Sony network fiasco

It is a little disturbing to think that a reputable company like Sony could operate a network that allowed the private records of 77,000,000 (seventy-seven million) customers to be siphoned out. According to an official statement from Sony, these records include passwords and answers to security challenges. What I can’t understand is why, as this statement seems to imply, the passwords and answers were stored in plain text. Surely every good security geek knows that you don’t store access data in plain text.

I wrote about this issue a few years ago. It doesn’t take much to protect this sensitive data. Did Sony assume that the data was safe because it was within their private network? If so, the assumption was foolish.
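To make the point concrete, here is an added example (my own illustration, not code from Sony or from the original post) of the storage scheme the paragraph above has in mind: passwords and security-challenge answers are never written to the store in plain text, only as a salted, slow hash. It assumes PBKDF2-HMAC-SHA256 with a fresh random salt per record and a high iteration count; the function names (hash_secret, verify_secret, normalize_answer, create_account, login) and the sample account are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256, a random
# 16-byte salt per record, and an iteration count high enough to make
# guessing expensive. All names below are this example's own.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Keeping the parameters next to the digest lets the cost be raised
    later without invalidating records that already exist.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     salt, rounds, dklen=KEY_BYTES)
    return hmac.compare_digest(recomputed, digest)


def normalize_answer(answer: str) -> str:
    """Challenge answers get the same treatment as passwords; normalizing
    whitespace and case first means 'Smith' and '  smith ' verify alike."""
    return " ".join(answer.split()).casefold()


def create_account(store: dict, email: str, password: str, answer: str) -> None:
    """Store only the salted digests; the plaintext secrets are never written."""
    store[email] = {
        "password": hash_secret(password),
        "answer": hash_secret(normalize_answer(answer)),
    }


def login(store: dict, email: str, password: str) -> bool:
    """Check a password against the stored record."""
    record = store.get(email)
    if record is None:
        hash_secret(password)  # spend the same time as a real check
        return False
    return verify_secret(record["password"], password)


if __name__ == "__main__":
    # Constructed sample data; the address is deliberately non-routable.
    accounts: dict = {}
    create_account(accounts, "alice@example.invalid", "correct horse", "Smith")
    print(accounts["alice@example.invalid"]["password"])  # no plaintext in here
    print(login(accounts, "alice@example.invalid", "correct horse"))  # True
    print(login(accounts, "alice@example.invalid", "wrong"))          # False
```

The stored record reveals nothing usable on its own: a leak of this table gives an attacker only the work of guessing each password from scratch, one slow hash at a time, with no shortcut shared across users because every record has its own salt. That is the whole point of the design, and it is why a fast, unsalted hash of a common password is a much weaker defence than a salted, iterated one.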

Now that passwords and answers, coupled with email addresses, are potentially in the wrong hands, it is only a matter of time before millions of accounts worldwide are scanned by botnets. Even if the Sony leak didn’t include credit card numbers, the subsequent attacks on non-Sony accounts will reveal additional data, including card information. This is inevitable given the human tendency to re-use passwords and security challenges. (I have long believed that the security challenge that asks for your mother’s maiden name was silly, given that this information is often in the public domain.)

The next few weeks will be interesting. There will be a lot more hacker activity, and targets will widen. Already there is talk of Microsoft’s network being attacked. According to the Xbox online status (at the time of posting): “Users may receive potential phishing attempts via title specific messaging while playing Modern Warfare 2.”

I don’t have any free time to be filled with things like a PlayStation, but it’s still possible that I could be affected if the accounts of any of my friends or relations are compromised. Worrying times are ahead.

Update (3 May): Sony said yesterday that the passwords were hashed (no mention of the algorithm) and that credit card details were encrypted. Hashing will prevent the reconstruction of passwords, while the credit card details will require some intensive (and expensive) computation to be revealed. Meanwhile, reports today say that Sony’s “Online Entertainment” was taken offline for security reasons, suggesting millions more people are being affected.
