News: PSN Hacked - Who is to Blame?

Unless you have been living under a rock for the past week you will have been aware that the PlayStation Network has been down (under maintenance). More information has finally been released by Sony, although its not the whole story - yet.

If you haven't received your email from Sony yet, or seen the message on another site or blog, here is a copy of the message sent out to all UK members:

In short, some attacker(s) found a vulnerability in the PSN network and managed to access a lot of personal details from potentially every PSN and Qriocity account in the world - 75 million of them in around 60 countries. This is bad. Currently they can't say whether credit card data was also available to them as they have not yet found any evidence it was, and I hope to goodness it wasn't. Why can't they say yet? Well, as someone who has dealt with network forensics a little in my time I can say it is incredibly time consuming to piece together all the information and build a picture of what happened after an event like this. Even on a relatively small system the logs created can be huge and stored across several systems, so I can't even imagine the size of the PSN logs. Hackers usually try to cover their tracks too by altering logs or filling them with bogus or irrelevant information to hide their real activity, making it much harder to see what they did. 'Freezing' the PSN system as soon as they detected the problem would have been a good idea.

There are plenty of people complaining about the data protection breach in online forums and blogs so I won't moan about it here, but I can say that it certainly isn't the first time this kind of thing has happened to an online store and definitely won't be the last. News reports just in the last month or so include...

• A few days ago, Rogelio Hackkett Jr. from Georgia USA pleaded guilty to using SQL vulnerabilities (database hacks) to obtain over 676,000 credit card numbers from different online companies. Worryingly, half of those were from one online ticket sales company which may not have even informed their customers of the breach! Credit card companies have traced more than $36 million in fraudulent transactions to those accounts.
• A couple of weeks ago several servers at WordPress (the blogging people) were hacked wide open potentially revealing account details of the 18 million publishers who use WordPress.
• In February a hacker got into a Nintendo 3DS promotional site and grabbed personal info (including email addresses) of thousands of Nintendo members. After failing to blackmail Nintendo they posted some of the details online and promptly got arrested by Spanish police.
• Also in February Yevgeny Anikin of Russia pleaded guilty to stealing $10 million from former Royal Bank of Scotland (RBS) company WorldPay back in 2008 by hacking into accounts there.
• In January the user details (possibly including PayPal account info - depending upon whose report you read) of 28 million members of the dating site PlentyOfFish were open to hackers. Passwords were apparently stored in plain text.
• The cosmetic group Lush were hacked and customer info including credit card details were stolen for orders between October 2010 and January 2011.
• In October 2010, Lin Mun Poo of Malaysia was arrested at JFK airport with a laptop containing 400,000 credit card, debit card and bank account details he had obtained after hacking into systems belonging to financial institutions, international banks, defence contractors, major corporations and FedComp (who look after several Federal Credit Union organisations). He traded and sold the information he obtained.
• Not long ago Epsilon who manage email campaigns for around 2500 world-wide companies such as Dell, Barclays Bank, BestBuy, CitiBank, Marks & Spencer, Ritz Carlton, Target, TiVo and Verizon had their data stolen. It didn't contain credit card or bank info but it did contain customer info and email addresses which could be used for huge scale phishing attacks. Epsilon send out 40 billion emails a year on behalf of their clients so you can imagine how many peoples details they hold.
• In December 2009 an SQL injection attack took place against the social network application maker RockYou.com in which 32 million login details were stolen, including those for users of Facebook and MySpace. Sadly (or stupidly) they apparently stored this information in plain text, i.e. unencrypted!
• According to the recently released Verizon/US Secret Service 2011 data breach investigations report, 50% of data breaches reported last year were from systems being hacked. 17% of data breaches were the result of privilege misuse (i.e. an insider accessing the data). 49% of data breaches involved malware (which is worrying!).
• And many more...

So who is to blame in the Sony case? Some are pointing the finger at Sony for having a vulnerable system. Without knowing how the hackers got in it is difficult to say. If Sony were lapse then they should take responsibility and perhaps offer compensation, but it may well be a third party system which was to blame (e.g. an SQL or Web server vulnerability) of which they were unaware. Of course it could be that the recent PS3 hacking information posted online was a key factor in people finding an exploit to the PSN network. This is why I get wound up when some online users complain that the system should be open and anyone should be able to hack it as much as they want. This would be yet another reason why that is a bad idea. Whatever blame you may put on Sony, nobody can deny that the thieving scum that broke into the system to steal the personal information of innocent gamers is definitely at fault. It's not even smart people most of the time who disrupt or break online systems. It is 'script kiddies' who download software written by someone else, without the knowledge or interest or brain capacity to know how it works but simply that it will cause annoyance to innocent users. And they think that bragging about it online gains respect or makes them look clever. No. Rant over.