H4cked Off: Pity the CSO

10 Jun 2011

Computing reporter Stuart Sumner

This week a sizeable chunk of masonry detached itself from the building opposite the Computing offices and plummeted to the Soho streets below.

Fortunately a parked car was the only casualty. I understand there will be no legal repercussions for the building owners, because they're now intending to appoint a chief masonry officer.

Similarly, my four-year-old son would ordinarily be in grave trouble for refusing to listen to me last night when I told him it was time for bed, but I understand he's looking at appointing a chief behavioural officer, so that's the end of it.

This being a security blog, hopefully by now most of you have realised I'm talking about the recent actions of secure token specialists RSA, and consumer tech giants Sony.

Both firms have seen their brands dragged through the mire of late as a result of security failings. Both have since sought to wipe away the mud and restore a bit of gleam through the creation of a new role, that of the chief security officer.

In both cases, the role will, at least initially, be a bit of a poisoned chalice. Perhaps not on the scale of anyone hapless enough to allow himself to be put in charge of the England football team, but a sticky wicket nonetheless.

In the case of corporate behemoth Sony, much appears to be wrong. I've written recently about the persistent nature of its data breaches so I won't go into detail here. But suffice to say if its security policies were a hard hat, I wouldn't stalk the streets of Soho in it just at the moment.

When a large and disparate corporation with myriad servers storing presumably countless petabytes of data suddenly and unexpectedly finds itself targeted by the world's hacking elite, the pain is going to be deep and enduring.

There's no security switch that it can flip to 'on'. Given the sloth's pace of Sony's response to its security troubles, it seems apparent that it had either no, or at best severely deficient, policies in place for dealing with breaches.

And RSA is little better. It too has been accused of a ponderous response to its attack, which it describes as 'extremely sophisticated' and others describe as 'fairly basic, you just weren't very well prepared'.

The point is it takes time, certainly months, to improve security across an organisation. The larger the enterprise, and the more disparate its services, the more likely those months roll on into years.

Multiple security solutions need to be implemented to create that mystical 'layered approach' that security evangelists like to preach.

Penetrate one layer? Here's another. Accessed our network? Well done, you won't find anything though. Found something? Tough, it's encrypted. Found the encryption key? Fire the chief security officer...

And that's why it's a poisoned chalice. In the short term these appointments are an attempt to reassure customers that similar troubles won't happen again. And if they do? Well you've got a nice scapegoat installed to take the bullet.

Stuart Sumner, chief reporter, Computing

H4cked Off: OMGWTFBBQ!

20 May 2011

Computing reporter Stuart Sumner

If you've ever frequented an internet forum, besides dodging the incessant sniping, flaming and accusations of being just like Hitler, you might have seen the odd acronym that I've chosen as this week's title.

Whilst I won't translate it for you (come on, it's not hard to work out), I will describe it as an expression of extreme frustration. That's the sort of emotion you might be feeling right now if you're a Sony customer.

Not content with leaking the personal (and in some cases financial) details of over 100,000 customers following a cyber attack, it has stumbled, Harold Lloyd-like, into a succession of security and PR failures since.

Let's have a look at what Sony's done so far:

• Took a week to tell anyone about the breach. Given the extent of the attack, and that other DDoS attacks were being perpetrated simultaneously, you could argue that it should be forgiven for this one.

• Complained (in a letter to the US House of Representatives) that it was hard to detect the hack. Yes, welcome to the internet. Hacks are often hard to detect, that's often sort of the point.

• Complained that it was hard to know what was stolen because the hackers deleted the log files: see above. Log files are all well and good but if your forensic capability begins and ends with log files then you're living in 1996.

• Finally began to bring the PlayStation Network (PSN) back online... then immediately had to take it down again because everyone was changing their passwords and the system couldn't keep up. Not a massive issue, but what were they expecting people were going to do when access was restored?

• The PSN comes back online again... then the password reset pages are taken down as reports of another vulnerability emerge, where anyone can hack an account simply by knowing the username and the date of birth used in its creation.

At the time of writing the PSN is up across most countries, and normal services appear to have been restored... for now.

But what can we learn from Sony's experience? Hackers are good at what they do? Everyone is vulnerable, even (or perhaps especially) large organisations? Nothing new there.

Since the initial attack, Sony has engaged external security advisers both to plug the security hole, and help to ensure there aren't others. It has also announced that it will appoint a new CISO (chief information security officer), who will report directly to the CIO.

To my mind, given the scale, severity and notoriety of the problem, it doesn't appear to have done an awful lot. And the reason is that ultimately it doesn't need to. It all comes down to financials, quelle surprise. Sony needs to balance the cost of its restorative measures against the cost of doing nothing.

And the cost of doing nothing is very low. Plug the breach sure, as making exactly the same mistake twice will incur the wrath of the governments of several countries in which the corporation operates. But don't go overboard. Don't bother changing your infrastructure, or stripping out your existing (and patently ineffective) security measures and replacing them with more layers.

The harsh reality is Sony just needs to make a few of the right noises, give its customers a little compensation (both of which it has done), and then it's back to business as usual.

After all, its customers just want to get back to playing games. They're not all going to switch to Xbox Live; they've invested in the PlayStation platform and its games, so very few will jump ship. OK, they might type a few obscenities onto internet forums, some may even go as far as OMGWTFBBQ, but they'll be back on the PSN soon enough, credit card details and all.