Sony just released a bit of info regarding the PlayStation Network and Qriocity breach that I’ve been dreading to read since March. Simply put, everyone’s personal information such as usernames, passwords, addresses, and possibly credit card and purchase information has been compromised due to an unauthorized intrusion into their network. I’ve said time and time again that a breach like this is peanuts compared to what happened at Gawker back in late 2010 and nowhere near the magnitude of the Epsilon breach a short while back. With over 70 million accounts affected and the depth of the sensitive information accessed, this is easily one of the largest security disasters in Internet history. To put it into perspective, this is the equivalent of almost a quarter of the population of the United States becoming vulnerable to identity theft overnight. So who is to blame for this? Does the blame game make an all-out assault on Sony? Are Anonymous and the hacker splinter cell that piggybacked on their tactics the ones we tar and feather? Or are we the ones responsible for this attack via our growing hive-mindish and egotistical outlook on the world?
The old saying of “fool me once, shame on you; fool me twice, shame on me” applies to a broader degree in today’s globalized economy. The importance of Internet security has been beaten to death over the years, with issues ranging from the insecurities of IPv4 to viruses such as Conficker, and from identity theft to brute-force database breaches. The 2000s transformed the Internet into the most dangerous playground of them all as hackers became smarter on a playing field that had remained largely the same since the mid 1990s. As the war on the wired frontier has heated up, a war on the wireless frontier is just beginning to brew. So when all these previous warning signs regarding the protection of your consumers’ information arise, you expect every sensible company out there to take measures to ensure that a breach doesn’t happen on its own turf.
The Gawker hack was the tipping point that should have led every major corporation out there to completely re-analyze the consumer protection security systems it had in place. It’s not that recent security breaches were performed by some elite group of super-hackers. All it took was a small group of young people who simply understood how the Internet worked. Their knowledge, at best, is comparable to that of professionals working at major security firms such as Kaspersky or Norton. The Gawker breach made consumers rethink how they use passwords, and it should have made companies dealing with sensitive consumer information rethink how they protect their users.
Sony chose to ignore that, whether for reasons driven by financial concerns or reasons driven by hubris. It isn’t cheap to bring in a firm to completely overhaul a network that deals with 70 million people worldwide. Suddenly explaining to investors why millions of dollars were just carved out of this quarter’s financials, potentially causing Sony to fall short of analyst forecasts and expectations, is possibly just as costly a move. So Sony chose to ignore the turmoil occurring in the online industry and opted to keep its fingers crossed in hopes that such a breach wouldn’t happen to them.
Then came the first major warning sign. In February a hacker published a report giving detailed information on how insecure the PlayStation Network was, describing how certain sensitive user information was obtained with minimal effort. This information wasn’t isolated in any way; it was republished by a major PlayStation blog among other sites. It’s almost 100% guaranteed that this information reached Sony at some level of the bureaucratic hierarchy. Yet Sony did nothing. It was at this moment that a ticking time bomb became active, and it was only a matter of time until Sony’s own ineptitude caused it to blow.
Sony is definitely at fault here. The personal information of over 70 million people should never have been transferred across the network in pretty much unencrypted text format for anyone with a few simple tools to acquire. It is absurd that Sony would implement such lax security measures when dealing with the transfer of sensitive information such as credit card numbers and security codes. The PlayStation Network launched in 2006, over a year after the major CardSystems breach that involved the exposure of over 40 million credit cards. A year is plenty of time to implement security measures to prevent that. Over four years is definitely more than enough time to set a few million aside to revamp those security measures. Simply put, this PSN breach is unacceptable on Sony’s part. Sony’s sloppiness was fueled by either frugality or hubris, but the hit it would’ve taken by revamping the PSN’s security would have been far less costly than the aftermath it will experience due to this breach.
Blame the Hackers
Speaking of hubris, hackers are so bent on personal pride in their accomplishments that they often make the mistake of linking their exploits back to themselves. The Melissa worm, the Blaster virus, and the ILOVEYOU worm easily come to mind as major Internet security threats that were traced back to their creators, and arrests were made. Over the last few years, the hacktivist group known as Anonymous has risen out of the ranks of 4chan to act as a sort of “moral compass” for anonymous Internet users worldwide. Originally the actions of Anonymous were strictly for the lulz, with campaigns against Habbo, child-predator Chris Forcand, and the Church of Scientology. Somewhere around 2009 or 2010 Anonymous began to take a more serious spin, with its attacks becoming more politically and “ethically” motivated. Culminating with the HBGary disaster, Anonymous had outgrown its original mission of lulz to become an all-out hacktivist group bent on punishing those who infringed upon certain Western ideologies.
The thing about Anonymous is that they work in numbers. They pack a very big punch, and when the masses combine, the punch is devastating. For being such a disorganized group, they sure know how to mount an organized attack. The downside to this is that the more people are involved, the more likely it is for information to spread to people outside the group. This is precisely what happened in the Sony breach. The initial information regarding the PSN’s lack of security measures was greeted with skepticism when it was posted on PS3Crunch.