Sony PSN Hacked: A Case Study of Security Issues in Information System

Sony PSN Hacked: A Case Study of Security Issues in Information System
Page content

Hackers Attack Sony

Hackers are attacking gaming technologies and the latest mobile technologies to plant viruses and steal personal details. After all, traditional computer networks and websites are usually so well protected that even the most advanced hacker often has to spend hours trying to find a way in past the security measures. A much easier target is the relatively new technologies such as mobile phones, tablet PCs and gaming machines such as the Sony PlayStation. These technologies do not have the same level of protection as the standard PC networks using firewalls and protected networks.

The recent issues with the PlayStation Network, where thousands of accounts were hacked, is evidence that hackers are trying, and succeeding, in breaking in to steal personal details from thousands of paying customers. The security is so lapse that the only way Sony could prevent the problem from reoccurring in the end was to close down the gaming network for a few weeks.

As stated in the New York Times, dated June 6th, 2011 Sony will probably take years to fix their security issues for the website, database and servers in the Sony infrastructure. Unlike Microsoft, a company that has had years in the process of improving security, Sony are way behind the times when it comes to security of their core services.

The Core Issues

Sony was attacked in a number of areas, including their website, network and gaming platform. The hackers from the Lulz hacking group had decided that Sony was fair game by the nature of their lapse security, and indeed they claimed that the objective was to prove that the Sony systems were easily breakable. They published names, personal details and user account details of people entering contests provided by Sony.

Several security problems were identified simply by entering specific searches in Google. The research undertaken by John Bumgarner of the Unites States Cyber-Consequences Unit (US-CCU), an independent research institute, identified numerous loopholes in various pages from Sony websites able to be exploited. The Java security console was easily accessible on several web pages. This provides access to underlying functions of the website including information. This is normally unavailable on a secure website server. Another aspect is easily available access to the identity management system indexed by Google.

PSP Hacked

The information gleaned from these lapses could be used to access servers, databases and other high value security resources. It seems that in the case of Sony, the hackers could virtually access any technology they wanted within the Sony infrastructure.

It has been stated that the security levels and infrastructure of an organization like Sony, containing several million accounts should (ideally) be comparable to an organization such as the Department of Homeland Security servers. Specifically, the list of issues included the following:

  • Access available to the Sony management console.
  • Sony network sites such as Sony Corporation of America, Sony Electronics, Sony Pictures and old websites such as Sony Santa including personal information were all accessible.
  • Employee information available via an access point in the identity management system.
  • Information available on IT managers which could be exploited to launch phishing attacks on the sites.
  • Hidden files could be accessed containing items such as links to password protected applications.
  • Servers providing information on Sony customers linking their information to Facebook.
  • The Riverbed Technology security management appliance had a user-id already populated, accessible to anyone through one of the Sony servers.

Lessons: Sony Implications

It is apparent that Sony’s security infrastructure, combined with a hacking group’s intent on showing how capable they are of breaking into systems, is a recipe for disaster. No server is impervious to attack, but for so many holes to appear in a security system containing millions of subscribers must imply serious consequences. Sony will need to analyze and fix their security systems from the ground up, and for every server, website, and database they have in their organization. It will be a huge undertaking but it will be a lesson learned the hard way not only for Sony but for other companies who have the same kind of lapse security in place.

One of the hardest tasks is going to be convincing Sony customers their information is now safe from attack. In an effort to rectify the situation and provide a more robust infrastructure, Sony are employing the use of a number of third-party security companies in addition to consulting with the Federal Bureau of Investigation in order to prevent further occurrences of these kind of hacking attacks. In the case of Lulz, their hacking attacks were backed up by thousands of dollars in donations to keep up their attacks on Sony and its enterprises. It is feasible that rival organizations were in on the act. However, that does seem unlikely as it would be a serious breach of competition law.

Sony is behind the times in implementing modern security mechanisms in their IT infrastructure in the final analysis. It will probably take Sony years to fix the situation. However, what could take even longer is gaining the trust of paying customers again.

References