Sony Still Digging Its Way Out of Breach Investigation, Fallout

Sony knew of the vulnerabilities that led to the breach, a noted security expert tells Congress

Dark Reading Staff, Dark Reading

May 4, 2011

5 Min Read

With plot twists turning as fast as a Hitchcock story line, the news coming from Sony's camp and the security community at large regarding a breach at the company that exposed more than 100 million account records shows that investigators could still be scratching at the surface of the damage wrought by hackers.

Sony opened up the week with the announcement that it had discovered an additional 25 million records of Sony Online Entertainment customers were exposed through the attack -- above the initial 77 million Sony PlayStation Network customer records it had discovered exposed in mid-April. This followed a Sunday news conference during which Sony CIO Shinji Hasejima personally apologized to customers for the intrusions and explained what went wrong to cause the breach.

The attack was launched from an application server that sits behind a Web server and two firewalls on Sonys network, Hasejima said. It was a very sophisticated technique that was used to access our system. The initial attack was disguised as a purchase, so wasnt flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall.

On Monday, Sony sent customers a letter that claimed its "main credit card database" was not exposed, but that hackers did gather credit card information for tens of thousands of customers through an unprotected out-of-date database.

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-U.S. customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained," the letter read.

It is not unusual for a company like Sony to keep discovering more layers of an incident's damage as investigators dig into the forensic evidence, says Alex Cox, principal research analyst at NetWitness. "As companies uncover the techniques and technologies involved with a breach, they typically discover additional intrusions," says Cox, who has helped companies deal with similar breach scenarios in the past. "This occurs in most types of these investigations in my experience."

Many within the security community have blasted Sony for its overall security laxity, as well as its practice of keeping credit cards lurking on old databases in the first place.

"This incident underlines that in the world of security, just because something is simple doesn't mean it is unimportant," says Jon Gossels, CEO of SystemExperts. "In this case, an out-of-date database served as the entry point. It's not sophisticated, not fancy, but you've got to take care of the basics."

Sony told The Wall Street Journal yesterday that it had brought in three security firms, Protiviti, Guidance Software, and Data Fort to help with the investigation and forensic work. Though the company has not confirmed who is responsible for the breach, it did say in a letter to the U.S. House of Representatives that it had discovered what it believed was a calling card from the renegade group Anonymous left behind on its servers. Sony says a file called "Anonymous" was left in the breached server. "We Are Legion" was written in that file -- a reference to a catch phrase frequently used by Anonymous.

However, Anonymous says it was not involved in the breach. Through its AnonOps Communications blog, the group's leaders say that Sony was simply "incompetent."

"While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened," the blog said.

Regardless of who was responsible for the hacking attack, it is clear that Sony and its outsourced investigators and forensics experts have their work cut out for them in the weeks and months to come.

"Typical intrusion analysis involves a formal report at the close of the investigation that details who, what, when, where, and why. This can and should be used as a remediation guide in order to rearchitect the compromised systems to a more secure end-state," Cox says. "This sort of remediation activity typically involves bringing additional technology and personnel capabilities to help fill gaps that were revealed by the intrusion investigation."

However, some within the industry believe that more drastic measures need to be taken to satisfy shareholders and customers enraged by Sony's lack of security measures prior to now. Today the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the incident -- which Sony chose not to participate in beyond a letter -- in which respected security expert Dr. Gene Spafford of Purdue University noted that Sony knew of the vulnerabilities that led to the breach.

Spafford told the committee members that Sony was using an outdated Apache server that was unpatched and had no firewall installed, a fact that was reported on a forum monitored by Sony employees several months before the breaches occurred.

If true, these claims likely show a culture devoid of security emphasis. It's a common problem in enterprises today and one of the first things that needs to change if organizations are going to truly stem the tide of breached databases, Gossels says. "The only way to improve the situation is that organizations have to institutionalize security in their culture," he says.

As for Sony, the company may well need to clean house and name names in order to re-establish credibility and demonstrate true concern about customer data, says Phil Lieberman, CEO of Lieberman Software.

"I would love to know the name of the auditors responsible for the shoddy IT security audit of Sony, as well as the names of the CFO and CIO of Sony [who] was responsible for these decisions of under investing in security," Lieberman says. "Even better would be to see the CEO and the board toss them out of Sony publicly for not investing in security. That outcome would be justice to the stockholders and customers of Sony. Sony should also publicly fire their IT auditors for doing such a poor job."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights