsers, Firefox, Safari and IE8, were successfully exploited.

A non-jailbroken iPhone was also hacked and its SMS database was stolen.

Vincenzo Iozzo and Ralf Philipp Weinmann redirected an iPhone to a web site they’d set up, crashing its browser and then stealing its entire SMS database (including some erased messages). It is possible, however, to set up a similar attack that works without crashing the browser, the hackers claim, and to use different attack payloads. Iozzo and Weinmann won a $15,000 prize for successfully demonstrating the attack. Details about the attack will be released once Apple is notified and the security hole is patched.

A successful remote attack against a MacBook Pro running the latest version of Apple’s Mac OS X was carried out by Charlie Miller, who exploited an unknown security vulnerability in the Safari browser to launch a remote shell, winning himself $10,000 plus the laptop for his work.

Peter Vreugdenhil managed to bypass Windows security features including Data Execution Prevention via Internet Explorer 8 to take over a PC (running the latest patched version of Windows 7), again receiving $10,000 plus the hardware.

CNET provides all details of the hacks here.



{ 1 comment }