The Green Sheet Online Edition
May 23, 2011 • Issue 11:05:02
The Sony breach is not a game
Among the conclusions security and payments industry insiders emphasize in the wake of the massive Sony Corp. data breach are: consumers should be more outraged, the most secure payment systems are the systems that hold no consumer data and no system is invulnerable to cyber attack.
There are also continuing concerns about how Sony handled itself post-breach. Sony said the theft occurred April 16 and 17, 2011, but the video game giant waited over a week to alert the public of the break-in after it was notified by third parties of the hack. So far Sony has discovered more than 100 million of its customers have had personal information compromised.
Though there have been reports of 2.2 million credit card and customer verification value numbers from the theft for sale on black market websites, Sony maintains it is unsure if any credit card information was stolen.
On May 3, Reuters reported the Sony breach could be the most expensive data breach in history and may cost Sony and credit card issuers up to $2 billion. Reuters believes most of Sony's expense after the data theft will be in addressing technical issues, setting up communications with customers and resolving credit card problems with affected cardholders.
Is Sony PCI compliant?
Many security companies contacted for this article refused to comment on the Sony breach. Additionally, the PCI Security Standards Council LLC (PCI SSC) would not address whether Sony was compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) at the time of the breach.
Tim Cranny, President and Chief Executive Officer of Panoptic Security Inc., speculated that data security firms are intimidated by the entertainment behemoth. "They may have been worried about getting involved with litigation," he said, adding that the companies may not want to upset a potential client.
But even determining something as seemingly simple as whether an entertainment merchant like Sony has to be PCI compliant, or who polices a company's compliance with the PCI DSS, proved surprisingly difficult.
In response to questions about whether Sony networks are required to be PCI compliant and subject to PCI regulations, the council's general manager, Bob Russo, said, "Regarding the circumstances of this and any other data breach incidents, the council does not monitor or track compliance, nor does it engage in forensics investigations, so we do not have insight into the details of any specific breach."
In a separate statement, the council said, "We do not have anything to do with compliance. The individual participating payment brands separately determine what entities must be compliant, including any brand-specific enforcement programs."
Paul Martaus, President of consulting firm Martaus & Associates, said, "It's up to the card brands to maintain the integrity of their brands. They choose standards by which everyone must become compliant. They do not have their own police, however. They outsource the responsibility for policing their brands to financial institutions."
Martaus added that if Sony is a registered merchant, you would need to determine its sponsoring bank to learn if the institution requires Sony to be PCI compliant.
The eight-page letter
Congressional hearings on the Sony breach were held May 4 before the House Subcommittee on Commerce, Manufacturing and Trade. Sony provided answers to 13 questions submitted by lawmakers, but did not testify due to its continuing investigation into the data theft.
In lieu of testimony, Kazuo Hirai, Chairman of Sony Corp. subsidiary Sony Computer Entertainment America, addressed an eight-page letter to the subcommittee where he publicly acknowledged for the first time the data theft was likely the work of a group of "hacktivists" who collectively call themselves Anonymous.
Hirai said neither Sony nor the FBI had yet identified the individuals responsible for the breach. "What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes," he said. "When Sony discovered data from its servers had been stolen, it also found the intruders had planted a file on one server that said, 'We are Legion.'"
Anonymous is pegged in the computer world as an anarchistic collective of programmers, often unknown even to each other, who collaborate on protests and other actions to promote Internet freedom and free speech online. The Sony breach is reportedly typical of the kind of action Anonymous is known for.
Hirai said the data theft came weeks after Sony was the target of a previous Anonymous attack that shut down the Sony network by flooding the system with distributed denial of service (DDoS) traffic. The Sony chairman said the attacks were likely in retaliation for Sony's decision to prosecute George Hotz, a Massachusetts gamer who the company believes is a member of FailOverFlow, a group that managed to hack Sony's PlayStation console to run pirated software on the PlayStation network.
Hirai pointed to at least three possible reasons Sony did not know when its networks had been breached: the break-in was highly sophisticated; the hackers found a hole in the software of which the company was unaware; and Sony technicians were so busy fending off DDoS attacks that they missed the break-in.
"Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," Hirai noted.
Hirai's letter said Sony hired three unnamed firms to conduct forensics investigations of its network breaches. The Wall Street Journal reported those companies are international security consulting firm Protiviti Inc., Pasadena, Calif.-based software solutions firm Guidance Software Inc. and the software development firm Dataforce Development Force headquartered in Santa Cruz, Calif.
Sony reportedly hired the international law firm of Baker & McKenzie to represent it in the data breach matter. The Wall Street Journal also said it confirmed that hackers got into the Sony system through a Malaysia-based server.
Responses to Sony's answers
Subcommittee Chairman Rep. Mary Bono Mack, R-Calif., was critical of Sony's response to the data theft. "I hate to pile on, but - in essence - Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them," she said. "If I have anything to do with it, that kind of halfhearted, half-baked response is not going to fly in the future. This ongoing mess only reinforces my long-held belief that much more needs to be done to protect sensitive consumer information."
Bono Mack was not the only one with concerns about the Sony response to the data theft. Security professionals also expressed doubts. Security consultant Cranny said, "I'm surprised the basic information has to be publicly dragged out of Sony like this. I'm surprised at how long it took Sony to take charge of this story and face up to the issues."
Cranny believes that from a public relations perspective, Heartland Payment Systems Inc. did a better job of addressing private and public concerns following the processor's data breach in 2008. In that incident, information from an estimated 100 million cardholders was compromised.
Cranny noted that the PCI SSC has on a number of occasions followed a major theft of information with forensic analysis of the break-in. "So far, no one has been both breached and PCI compliant at the time of breach," he said. "It is impossible to know if a company is compliant. It is possible in theory to comply with DSS and still be breached, but so far that is not what the council has found. There is nothing that can make you invulnerable to attack."
Martaus has a more acerbic view. "It's a fallacy when the PCI council says there has never been a breach if a company is following PCI-compliant rules," he said. "But it's a Catch-22. The other side of the coin is that, by PCI definition, a company that has been breached is not PCI compliant. The breach itself puts the company out of compliance. That's the only reason PCI can say a system in compliance has never been breached."
Cranny agrees with experts who say the best security system is the system that keeps no sensitive customer information at all. But that's not an option for everyone. "Sony did a risk assessment on what data to keep," he said. "Obviously something went horribly wrong."
Sony still claims not to know if the breach resulted in credit card account information being stolen. Hirai wrote to the subcommittee, "As of today, the major credit card companies have not reported that they have seen any increase in the number of fraudulent credit card transactions as a result of the attack, and they have not reported to us any fraudulent transactions that they believe are a direct result of the intrusions."
Approximately 12.3 million account holders worldwide had credit card information on the PlayStation network, with 5.6 million of those account holders residing in the United States, according to Hirai.
Hirai promised new security measures for the Sony networks, including: automated software to defend against attacks; more data protection and encryption; a greater ability to detect intrusions, unauthorized access and unusual activity; the addition of more firewalls; a move to a new data center with enhanced security; and the naming of a new chief information security officer.
Cranny believes the Sony breach has taught the industry at least one lesson: data piracy is getting more sophisticated and more focused.
"It is unacceptable for a large company to suppose it won't be attacked," he said. "The cost of the damages greatly outweighs the cost of doing the right thing in the first place. I think companies like Heartland and TJ Maxx [associated with the TJX Companies Inc. breach of 2007] and Sony would dearly love a second chance to address their problems in the first place rather than going back and fixing them."
Alan Paller, Director of Research at The System Administration, Networking and Security (SANS) Institute, said there is a 90 percent probability it was a phishing scheme that initiated the Sony breach.
"Almost all high-priority targets are attacked the same way," Paller said. "The hackers get in by fooling a system administrator into opening an infected attachment, allowing the hacker to easily take advantage of vulnerability. That's how they get in. Once in, it's coding errors in the regular software that lets them find the data."
Paller recommends companies practice good system hygiene. There are simple ways businesses can protect sensitive information, he said. They include:
- Store personal information and credit card data in encrypted files.
- Ensure programmers have security-minded programming skills.
- Put a team in place that can locate attacks quickly.
"You can't stop all perimeter attacks," Paller said. "It is very hard. There are only a very few people in the world who can do it. Still, 90 - 95 percent of the major companies do not have a team in place. It's tough. The bad guys are invisible."
Martaus said data security is a tough problem for the industry to solve and that the root of the problem is public apathy. "The reason breaches are occurring so frequently is the general populace is almost becoming inured to these break-ins," he said. "I know that doesn't sound good because we should be outraged by these data thefts. Instead we say ... it's part of the cost of doing business."