Sony HP580 Speakers, 1970 (by MewDeep)
Following the news that Sony Music raised prices on Whitney Houston’s music very, very soon after news broke that she passed away, the company has now said that it was a “mistake” and issued an apology:
“Whitney Houston product was mistakenly mispriced on the UK iTunes store on Sunday. When discovered, the mistake was immediately corrected. We apologize for any offense caused.”
Of course, that seems to raise more questions than it answers. What kind of “mistake”? Human error? Did someone just accidentally jack up the price? Or was it someone doing it on purpose… and Sony now thinks that his or her decision to do so was the mistake?
…In the 80s, Universal Studios famously sued Sony to block the sale of Betamax VCRs, which could be used to “facilitate” the infringement of copyrights in shows and movies aired on broadcast television. Blocking VCR sales, of course, might also have strengthened the market position of the DiscoVision laserdisc system being developed by MCA, Universal’s parent company. The Supreme Court eventually vindicated Sony, but Universal did manage to persuade one lower court to rule in their favor. If SOPA’s blocking provisions could be implemented in the physical world, every VCR (and maybe every Sony product) would have stopped working after that first favorable ruling, until Sony could meet the burden of proving its innocence in a U.S. court. Of course, under a rule like that, consumers might have been wary of buying a VCR in the first place…

I’ve lost count of how many times Sony’s online properties have been hacked now—I just don’t have that many fingers—but it’s happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised by a group calling itself Lulz Security, or LulzSec for short. This is the same group that earlier in the week hacked PBS’s servers in retaliation for a documentary felt to be critical of Wikileaks; they also hacked sonymusic.co.jp last week.
Just as was the case with the sonymusic.gr hack and LulzSec’s sonymusic.co.jp hack, the latest hack was performed using SQL injection: a rudimentary technique that depends on improper handling of Web site URLs. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven Web site—but what makes this hack even worse is the data that has been compromised.
The hackers retrieved account information from the database. They claim there are more than a million accounts in total; their BitTorrented dump just contained a sample. The database contained information about a variety of different account types, apparently related to different promotions and features operated by the company. Different sets of accounts, but with one major feature in common: they included plaintext passwords. Anyone who can read the database can read the passwords. And given that password reuse is rampant—many, many people use the same passwords for Web sites as they do their e-mail or online banking—many of those who have had their Sony accounts compromised now risk having their e-mail accounts attacked. Some accounts also included names, phone numbers and full postal addresses.
At some point, one has to imagine that Sony will realize that it’s a major target for hackers and it will wise up, and fix its multitudinous broken Web applications. Until then, Lulz Security’s “Lulz Boat” will continue to find rich plunder wherever it sails.
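An added example, not taken from the quoted article or from any Sony code: the two failures described above (request input concatenated into a query, and passwords stored in plaintext) shown next to their standard fixes, using Python's `sqlite3` and `hashlib.scrypt`. The table layout, account values and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; nothing here comes from the breach.
SAMPLE = [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]
CRAFTED = "' OR '1'='1"   # textbook always-true input, used only to test the lookups

def hash_password(password, salt=None):
    """Return (salt, scrypt digest); a fresh random salt is made when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def make_db():
    """In-memory table that stores salt + digest, never the password itself."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE:
        db.execute("INSERT INTO accounts VALUES (?, ?, ?)", (email, *hash_password(password)))
    return db

def lookup_unsafe(db, email):
    # The defect: the value becomes part of the SQL text, so it can rewrite the query.
    sql = "SELECT email FROM accounts WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    # The fix: a bound parameter is always treated as data, never parsed as SQL.
    return db.execute("SELECT email FROM accounts WHERE email = ?", (email,)).fetchall()

def verify(db, email, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0])[1], row[1])

def dump_contains_plaintext(db):
    """True if any stored value equals one of the sample passwords."""
    secrets = {pw.encode() for _, pw in SAMPLE} | {pw for _, pw in SAMPLE}
    return any(v in secrets for row in db.execute("SELECT * FROM accounts") for v in row)

if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup rows:", len(lookup_unsafe(db, CRAFTED)))
    print("safe lookup rows:  ", len(lookup_safe(db, CRAFTED)))
    print("plaintext in dump: ", dump_contains_plaintext(db))
```

With hashed storage, a reader of the table still gets e-mail addresses and salts, but has to attack each digest separately instead of reading passwords directly.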
With Anonymous Denial of Service attacks and then the twin hacks of PlayStation Network and Sony Online Entertainment, Sony’s online infrastructure has been taking a battering over the last few weeks—and it’s not over yet. Another successful hack against the company is being reported by security firm F-Secure. A Web server used to host Sony’s Thai site has been broken into, and is now being used to host a phishing site that targets customers of an Italian credit card company. Unlike the PSN and SOE break-ins, this hack is not likely to have any serious consequences; it should be restricted to a relatively unimportant Web server that has no access to sensitive customer information. Still, it shows that Sony’s online troubles aren’t over yet—and that the entire company needs to take online security more seriously.





