When LulzSec bragged way back in June that it had broken into Sony's servers and released the personal information -- including passwords, email addresses, home addresses and birthdays -- of a million users, smart readers took it with a grain of salt. The Anonymous splinter group claimed up front that it had used what's known as a SQL injection (regarded among hackers as one of the most basic break-in tools) to get into Sony's servers and get access to the information. On Thursday, the FBI announced two new Anonymous and LulzSec arrests. One was a homeless San Francisco man who allegedly broke into government websites in Santa Cruz. The other was Cody Kretsinger, a Phoenix man charged with the infamous Sony Pictures breach. The charging documents describe an attack that was as easy as the group first claimed.
The hack took about three days in total, according to the indictment against Cody Kretsinger, the Phoenix man charged in the Sony attack. Kretsinger and "known and unknown coconspirators" started stealing and sharing Sony Pictures' user data on May 30, and posted it on the Web on June 2, the indictment says. Kretsinger allegedly used the proxy server site hidemyass.com to disguise his location, then worked with his LulzSec colleagues to carry out the SQL attack:
What's a little laughable about this charge is that LulzSec openly admitted doing exactly what the FBI says it did when it issued its press release for the so-called Sownage attack:
Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
To give you some idea of the extent of the SQL injection problem (or SQLi in the industry lingo), a report out Tuesday from the security firm Imperva found that Web applications it observed since July "suffered on average 71 SQLi attempts an hour." Lay people can learn SQLi in a few hours through tutorials like this one, and can sign up with hidemyass.com or a site like it in minutes. Though it should be noted that that particular proxy server doesn't appear to have done a very good job of hiding Kretsinger.
The ease with which SQLi attacks can be learned and carried out, and the allure of being part of what the U.S. Attorney's office calls "elite computer hackers," combined to create a powerful draw for many online who participated in LulzSec and Anonymous attacks. As we pointed out in July, some who participated in the attacks weren't very savvy at all. Kretsinger faces 15 years in prison for the Sony breach, and according to CNET, federal agents carried out more search warrants in New Jersey, Minnesota, and Montana on Thursday. There could be several more LulzSec arrests and indictments coming in the near future.
This article is from the archive of our partner The Wire.