Thursday, July 10, 2008

Sony - say it ain't so

IDG Norway is reporting that Sony's US Playstation site has been hacked.

This isn't news, right? Everyone's been getting hacked lately. The big news is in the how. The site was yet another victim of the automated SQL injection (SQLi) tool that blackhats have been using to inject malicious code into .NET-based web sites. The injected code displays a fake "anti-virus scan" window that tells the user their machine is "virus-ridden" and (get this) offers them a [fake] anti-virus program for a fee. Not only will the payload .exe file infect your machine with malware, you're going to pay for it! That's truly mean-spirited. You, the end user, are paying for the privilege of having your machine pwn3d. That hurts.

This is my favorite quote from the entire article... it boils it down quite simply, folks. Developers - heed the warning... VALIDATE YOUR INPUTS!

"They're not doing input validation," he [Brian Bourne, president of Toronto-based security analyst firm CMS Consulting Inc.] explains. "They're not looking at it and saying 'hey, this is not regular user input' -- that's the simple version."
The whole story on IDG's Norway site is here.


Anonymous said...

Ummm, input validation?

What about parameterized queries? That is the only true solution.

Rafal Los said...

@marcin: Pirate Roberts says "Yaaaar! That be the right answer, me matey!"
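The post's advice ("validate your inputs") and the comment thread's point about parameterized queries, side by side, as an added example that is not part of the original post, the comments, or any Sony code. It builds a product search query by string concatenation (the defect the article's SQLi tool exploits), then the same search with a bound parameter, over a constructed in-memory SQLite table, and adds a simple allowlist check of the kind Bourne describes ("this is not regular user input"). The table, the search term, and the function names are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed demo table; not any real site's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("PS3 Console", 1), ("Unreleased Title", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    # String concatenation: whatever the user typed becomes part of the SQL
    # syntax, so quotes and comment markers in `term` change the query's logic.
    sql = (
        "SELECT name FROM products WHERE public = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, term):
    # Placeholder binding: the driver passes `term` to the engine as data.
    # It can never be parsed as SQL, so the public = 1 filter always holds.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Allowlist of what a product search term may look like (an assumption for
# this demo). This is the "hey, this is not regular user input" check from
# the article: defence in depth that complements, but does not replace,
# the bound parameter above.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,64}$")


def looks_like_search_term(term):
    return SEARCH_TERM_RE.fullmatch(term) is not None


def search_hardened(conn, term):
    # Reject input that is not a plausible search term, then still use
    # a parameterized query for what remains.
    if not looks_like_search_term(term):
        raise ValueError("rejected search term: %r" % term)
    return search_parameterized(conn, term)


if __name__ == "__main__":
    db = make_db()
    normal = "PS3"
    # Constructed hostile input: closes the LIKE literal, appends a tautology,
    # and comments out the rest of the statement.
    hostile = "%' OR 1=1 --"
    print("vulnerable, normal input:   ", search_vulnerable(db, normal))
    print("vulnerable, hostile input:  ", search_vulnerable(db, hostile))
    print("parameterized, hostile:     ", search_parameterized(db, hostile))
    print("allowlist accepts normal:   ", looks_like_search_term(normal))
    print("allowlist accepts hostile:  ", looks_like_search_term(hostile))
```

The concatenated version leaks the non-public row because the input rewrote the WHERE clause; the parameterized version searches for the literal characters and finds nothing. In ADO.NET the equivalent of the `?` placeholder is adding `SqlParameter` objects to `SqlCommand.Parameters` instead of formatting the string yourself.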