The bunch of hackers said they got hold of more than a million passwords. “Every bit of data we took wasn’t encrypted,” they said. “Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it.”
Aziz Maakaroun, business development director at security firm Outpost24, criticised the Japanese giant, saying: “Yet another successful attack on Sony raises serious questions about the organisation’s security. What is particularly shocking here is that this hack utilised one of the oldest tricks in the book, an SQL injection vulnerability. Not only are SQL injections one of the most common and well known threats on the web, they are also one of the most easily protected against.”
What can anyone say? The mind boggles that Sony thought they could operate with two fewer layers of security than anyone else with a web-facing server. In the real world we have been taking better care of passwords for more than two decades and preventing SQL-injection attacks for a decade. There are all kinds of resources on the web explaining how to prevent SQL injection exploits.
So, what’s your excuse, Sony? Dog ate your security plan? Cost of a rewrite? Using non-free software?