As it unfolds, the magnitude of stupidity in Sony's Playstation Network breach becomes more and more apparent. Why should anyone have faith in Sony going forward?
So ... the Sony Playstation Network had a serious breach, and it's been down for over a week. I'm not telling you anything new, that you can't find all over the Internet, and which is covered in exquisite detail. That's by no means the intent of my post. My intent is to highlight exactly how this is a massive security failure.
It took them a week to notify users that customer details had been breached. That's something that cannot - and should not - be ignored. Based on the latest FAQ, we know that the personal details of Sony's customers were not encrypted - but the credit card table, containing credit card numbers and expiry dates, was. Be under no illusion - this is a massive failure, and privacy breach, on the part of Sony. Worse still - they are being deliberately disingenuous about the information they're revealing. The lack of encryption and sanitisation on private details is a serious concern. And using "but the credit card table was encrypted" is an attempt to falsely assure those affected (and it's working with at least some). Here's the part they don't mention:
For the credit card information to be usable, it had to be stored with reversible encryption
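To make that point concrete, here is a small added illustration (my own example, not anything from Sony or from the original post). A card number that the merchant must later send to a payment processor has to be decryptable, so the application holds a key that reverses the encryption; anyone who obtains both the table and that key holds the cards. A keyed one-way token, by contrast, lets the application recognise a card it has seen before but gives nothing back that could be charged. The cipher below is a deliberately minimal constructed HMAC-SHA256 counter-mode stream, used only to keep the script free of third-party dependencies; the key, the table layout and the card numbers are constructed test values, not a recommendation for real card storage.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed PRF-counter keystream: HMAC-SHA256 over nonce || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key: bytes, plaintext: str) -> bytes:
    """Reversible encryption: the same key turns the blob back into the PAN."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + body


def decrypt_reversible(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body)))).decode()


def one_way_token(key: bytes, plaintext: str) -> str:
    """Keyed hash: enough to recognise a card again, useless for charging it."""
    return hmac.new(key, plaintext.encode(), hashlib.sha256).hexdigest()


# Constructed values. In a real deployment the application key lives somewhere
# the application can read it (config file, key store), which is exactly why a
# compromise that reaches the application tier can reach the key as well.
APP_KEY = os.urandom(32)
CARDS = ["4111111111111111", "5500000000000004"]  # well-known test PANs


def build_tables(key: bytes = APP_KEY, cards=CARDS) -> dict:
    """Two ways of storing the same card numbers."""
    return {
        "reversible": [encrypt_reversible(key, c) for c in cards],
        "one_way": [one_way_token(key, c) for c in cards],
    }


def recover_with_dump_and_key(tables: dict, stolen_key: bytes) -> list:
    """What a party holding the table dump plus the application key gets back."""
    return [decrypt_reversible(stolen_key, blob) for blob in tables["reversible"]]


def is_known_card(tables: dict, key: bytes, candidate: str) -> bool:
    """The one-way table still supports the legitimate 'seen this card before' check."""
    return one_way_token(key, candidate) in tables["one_way"]


if __name__ == "__main__":
    tables = build_tables()
    print("recovered from 'encrypted' table:", recover_with_dump_and_key(tables, APP_KEY))
    print("one-way table recognises card 1:", is_known_card(tables, APP_KEY, CARDS[0]))
    print("one-way table yields PAN:", any(t == CARDS[0] for t in tables["one_way"]))
```

The lesson for a defender is that "encrypted" is only meaningful together with a statement of where the key lived and whether the attacker's access extended to it; a breach writeup that omits that is not reassuring.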
The other aspect of their FAQ that's problematic is their assertion that there is "no evidence" that the credit card data was accessed. I'll let you try to work out why that's an incorrect assumption.
Got it yet? That's right - a successful attack could easily mean that the "evidence" of the data being accessed is non-existent. A successful attacker will often cover their tracks.
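The "no evidence" claim is only as good as the integrity of the logs it rests on. As an added example (mine, not the post's, and not a description of Sony's systems), the script below builds a hash chain over constructed access-log lines so that removing a record breaks the chain, and shows the caveat that matters in practice: an attacker who can rewrite the whole file can simply rebuild a self-consistent chain, so the chain head must also be anchored somewhere the attacker cannot reach. All log lines, hostnames and table names are constructed sample data.

```python
import hashlib

# Constructed sample access log; line 1 is the record an intruder would want gone.
ACCESS_LOG = [
    "2011-04-17T22:03:11Z app01 db_query user=svc_web table=profiles rows=1",
    "2011-04-17T22:03:15Z app01 db_query user=svc_web table=credit_cards rows=77000000",
    "2011-04-17T22:04:02Z app01 db_query user=svc_web table=profiles rows=1",
]

GENESIS = hashlib.sha256(b"constructed-genesis").hexdigest()


def _link(prev_hash: str, line: str) -> str:
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def chain(lines, genesis: str = GENESIS) -> list:
    """Wrap each line with the hash of everything before it."""
    prev = genesis
    records = []
    for line in lines:
        h = _link(prev, line)
        records.append({"line": line, "prev": prev, "hash": h})
        prev = h
    return records


def head(records: list, genesis: str = GENESIS) -> str:
    """The chain head; this is the value to ship off-host after each write."""
    return records[-1]["hash"] if records else genesis


def verify(records: list, genesis: str = GENESIS, expected_head: str = None):
    """Return (ok, index_of_first_break). Index == len(records) means the
    chain is internally consistent but does not match the anchored head."""
    prev = genesis
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _link(prev, rec["line"]) != rec["hash"]:
            return (False, i)
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return (False, len(records))
    return (True, None)


def has_card_access(lines) -> bool:
    """The naive 'no evidence' check: look for a card-table access line."""
    return any("table=credit_cards" in line for line in lines)


def scrub_plain_log(lines) -> list:
    """What deletion of the incriminating line looks like on an unprotected log."""
    return [line for line in lines if "table=credit_cards" not in line]


def delete_record(records: list, idx: int) -> list:
    return records[:idx] + records[idx + 1:]


if __name__ == "__main__":
    scrubbed = scrub_plain_log(ACCESS_LOG)
    print("plain log shows card access after scrub:", has_card_access(scrubbed))
    chained = chain(ACCESS_LOG)
    anchored_head = head(chained)
    print("intact chain:", verify(chained, expected_head=anchored_head))
    print("record deleted:", verify(delete_record(chained, 1), expected_head=anchored_head))
    rebuilt = chain(scrubbed)  # attacker re-chains the scrubbed lines
    print("rebuilt chain, no anchor:", verify(rebuilt))
    print("rebuilt chain, anchored:", verify(rebuilt, expected_head=anchored_head))
```

Without the anchored head, the rebuilt chain verifies cleanly and the log tells the same "no evidence" story as one that never recorded the access; with the head shipped to a separate, write-once destination, the rewrite is detectable. Absence of log entries on a host the attacker controlled is not evidence that nothing was read.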
I have no stake in this. I don't have a PS3. I have nothing to do with Sony. I have no knowledge of their network architecture, and am in no position to critique it. But I am, nonetheless, deeply concerned about just how wrong Sony have got their response - there are so many instances of failure in just what I've outlined above. For starters, the first rule in a breach of this nature - very obviously - should be to assess what data was potentially accessible and to proactively notify those affected.
Sony's response has left anywhere up to 77 million users (and by no means could all of those be "real" accounts, so it's certainly less) open to identity theft, along with what could be a very trivial decryption of their existing credit card details. Let's be clear on this - the personal data is quite enough. Based on what was accessible, an attacker could quite successfully get new credit and ruin people's credit rating (not to mention the stores who fall victim to credit fraud as a result). But on top of that, the existing credit card details could well have been accessed. That's a piece of low hanging fruit which is very attractive in some circles - and in a lot of cases, you still don't need the missing CVV/CSC number that they plead as a mitigation. I can think of many times that I haven't required it, and for a criminal, there are many ways in which this could be exploited.
PSN users who are affected should be upset. They should be angry - very angry. They should demand better. This is an astounding failure by Sony, and one which they should not be easily forgiven for. To be eligible for forgiveness, they should have been notifying users on Day 1. This is corporate idiocy at its worst.
For myself, I certainly hope that other services, such as Xbox Live - which I do use - are taking this incident as an important lesson, and reviewing their own controls and procedures to ensure that they aren't susceptible. I'd hate to think that they're just sitting back and gloating, without being absolutely certain that they've taken all reasonable precautions.
As always, security is not so much about prevention as it is risk reduction. The failure here seems to be that Sony didn't expect to be breached. As far as I see, that's a massive mistake. I'd prefer to assume that controls are imperfect, and to plan the response accordingly. That's certainly a fundamental of disaster recovery - and the mistake always made is to leave out the disaster. If you don't expect it, you won't respond well.
I'm sure there are those that feel that Sony's response was perfectly adequate, and feel that they should be given a break. That's as may be - I just feel that it's not the case, and from my own experience, this is an example of entirely the wrong response, amplified to disastrous proportions. This is a great example of a massive "cloud" service failure, and one which quite rightly should be given widespread attention and scrutiny.
I whip my tweets back and forth: @OhCrap