Sony Portugal site falls to 'gray hat' hacker

Sony's online woes continued this week after a Lebanese hacker broke into its Portugal site and dumped part of its database online. The hacker claims to be a grey hat and not a black hat, computer security firm Sophos said Thursday afternoon (Manila time). "I am not a black hat to dump all the database I am Grey hat," a Sophos blog post quoted the Lebanese hacker "idahc" as saying. Sophos noted "idahc" only dumped the email addresses from one table in Sony's database, instead of dumping the entire database like many previous Sony attackers. It said the hacker claimed to have discovered three different flaws on SonyMusic.pt, including SQL injection, XSS (cross-site scripting) and iFrame injection. "By my count, this is the 16th attack against Sony since the chaos came raining down on them in mid-April," said Chester Wisniewski, a senior security advisor at Sophos Canada. Wisniewski noted there were two other breaches on Monday by LulzSec, "but I simply couldn't bring myself to write about more Sony hacks." LulzSec earlier compromised the Sony Computer Entertainment devnet and downloaded the source code for SCE's entire website, which they posted on BitTorrent. In what LulzSec claimed as a separate hack, they also disclosed a complete network map detailing all of the Sony BMG internal systems. Wisniewski said the question that remains is whether Sony is reacting to this situation at all, or whether their strategy is simply to hope it goes away. "You would expect an organization with 170,000 employees and over $88 billion in revenue over the last 12 months to be able to round up the resources necessary to secure their web presence," he said. — TJD, GMA News