Published: May 4, 2011
In spite of the fact that RSA Security and Epsilon recently suffered security breaches, Sony seems to be getting the majority of nightmare security headlines. Why? Probably because Sony and its PlayStation are more ubiquitous. Sony is a trusted brand that was producing high-end Trinitron TVs back in the 1970s and anyone with young boys in their house probably owns a PlayStation or some similar gaming device.
Sony is under a lot of heat these days, so it is finally going public with some details about the breach and its impact--and things are worse than first thought. First, Sony now says that the PlayStation breach may have compromised the personal records of as many as 77 million user accounts. Second, early reports that user passwords were encrypted turned out to be false. Instead, they were transformed using a hashing algorithm. Since some hashing algorithms aren't exactly bulletproof, this could also be a problem. Finally, Sony is getting dragged through the mud as the U.S. and other government bodies press the company for answers.
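The hashing point above, as an added example that is not from the post or from Sony: a fast, unsalted digest next to a salted, iterated derivation, showing why a "hashed" password store can still be a problem. The account names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Weak scheme: one fast, unsalted digest. Two users with the same password
# get the same stored value, and each guess costs a single SHA-1 call, so a
# leaked store can be checked against precomputed tables very cheaply.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: per-user random salt plus an iterated key-derivation
# function. Equal passwords store differently, and every guess costs
# ITERATIONS hash computations. The count here is an assumption for the example.
ITERATIONS = 100_000

def hardened_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the verifier can recover salt and cost.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_hardened(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_password_accounts(store: dict) -> list:
    """Group accounts whose stored values are identical. With an unsalted
    digest this reveals which users share a password without recovering any
    of them; with a salted KDF it returns nothing even when passwords match."""
    by_value = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)

# Constructed sample accounts (not real data): two users chose the same password.
SAMPLE = {"alice": "summer2011", "bob": "summer2011", "carol": "tr0ub4dor&3"}
WEAK_STORE = {u: weak_hash(p) for u, p in SAMPLE.items()}
HARDENED_STORE = {u: hardened_hash(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("weak store leaks shared passwords:", shared_password_accounts(WEAK_STORE))
    print("hardened store leaks:", shared_password_accounts(HARDENED_STORE))
    print("verify alice:", verify_hardened("summer2011", HARDENED_STORE["alice"]))
```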
Clearly Sony has "some 'splainen" to do, as Ricky Ricardo might say. Sony has consistently called the breach a "sophisticated attack." Hmm, maybe, but here is a link to a diagram that illustrates how the attacker bypassed the firewall and application to gain access to the database (http://www.siliconrepublic.com/strategy/item/21637-how-the-hackers-breac...).
Assuming that the PlayStation Network site is a public site on the Internet that users can access, it appears that the attack resulted from the exploitation of a Web application vulnerability. If so, this isn't very sophisticated at all. The same type of thing just happened to Barracuda Networks a few weeks ago.
So if this breach was in fact the result of a Web application vulnerability, here are a few of my thoughts:
Read more of Jon's blog entries at Insecure About Security.
*All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging. Click to see our complete Disclosure Policy.