Noise Filter: Sony PlayStation Network Outage Raises Cloud Security Concerns


Every now and then, an exciting or controversial issue triggers a flood of online discourse. For our Noise Filter feature, the WHIR pans the raging rivers of opinion for shining nuggets of useful commentary.

In April, technology giant Sony (www.sony.com) suffered an outage of its PlayStation Network that compromised the private information of approximately 100 million users. Now, nearly a month later, the system is still down and many experts are suggesting that this outage could have a much larger impact on the way people perceive the security of the cloud.

While reports have surfaced that Sony was running outdated software that enabled the attack, these reports have now been deemed speculative. Still, it is curious why it has taken so long to restore the service. Sony has still not confirmed a date for the full restoration of the network.

Despite a loyal fan base, Sony may have to offer a lot more than its proposed “make good” plan to appease users who have criticized the company for taking too long to speak out.

On April 26, Connecticut Senator Richard Blumenthal wrote to Sony president Kaz Hirai demanding answers for the delay in notifying its affected customers. Hirai responded on May 5, and called the situation “complex.”

With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred.

According to a report by Arik Hesseldahl on CNET, Sony first became aware of the attack on April 19 after it discovered “several PlayStation Network servers had rebooted themselves unexpectedly. Four servers were immediately taken offline in order to figure out what was going on. By the next day, it was clear that another six had been attacked, and they were taken offline as well.”

CNET says a DDoS attack was the first event in the outage.

A person or people involved with the initial denial-of-service attacks carried out against Sony in support of a hacker named George Hotz may have gone beyond the bounds of the action that was intended simply to hit Sony’s PlayStation Gaming Network with more requests for service than it could handle and temporarily knock it off the Web.

Sony has tried to blame hacktivist group Anonymous for the attack, but the group has denied involvement.

Purdue University security expert Dr. Gene Spafford told Congress that Sony had been running outdated Apache software at the time of the attack. Now, a report by Steve Watts on ShackNews has revealed that Spafford knew he was passing on unconfirmed information.

I [Spafford] have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date and had been warned about that risk.

Meanwhile, Bitmob users are offering conflicting accounts on Sony’s Apache servers. The report’s writer points to a Beyond3D forums user, who claims that a Google webcache shows Sony running current version 2.2.17 as of March 23, 2011. Others in the comments counter that only some of Sony’s servers were up to date, while others were running version 2.2.11.

Sony has defended its security procedures, claiming the proper measures were in place including recently patched and updated servers as well as firewalls.

The company is being called out on more than its security, though. Erik Sherman at BNET said Sony completely dropped the ball on handling the breach with its customers.

To call Sony’s response inept would be an insult to inept corporations. First, the company pretended that its online service was down. When Sony finally admitted a breach, management said that no credit card numbers were compromised. Now the breach is even larger, stretching to nearly 100 million accounts, and credit card and bank account numbers are involved.

It wasn’t until May 3 that Sony admitted to a second, earlier attack that compromised the information of 25 million Sony Online Entertainment users, this time including credit card numbers. Sony tried to assure its customers that the credit card information was stored in an outdated database from 2007. Prior to this announcement, Sony said there was no reason to believe credit card information had been stolen.

A report by Richard S. Levick on Fast Company gives a broader perspective on cybercrime, placing some of the blame on boards of directors that put data security on the back burner.

That’s why it is incumbent on boards to recruit data security expertise — and prioritize putting such expertise to work — not only to prevent future incidents; but also to develop effective reputation-protection programs should a breach occur. The speed with which the marketplace expects an organization to react to a data loss demands that policies and procedures be put in place far in advance.

In a blog post on the Wall Street Journal, Ben Rooney says “the whole cloud computing movement has taken a bit of a knock, or perhaps has had a wake-up call.”

One of the issues with cloud is liability. If there is a breach and data is lost, whose liability is it? At the moment the industry is trying to establish guidelines and working practices; but until that issue is resolved—if it ever is—expect public cloud adoption to be slow and cautious.

If you saw any other interesting commentary on the Sony outage, please share a link in the comments section below.
