
Data breach and electronic crime: the Sony case

Beginning of April: Sony is in the process of suing George "GeoHot" Hotz, a 21-year-old hacker who uncovered (and subsequently shared online) the PlayStation 3's root key.

In retaliation, Anonymous, an online community, launched a series of DDoS (Distributed Denial of Service) attacks against the company, carried out with the LOIC (Low Orbit Ion Cannon) tool. The two operations went under the names #OpSony and #SonyRecon.

The first disrupted Sony's web sites, and the second, using social engineering techniques, gathered and published personal details on Sony executives, including CEO Howard Stringer.
Oddly, in the same attacks Anonymous also disrupted the PSN network. This caused some internal friction in the community, since this kind of attack affects the millions of PSN users more than it affects Sony itself.

After this escalation nothing happened for a couple of weeks, but then, on April 19, Sony took offline the Qriocity network (used by Sony to sell services such as video on demand and music downloads) and PSN (PlayStation Network).
For a few days no information was released about the reason for this shutdown, until April 25, when Sony started to provide the first details about the attack.
What apparently happened is that "someone", taking advantage of vulnerabilities in Sony's protection systems, was able to break into its data servers and steal the personal data of more than 77 million users spread all around the world.

In more detail, according to Shinji Hasejima, Sony's chief information officer, the attack was launched from an application server sitting behind a web server and two firewalls on Sony's network.

Ongoing investigations have further revealed that an additional 25 million customer records on Sony Online Entertainment (SOE) were stolen on 16 and 17 April, before the PSN break-in: again, names, addresses, emails, birth dates, phone numbers and other information belonging to PC games customers were stolen.

One question is why the attack was not detected promptly. According to Hasejima, it was disguised as a purchase, and for that reason the security systems were not able to detect it. The attacker exploited a known vulnerability in the application server to plant software that was then used to access the database server sitting behind the third firewall.

The management at Sony Network Entertainment International wasn't aware of the vulnerability, and this, considering how important this network is for the company, is significant.

Coming back to the results of the attack, 25 million users' data were stolen in the first attack and 77 million more in the second. The data stolen in the latter attack were stored in clear in the AT&T data center in San Diego.
Among these 77 million users, at least 10 million had also saved their credit card data. The credit card data were, at least, encrypted and kept in a different repository (in the same data center).
This means that, even if the attacker was also able to download the credit card credentials, there is a good chance that so far he has not been able to use them (though he might be able to in the future, after decrypting them, a costly but not impossible operation).
Most important for the users, Sony declared that as an internal policy they do not usually store the security code associated with the credit cards, and this should make the users at least a little more comfortable.

Meanwhile, the security company G Data has published some details about the established underground market for the stolen data sets.

It is important to note that, so far, there is no evidence in this attack of the involvement of the Anonymous group (which claimed authorship of another attack against Sony at the beginning of the year) nor of George Hotz (the well-known PSN hacker).

Sony is now collaborating with the FBI to identify the authors of this attack.

The magnitude of this event should however raise attention at the national and global level: in a few minutes this attack directly hit more than 77 million users, while at the same time, considering the impact on the stock market, causing damage worth millions of euros to a multinational company such as Sony, and then indirectly damaging millions of other people (all those involved directly or indirectly with Sony's operations).

This incident highlights how data breaches represent one of the major threats that ICT systems, service providers and their customers can face today, and this inevitably shifts attention to the security of cloud services from two perspectives: operations and policy/regulations.

From an operational point of view, both internal incident response plans and security assurance practices proved ineffective: too much time passed between the detection of the intrusion and the acknowledgment that millions of records had been stolen. At the operational level, after being taken offline, PSN and Qriocity services were only gradually restored, and only after a long time.

Customers started to complain about the excessive time Sony took to communicate details about the incident and the resulting damage in terms of data theft, and in some countries the affected community is threatening to bring a class action against Sony. Sony has started investigations in close cooperation with national law enforcement agencies such as the FBI: a positive point of this entire story is that, at least, through further investigations another earlier breach was discovered.

From a policy and regulations point of view, security poses a still open and current challenge about where liability should be placed between service providers and customers: in this respect, today's news is that Australia's government is planning to put in place regulatory amendments requiring service providers to take immediate action towards their customers whenever intrusions or cyber attacks are detected.

Incidents cannot be avoided entirely, but companies must be prepared to deal with the inevitable, and risks have to be managed: internal security audits should be an ongoing, continuous process, and incident response plans should be clearly defined, agreed upon, communicated and implemented. Lessons learnt should be shared within and outside the company's borders, strengthening the information sharing mechanisms that allow the community to learn from others' experience.
Cooperation with law enforcement agencies should be continuously maintained, establishing clear points of contact and procedures for incident reporting, information exchange and joint operations.

Finally, this attack reveals once more the vulnerabilities of ICT systems and services. It is of course a matter of inadequate technology and processes, but it is also a matter of security culture, people's education and security awareness.