Sony’s DoS Attack Merely A Diversion For The Real Theft

Written by Frank Hayes
May 4th, 2011

Sony’s gigantic data breach last month was triggered by a two-pronged attack: a denial-of-service attack that thieves used as cover for a retail ‘purchase’ from Sony’s E-Commerce site, a purchase that was really a ploy to exploit an unpatched vulnerability, which in turn gave the thieves access to an application server and huge quantities of personal customer information. (Yes, it was a ploy within a ploy.)

Details of the attack were spelled out by Sony executives at a Tokyo news conference on May 1 and in written testimony to a U.S. Congressional committee on Wednesday (May 4). As with most attacks, plenty of things went wrong to give thieves their opportunity. But the timeline makes two things very clear: Sony’s online store provided the opening that allowed thieves to collect huge quantities of personal information on customers—including names, addresses, birth dates and E-mail accounts—and the attack depended on an unpatched hole in the E-Commerce system.

(Related Story: As Sony’s Breach Tops 100 Million Accounts, It Needs To Fix Its Encryption Rhetoric.)

According to written testimony by Sony executive Kazuo Hirai for a U.S. House subcommittee hearing, a network team at Sony’s San Diego datacenter spotted a series of unexpected server reboots on the afternoon of Tuesday, April 19. The network team took four of the 130 servers offline and began to investigate. Within 24 hours, the team found evidence of an intruder and that six more servers had been compromised.

That was the point at which the company decided to shut down the PlayStation Network and its E-Commerce site. Sony then brought in outside forensic experts to hunt for evidence.

What those experts found was that log files had been deleted, access privileges had been escalated and unencrypted personal information on every one of the PlayStation Network’s 77 million customers had been accessed. But the experts couldn’t determine conclusively whether the encrypted payment-card numbers had been taken—that’s 12.3 million card numbers globally, including 5.6 million from U.S. customers.

According to Wednesday’s Congressional testimony, “major credit-card companies have not reported that they have seen any increase in the number of fraudulent credit-card transactions as a result of the attack.”

Some details from that testimony are simply eyebrow raisers. For example, Sony contacted the FBI on April 22, three days after IT people spotted a problem and two days after it was clear that data had been compromised. “A meeting was set up to provide details to law enforcement for Wednesday April 27, 2011,” the testimony said. Wait, what? A data breach that exposed personal information on tens of millions of Americans, and the earliest the FBI could squeeze Sony into its calendar was five days later?

Sony also said the breach initially went undetected because the network team was busy fighting off a denial-of-service attack.

