Sony Security Breach

Written by Ben Miller, CEH

Sony announced on Wednesday, April 20, that they were aware of their network services being down.  Little did they know this would turn into one of the largest data breach fiascos in history.  On May 14, Sony began bringing their network back online for customers in North America.  News stories have been concerned all along with the number of credit card numbers stolen, but there is more at stake than just credit card numbers.

On April 26, Sony released a statement clarifying what had been breached on their blog.  Their statement included this:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

This constitutes a gold mine of information to use in any number of secondary thefts, such as credit card fraud and other forms of identity theft.  All of this information together can be aggregated and analyzed to form connections across many systems and used to provide entry points into further breaches.

The real-world data, the personal identifiers used for impersonation and fraud, is frightening enough when handed out amongst criminals; this is the sort of data that would be used for more personal, grudge-type hacks.  Seventy-eight million accounts' worth of this real data is something that could be used for legitimate advertising and demographic purposes, the types of endeavors that Sony uses it for.  From a hacking standpoint, it might give me the information needed to pull off a high-stakes theft against a handful of users.  There is a secondary market for this data, corners of the Internet where names, social security numbers and addresses are posted by hackers; most likely it has already been sold.

The data that I would go after is the online identifiers: your email address, your PSN network name, password, and security questions.  From this you can glean a significant understanding of how a person sets up their online accounts.  If you are like most people, you use one or maybe two standard usernames and passwords to keep everything connected.  It is human nature to make things simple so that we are not burdened with extra “work” every time we log on to play a game, check a forum we read, or even view our bank statement.  However, not being willing to do the “work” of separating our different levels of sensitive information is exactly what a hacker counts on.  If you happened to be one of the seventy-eight million accounts compromised in these breaches, and if you used the same password for your PSN account and the email account you registered with, then the hackers now have access to that email as well.  From that email they would be able to see which other websites you have accounts with, such as your bank, your retirement fund, maybe your work logins.  If you used the same email for two accounts, why not three or four?  Not everyone will be affected in this manner, but the possibility is there for everyone who reuses a password.

Imagine this: an average PlayStation owner, Darren, uses his PlayStation Network account to play Call of Duty: Black Ops multiplayer.  He also uses the network to watch Hulu and rent Netflix movies.  To keep everything simple he uses his work email as his account login and as the recovery address if he forgets his password.  His PSN handle is MedicDarren; in our hypothetical situation he works at Hypothetical Hospital.  Now, we have a data breach and the hackers have a pile of data to work with.  They search the dump for medical-sounding words and group together all the email addresses and usernames that match, data that might be used to commit medical fraud of any kind.  This data could be sold to a secondary market of individuals who target these types of people and businesses.  These other hackers then isolate Darren’s email account as one that could be used to break into one of the systems at the local hospital.  Darren uses a different password for work email, as he has gone through security awareness training.  However, the hackers also have access to Darren’s password recovery questions and answers, so they know his mother’s maiden name, his first pet’s name, and what city he was born in.  If Hypothetical Hospital uses an automated password recovery system, the hackers would be able to use these answers to change his password, getting access to a completely separate protected system.  Once they have that, depending on the Electronic Medical Systems in use at Hypothetical Hospital, they could reset his password again and harvest whatever patient information Darren normally has access to in the normal course of his work.  The medical identity fraud begins, unrelated to, but aided by, a breach into the PlayStation gaming network.
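
One defensive check an organization like Hypothetical Hospital could run when a breach like this is disclosed, as an added example that is not part of this article: cross-reference the exposed email addresses against the staff directory, then force a password reset and disable automated security-question recovery for every match. All data values below are constructed, and the directory fields and the recovery-policy names are assumptions.

```python
import re

# Constructed sample of what a breach dump exposes, following the categories in
# Sony's statement (email, handle, recovery answers). Values are made up.
BREACH_DUMP = [
    {"email": "darren@hypothetical-hospital.example", "handle": "MedicDarren",
     "answers": {"mother_maiden": "Smith", "first_pet": "Rex", "birth_city": "Denver"}},
    {"email": "gamer42@example.net", "handle": "gamer42", "answers": {}},
]

# Constructed staff directory for Hypothetical Hospital (fields are assumed).
EMPLOYEES = [
    {"email": "Darren@Hypothetical-Hospital.example", "ehr_access": True},
    {"email": "nurse.jane@hypothetical-hospital.example", "ehr_access": True},
]

# Words in a public handle that advertise a medical role to whoever holds the dump.
ROLE_TERMS = re.compile(r"medic|nurse|doctor|hospital|clinic", re.IGNORECASE)


def find_exposed_employees(dump, employees):
    """Return staff emails (lower-cased) that appear in the breach dump."""
    exposed = {r["email"].strip().lower() for r in dump}
    return sorted(e["email"].strip().lower() for e in employees
                  if e["email"].strip().lower() in exposed)


def remediation_plan(dump, employees):
    """Build one action record per exposed employee.

    If the dump holds recovery answers, the same answers must not be usable at
    work, so knowledge-based (security-question) reset is switched off for that
    account and a password reset is forced; EHR access is flagged for review.
    """
    by_email = {r["email"].strip().lower(): r for r in dump}
    by_staff = {e["email"].strip().lower(): e for e in employees}
    plan = []
    for email in find_exposed_employees(dump, employees):
        rec = by_email[email]
        plan.append({
            "email": email,
            "force_password_reset": True,
            "disable_kba_reset": bool(rec.get("answers")),
            "handle_reveals_role": bool(ROLE_TERMS.search(rec.get("handle", ""))),
            "review_ehr_access": bool(by_staff[email].get("ehr_access")),
        })
    return plan
```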

This scenario isn’t far-fetched, and could be happening and going unnoticed since the end of April.  The “gamer” demographic is broad and reaches into every other industry.  We’ve had a little more than a month to figure out how we as customers will react.  We have had time to look at our own habits (or accounts, if we are PSN customers) and verify that we’re still safe.  We all have to remember that when it comes to security, even multinational corporations are not going to protect us one hundred percent of the time.  When it comes to Security – U R IT!