NEWS
Sony under attack
H ackers have succeeded in
breaching Sony networks the
PlayStation Network (PSN), Qriocity
and Sony Online Entertainment
(SOE) resulting in the compromise
of users details that potentially
numbered as many as 100 million
records. Both systems were taken
offline immediately the breaches at
the AT&T datacentre in San Diego
were discovered.
Initial reports claimed that as many as
77 million customer records were com-
promised during the PSN attacks, which
took place in mid-April. This was based
on the size of the systems user base, but
estimates of the number actually affected
later dropped to 10 million still a mas-
sive breach. The PSN attack netted the
hackers records detailing names, birth
dates, email addresses, account logins
and physical addresses.
Later it was announced that SOE had
also been breached. SOE is home to a
number of services, including multi-play-
er online games such as EverQuest, The
Matrix Online, Star Wars Galaxies, DC
Universe Online and Free Realms. Up to
24.5 million records were compromised.
Sony has claimed that although credit
card information was stored on the
PSN system around 10 million user
accounts had credit/debit card informa-
tion associated with them this data was
encrypted. Sony also stated that it had
no evidence that credit card data was
taken. It also pointed out that it does
not store CVV data. However, Sony gave
no details about the encryption methods
used. And researchers from Trend Micro
claim to have seen discussions in carder
forums offering this data for sale with
as many as 2.2 million records being
available. Reported in the New York
Times, Trends senior threat researcher,
Kevin Stevens, said that the hackers
might be asking as much as $100,000
for the data, and had even offered to sell
it back to Sony. This has been denied by
the company.
With the SOE attack, Sony says that,
in addition to current user informa-
tion, an outdated database dating back
May 2011
to 2007 was also compromised. This
contained credit/debit card expiration
dates for 12,700 non-US customers and
10,700 direct debit accounts for custom-
ers in Germany, Austria, Netherlands
and Spain all of which may have been
stolen. Other account info was taken
and although Sony says passwords were
hashed, it didnt reveal what method
was used for the hashing for example,
whether a salt was employed. Sony also
hasnt yet explained why an outdated
database remained on its system and was
still reachable via the Internet.
Enterprises need to reconsider the
validity of data collection and accessibil-
ity, said John Colley, managing director
of (ISC)2 EMEA. Marketing people,
for example, should perhaps review the
amount and type of information they
gather as well as how they gather it,
given the level of attempts to defraud
people via email. They must consider
whether data needs to be stored perma-
nently or whether it can be held tempo-
rarily. Authentication is a clear example
of where the data usage requirement can
be temporary.
The Anonymous group, a loose col-
lective of activists, immediately fell
under suspicion, although very soon
after the Sony breach was announced
the group made a public statement that
it was not responsible. However, it had
been carrying out a DDoS campaign
against Sony because of the companys
now-settled legal action against George
Hotz, who hacked the PlayStations
encryption key. These attacks effectively
masked the hackers activities, which
is why Sony didnt notice the breaches
sooner, the firm claimed. In a letter to
a Congressional committee, Sony chair-
man Kazuo Hirai suggested that the
Anonymous members engaged in the
DDoS attack may have been providing
cover for the hackers.
Whether those who participated in
the denial of service attacks were con-
spirators or whether they were simply
duped into providing cover for a very
clever thief, we may never know, he
wrote. In any case, those who par-
ticipated in the denial of service attacks
should understand that whether they
knew it or not they were aiding in a
well-planned, well-executed, large-scale
theft that left not only Sony a victim,
but also Sonys many customers around
the world.
This prompted a second statement
from Anonymous, reiterating that it
was not responsible and that it doesnt
condone credit card theft (although it
has supported direct attacks on financial
institutions). However, the nature of the
group is such that individuals can eas-
ily mount an attack claiming to act on
behalf of the group. And Sony later said
it had found a file named Anonymous
on its servers carrying the message We
are legion a popular slogan used by
Anonymous. Nevertheless, the file could
have been left there by the hackers as a
way of shifting suspicion.
Sony said it is improving its security,
which includes the creation of the post
of Chief Information Security Officer
(CISO) and moving its datacentre to a
new location. And as well as working
closely with the FBI and database pro-
vider Oracle, it has also called in security
experts Guidance Software and Data
Forte to help investigate the breaches.
At the time of writing, there were
rumours of a pending third attack.
CNET reporter Erica Ogg claimed to
have communicated with one of the
attackers via an IRC channel. The hacker
said the attack would be on Sonys web-
site where the hackers would publicise
their successes.
PCI DSS appears to
reduce breaches
A lthough most information secu-
rity practitioners insist that com-
pliance does not equate to security,
a new report sponsored by Imperva
and carried out by the Ponemon
Institute has found a correlation
between Payment Card Industry
Data Security Standards (PCI DSS)
compliance and fewer data breaches.
The 2011 PCI DSS Compliance
Trends Study found that 64% of the
surveyed companies that comply with
the standards reported no data breaches
Continued on page 19....
3
Computer Fraud & Security