Recent high-profile cyber attacks have dented the image of Japanese technology giant Sony and left millions of customers worried about the security of their personal information.
An attack in April resulted in the company’s Sony’s Playstation Network being taken offline; the personal information – including credit card details – of more than 77 million users was compromised.
Subsequent attacks in the past few days have exposed further vulnerabilities in Sony’s infrastructure, with more users’ information being released to the public.
Dr Philip Branch is a network security expert at Swinburne University.
Why has Sony been targeted in this way?
Sony is a big target and a well-known target, and there’s a lot of kudos within the hacker community for these sorts of exploits. But I think the reason the company’s facing repeat attacks is that its security probably isn’t as good as it could be.
Certain people may have seen the first, really big attack, felt that security at Sony is inadequate and thought: “What else can we get up to?”
So it comes down to being a prominent target, but also a juicy target.
Why are hackers finding it so easy to access information being stored on Sony’s servers? Isn’t this information encrypted?
Encryption is fine if someone loses a back-up but a piece of software needs to be able to “see” the data whether it’s encrypted or not. This software presents some kind of credential to the system which essentially says: “Here I am, give it to me”.
Maybe the data on Sony’s servers is encrypted but as far as the software accessing the data is concerned, the data is in its raw form.
The Sony hackers used a type of attack known as an “SQL injection”. What is this, and how do these attacks work?
SQL (Structured Query Language) is what’s known as a query language for databases – a way that applications, programs and systems can query databases.
SQL allows a user to say things such as: “give me this value in the field”, or “give me this particular email address” or “give me this user ID” or “give me all values between here and here”.
On any site there will be a range of forms: “Join our mailing list”, for example – those sorts of forms.
SQL injection attacks work by putting in the basic commands the SQL database recognises, which will return results.
So the form might say: “Enter your email address”. You can put in a couple of SQL commands, with a few characters to say “we’re talking to the database”, and it will spit out some of the tables in the database.
This is surprisingly simple to do, which is why it’s so strange people at Sony haven’t defended the company against this kind of attack.
What steps can be taken to prevent such attacks?
The first thing would be what’s known as “input validation”. If you’ve got a field that’s only meant to accept email addresses, you make sure that what’s entered looks like an email address.
My email address is pbranch@swin.edu.au – so if I started putting in slashes and stars and spaces when I log in, my address would be rejected by the system.
The second thing is something called “stored procedures” and this puts a lot of restrictions on what people can do. These procedures actually write the SQL (which adds information to the database) and the user issues the SQL command with parameters by filling in the form.
Given these attacks are simple to prevent, why was Sony vulnerable?
I really don’t know. Maybe something got missed during development, or got missed during testing: maybe they didn’t do much testing of the security.
I’m at a loss to understand how it could happen.
Would other companies of Sony’s size be vulnerable to these sorts of attacks?
I think it’s extremely unlikely Sony is alone in having these vulnerabilities, which is frightening.
Most companies have lots of different systems. Someone that puts together a particular system, a form for signing up for a newsletter, say, might not have the expertise or understanding of these security-related matters. I think Sony is unlucky, actually.
So what’s next for Sony and its subscribers?
It seems Sony is doing all the right things at this point. The company has engaged external security firms to look for evidence of identity theft and so on, but if I were a subscriber I’d have a very close look out for strange transactions on my credit card. I’d consider changing my credit card.
The reason these attacks are so spectacular is because, not only did these hackers get so many people’s data in these attacks, they seemed to get everything there is to know about these people.
It’s very worrying from a consumer’s point of view.