Author(s): Jon Oltsik

Published: May 4, 2011

Sony PlayStation Breach: Sophisticated Attack or Insecure Internally-Developed Software?

In spite of the fact that RSA Security and Epsilon recently suffered security breaches, Sony seems to be getting the majority of nightmare security headlines. Why? Probably because Sony and its PlayStation are more ubiquitous. Sony is a trusted brand that was producing high-end Trinitron TVs back in the 1970s and anyone with young boys in their house probably owns a PlayStation or some similar gaming device.

Sony is under a lot of heat these days, so it is finally going public with some details about the breach and its impact--and things are worse than first thought. First, Sony now says that the PlayStation breach may have compromised the personal records of as many as 77 million user accounts. Second, early reports that user passwords were encrypted turned out to be false. Instead, they were transformed using a hashing algorithm. Since some hashing algorithms aren't exactly bulletproof, this could also be a problem. Finally, Sony is being dragged through the mud as the U.S. and other government bodies press the company for answers.
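The hashing point deserves a concrete illustration. The following is an added example, not code from the original post and not a description of Sony's actual password storage: it stores the same constructed set of passwords two ways, with a bare fast unsalted hash and with a per-user salt plus an iterated key-derivation function (PBKDF2), and shows why the first is the kind of "not exactly bulletproof" scheme the post warns about. The user names, passwords, record format and iteration count are all assumptions made for the demo.

```python
"""Added example (not from the original post): why "hashed" is not
automatically "safe". The same constructed passwords are stored with a
fast, unsalted hash and with a salted, iterated PBKDF2 hash."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample records: two users happen to share a password.
SAMPLE_USERS = {
    "alice": "Summer2011",
    "bob": "Summer2011",
    "carol": "correct horse battery staple",
}


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Identical passwords give
    identical digests, and digests of common passwords can be precomputed
    once and reused against every leaked database."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Stronger scheme: random per-user salt plus an iterated KDF.
    Record format (an assumption for this demo): iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_salted(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_digests(records: Dict[str, str]) -> int:
    """Number of stored digests that collide across users. Any collision
    leaks 'these accounts share a password' before a single guess is made."""
    return len(records) - len(set(records.values()))


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, object]:
    """Store every sample user under both schemes and summarise the outcome."""
    weak = {u: store_unsalted(p) for u, p in users.items()}
    strong = {u: store_salted(p) for u, p in users.items()}
    return {
        "unsalted_duplicates": duplicate_digests(weak),   # 1: alice == bob
        "salted_duplicates": duplicate_digests(strong),   # 0: salts differ
        "salted_verifies": all(verify_salted(p, strong[u]) for u, p in users.items()),
        "salted_rejects_wrong": not verify_salted("wrong", strong["alice"]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The unsalted table exposes that alice and bob share a password just by inspection, and the single fast hash is cheap to attack offline; the salted, iterated records hide the duplication and make each guess cost 100,000 HMAC evaluations per account. The iteration count is a constructed value; a real deployment tunes it to its hardware.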

Clearly Sony has "some 'splainin'" to do, as Ricky Ricardo might say. Sony has consistently called the breach a "sophisticated attack." Hmm, maybe, but here is a link to a diagram that illustrates how the attacker bypassed the firewall and application to gain access to the database (http://www.siliconrepublic.com/strategy/item/21637-how-the-hackers-breac...).

Assuming that the PlayStation Network site is a public site on the Internet that users can access, then it appears that the attack was the result of exploiting a Web application vulnerability. If so, this isn't very sophisticated at all. The same type of thing just happened to Barracuda Networks a few weeks ago.

So if this breach was in fact the result of a Web application vulnerability, here are a few of my thoughts:

  1. Everyone thinks they write good software, but they often don't. In a recent survey of critical infrastructure organizations in the U.S., 30% of firms had experienced a security incident directly related to the compromise of internally-developed software. Most of these companies also believed that their homegrown software was secure. Seems like a disconnect to me. I suggest that software developers review some of the published material from SAFECode or the Microsoft Secure Development Lifecycle (SDL).
  2. Web application vulnerabilities happen--it's just a function of writing software. The task at hand, however, is to introduce software assurance practices into software development processes to minimize risks. At the very least, progressive companies should make sure to review and test against the SANS Top 25 software errors (http://www.sans.org/top25-software-errors/). Did Sony do this? I have no idea, but it would be nice if they would let us know.
  3. The fact that Sony mishandled communications around this security breach shouldn't surprise anyone. When security incidents take place at large companies, lawyers immediately step in, evaluate their exposure, and then mandate what to say and what not to say about the breach. Not to be outdone, PR people often get involved as well and look for ways to spin security events. These strategies may be appropriate for tainted products, but security breaches need to be communicated quickly and concisely, free from marketing manipulation. I'm doing some research on best practices in this area. Please point me to any documented processes that I can look at as background.
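Points 1 and 2 above are about what a software assurance review actually catches. As an added example that is not from the original post and says nothing about Sony's real code, the following shows the textbook Web application flaw that such a review against the SANS Top 25 is meant to flag (SQL injection, CWE-89): a database lookup that splices user input into the query text, next to the parameterized form that keeps input strictly as a value. The table, rows and function names are constructed for the demo and run against an in-memory SQLite database.

```python
"""Added example (not from the original post): the same account lookup
written the vulnerable way and the parameterized way, over a constructed
in-memory SQLite table."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Create a throwaway database with three constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("alice", "alice@example.com"),   # constructed rows
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input is concatenated into the SQL text, so the input can
    change the structure of the query instead of just the value compared."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The SQL text is fixed at development time; the driver binds the input
    as a literal value, so it can only ever match (or not match) a username."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username: str) -> Tuple[int, int]:
    """Return (vulnerable_rows, parameterized_rows) for the same input, which
    is the comparison a code reviewer or a unit test would make."""
    conn = build_db()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterized(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("alice", "nobody", "' OR '1'='1"):
        print(repr(probe), "->", row_counts(probe))
```

For a normal username both variants agree. For the classic quote-and-OR input the concatenated query returns every row in the table, which is exactly the "bypass the application, reach the database" path the diagram linked above describes, while the parameterized query returns nothing. A test like `row_counts` belongs in the regression suite of any internally developed Web application so the defect cannot quietly come back.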

Read more of Jon's blog entries at Insecure About Security.


Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s Information Security and Networking services. With 25 years of technology industry experience, Jon is widely recognized as an expert in threat and security management as well as all aspects of network security. Recently, Jon has been an active participant with cybersecurity issues, legislation, and technology within the U.S. federal government. Prior to joining ESG, Jon was the founder and principal of Hype-Free Consulting. He has also held senior management positions at GiantLoop Network, Forrester Research, Epoch Systems, and EMC Corporation.
