PSN hack: The facts and the fiction
26th Jun 2011 | 14:30
"When companies say 'may', it's wise to assume the worst." So says Dave Whitelegg, security advisor to companies and consumers. His phone's been ringing a lot since Sony said it "may" have lost millions of PSN subscribers' credit card details.
The April 19 intrusion into the heart of Sony's online service caused over three weeks of downtime. A huge pain for players, a concern for developers and a catastrophe for indies taking their first steps into the PSN marketplace.
For many of you Sony's 'Welcome Back' package may have repaired much of the damage - if the Xbox 360's 'Red Ring Of Death' disaster taught us anything, it's that gamers tend to forgive the moment they're back in the game.
THE REAL RISK
But will we forget? Not if we've any sense. As a tech-savvy yet often naive crowd, we've been given a wake-up call. The fact that many have obsessed over the card info - the most sensational angle - tells you just how out of touch we can be. "The thing with credit card info is that it's the quickest way for people to make cash out of the data set," says Whitelegg.
"But it's the personal information that's really important. And if you look at the kind of information that's been breached in this situation, the significant data is email address and password. Most people tend to use the same password for multiple accounts. So if a hacker knows your email, the first thing they'll try - especially if it's Hotmail or Gmail - is to log on.
"If I have control of your email account, I can do password resets on every other account you have. That's the second factor here: Sony's reset questions have been lost as part of the breach. If you look at e-commerce websites like Play.com, when they do a password reset they ask you some personal information. But Sony use generic ones like, 'What's your mother's maiden name?'"
Cancelling a payment card is as inconvenient as it is simple, and once done is absolute; those stolen numbers become useless. But unless you follow the sage advice of randomly generating each and every password in your online life - and let's face it, who does? - you'll be amazed how vulnerable you are.
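The point Whitelegg makes about reused passwords is easy to see in code. The following Python snippet is an added illustration, not part of the original article or anything Sony published: it contrasts a "vault" where one password is reused everywhere with one where each site gets its own randomly generated password from the operating system's CSPRNG, and shows the blast radius of a single leaked site in each case. The site names and the reused password are constructed for the example.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and a handful of symbols (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a password of `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Generate one password with the OS CSPRNG (secrets), never with random.random()."""
    if length < 12:
        raise ValueError("a password shorter than 12 characters is too weak to bother with")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_vault(sites, length: int = 20) -> dict:
    """One independent password per site, so a leak at one site exposes no other account."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> set:
    """Return the passwords that are shared by more than one site (the reuse the article warns about)."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw for pw, sites in sites_by_password.items() if len(sites) > 1}


def blast_radius(vault: dict, leaked_site: str) -> list:
    """Given a breach at `leaked_site`, list every other site whose password the attacker now knows.

    This models an attacker who takes a leaked email/password pair and tries it elsewhere,
    which is exactly the attack described above.
    """
    leaked_password = vault[leaked_site]
    return sorted(site for site, pw in vault.items()
                  if pw == leaked_password and site != leaked_site)


if __name__ == "__main__":
    # Constructed example: a user who reused one password everywhere versus one who did not.
    reused_vault = {"psn": "hunter2", "email": "hunter2", "bank": "hunter2"}
    unique_vault = generate_vault(["psn", "email", "bank"])
    print("reused vault, PSN breached ->", blast_radius(reused_vault, "psn"))
    print("unique vault, PSN breached ->", blast_radius(unique_vault, "psn"))
    print(f"entropy of one 20-character password: {entropy_bits(20):.1f} bits")
```

The only practical way to keep a vault like `unique_vault` is a password manager; the generator above is what such a manager does internally, and the `blast_radius` check is the question to ask of every account you hold after a breach like this one.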
KNOW YOUR ENEMY
"You could do quite clever phishing emails with this attack," says Whitelegg. "And you could make those emails very personalised - 'spear phishing' as it's called. So you could get an email, for example, pretending to come from Sony, saying you've got a free voucher because it's your birthday. So you're more likely to click on that link and, say, have malware installed on your PC."
The two attacks on PSN and Sony Online Entertainment's servers have, incredibly, brought over 100m such data sets into the culprits' hands. Fingers have been pointed at both Anonymous (the anti-establishment hacking outfit with a vendetta against Sony) and some unknown cyber-criminal with more conventional aims. Anonymous became chief suspect when Sony discovered a file on an SOE server called 'Anonymous' which simply read: 'We are legion'. A sceptic might think this an obvious plant. But that's not how it works, argues Whitelegg.
"If you're good then you don't leave anything. You delete all your logs, don't leave messages, don't leave calling cards. Because that's how you get caught. You delete as much evidence as you can. This is someone trying to make a statement."
Speaking to SC Magazine, meanwhile, Anonymous spokesman Barrett Brown said, "Anonymous has no record in engaging credit card theft and resell, and if we did, the FBI would've already come down on us."
You may be wondering how any such thief could wrap even their prodigious head around a mother lode of a hundred million personal profiles. "If you get access to the core database, get admin rights, you get intel in the hundreds of thousands; you just download the whole lot," says Whitelegg. "It's unmanageable in some senses and they don't usually attack it all. They're quite smart, and sometimes they break it up and sell it on."
Of course, Sony have been hauled over the coals for this spectacular debacle. Some, such as fund managers Beyond Asset Management, predict high-profile resignations. Connecticut senator Richard Blumenthal slammed the "troubling lack of notification from Sony about the nature of the data breach."
But when you consider Sony are just one of several high-profile victims in a season of major hacks - including firewall manufacturer Barracuda Labs - just how much blame do they deserve? Could they have given us the specifics any sooner?
"When you have a breach, you don't understand what's going on," says Whitelegg. "If you look at the Sony infrastructure it's quite complex. So the first thing to do is establish facts, and to do that you have to send in a team of IT forensic investigators, and it'll take them a couple of days to get in and find out what's happened. They shut the network down the next day, which is a pretty bold decision."
That was the right call. But if you don't have the right logging systems you might not even know what's been taken. "The thing with credit card fraud is that nine times out of ten, people get the money back and never realise how their card has been forged. And nine times out of ten it's not the cardholder doing something wrong, it's the keeper of your data. A lot of data breaches we don't even find out about, because it's not in the interest of Visa or Mastercard to publicise them."
So the data thefts are some of the biggest in history, but that doesn't make them unique. Sony, furthermore, are an easy target: arrogant in the early PS3 years, belligerent in their removal of OtherOS, ruthless against those seeking to put it back in. But to revel in their humiliation is not enough - because along with our precious personal data, what's being exposed is our own lack of care. If you're only now changing all those identical passwords, chances are you've helped make a victim of yourself.