3Qs: Hackers turn PlayStation into pay station

In late April, a hacker crippled Sony’s PlayStation Network by stealing the names, home addresses and perhaps even the credit card numbers of some 70 million subscribers, who play and download games through the online service.

Engin Kirda, the Sy and Laurie Sternberg interdisciplinary associate professor for information assurance, with joint appointments in Northeastern’s College of Computer and Information Science and Department of Electrical and Computer Engineering, assesses the impact of the attack he said represents the “largest loss of private information to date.”

How easy is it to hack into a network, like Sony’s, and steal personal information? How difficult is it to combat?

Although we have recently seen very sophisticated attacks against security companies such as RSA, Comodo, and HBGary, most of the successful attacks are still quite simple in nature. In many cases, a simple programming mistake on a company’s website can lead to complete compromise over time.

Attackers typically proceed step by step. For example, they might first compromise the web server and then move on to attack other critical components, such as databases and mail servers. Many attacks today also use so-called “social engineering” techniques. Like phishing attacks, a user might be tricked into downloading and installing malicious software, which can then help the attackers gain access to sensitive data.

To my knowledge, it is not very clear what vulnerability or technique the attackers used to break into Sony’s systems. In any case, we have witnessed the largest loss of private information to date.
 At Northeastern, my security group is working on techniques to automatically detect vulnerabilities in software systems in order to prevent attacks. We are also looking at how social engineering attacks work effectively in practice, and why users often fall for such attacks.

The PlayStation Network has been down for almost three weeks after Sony promised that it would be back online within a day or two. Why is it taking so much longer than expected?

It is not easy to say why things are taking time to fix without having knowledge of the internal discussions at Sony. My guess would be that Sony is trying to make sure that its systems are secure so that something like this does not happen again. Suffering a similar attack after the network goes back online would be very embarrassing for them.

It could also be that their systems are so complex that a quick fix is impossible. Often, bad design decisions are the hardest to fix. Some of my colleagues at Northeastern are working on the problem of designing systems in a secure way from the start.

Should users who play or download games on the PlayStation Network be hesitant to log back on? What type of impact can hackers have on the bottom line of a company like Sony?

Once the systems go back online, I would not be hesitant to log back on. Having said that, I would advise all users to change their passwords and also make sure that they have not used the same password that they used on Sony on other sites, such as Gmail or Yahoo. It has been reported that many passwords have been stolen and attackers often use stolen passwords to log on to other websites to send spam.

I would also advise Sony users to be wary of phishing attacks. The attackers are probably going to use the information they have stolen to craft authentic looking phishing e-mails. I would not be surprised if such phishing e-mail will be designed to look as if Sony has sent it. There are also reports that credit card information has been stolen. If you had your credit card information stored on the Sony site, then it would be wise to regularly check your credit card statements.