Sony Networks And Qriocity May Kill The Fat Cat

If ever there was a case study of corporate irresponsibility, Sony would be a prime candidate. A massive international corporation, with no dedicated security executive, which “loses” over 100 million user records and an unknown number of payment card details is somewhat more than unfortunate.

On Sunday we saw the heads of Sony bowed in apology, but now we have another breach confession as the company reveals the loss of 24.6 million more records, 12,700 card details and 10,700 bank account details from the Sony Online Entertainment (SOE) network. This was from “an outdated database from 2007” and the question must be asked why it was not archived and taken offline.

After The Horse Has Bolted

Sony now says that it is appointing a chief information security officer (CISO) – which conjures an image of stable doors and Trojan horses bolting. It may not be too little but it is certainly too late.

Sony’s CIO Shinji Hasejima explained the company had suffered a “highly sophisticated attack by a skilled intruder”. The attacker had entered the system through a web application server vulnerability and introduced a tool that enabled access rights to the database.

Before the new disclosure, Wired quoted a security expert who said that Sony was running an outdated version of the Apache server and suggested that the hacker may have used a known vulnerability to breach the system.

Two months before the breach, on 16 February, Bret McDanel, known as Trixter, wrote to an Internet Relay Chat (IRC): “If Sony is watching this channel they should know that running an older version of Apache on a RedHat server with known vulnerabilities is not wise, especially when that server freely reports its version and it’s the auth[entication] server,” Wired reported.

Obviously, Sony was not watching.

Small Expenditure Could Have Saved Billions

Colin Tankard, managing director of Digital Pathways reckoned that it would have cost Sony about £60,000 to encrypt all the data but added: “It is obvious that they had no in-depth cover, no audits or controls for unusual behaviour.”

This appears to be borne out by the fact that the second breach would not have been noticed had it not been for an investigation into the recent attacks on Sony’s PlayStation Network and Qriocity music streaming services.

The implied picture is one of incompetency or, at least, a dangerously cavalier attitude towards security. Considering the nature of the data – personal information entrusted to Sony’s safekeeping – the maintenance of the system obviously left much to be desired.

“This is bad for Sony’s reputation and will provide another wake up call for businesses that deal with online payments… It seems Sony is also unsure what has actually been accessed, suggesting data access auditing measures were not in place,” said Bob Tarzey, analyst and director for Quocirca, echoing Tankard’s views.

Pulling The Great Switch

The fall-out from the breaches will probably see some resignations/sackings at Sony but the costs could be immense – running into billions of dollars. The company already has the expense of moving the whole infrastructure away from its current location and the losses from switching off the Playstation Network, Qriocity and SOE websites for two weeks or more.

On top of this, the company faces several class-action suits that have been launched against it and could lead to other prosecutions, government departments are investigating what actions they may take against the company, and there could be fines levied by the payment card issuers.

Kazuo Hirai, pesident and group CEO of Sony Computer Entertainment, did not mention the expected cost of the incident on Sunday, but did say that it would include the cost of replacing credit cards, new security and infrastructure, and lost sales.

Sony’s Big Data Protection Challenge

The security measures Hirai promised included better intrusion detection, network analysis software, automation tools, additional firewalls, and a move from its current San Diego data centre to a more secure facility.

The general view is one of amazement that these procedures were not already in place and that a lot of the data was stored as plain text.

“It was great the card data was encrypted,” Tankard said before the latest attack was revealed, “which sounds as if they have followed PCI guidelines. But it doesn’t sound like they encrypted the personal information like addresses and emails etc. It seems odd that they have not bothered to encrypt all of the data.

“Encryption is only part of the overall system – alone it is only good for physical theft of data. You need to link access control to the data so only certain people see and have access to that data. Audit and SIEM (Security Incident and Event Management) systems should also be installed,” he added.

Warning To Everyone

Sony is not alone and there has been an upsurge of customer data robberies over the past few months. Epsilon, Play.com, IEEE, RSA Security, and CEOP have all been compromised. This should be a wake-up call for all companies, who ask their customers to register online, to check their security procedures immediately.

“There will be an investigation and some of the facts will emerge [from Sony], but other organisations cannot wait for that and, if in doubt, they should review their own data storage and handling procedures now,” said Tarzey.