Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 04-27-2011, 11:50 AM   #1
DVTimes
xxx
 
Industry Role:
Join Date: Jun 2003
Location: UK
Posts: 31,544
'Steal everything' era of hacking

The devastating attack on the PlayStation Network (PSN) is yet another illustration of how technology-savvy criminals are determined to get their hands on our personal information.

As gamers rued the missed opportunity for online play over the holiday weekend, hackers were able to embark on an Easter hunt around the PSN, picking up small clues which could lead to a bigger prize: card fraud and identity theft.

The hack, which has led to the network being unavailable for over a week, has left observers wondering if a company as vast and seemingly advanced as Sony can get hit, who out there is safe?

The answer, according to experts, is no-one - and something similar will almost certainly happen again.

"We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs.

He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information.

Soft targets

Because of the need to be widely accessible and easy-to-use, networks like PSN are seen as being more vulnerable to attack than banks or big retailers.

"Any lock can be picked," said Blaine Price, senior lecturer in computing at the Open University and an expert in data protection.

"The reason is that there's always a trade off in security between usability - being able to get at what you want to get at, and making it secure.

"Your online banking site is much more sophisticated."

Setting up a PSN account involves a lengthy and sometimes frustrating process of entering personal data - usually on a games controller. But this is a one-time inconvenience, as data is saved by the network so that next time around it only takes a few steps.

A more secure option would seriously hinder this process, Mr Price argues.

"A bank would usually use two-factor authentication, where you've not just got a password.

"It would be a real pain if every time you want to start up a game you had to scan your thumb, type in 15 digits and pull out a card reader.

"Any time you're just using a user ID and password, it's going to be a risk."

For networks like the PSN, or indeed, any system which encourages its users to share lots of data, this poses a massive problem.

Bombarded with countless passwords for a multitude of web services, users are prone to keeping the same or similar details for all.

Discovering the password on one account can often lead to clues about someone's online banking credentials, a far less difficult approach than attempting to hack the bank itself.

"The weakest link is always the individual," said David Emm.

"Clearly, trying to undermine a bank's security is a lot of effort. Whereas if you go after an individual, it's not going to be noticed, it's going to be easier to do."

Data minimisation

As news of the PSN breach emerged, the list of exposed details proved as serious as it was lengthy. Customers' names, date-of-birth, addresses and, Sony fears, their financial details were all compromised.

A more cautious observer would argue that an obvious method of preventing personal information from being taken is to simply never share it, but this is unworkable for people wanting to make use of the latest technology.

There is an on-going debate over just how much information is necessary for the safe and secure running of a service, and how much simply bolsters the company's marketing opportunities.

At the forefront of this debate is the Information Commissioner's Office (ICO), which said that as well as investigating whether Sony has adequate security measures in place, it will be taking a close look at exactly what data the company collected and why.

"Data minimisation is a security measure in itself," deputy information commissioner David Smith told the BBC.

"It's a very important data protection principle that you shouldn't collect excessive information or keep it longer than is necessary.

"The question about, for example, why an organisation asks for a specific date of birth, as opposed to an age band, is at the centre of our work."

In the meantime, Sony will be working to rebuild its network as securely as possible. For consumers however, worries will remain over the vulnerability of a system that they had previously trusted.

Other services too will be reviewing their own arrangements and seeking to assure customers that their details are safe.

Mr Price from the OU believes that networks must take a more open, transparent approach to security, sharing details about methods used so they can be peer-tested.

"The best thing for security is openness, believe it or not," he said.

"You publish the security method you've used, and that way experts can also test them. If lots of experts are testing your open security standard for a long time, that's usually an indication that it's pretty good.

"If you keep it secret, then it only takes one person to know the secret and then you're in trouble."

http://www.bbc.co.uk/news/technology-13213632
__________________
The Affiliate Program
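The data-minimisation point in the quoted article (store an age band rather than a specific date of birth, and don't keep records longer than necessary) as an added Python example. This is not code from the BBC article or from anyone in the thread: the field allowlist, the age bands and the two-year retention period are assumed policy values, and the sign-up record is constructed for the demo.

```python
from datetime import date, timedelta

# Assumed collection policy: the only fields the service needs to run an account.
# Everything else submitted at sign-up is discarded rather than stored "just in case".
ALLOWED_FIELDS = {"username", "email", "country", "age_band"}

# Assumed age bands; the service stores the band, never the date of birth itself.
AGE_BANDS = [
    (0, 12, "under_13"),
    (13, 17, "13-17"),
    (18, 24, "18-24"),
    (25, 34, "25-34"),
    (35, 49, "35-49"),
    (50, 200, "50+"),
]

# Assumed retention period: accounts idle longer than this are due for deletion.
RETENTION_DAYS = 730

# Constructed sample sign-up, deliberately over-collecting.
SAMPLE_SIGNUP = {
    "username": "player1",
    "email": "player1@example.com",
    "date_of_birth": "1985-06-15",
    "home_address": "1 Example Street, Example Town",
    "mothers_maiden_name": "Example",
    "country": "GB",
}
SAMPLE_TODAY = "2011-04-27"


def age_on(dob_iso, today_iso):
    """Completed years between two ISO dates; a birthday later in the year is not yet counted."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(dob_iso, today_iso):
    """Map a date of birth to the coarse band that is stored instead of it."""
    age = age_on(dob_iso, today_iso)
    if age < 0:
        raise ValueError("date of birth is in the future")
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError("age outside configured bands")


def minimise_registration(raw, today_iso):
    """Build the record the service stores and list the submitted fields it threw away."""
    record = {"age_band": age_band(raw["date_of_birth"], today_iso)}
    for field, value in raw.items():
        if field in ALLOWED_FIELDS:
            record[field] = value
    # date_of_birth was transformed into a band, not merely dropped, so it is not reported
    dropped = sorted(set(raw) - set(record) - {"date_of_birth"})
    return record, dropped


def stale_accounts(records, today_iso, retention_days=RETENTION_DAYS):
    """Usernames whose last activity is older than the retention period."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r["username"] for r in records
            if date.fromisoformat(r["last_active"]) < cutoff]


if __name__ == "__main__":
    stored, dropped = minimise_registration(SAMPLE_SIGNUP, SAMPLE_TODAY)
    print("stored:", stored)
    print("dropped:", dropped)
```

The band is computed once at sign-up and the date of birth never reaches storage, so a later breach of the account table exposes "25-34" rather than a value usable for identity fraud; the retention check is the other half of the ICO's principle, finding records that should no longer exist at all.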
Old 04-28-2011, 10:33 AM   #2
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by DVTimes
The hack, which has led to the network being unavailable for over a week, has left observers wondering if a company as vast and seemingly advanced as Sony can get hit, who out there is safe?

The answer, according to experts, is no-one - and something similar will almost certainly happen again.
As a licensed security officer and investigator with 15 years of internet security experience, I'm of the opinion that this is rather misleading. "a company as vast and seemingly advanced as Sony" is a giant bureaucracy, driven almost entirely by marketing, with most decisions being made by people who know nothing at all about security. Giant bureaucracies like that, in my experience, hire a computer science degree without regard to the cluelessness of the person holding it. We've conducted several short interviews with people who, when we saw they weren't nearly competent enough to work for us, soon got a job with a big name bureaucracy.

So if they get hit, who is safe? Any company that cares enough to actually pay attention to security and work with a knowledgeable security professional is pretty safe. The vast majority of hacks happen because of a very few rookie mistakes in configuration and code. A couple of hours developing security policies and then FOLLOWING those policies will make you safer than 95% of sites, and the bad guys normally go after the easier targets.

Quote:
"The reason is that there's always a trade off in security between usability - being able to get at what you want to get at, and making it secure.
There IS a trade off, and you can CHOOSE to either make your script "work" by chmodding everything 777, or you can choose to set permissions correctly, which means taking a few minutes to pay attention to what you're doing (or choosing to hire people who pay attention to doing things right). You CAN choose to be safer than Sony. They obviously made some rookie mistakes. If you choose to be lazy, that will be easier for now, but eventually, maybe this year or maybe next year, you will have a major problem. You will reap what you sow, eventually.

For example, systems we've designed, like Sony's, have a publicly accessible interface, and a billing system which has credit card information. The difference is, our public systems, like our web site and the admin or game interfaces, are not connected to and have no access to the credit card systems. No matter what hackers did through our public systems, we would have no worries about credit card data, because there's no path from the public system to the billing; they are separate networks. There is no reason for data to flow in that direction. Sony DECIDED to be lazy and set it up that way, and now they are paying the price.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

Last edited by raymor; 04-28-2011 at 10:34 AM..
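raymor's two points above, setting permissions correctly instead of chmodding everything 777, and writing a policy you then actually check, as an added Python example. This is not raymor's code and not Strongbox; the directory layout is a constructed sample web root, and the check covers only the one rookie mistake he names (world-writable files and directories), not a full permissions audit.

```python
import os
import stat
import tempfile


def world_writable_paths(root):
    """Files and directories under root that any local user may write to (the 'chmod 777' mistake)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; its target is checked in place
            if st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def relative_findings(root):
    """Same as world_writable_paths, reported relative to root for readable output."""
    return [os.path.relpath(p, root) for p in world_writable_paths(root)]


def remove_world_write(paths):
    """Apply chmod o-w: clear only the 'other' write bit, leaving owner and group bits as set."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)


def mode_of(path):
    """Permission bits of path as an integer, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_demo_tree():
    """Constructed sample web root: mostly sane permissions with two world-writable mistakes."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.chmod(root, 0o755)
    for sub in ("lib", "uploads"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    files = {
        "index.php": 0o644,
        "config.php": 0o640,     # secrets: owner and group only
        "lib/db.php": 0o777,     # mistake: world-writable code
        "uploads/.htaccess": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)  # set explicitly so umask does not decide the demo
    os.chmod(os.path.join(root, "uploads"), 0o777)  # mistake: world-writable directory
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("world-writable before:", relative_findings(root))
    remove_world_write(world_writable_paths(root))
    print("world-writable after:", relative_findings(root))
```

The fix clears only the bit that makes the path writable by every account on the box, so the owner (and group, where the script genuinely needs it) keeps write access and the site keeps working; run the finder on a schedule and the policy is being FOLLOWED rather than just written down.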
Old 04-28-2011, 10:37 AM   #3
L-Pink
working on my tan
 
Industry Role:
Join Date: Mar 2005
Location: Florida/Kentucky
Posts: 39,151
raymor, nice post.