Sony’s Fatal Flaw
In recent weeks, everyone has become aware of the massive attack that Sony incurred. The exploitation of a commercial network like that is very noteworthy. Many people are angry that they can’t play their games online, some are upset that their usernames, passwords, and other identifiable information have been exposed. Obviously something like this can hardly be considered a good thing, however I think this brings to light some issues that will become increasingly relevant in years to come. I honestly believe there are some valuable lessons can be taken away from this.
Sony, I’m sure, has learned the value of pen-testing. While the nature of the exploit hasn’t exactly been clearly revealed, most accounts point to a simple exploit. Careful pen-testing might have revealed this. Hopefully, Sony has learned a valuable lesson about the responsibility a company has to protect their customer’s information.
From most accounts Sony will have to spend billions to rectify this situation. While I would like to be quick to point the finger at Sony, I’m not entirely convinced it’s warrented. I think that perhaps that it is fortunate that this happened to a company that can likely withstand the backlash that this will create. I sincerely hope that this has opened the eyes of company executives everywhere. This could have been any company. I’m not entirely convinced that Sony’s infrastructure was inherently less secure than any other retail operation on the internet. While this is certainly a large security breach, I’m relatively surprised that there haven’t been more. The scale of this breach serves to make it more visible, which I think will lead people to take these issues more seriously. If it happened to a smaller firm that could more scarcely afford the monumental cost that this will incur, it may not have been more than a foot-note on the back of the news paper, and a 30 second new spot on some local news channel.
The Play Station Network is a relatively closed thing. Typically most of the network is only accessible from a few types of devices. While I probably should do some FAQ checking on this, presumably transmitted over SSL. There seems to be some question whether the credentials are hashed properly prior to transmission, however, there is a clear effort toward security. Mal-ware and viruses are difficult to develop for game consoles, and are exceedingly rare if existant. A key-logger would be next to useless on a PS3, being that most people don’t connect a keyboard and mouse, so it would take a long time to map key presses to meaningful information. So they had a right to believe that the client end was relatively secure. They were right here.
Now we can debate the effectiveness of those meaures, however, my purpose is not to dictate that their measures were sufficient, as they clearly weren’t, but to compare them with a traditional web vendor. There are a lot of web applications with weak authentication mechanisms, vulerabilities to SQL injection, or all manner of other nasty vandalism. In Sony’s case, it appears that the failure was server side. Most Windows based machines are prone to all of the threats that game consoles are specifically resistant to, but I don’t think most PC based vendor’s are much better secured. Ecommerce, contrary to predictions of many analysts in the 90’s is not a fad, and is not going anywhere. I would bet there are a large number of web-based vendors who have not put sufficient thought in their security strategies. It would greatly benefit them if they were proactive in their efforts rather than reacting to a breach. What does client security have to do with it, you might ask. Well, simply put if one account on the site is comprimised (ahem…like a developer account, admin account, or just an account with a credit card number) it’s often possible to use that account to get others. Examining their service’s weaknesses, not only for the benefit of their clients, but to hedge legal liability only makes sense. Please don’t mis-understand me, obviously there needs to be a balance between security and functionality, however this does not mean that security should be cast to the wind.
Ok, so I’ve talked about web-based vendors, and their role. Are they solely responsible? I really don’t think so. I think this should be taken as a cautionary tale to users, shoppers, and web-service subscribers alike. I think this is a call to consciousness about what we authorize to keep on file for us. Maybe it’s worth the extra minute and a half to enter your credit card again. One-click purchasing is certainly convenient, however, I think consumers need to balance the value of this convenience against the value of what it would cost if their information were compromised. Once again, that balance needs to be struck between security and functionality, however I have to wonder how cognizant people are of the information they put out there.