More hacks show Sony hasn't figured out what 'fix your security' actually means

Three more nets cracked with SQL injections; gray-hat posts user data in public as a lesson to Sony

The real pwners of the networks that carry Sony's deeply smudged logo made a withdrawal of account information belonging to more than 2,000 users, Sony admitted yesterday.

This time it was the e-commerce portion of Sony Ericsson's Canadian site; hackers took emails, passwords and phone numbers, but no credit cards.

Sony closed down the e-commerce section of the site (with a lame joke based on a years-old cliche and colloquialism from a country on the opposite side of the world from the one that hosts the most recently victimized site).

Ldahc – who describes himself as a Lebanese gray-hat hacker, claims to be responsible for the hack, which he accomplished with a SQL injection, and posted some of the data on, a site that offers programmers and anyone else free temporary storage of text data. (It also asks, in particular, that users "do not paste email lists, password lists or personal information." I think ldahc violated that policy as well as Sony's.

"hackers vs Sony

We are the winners," he wrote.

He's right. Sony should shut down the of its sites and rebuild its security from the ground up.

The Sony attacks have gone way beyond the usual round of thrill-hacking pwnage, or even methodical commercial criminal cracking.

Its security is so bad and its vulnerabilities have been publicized so widely (among hackers, who knew about all this before we told you) that it has attracted copycats from around the world.

Not only did Canada get hit it also had to shut down its e-commerce shop in Indonesia because of one attack, and another in Thailand after it was penetrated and lost an email list to which the hackers have been sending phishing emails.

The Sony Canada hack came two days after the parent company estimated cost of the attacks would be $173 million – about 10 percent of the cost of the tsunami, earthquake and ongoing weather and power-related disaster recovery in Sony's native Japan.

Sony has already suffered breaches in networks including PlayStation Network, Sony BMG Japan, Sony BMG Greece and its So-net Internet service.

Sony has begun notifying members of its PlayStation Network that it is now providing free identity-theft protection, which they can sign up for at Sony's identity-theft protection site until June 28.

Security bloggers analyzing the exploits used to create the breaches blamed across-the-board failures to guard against SQL injection attacks – one of the most common categories of attack.

The eScan blog listed details of the attacks, several of the vulnerable sites, and the damning conclusion that, ultimately, the reason so many Sony sites are so vulnerable is that no one person or group at Sony has been held accountable for corporate security.

While Sony has apologized to customers, it hasn't taken responsibility for the global weakness of its security – a point that, after the original high-profile attack and its many sequels, everyone who cares already understands, whether Sony admits it or not.

At this point, it hardly matters. Time to call it quits and start over from the beginning, Sony.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon