Sony has come out and stated that the PlayStation Network has been compromised. But what does this mean? Is this an attack by Anonymous or something more sinister? And just how at risk are your personal details? Has Sony been doing right by its customers so far? We spoke to two of Australia’s foremost security experts about the PSN security breach and its wide-ranging implications.
At first it was merely a harmless inconvenience, a minor distraction. Most Australians were packing their desks for the long weekend as reports began circulating that the PlayStation Network was down. Nothing major. A pain for those looking forward to five days of online gaming, but nothing more.
But then the story gathered steam, momentum – as more details were slowly released, it became evident that Sony, and the PlayStation Network, was on the receiving end of a major security compromise.
Someone, somewhere may be in possession of your personal details. They may even have your credit card details. How did it come to this? How did this breach occur? And who is responsible?
THE BAD GUYS
“Well, the bad guys are targeting in the cloud services, that’s becoming clear. We’re seeing a lot of events like this as of late where the bad guys are able to get in and compromise services and get the information that might be stored by these kinds of services. This Sony one is yet another incident in a long line that have happened over the last six months.”
Lloyd Borrett is the security evangelist for AVG, distributors of Internet Security products across Australia and New Zealand. According to him, the Sony breach is just the latest in a long line of attempts by well-organised cyber criminals, or, as he calls them – “bad guys”.
“The bad guys are starting to realise they can have massive success by targeting those kinds of services rather than the piecemeal approach of going after individuals. They are obviously putting increased efforts into targeting these repositories of information.”
But just who are these potential bad guys?
“The bad guys are organised cyber criminals with links into organised crime,” claims Borrett. “There are a few smart cookies that write the exploits and they market it to others who buy the services and create things like the botnets and other stuff. They also provide monetisation services, because you or I can spend $400 on the service and set it up, but to monetise the information we get that’s something else again.
“Cyber crime is so organised and multi-tiered that the whole process is part of a huge network. Someone might be skimming credit cards, but others might be taking that information and then selling it. Others are selling the services that help gain that information.”
Rumours swirling around the net have stated that Anonymous may have been behind the attack, especially in the wake of the George ‘Geohot’ Hotz legal saga. It’s impossible to say at this early stage but, according to Kaan Kivilcim, Security Consultant at Sense of Security, the more sophisticated the attack, the less likely it was that Anonymous was the culprit.
“It is possible,” begins Kaan. “Anonymous is pretty opportunistic – if they see a target that’ll get them publicity they’ll definitely attack it. It’s entirely possible that a group like this instigated the attack. It might also be possible that it was the work of someone more skilful.
“Not to discount the skill of Anonymous, but a lot of their hacks have been traditional hacks, other major hacks like RSA’s – that hack was incredibly sophisticated, so depending on how the attack came through and how Sony were compromised, based on the level of skill required, then you can draw conclusions on whether it was Anonymous or not.”
“Yes and no,” says Kaan, “the way they’ve approached their network to date has been pretty good – they haven’t had any real significant compromises over the past couple of years, so I guess you can take it in two different ways – you could say, yes, they have good security or you could say they’ve just been lucky so far.
“They have a similar approach to Apple in that the firmware on the PlayStation is closed – they don’t provide an option to install a different OS on the device, which means they have a better amount of control. But one of the things we’ve been looking into over the past couple of months is a new custom firmware called ‘Rebug’ for the PlayStation 3, which is the result of someone cracking the cryptographic keys for the PlayStation firmware.
“‘Rebug’ basically allows you to build custom firmware for the device. When you install it on your PS3 it allows you to gain access to some development features of the device. One of these development features actually allows you to make purchases that don’t validate the credit card number.
“So from that perspective, perhaps Sony haven’t done the right thing – in that the protection measures they’ve put in are solely relying on the fact that the firmware is this obscure thing and once you’ve got access to the firmware and how it works it could be a trivial thing to circumvent some of their security measures.”
Lloyd Borrett sees the incident as an example of just how vigilant companies have to be with the increase of more sophisticated methods of cyber crime.
“I think everyone’s got to take a hard look at the services they provide in the cloud,” claims Borrett. “We all love the benefits the internet brings us but it comes with security risks. And we’ve got to make sure that when we set up these sorts of services that those things are taken into account. And that the right security policies are put into place.
“We’re increasingly seeing businesses moving towards in the cloud services, and when they’re involving third parties to do that they’re outsourcing some of the security risks involved. They’ve got to be mindful, when they put it in someone else’s hands that they’re going to handle it appropriately.”
A QUESTION OF TIME
Most major criticism of Sony has been directed at its performance after the security breach. It took Sony just over a week to inform PSN users of the fact that their credit card details may be in the hands of hackers. According to Kaan Kivilcim, this delay is a matter of prudence and pragmatism – he’s been impressed by how Sony has kept consumers informed so far.
“The concern is that these companies have to balance the amount of information they disclose based on their investigations,” begins Kaan. “The fact that they’ve come out after a week and been upfront with their customers about the information leak and the credit card – I think that’s a pretty good reaction from a company like Sony. A lot of companies will actually keep the whole thing under wraps and not come clean until they absolutely have to – but Sony hasn’t done that.”
Kaan also mentioned, however, that Sony has been “coy” about the amount of information they’re releasing so far.
“The fact that Sony hasn’t given out any more information about how they were actually compromised, to me, probably indicates that the attack was quite sophisticated and they’re still coming to grips with exactly what happened,” says Kaan. “It could just be that they were totally unprepared – that they didn’t know they were vulnerable in this way and are now totally on the backfoot now trying to work out how the compromise occurred and what they need to do to fix it.”
According to Lloyd Borrett, Sony’s initial reaction – shutting down the PlayStation Network indefinitely – was absolutely the correct decision.
“By shutting it down they’ve locked them out from getting more information,” claims Borrett. “It could be that the horse has already bolted, that they’ve got all the information they need – but shutting it down gives them time to analyse what the bad guys have got, and helps them prepare plans with regards to what they can do. It also gives them a chance to rectify the security loopholes used by the bad guys. So I think that’s a prudent thing for Sony to do.”
WHERE CREDIT IS DUE
The question on most PSN users’ minds is this: have my credit card details been stolen? Are these details in the possession of cyber criminals? According to Kaan, the answer to that question is dependent on a number of factors, the most pertinent of which is precisely how Sony stores your personal information.
“The compromise is quite significant,” says Kaan. “If Sony have not been following security best practice and they’re not storing credit card details with encryption, then someone may already have your details.
“On the other hand, it might be possible that the information has been compromised but is still in an encrypted state.”
Kaan claims that Sony’s admission that credit card details may have leaked is a huge deal – the decision to reveal that information would not have been made without some sort of evidence that said details could have been leaked.
“For Sony to come and say that the credit card information for millions of PSN users has been compromised, that’s not something Sony would do lightly. You wouldn’t do that unless you had doubts.”
For now, Kaan suggests you take every measure possible in order to secure any passwords you may have on any other services – particularly with regards to net banking.
“Best practice is to try and have a different password for all your different services,” claims Kaan. “If you have a net bank service make that password stronger and make sure it’s a different password. Password reuse is a way in which many people have been compromised in the past – so if you’re using your PSN password for anything else assume that all of those passwords need to be changed. Follow Sony’s advice – keep an eye out for any strange activity on your credit card and if anything happens contact your bank immediately.”
THE WAITING GAME
For now, the important thing is to be vigilant with your own details. As to the specifics of who breached the PSN’s security, and for what reason, we’ll only know for sure when Sony start distributing the information themselves. It’s difficult to say what the impact of this whole incident will be in the long term but, for now, consumer trust in PlayStation has been shattered.
Sony has been one of the pioneers in console digital distribution, but with this breach Sony has lost the ability to confidently stride ahead as a leader in this growth market.
How Sony recovers depends largely on its conduct in the coming days and weeks.
Stay tuned for more news.