Computing – Opinion: Sony PSN Hack

The following brief opinion piece was originally published as an Opinion piece in Computing, on the topic of the recent large-scale Sony hacks, including of the PlayStation Network (PSN):

“Over the past few weeks there has been a lot of complaint and speculation about the significant compromises of the Sony PlayStation Network (PSN), Qriosity and Sony Online Entertainment (SOE) affecting over 100 million accounts. I don’t know all the facts, as they are still emerging, but I have a few general views:

1. Be prepared
Ensure that you have an effective communications plan, which you can enact quickly. Sony and Apple have recently both been castigated for their time to both acknowledge and respond to issues. People shouldn’t expect answers immediately, but they would like to know that you’re actively addressing the situation.

Have a forensic readiness plan, retaining technical and investigative expertise as required. This will help minimise contamination of evidence whilst controlling the incident – essential if you want to know how they got in, what they did, what trail they left. Without this, you have no realistic chance for a successful prosecution.

2. Treat customer data as your own
It’s one thing to spend lots of effort in protecting your information with DRM, DMCA takedown notices, rootkits, and legal threats & proceedings and another to leave personal data such as e-mail addresses, phone numbers and passwords in the clear. Just encrypting credit card data, to get your PCI-DSS tick in the box, is not enough.

Validated email addresses have value to spammers, real names help phishers, dates of birth help facilitate identity fraud, password reuse is big with users leading to further compromises. Learn from other attacks, such as on Epsilon and Gawker. Governments looking to spy on dissidents have targeted Facebook and Gmail.

If it is popular, expect it to be targeted and hacked. Build your platform to minimise impact.

3. Expect legal and regulatory fallout
In our interconnected world, there is a raft of jurisdictionally specific (and sometimes conflicting) legal and regulatory requirements that large online services need to be aware of and compliant with, including ones covering data breach notifications and privacy of personal and financial data. Investigations may ensue.

Fines may be imposed by data protection and financial regulators, and individual or class action suits may be brought. These could be anywhere you are considered to operate your service. The Sony and Hotz ‘PS3 hacking’ case demonstrated this can be a complex and fraught process. Make sure you have access to a great legal team.

This hacking incident may have brought some positives in that Sony has now learnt some of the above lessons, and has a new Chief Information Security Officer (CISO) role that, hopefully, has the remit to improve security and privacy practices, and the PSN users have gone outside to enjoy the spring sunshine.”

The original version of this piece is available online at:

http://www.computing.co.uk/ctg/opinion/2071155/firm-learn-sony-psn-debacle

ISNow – Ethical Hacking

The following introduction was originally published in the BCS Information Security Now Magazine, Spring 2011 issue (Volume 5, Issue 3), which was on the topic of Ethical Hacking:

“There has been debate and disagreement as to whether the term ethical hacking is correct and appropriate. Adding ethical as a prefix to a word that has the baggage of hacking does not placate those that subscribe to a belief that hacking is solely unlawful (forgetting the history and alternate uses of the word). For myself, I have more of an issue with ethical, as criminals may have a stronger ethical position than some professionals, demonstrated in some recent leaks. Ultimately it’s down to authorisation and scope, not terminology.

As seen from numerous recent large-scale intrusions, seemingly backed by state-sponsors, spammers and fraudsters, failure to test adequately can be a factor. Only once you start with a known secure system or service can you look to keep it that way.

It’s mine, I can do what I want
Restrictive laws can give those that wish to tinker and open up closed and proprietary systems a significant legal headache, even when only trying to restore a feature removed by the manufacturer. Copyright (monopoly rights) was originally conceived as a protection against duplication. Once you’ve bought, say, a games console why should rights of fair use to modify or adapt be so limited?

There is a lot of discussion around what responsible disclosure entails, and not everyone agrees (even on the name), but on the whole it is reporting the finding in a responsible way, usually to the site or vendor, and providing sufficient time to develop, test and deploy a fix before announcing it to the world.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-spring2011.pdf

ISNow – Future Threats

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2010 issue (Volume 5, Issue 2), which was on the topic of Future Threats:

“The start of each New Year brings festive cheer and thoughts about what security related treats we might see in the coming year. I think 2011 may bring:

Targeted malware – next generation spear-phishing. The emergence of Stuxnet, which combines traditional malware techniques with a specially crafted targeting mechanism and payload parameters, may signal a new form of deniable attack. Even with the required time and resources required to develop the intelligence and programming that feeds into such software, it could still be a much more cost effective and politically acceptable virtual approach versus physical alternatives. This attack vector is likely to be picked up by other online ne’er- do-goods.

Secrets revealed – exposing truths. Wikileaks, Crytome, The Smoking Gun and others have a track record of exposing the secrets of governments, corporations and individuals. State and court sanctions are unlikely to deter all those seeking to expose unlawful, hypocritical and immoral activities. Once details are released on the internet it is too late, however good your censorship capabilities are and if the traditional press get hold of it too it’s as good as over. As people learn the effectiveness of such exposure we may see more whistleblowers emerge.

Personal intrusions – self-exposure. From airport security officials wishing to either irradiate us or touch our junk; governments wanting to know about our worldwide banking arrangements, health, happiness and online activities; social networks wanting to know where you are, who your friends are and what you’re saying; advertisers wanting to know where you are and what you’re interested in; employers wanting to know if you’re a suitable hire or risk to the business.

Happy New Year – hopefully.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/ISNOW-Winter2010.pdf

ISNow – Who Are We Fighting?

The following introduction was originally published in the BCS Information Security Now Magazine, Autumn 2010 issue (Volume 5, Issue 1), which was on the topic of Who Are We Fighting?:

“For a number of years there has been concern about the growth of state sponsored cyber espionage and warfare. It is believed that around 100 nations have such capabilities. Although we occasionally see news stories about the alleged activities of particular nations, attribution remains a significant challenge and most countries are looking at improving their defensive capabilities.

The UK has formed an Office of Cyber Security (OCS), to complement the Centre for the Protection of National Infrastructure (CPNI), and NATO has established the Co-operative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia, after the country was subjected to cyber attacks.

Recently it was suggested that NATO conduct joint cyber warfare exercises with Russia so that all countries can learn how to better protect critical information infrastructure. Exercises have already happened between the US, UK and others.

Beyond state sponsored activities, which seem to focus on information gathering, mapping defences, disinformation and occasionally attacking, politically and religiously motivated ‘hactivism’ occurs, but rarely gets beyond website vandalism and DDoS attacks, which can claim collateral impacts.

Add to this the traditional malware, spamming, hacking and commercial piracy that is so prevalent online and it is no wonder that law enforcement, such as the Police Central e-crime Unit (PCeU) in the UK, has issues with resourcing and priorities and so many crimes fail to be reported, investigated or solved.

One thing missing from this mix is the almost always mentioned, almost never seen, cyber terrorism. My view is that unless it is visually impactful or used in support of a physical attack, this will not materialise to the level claimed by the scaremongers, whose motives should sometimes be questioned.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-autumn10.pdf

ISNow – Protecting the Internet

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2010 issue (Volume 4, Issue 4), which was on the topic of Protecting the Internet:

“The internet is a wonderful thing; putting knowledge at our fingertips, enabling instant communication and helping us target new customers more effectively. As with everything, it comes at a cost –
from technical exclusion through to new online threats and vulnerabilities, which have the capability of affecting our life and business.

Problems, like hacking, viruses, spam and scams become more prevalent and merge into things like phishing and online identity fraud. Users need to learn and do more to stay safe, and governments need to focus more on the virtual world, which may be outside their direct control, to ensure that the benefits of the internet are fully realised.

Control issues
Some governments feel that the right approach is to try and control the internet and its users, from limiting what they can say to blocking content they object to. In reality, much of this control does little to protect people from the real security threats out there; national ‘firewalls’ are not for security, and protecting citizens from ‘outside threats’ is a convenient excuse for control.

Big business
‘Three-strikes’ style sanctions and disproportionate financial penalties for civil infringements say more about the undue influence of big business on the legal system than a real desire to move with the internet times, to protect both users and artists.

At least the UK Government isn’t currently proposing to take over the internet in an emergency, as they are in the US. Protecting the internet comes best from educating users, businesses and government and for them to come together to create balanced workable solutions.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer10.pdf

The Blog of Gareth Niblett