Sony’s DoS Attack Merely A Diversion For The Real Theft
Sony also said the breach initially went undetected because the network team was busy fighting off a denial-of-service attack. “Our security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly—all perhaps by design,” Sony’s Hirai said in his testimony.
“Whether those who participated in the denial-of-service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know,” Hirai harrumphed. “In any case, those who participated in the denial-of-service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world.”
Sony has been hit in the past with denial-of-service attacks by the hacker group Anonymous (so have Visa, MasterCard and various major retailers). But the hacker group announced in early April, weeks before the breach, that it had stopped its attacks on Sony, which Sony had pooh-poohed anyway. (Apparently to Anonymous it’s OK to annoy a large corporation, but ticking off video-game addicts is out of bounds.)
That suggests that a DoS attack severe enough to successfully distract Sony’s network admins from an ongoing breach came from a much more conventional bought-and-paid-for botnet—and that it was indeed specifically launched to provide cover for the breach.
In the end, though, the starkest outline of the breach is the most disturbing. Sony’s E-Commerce site had unpatched software, and that made it possible for a thief to capture an enormous amount of customer information after infiltrating a datacenter, compromising at least 10 servers and remaining hidden for two days.
When it comes to online retail, Sony is small potatoes—those 77 million customers are on the PlayStation Network mainly to play games, not to buy videos or merchandise from the online store. But the Sony breach makes it clear that E-Commerce systems provide the weakest point in many networks.
It’s not just that E-Commerce attracts thieves because that’s where the credit cards are. It’s also that E-Commerce requires so much input from customers, so many different points of entry and so much complexity that it provides far more chances for thieves to break in.
Now combine all those potential points of entry with a big diversion, such as a denial-of-service attack to distract admins from warning flags about security breaches, and it’s clear just how risky online commerce has become for all E-tailers.
As for Sony, there are two bits of irony. If the company—for which E-tail is just a sideline—hadn’t been selling things online, the security hole in its E-Commerce systems wouldn’t have been there for the thieves to use to sneak in.
And if Sony’s network admins hadn’t been so focused on keeping the PlayStation Network up in the face of the denial-of-service attack, the breach might have been detected and blocked early on. Instead, admins kept the site up for three more days—and, thanks to the breach, it has now been offline for two weeks.