Wednesday, June 22, 2011

Sony PSN and Data Security

This got lost in my "Drafts" folder...

I work at a large company doing data systems engineering and architecture. One of the major components of my job is data security so when I hear of a security breach at a major online service my ears perk up.

The news doesn't look good. What Sony initially acknowledged only as a service interruption has escalated into an "external intrusion." In other words, they were hacked. PWN3D. People are already complaining about fraud and the lawsuits are lining up even before the dust settles. What did the hackers get? The investigation is ongoing but this is the list so far-

  • Your personal profile information: Name, email, birthday

  • Your PSN login information (username/password and answers to security questions)

What might have been taken-

  • Your purchase history on PSN

  • Your billing information: home address

Was credit card data access? Yes, but it was encrypted. Were the hackers able to read the encrypted data? Sony is still investigating.

Even though Sony has a major black eye right now, here is where Sony is shining:

  • They are doing a complete service rebuild from the ground up. This is Security 101: when you are compromised in a major way instead of trying to ferret out every intrusion point, malware, and hacked admin account, just rebuild the entire thing. They are maintaining evidence where necessary to investigate and cooperate with law enforcement but they also have a service to run. The only way to know that your service is not compromised is to go back to a known good state. Which means re-imaging every server in your datacenter from a known-good copy and start fresh.

  • They are being open and honest about what happened and the possible consequences to the point of advising everyone to watch their credit reports and credit card accounts for unusual activity.

It took weeks to recover and bring the site back up only to be taken town again... and again... and again.

What does this mean to the information security world?

  1. Encrypt or at least hash your passwords BEFORE you store them in the DB.

  2. Teach your IT guys appropriate security practices

  3. AUDIT, AUDIT, AUDIT. And when you are done, AUDIT SOME MORE.

  4. Teach your users to TRUST NO ONE. When you receive an attachment from someone call them up and ask them: did you mean to send me this document (in Excel format with an embedded malicious flash component)? (that's how RSA was hacked)

Will the Sony debacle blow over? Of course. Will people every forgive them for screwing up and come back to the PSN? Of course they will. People want to play games and Sony has a popular (albeit #2) game console. The public forgets all the time. They will eventually forget with the next ultra-cool, can't-miss games comes out as a PS3 exclusive.

But will the industry ever be the same? People are already calling 2011 the "Golden Age of Hacking." Exploits are no longer being bragged about by hackers to show who is the best: they are hiding them close to the vest and selling them off to the highest bidder or embedding them in malware that is then sold on the web to spammers and would-be botnet controllers.

Wake up people, tighten your belts and gird your loins. The advanced persistent threat is here to stay. Only good development practices, sound security policies, and self-analysis will win the day.

No comments:

Post a Comment