Sony Hacked Again: 1 Million+ Accounts Compromised

The same group that became infamous for hitting PBS earlier this week has just announced that they've now hit Sony with a SQL injection which gave them full access to various Sony databases. LulzSec statement:

Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.

Rob Beschizza, writing for BoingBoing:

Sony traditionally is run as a set of 'silos', independent departments, divisions and joint ventures that have much autonomy from one another. This might be why there are so many different attacks: there is always another Sony silo which runs its own web infrastructure, where hundreds of dollars worth of web development can go down the drain, just like that.

Ouch. As I said last week on Twitter, friends don't let friends create user accounts on Sony networks.
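The statement names two failings: a string-built query and passwords kept in plaintext. As an added illustration (not from the post, LulzSec or Sony), this Python script builds an in-memory SQLite table of constructed sample accounts and shows the string-built lookup beside its parameterized form, with passwords stored as salted PBKDF2 hashes so a dumped row yields no plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not real data.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def hash_password(password, salt=None):
    """Return 'salthex$digesthex'; only this, never the password, is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in USERS])
    return conn


def lookup_vulnerable(conn, name):
    """String-built query: untrusted input is parsed as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: input is bound as data, never as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    conn = build_db()
    probe = "x' OR '1'='1"  # textbook tautology, used only to compare the two lookups
    stored = conn.execute(
        "SELECT pw_hash FROM users WHERE name = 'alice'").fetchone()[0]
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # every row
        "safe_rows": len(lookup_safe(conn, probe)),              # no such user
        "plaintext_in_dump": "correct horse" in stored,
        "alice_verifies": verify_password("correct horse", stored),
        "wrong_password_accepted": verify_password("hunter2", stored),
    }


if __name__ == "__main__":
    print(demo())
```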

FaceNiff Android App Takes Firesheep Mobile, Hacks Facebook and Twitter Accounts In Seconds

Terrence O'Brien writing for Engadget:

Remember Firesheep? Well, the cookie snatching Firefox extension now has a more portable cousin called FaceNiff. This Android app listens in on WiFi networks (even ones encrypted with WEP, WPA, or WPA2) and lets you hop on to the accounts of anyone sharing the wireless connection with you. Right now it works with Facebook, Twitter, YouTube, and Nasza-Klasa (a Polish Facebook clone), but developer Bartosz Ponurkiewicz promises more are coming. You'll need to be rooted to run FaceNiff -- luckily, we had such a device lying around and gave the tap-to-hack app a try. Within 30 seconds it identified the Facebook account we had open on our laptop and had us posting updates from the phone. At least with Firesheep you had to sit down and open up a laptop; now you can hijack Twitter profiles as you stroll by Starbucks and it'll just look like you're sending a text message (but you wouldn't do that... would you?).

Lovely.