Sony’s DoS Attack Merely A Diversion For The Real Theft
Written by Frank Hayes

Sony’s gigantic data breach last month was triggered by a two-pronged attack: a denial-of-service attack thieves used as cover to make a retail ‘purchase’ from Sony’s E-Commerce site, an effort that was really a ploy to exploit an unpatched vulnerability that in turn gave thieves access to an application server and huge quantities of personal customer information. (Yes, it was a ploy within a ploy.)
Details of the attack were spelled out by Sony executives at a Tokyo news conference on May 1 and in written testimony to a U.S. Congressional committee on Wednesday (May 4). As with most attacks, plenty of things went wrong to give thieves their opportunity. But the timeline makes two things very clear: Sony’s online store provided the opening that allowed thieves to collect huge quantities of personal information on customers—including names, addresses, birth dates and E-mail accounts—and the attack depended on an unpatched hole in the E-Commerce system.
According to written testimony by Sony executive Kazuo Hirai for a U.S. House subcommittee hearing, a network team at Sony’s San Diego datacenter spotted a series of unexpected server reboots on the afternoon of Tuesday, April 19. The network team took four of the 130 servers offline and began to investigate. Within 24 hours, the team found evidence of an intruder and that six more servers had been compromised.
That was the point at which the company decided to shut down the PlayStation Network and its E-Commerce site. Sony then brought in outside forensic experts to hunt for evidence.
What those experts found was that log files had been deleted, access privileges had been escalated and unencrypted personal information on every one of the PlayStation Network’s 77 million customers had been accessed. But the experts couldn’t determine conclusively whether the encrypted payment-card numbers had been taken—that’s 12.3 million card numbers globally, including 5.6 million from U.S. customers.
According to Wednesday’s Congressional testimony, “major credit-card companies have not reported that they have seen any increase in the number of fraudulent credit-card transactions as a result of the attack.”
Some details from that testimony are simply eyebrow raisers. For example, Sony contacted the FBI on April 22, three days after IT people spotted a problem and two days after it was clear that data had been compromised. “A meeting was set up to provide details to law enforcement for Wednesday April 27, 2011,” the testimony said. Wait, what? A data breach that exposed personal information on tens of millions of Americans, and the earliest the FBI could squeeze Sony into its calendar was five days later?
Sony also said the breach initially went undetected because the network team was busy fighting off a denial-of-service attack.