As the PlayStation Network outage enters its fourth week, with no definite answer to the question of when service will be restored, security experts have told PCWorld that Sony could have done more to prevent PSN from being infiltrated by hackers.
Their comments follow the congressional testimony of Gene Stafford, a computer security professor at Purdue University, who told lawmakers that Sony used an outdated version of the Apache Web server software, and had no firewall installed. Hackers compromised the PlayStation Network on April 19, stole personal data, and forced Sony to rebuild its network from the ground up--a process that is still going on.
Sony has denied Stafford's claims, but other experts who spoke with PCWorld doubt that Sony took every precaution that it could have.
"Everything I've seen suggests that this very, very much could have been prevented," said Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, which organizes conferences for security experts.
Stahl has no direct knowledge about the attack, but his experience suggests that Sony's security approach was outdated. He noted that Sony had blamed the PSN hack, in part, on an earlier denial-of-service attack, which had inadvertently or intentionally weakened the network's defenses against the larger break-in. Stahl knows this method quite well; he used a similar approach himself about eight years ago to crack a water company's Website as part of a consulting job.
"If we can do that to a small water district using an attack that's seven or eight years old, and Sony got hit with that attack ...you've got to say somebody at Sony wasn't watching the store," Stahl said.
Kris Alexander, head of gaming strategy for Akamai, said it's common for attacks to come in multiple waves, as they did for Sony. Alexander wouldn't talk about Sony specifically because Akamai's policy is not to comment on companies in the games industry, but he did say that it's important for companies to be prepared for attacks on more than one front. "Oftentimes, especially with malicious attackers, they're planning just as hard as you are to defend yourself," he said.
After the Attack
Mike Meikle, CEO of IT consulting firm Hawkthorne Group, was also critical of Sony, saying that the company's failings were evident in the way it responded to the breach. The company took five days to inform users that their names, e-mail addresses, passwords, real-world addresses, and birthdays were exposed; and only after the attacks did Sony announce that it would employ a chief information security officer to oversee the network.
"They really didn't have a defined process to address data breaches," Meikle said. Many companies don't, he noted, because it's an extra expense, and data security hasn't been a hot-button issue until quite recently. Still, Meikle was disappointed with Sony's response.
"Everyone was assuming that Sony, being Sony, would have their act together," he said, "and I think that's what's annoying people more than anything."
Was the PSN Breach Inevitable?
Although Sony's approach to security has come under fire, some experts--and some die-hard Sony fans--have painted the breach as unavoidable. Last week, renowned security expert Bruce Schneier told Kotaku that no network is truly secure, asserting that the fact that PSN was hacked likely had little to do with its level of security. "Everyone is probably equally sucky," he said.
Gary Bahadur of KRAA Security refutes the idea that hacking is inevitable. "If you are diligent and have a rapid response process in place to identify all of your assets and test daily for vulnerabilities, you can maintain a very good security posture," he wrote in an e-mail message.
The problem is that big targets like Sony need to invest considerable resources in stopping attacks, according to Steve Santorelli, director of outreach for Team Cymru, a nonprofit security research company in Chicago. "If you're a big enough target, you're going to have a lot of very talented people with a lot of resources and time hammering away at your systems," he said.
Videogame networks will continue to be attractive targets for hackers, because all associated credit cards need to be kept active for subscriptions and downloadable content, according to Tim Keanini, chief technical officer for network security firm nCircle. "It's a good bet that other cybercriminals are looking at this breach and evaluating other gaming sites as potential targets because they are equally 'rich' in personal information that can be quickly converted to cold, hard cash," Keanini wrote in an e-mail message.
Santorelli, who before his current job worked at Microsoft and as a detective sergeant on Scotland Yard's Computer Crime Unit, warned that there's no silver-bullet approach to stopping network breaches. He argued that there needs to be a sea change in the way consumers treat their data.
"If there's one message post-Sony, it's that this is the reality these days, and you have a responsibility to protect yourself, your networks, your family, and your information, because no one else is going to do it for you," Santorelli said.
He recommended practicing "good password hygiene" (specifically, not using the same password for every Website and service), keeping a close eye on banking statements, and maintaining a separate credit card for online purchases. For more information on dealing with PlayStation Network data theft in particular, check out our survival guide.