Could Sony have prevented breach?

Failure to address "insecure" infrastructure may have led to attack on electronics giant, says security expert, who also warns loss of customer data may be "tip of the iceberg".

With 100 million customers' data stolen from its PlayStation and PC games network, a security expert said it was possible that Sony was aware of the "insecure" state of the application servers that were attacked but did not act on it.

Guillaume Lovet, senior manager of FortiGuard Labs threat response team, told ZDNet Asia it is common for companies to do so.

"Such decisions occur more frequently than we think among companies. It is for performance and service continuity reasons," he explained in an e-mail.

Another "hypothesis" would be oversight, according to Lovet. Sony, he noted, claimed it was not aware its servers were vulnerable.

To date, the Japanese electronics giant has yet to pinpoint the exact attack scenario, with the company announcing the need for "more testing time" before relaunching its PlayStation Network (PSN).

PlayStation chief Kazuo Hirai earlier promised that most services on PSN would be restored last week, but a blog post Sunday on Sony's PlayStation.Blog revealed that the corporation needed more time for testing before relaunching its online game play for the PlayStation 3 and PlayStation Portable, as well as chat functions.

Hirai, who is the chairman of Sony Computer Entertainment, said the company hoped to restore the entire network "within the month".

Lovet said the extended timeframe suggested Sony "is not 100 percent sure if the holes are patched".

"The attackers covered their traces particularly well, and this implied that either security logging was particularly weak, or the attackers were highly skilled, and possibly helped by an insider," he added.

The PSN was said to be breached between Apr. 17 and 19, exposing names, e-mail addresses, dates of birth and passwords for Qriocity, Sony's media streaming service. In addition, the company later admitted that customer data from its Sony Online Entertainment (SOE) PC games network were leaked, two to three days before the attack on PSN.

Sony has not been able to confirm if credit card data had been compromised.

The company blamed Anonymous for the attacks, but the hacker group has denied it was responsible.

In a statement, Anonymous spokesperson Barret Brown said: "Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history.

"No one who is actually associated with our movement would do something that would prompt a massive law enforcement response."

The group, however, admitted its involvement in an earlier distributed denial of service (DDoS) attack against Sony for its lawsuit against PlayStation 3 hacker George Hotz, also known as "Geohot".

According to Lovet, the latest attacks on Sony may have been a reaction to the company's actions, reflecting an "Anonymous school of thought", regardless of whether the party is associated with them.

"If this attack was indeed carried out by other hacktivists, it would be a retaliation stunt against Sony for reasons such as the Geohot trials," the security expert said. "Whoever launched the attacks is part of the Anonymous movement by definition."

Should this be the case, Sony may have less to worry about as hacktivists traditionally are not financially motivated and hence less interested in the customer data, he added. They are merely out to "retaliate against Sony's corporate greed", and were probably interested in damaging the brand's reputation, causing it to lose customers and make huge compensation payouts to customers.

On the contrary, it could be a case of theft by "traditional cybercriminals" looking to profit from customer details, said Lovet. To that end, he cautioned that the customer database is "only the tip of the iceberg" in the recent Sony breach.

"Other data, like corporate information, could have been stolen but not publicly divulged by Sony, given that U.S. laws only oblige Sony to reveal loss of customer data," he warned.

More emphasis on data protection
In the wake of the Sony fiasco, security vendor Symantec recommended that organizations guard against attacks by deploying software to protect endpoints, adopting a proactive information-centric approach to protect information and transactions, implementing strong IT policies, and managing security efficiently through standardization, workflow and automation.

The Sony incident, added Lovet, should serve as a wake-up call to companies, including mega-corporations, to take into account the reputation they have on the Internet and see how they can improve the security of their customers' data.

Noting that some estimates put the cost of the breach at "several billions of dollars", he questioned how that would compare to the amount Sony might spend putting security "firmware" on game consoles. "I don't know, but from a purely economic viewpoint, the question is worth considering."

And in spite of the large number of compromised records--75 million alone for PSN--Lovet said it was unlikely cybercriminals will--if they do--attempt to sell the stolen data all at once. Instead, they may "fraction" and sell portions of the databases, which would in turn generate "a chain of richness creation" that can profit a large part of the underground economy, he predicted.

Microsoft did not respond to ZDNet Asia's queries on its approach to secure its Xbox system, and whether changes will be made in the light of Sony's predicament.