Sony's PlayStation Network was hacked earlier this year, but what did the company know about it, and could other companies fall victim?
Technology companies are in a frontline war against a new security threat. Politically and economically motivated groups have begun to target high-profile companies and their websites. The primary target appears to be technology and Internet companies.
Sony has just endured a very high-profile hacking to illustrate the new danger – but what did the company know about the hack, and when? This question has been pondered by industry watchers ever since the company revealed that its PlayStation Network – which links gamers through the Internet to pit their skills against each other – was hacked and personal data 'may have been' accessed. The data in question included name, password, address, email and even credit and debit card information.
This means that Sony PlayStation Network members whose details were compromised face the prospect of possible fraudulent activity in their bank accounts. They could (and probably should) cancel their cards, but they will still have a heightened risk profile in relation to phishing attacks and identity theft.
When the network first went down, Sony suspected a security breach by hackers, but initially was not certain. The issue was important enough that the company immediately issued a statement that the network would be down for at least two days
However, rather than being a relatively simple prank by teenagers using kiddie scripts in their bedrooms, a potentially more complex and serious motive began to emerge.
Sony had recently been identified as a hacking target by the global hacking group Anonymous when it threatened to ban for life some developers who claimed that Sony was installing a rootkit onto PlayStation Network customers' consoles.
A rootkit is a piece of software that automatically installs itself on a client device clandestinely without the owner's knowledge or permission. It has negative connotations because it is often used by virus writers to compromise the security on a host machine.
Rumours initially began surfacing in discussion groups earlier this year that the official 3.56 firmware upgrade for Sony's consoles gave the consumer electronics giant the ability to execute code on the PS3 as soon as a user goes online.
Sony could, it was suggested, use the technology to verify system files or to look for home-brewed games. More sinister still, the rumours warned, the code could be updated without further firmware updates.
The more excitable elements of the gamer community, as well as tech blogs and gaming sites, cried foul over the move, with many describing it as the introduction of hidden rootkit-style functionality.
Chris Boyd, security researcher at GFI Security, points out the development is not new; Sony has retained the ability to carry out remote updates since at least 2006.
'It's been common knowledge that a networked PS3 will communicate with Sony servers at start-up whether it has an active PlayStation network account on it or not, and this performs various tasks related to error logs, updates and other activities,' Boyd says.
Most likely, the suspicions were fuelled owing to an earlier incident involving a different division of Sony. A rootkit was found in Sony CDs back in 2005 which provoked a huge privacy outcry. Sony is therefore seen to have form – and suspicious users saw history repeating itself.
However, the PS3 firmware upgrade is nothing like as sinister, argues Boyd, who has keynoted on XBox and online gaming security at several security conferences. 'Comparing a botched attempt at blocking hacks to the CD rootkit is senseless.'
Sony's music division had bundled copy-protection on its music CDs that meant a rootkit secretly installed itself on a hard-drive if they were played on Windows PCs. This created a security vulnerability on affected machines that could have been exploited by other hackers. Sony withdrew the technology following an outcry.
Comparing the PS3 firmware update the the Sony CD rootkit fiasco misrepresents what has actually been done or the practical risks of the move, according to Boyd. 'It's only a concern if you're interested in modifying your kit – which in itself is not a crime, but Sony has the right to ban.'
Sony recently earned the enmity of the gamer and security communities by suing hackers who figured out a way to run 'unsigned' code on PlayStation 3 console. Commentators and bloggers have subsequently been inclined to assign the malign motives to any changes Sony makes to its console.
It wasn't until day three of the outage that it emerged Sony had actually taken the network down on its own to block an ongoing external intrusion. The company wasn't rushing to bring the PlayStation network back online and instead focused on rebuilding and trying to enhance its now pulverised network security.
Some commentators have suggested that Sony must have suspected that data – and potentially collossal amounts of it – had been compromised, and yet the company said nothing. True enough, it kept customers up to date on the network outage (after all, they could hardly have failed to notice), but it did not alert them to the possibility of a data breach until almost a week into the attack.
By this point of course, there had been ample opportunity for customer data to be passed on to malefactors – data that might include a credit card number, email, and billing address. One thing that, remarkably, the hackers did not get is the credit card security code; the three-digit number on the reverse of your credit card – as this is typically not kept on any credit card database.
Who are the hackers?
There are a number of hacking collectives who have been linked with the attack. Sony spokespeople were keen to point the finger at Anonymous, which has in the past been active in taking down sites in defence of Wikileaks and its editor-in-chief Julian Assange. It has no formal membership or structure; rather it is a leaderless campaign of digital disobedience based on ideology of online freedom and collective action.
However, Anonymous denied any involvement and immediately announced a 'disbandment' – tricky at best, in a movement without a structure. Sure enough, in April a splinter group, LulzSec, emerged comprising a small core of Anonymous's most active and vociferous participants. After the arrest in the UK of alleged member Ryan Cleary, LulzSec announced it too would 'disband', and its activities appeared to dissipate. However, they emerged once again in the wake of the phone-hacking scandal involving News International, when the Sun website appeared to be hacked and published a story announcing the death of Rupert Murdoch.
To date, Sony has not declared the full financial impact of the cyber attacks on its PlayStation Network, but Tim Schaaf, the president of Sony Network Entertainment has been quoted as saying that it has cost the company $171m so far and that it will incur costs as a result of cleaning up after the hack. The company's profits have plummeted in its latest quarterly results, although this is thought mainly to be due to the Japan earthquake and the subsequent component shortage and loss of productivity.
Sony also plans to offer ID theft protection for 12 months after enrolment. PlayStation Network and Qriocity account holders have already received information on how to enrol. Those who have enrolled will receive monthly status reports and alerts if the program detects their personal information is being misused. The program also includes an insurance policy that provides up to $1m in relief for covered costs for a year after an identity theft incident.
The full extent of Sony's losses will doubtless become clearer in the months and years ahead. A wave of class-action law suits has already been launched in the US. Zurich American Insurance Co, a unit of Zurich Financial Services, has asked the Supreme Court of the State of New York to rule that 'it does not have to defend or indemnify Sony against any claims 'asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general.''
The insurance company is also suing units of Mitsui Sumitomo Insurance, AIG and ACE Ltd, asking the court to clarify their responsibilities under various insurance policies they had written for Sony, according to reports. To date, 58 class-action lawsuits in the US and three in Canada have been filed against Sony, and the company has apparently sent in claims in relation to one or more of these to Zurich American that it wants paid.
Zurich American says in its court filing that its policies only cover Sony for 'bodily injury, property damage or personal and advertising injury' and none of the lawsuits claim that these have occurred.
Yet Sony is just one example in the consumer technology market. Could other companies be affected in a similar way? The answer, according to Graham Cluley of security firm Sophos, is 'yes'.
'There is a trend where consumer companies are trying to differentiate themselves by offering value-added service only available using a network.'
Cluley points out that the processes and procedures in large companies have not really changed much in the last ten years, whereas the threat from malevolent hackers evolves from month to month.
The latest breed of 'hacktivists', points out Cluley, adds a new element of challenge for enterprise security practitioners. Because denial-of-service attacks are the primary weapon of these hackers, security teams must focus much more on the availability of networks than they had previously.
In the past, concerns about availability were primarily around handling usage spikes and growth. But with the abundant availability of off-the-shelf denial-of-service tools, a small number of malicious users can completely take down even a very large server farm.
'Even though we know that attacks are more prominent, companies are working with the same budgets that they have had for the last ten years,' says Cluley.
Facebook, for example, perhaps hopes to turn the poachers into gamekeepers. It is offering a $500 bounty to anyone who can find a vulnerability in its network and report it confidentially to the company.
'To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs,' Facebook said in a blog post.
'Our security team will assess each bug to determine if it qualifies,' Facebook said.
Facebook has also recently hired George Hotz, a celebrated Sony hacker known as 'GeoHot', but has not disclosed what he is doing for the company.
Although IT costs have a tendency to spiral without control, perhaps this is one cost companies cannot afford to ignore. *