Yes, it is Sony again. This time it is their Canada web site and their Japan website. According to thehackernews.com, which I cannot vouch for, this is the 10th Sony hack. While we don’t know how the PlayStation Network hack happened, we do have some information about how some of the other attacks were performed and if you have a website then you’d best be learning from Sony’s mistakes or you could be next. Don’t think that because you haven’t angered a hacker your site is safe, there are automated programs that are happy to compromise any website. Don’t think that your site has nothing of value, a compromised website is the favorite choice of spammers to place fake pharmaceutical websites and collect money, and it is a favorite for other nefarious characters to store content you don’t even want to stumble across.

At least three of the compromises were due to SQL infection attacks. This is a preventable form of attack, but it requires that the website admin dots each and every “i” and crosses every “t”. In a nutshell here is how it works.

Grandma is allergic to roses, so you set up a guard outside of her house and he inspects all flowers coming into the house. Any and all roses are left outside and the orchids come in and make the house beautiful. The guard is validating that only safe flowers make it into the house and thereby keeping the house sanitary for Grandma to breathe in.

When you go to a website and fill in a form, usually that information that you type in is stored in a database. If the field is for your phone number then “pickle” is not a valid entry and the website should reject it before it gets passed along to the database for storage. This is data input validation and sanitization. It gets a bit more complex than that though. A database is a two headed beast. Imagine a device that is part restaurant drive through order speaker and part baseball bat. As long as you order food on the menu, the employee will tell you how much to pay when you get to the drive up windows to get your food. If, however, you try to order sunglasses the speaker morphs into a bat and breaks your windshield. Not pretty. Well that are certain words that when presented to a database just right will make the database reveal some, or all of the information it has, or even grant full control of the computer it is running on! When you set up a website you want to make sure that your database never, ever, hears those bad words or that if it does hear them they get harmlessly redirected and stored as data instead of commands to do things.

Well, unfortunately some of Sony’s databases heard the words they shouldn’t have. This means some pretty fundamental security processes were not being followed. It doesn’t mean the processes are easy, but they need to be implemented or websites fall like the rain in Seattle (Yes, the web sites get one day off each year).

In the case of the Sony ISP So-Net, they reported that “an intruder tried 10,000 times to access the provider's "So-net" service, which grants customers reward points that can be exchanged for Sony products and online currency. The company believes the hacker used the usernames of account holders and an automated software program to generate passwords, leading to the security breach.”

This is a bit trickier, but only a little bit. If an intruder is trying something 10,000 times your intrusion detection systems probably should have alerted you at least 9,800 tries earlier (depending upon the application). You have to know when you are under attack if you are an ISP. As for brute forcing the passwords, there is little So-Net can do to force customers to use really good passwords, but their own internal accounts should be using passwords that require at least a few trillion attempts to break. If you have a website your administrative password should be no less than 20 characters and 30 or more is even better. This also assumes you are following best practices for password composition. We talk about passwords from time to time, for example Paul Laudanski blogged about the subject here and David Harley here.

At RSA this year we presented about some of the biggest security blunders over the past 25 years and asked “Are we learning or repeating?” You can see that presentation here. Be smart, learn from the mistakes that Sony and so many others have made before you. It is virtually impossible to stop all attacks, but if your website has the basics taken care of then someone else’s website is generally more attractive to the hackers. You don’t have to run faster than the lion, just faster than the slowest runner!

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America