Their comments follow the congressional testimony of Gene Spafford, a computer security professor at Purdue University, who told lawmakers that Sony used an outdated version of the Apache Web server software and had no firewall installed. Hackers compromised the PlayStation Network on April 19, stole personal data, and forced Sony to rebuild its network from the ground up, a process that is still going on.
Sony has denied Spafford’s claims, but other experts who spoke with PCWorld doubt that Sony took every precaution that it could have.
Stahl has no direct knowledge about the attack, but his experience suggests that Sony’s security approach was outdated. He noted that Sony had blamed the PSN hack, in part, on an earlier denial-of-service attack, which had inadvertently or intentionally weakened the network’s defenses against the larger break-in. Stahl knows this method quite well; he used a similar approach himself about eight years ago to crack a water company’s Website as part of a consulting job.
“If we can do that to a small water district using an attack that’s seven or eight years old, and Sony got hit with that attack … you’ve got to say somebody at Sony wasn’t watching the store,” Stahl said.
Kris Alexander, head of gaming strategy for Akamai, said it’s common for attacks to come in multiple waves, as they did for Sony. Alexander wouldn’t talk about Sony specifically because Akamai’s policy is not to comment on companies in the games industry, but he did say that it’s important for companies to be prepared for attacks on more than one front. “Oftentimes, especially with malicious attackers, they’re planning just as hard as you are to defend yourself,” he said.
After the Attack
“They really didn’t have a defined process to address data breaches,” Meikle said. Many companies don’t, he noted, because it’s an extra expense, and data security hasn’t been a hot-button issue until quite recently. Still, Meikle was disappointed with Sony’s response.
“Everyone was assuming that Sony, being Sony, would have their act together,” he said, “and I think that’s what’s annoying people more than anything.”
Was the PSN Breach Inevitable?
Gary Bahadur of KRAA Security refutes the idea that hacking is inevitable. “If you are diligent and have a rapid response process in place to identify all of your assets and test daily for vulnerabilities, you can maintain a very good security posture,” he wrote in an e-mail message.
The problem is that big targets like Sony need to invest considerable resources in stopping attacks, according to Steve Santorelli, director of outreach for Team Cymru, a nonprofit security research company in Chicago. “If you’re a big enough target, you’re going to have a lot of very talented people with a lot of resources and time hammering away at your systems,” he said.
Videogame networks will continue to be attractive targets for hackers, because all associated credit cards need to be kept active for subscriptions and downloadable content, according to Tim Keanini, chief technical officer for network security firm nCircle. “It’s a good bet that other cybercriminals are looking at this breach and evaluating other gaming sites as potential targets because they are equally ‘rich’ in personal information that can be quickly converted to cold, hard cash,” Keanini wrote in an e-mail message.
“If there’s one message post-Sony, it’s that this is the reality these days, and you have a responsibility to protect yourself, your networks, your family, and your information, because no one else is going to do it for you,” Santorelli said.
He recommended practicing “good password hygiene” (specifically, not using the same password for every Website and service), keeping a close eye on banking statements, and maintaining a separate credit card for online purchases. For more information on dealing with PlayStation Network data theft in particular, check out our survival guide.