Sony Still Digging Its Way Out of Breach Investigation, Fallout

Sony knew of the vulnerabilities that led to the breach, a noted security expert tells Congress

With plot twists turning as fast as a Hitchcock story line, the news coming from Sony's camp and the security community at large regarding a breach at the company that exposed more than 100 million account records shows that investigators could still be scratching at the surface of the damage wrought by hackers.

Sony opened up the week with the announcement that it had discovered an additional 25 million records of Sony Online Entertainment customers were exposed through the attack -- above the initial 77 million Sony PlayStation Network customer records it had discovered exposed in mid-April. This followed a Sunday news conference during which Sony CIO Shinji Hasejima personally apologized to customers for the intrusions and explained what went wrong to cause the breach.

The attack was launched from an application server that sits behind a Web server and two firewalls on Sony's network, Hasejima said. "It was a very sophisticated technique that was used to access our system. The initial attack was disguised as a purchase, so wasn't flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall."

On Monday, Sony sent customers a letter that claimed its "main credit card database" was not exposed, but that hackers did gather credit card information for tens of thousands of customers through an unprotected out-of-date database.

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-U.S. customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained," the letter read.

It is not unusual for a company like Sony to keep discovering more layers of an incident's damage as investigators dig into the forensic evidence, says Alex Cox, principal research analyst at NetWitness. "As companies uncover the techniques and technologies involved with a breach, they typically discover additional intrusions," says Cox, who has helped companies deal with similar breach scenarios in the past. "This occurs in most types of these investigations in my experience."

Many within the security community have blasted Sony for its overall security laxity, as well as its practice of keeping credit cards lurking on old databases in the first place.

"This incident underlines that in the world of security, just because something is simple doesn't mean it is unimportant," says Jon Gossels, CEO of SystemExperts. "In this case, an out-of-date database served as the entry point. It's not sophisticated, not fancy, but you've got to take care of the basics."
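The recurring lesson in the account above is that cardholder data was still sitting in a 2007-era database nobody was watching. The following retention audit is an added example (not code from Sony, its investigators, or the article's sources): it walks every table in a database, flags columns whose values look like primary account numbers (13 to 19 digits passing the Luhn check), and marks the table stale when its newest record is older than a retention cutoff. The schema, rows and cutoff are constructed for the example; the card numbers are the standard test-card values, not real accounts.

```python
"""Retention audit for forgotten cardholder-data stores (added example, not from the article)."""
import re
import sqlite3
from datetime import date

# Constructed sample: one live order table, one forgotten 2007 billing table, one harmless table.
SAMPLE_SCHEMA = """
CREATE TABLE orders_current (id INTEGER, email TEXT, pan TEXT, updated_at TEXT);
CREATE TABLE legacy_billing_2007 (id INTEGER, card_number TEXT, expiry TEXT, updated_at TEXT);
CREATE TABLE product_catalog (sku TEXT, title TEXT, updated_at TEXT);
"""
SAMPLE_ROWS = [
    ("orders_current", (1, "a@example.com", "4111111111111111", "2011-04-20")),
    ("legacy_billing_2007", (1, "5500000000000004", "09/09", "2007-03-15")),
    ("legacy_billing_2007", (2, "4012888888881881", "11/08", "2007-06-01")),
    ("product_catalog", ("SKU-1", "Widget", "2011-05-01")),
]

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """A value is treated as a card number only if it is all digits of PAN length and passes Luhn."""
    return isinstance(value, str) and bool(PAN_RE.match(value)) and luhn_ok(value)


def build_sample_db() -> sqlite3.Connection:
    """Build the constructed in-memory database used by the audit demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for table, row in SAMPLE_ROWS:
        placeholders = ",".join("?" * len(row))
        conn.execute(f"INSERT INTO {table} VALUES ({placeholders})", row)
    return conn


def audit_cardholder_data(conn: sqlite3.Connection, as_of: date, max_age_days: int = 365):
    """Return one finding per column that holds PAN-like values, with a staleness flag.

    A table is stale when it has no updated_at column or its newest record is older
    than max_age_days before as_of; stale tables holding PANs are the ones to purge.
    """
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        rows = conn.execute(f"SELECT * FROM {table}").fetchall()
        if not rows:
            continue
        for idx, col in enumerate(cols):
            hits = sum(1 for r in rows if looks_like_pan(r[idx]))
            if hits == 0:
                continue
            newest = None
            if "updated_at" in cols:
                newest = date.fromisoformat(max(r[cols.index("updated_at")] for r in rows))
            stale = newest is None or (as_of - newest).days > max_age_days
            findings.append({"table": table, "column": col, "pan_rows": hits,
                             "newest": newest, "stale": stale})
    return findings


if __name__ == "__main__":
    for f in audit_cardholder_data(build_sample_db(), as_of=date(2011, 5, 3)):
        flag = "STALE - purge or re-home" if f["stale"] else "active"
        print(f"{f['table']}.{f['column']}: {f['pan_rows']} card-like rows, newest {f['newest']}, {flag}")
```

Run against a real inventory, the same loop would be pointed at each database the organization knows about, with the Luhn filter keeping order IDs and phone numbers out of the findings; the stale flag is what separates a live payment table from the kind of outdated store the letter describes.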

Sony told The Wall Street Journal yesterday that it had brought in three security firms, Protiviti, Guidance Software, and Data Forté, to help with the investigation and forensic work. Though the company has not confirmed who is responsible for the breach, it did say in a letter to the U.S. House of Representatives that it had discovered what it believed was a calling card from the renegade group Anonymous left behind on its servers. Sony says a file called "Anonymous" was left on the breached server. "We Are Legion" was written in that file -- a reference to a catchphrase frequently used by Anonymous.
