
Network World

Jon Oltsik

Sony PlayStation Breach: Sophisticated Attack or Insecure Internally-Developed Software?

Hint: Bad guys got in through a web application vulnerability

By joltsik on Wed, 05/04/11 - 2:12pm.

Even though RSA Security and Epsilon recently suffered security breaches of their own, Sony is getting the majority of the nightmare security headlines. Why? Probably because Sony and its PlayStation are more ubiquitous. Sony is a trusted brand that was producing high-end Trinitron TVs back in the 1970s, and anyone with young boys in the house probably owns a PlayStation or some similar gaming device.

Sony is under a lot of heat these days, so it is finally going public with some details about the breach and its impact -- and things are worse than first thought. First, Sony now says that the PlayStation breach may have compromised the personal records of as many as 77 million user accounts. Second, early reports that user passwords were encrypted turned out to be false. Instead they were transformed using a hashing algorithm. Since some hashing schemes aren't exactly bulletproof, this could also be a problem. Finally, Sony is getting dragged through the mud as the U.S. and other government bodies press the company for answers.
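To make the "hashed, not encrypted" point concrete, here is an added example (not Sony's code, and not from the original post) contrasting a single unsalted SHA-1 of a password with a per-user salted, iterated PBKDF2 record using only Python's standard library. The user names and passwords are constructed sample data. The observation worth taking away is that with an unsalted fast hash, two accounts that share a password produce the same stored value, so a leaked table is trivially cross-referenced; a random salt and an expensive key-derivation function remove that property and slow down offline guessing.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; two users who happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted hash of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """The stronger scheme: random 16-byte salt plus iterated PBKDF2-HMAC-SHA256.

    The iteration count is stored with the record so it can be raised later
    for new passwords without breaking verification of old ones.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def identical_unsalted_digests() -> bool:
    """True: same password, same unsalted hash, so the accounts are linkable."""
    return unsalted_sha1(USERS["alice"]) == unsalted_sha1(USERS["bob"])


def identical_salted_digests() -> bool:
    """False: the per-user salt makes the stored digests differ."""
    a = make_salted_record(USERS["alice"])
    b = make_salted_record(USERS["bob"])
    return a["digest"] == b["digest"]


if __name__ == "__main__":
    print("unsalted digests collide:", identical_unsalted_digests())
    print("salted digests collide:  ", identical_salted_digests())
    rec = make_salted_record(USERS["alice"])
    print("verify correct password: ", verify_salted(rec, "correct horse"))
    print("verify wrong password:   ", verify_salted(rec, "wrong"))
```

PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt (also in `hashlib`) or bcrypt is a better choice where available.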

Clearly Sony has "some 'splainin'" to do, as Ricky Ricardo might say. Sony has consistently called the breach a "sophisticated attack." Hmm, maybe, but here is a link to a diagram that illustrates how the attacker bypassed the firewall and the application to gain access to the database (http://www.siliconrepublic.com/strategy/item/21637-how-the-hackers-breac...).

Assuming that the PlayStation Network site is a public site on the Internet that users can access, it appears that the attack resulted from the exploitation of a web application vulnerability. If so, this isn't very sophisticated at all. The same type of thing just happened to Barracuda Networks a few weeks ago.

So if this breach was in fact the result of a web application vulnerability, here are a few of my thoughts:

1. Everyone thinks they write good software but they often don't. In a recent survey of critical infrastructure organizations in the U.S., 30% of firms had experienced a security incident directly related to the compromise of internally-developed software. Most of these companies also believed that their homegrown software was secure. Seems like a disconnect to me. I suggest that software developers review some of the published material from SAFECode or the Microsoft Secure Development Lifecycle (SDL).

2. Web application vulnerabilities happen; they are a function of writing software. The task at hand, however, is to introduce software assurance practices into software development processes to minimize risk. At the very least, progressive companies should make sure to review and test against the SANS Top 25 software errors (http://www.sans.org/top25-software-errors/). Did Sony do this? I have no idea, but it would be nice if they would let us know.
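Points 1 and 2 are about catching ordinary web application flaws before they reach production. As an added illustration (not code from the post, from Sony, or from SANS), the following Python example uses an in-memory SQLite database to put a lookup that pastes user input into SQL text beside the parameterized form that the SANS/CWE guidance recommends, together with the kind of unit check a development team can run against its own data-access code. The table, rows and inputs are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak: the input becomes part of the SQL statement itself.

    A quote character in the input changes the structure of the query, which
    is exactly the mechanism behind SQL injection (CWE-89 on the Top 25 list).
    """
    query = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: parameter binding keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT username, email FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def input_alters_query(conn: sqlite3.Connection, lookup) -> bool:
    """Assurance check: feed a legitimate value containing a quote character.

    Returns True when the lookup breaks (the statement was rewritten by its
    input), False when it handles the value as ordinary data. A team can run
    this over every data-access function as part of its test suite.
    """
    try:
        rows = lookup(conn, "o'brien")
    except sqlite3.Error:
        return True
    return rows != [("o'brien", "obrien@example.test")]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup altered by input:", input_alters_query(db, lookup_vulnerable))
    print("safe lookup altered by input:      ", input_alters_query(db, lookup_safe))
```

The check is deliberately built around a legitimate value (a surname with an apostrophe): if a quote in ordinary input can change the statement, so can anything else an attacker places in that field, and the fix is the same in both cases.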

3. The fact that Sony mishandled communications around this security breach shouldn't surprise anyone. When security incidents take place at large companies, lawyers immediately step in, evaluate their exposure, and then mandate what to say and what not to say about the breach. Not to be outdone, PR people often get involved as well and look for ways to spin security events. These strategies may be appropriate for tainted products, but security breaches need to be communicated quickly and concisely, free from marketing manipulation. I'm doing some research on best practices in this area. Please point me to any documented processes that I can look at as background.

About Networking Nuggets and Security Snippets
Jon Oltsik is a principal analyst at Enterprise Strategy Group responsible for the networking and security services at ESG. Prior to joining ESG, Jon was the founder and principal of Hype-Free Consulting. Mr. Oltsik previously served as VP of Marketing & Strategy at GiantLoop Network where he managed all marketing activities and defined the company’s strategic vision. Jon was also a Senior Analyst at Forrester Research where he covered a wide range of infrastructure and IT topics. In this role, he was frequently quoted in business journals, including the Wall Street Journal, Business Week, and the New York Times, and was also the recipient of a prestigious "best research" award for his breakthrough report, "The Internet Computing Voyage."
 
