Hackers turn PlayStation into pay station

May 10, 2011
Professor Engin Kirda assesses the impact of an attack he said represents the “largest loss of private information to date.” Credit: Mike Mazzanti

In late April, a hacker crippled Sony’s PlayStation Network by stealing the names, home addresses and perhaps even the credit card numbers of some 70 million subscribers, who play and download games through the online service.

Engin Kirda, an associate professor with joint appointments in Northeastern’s College of Computer and Information Science and Department of Electrical and Computer Engineering, assesses the impact of the attack he said represents the “largest loss of private information to date.”

How easy is it to hack into a network, like Sony’s, and steal personal information? How difficult is it to combat?

Although we have recently seen very sophisticated attacks against security companies such as RSA, Comodo, and HBGary, most of the successful attacks are still quite simple in nature. In many cases, a simple programming mistake on a company’s website can lead to complete compromise over time.

Attackers typically proceed step by step. For example, they might first compromise the web server and then move on to attack other critical components, such as databases and mail servers. Many attacks today also use so-called "social engineering" techniques. Like phishing attacks, a user might be tricked into downloading and installing malicious software, which can then help the attackers gain access to sensitive data.

To my knowledge, it is not very clear what vulnerability or technique the attackers used to break into Sony's systems. In any case, we have witnessed the largest loss of private information to date.

At Northeastern, my security group is working on techniques to automatically detect vulnerabilities in software systems in order to prevent attacks. We are also looking at how social engineering attacks work effectively in practice, and why users often fall for such attacks.

The PlayStation Network has been down for almost three weeks after Sony promised that it would be back online within a day or two. Why is it taking so much longer than expected?

It is not easy to say why things are taking time to fix without having knowledge of the internal discussions at Sony. My guess would be that Sony is trying to make sure that its systems are secure so that something like this does not happen again. Suffering a similar attack after the network goes back online would be very embarrassing for them.

It could also be that their systems are so complex that a quick fix is impossible. Often, bad design decisions are the hardest to fix. Some of my colleagues at Northeastern are working on the problem of designing systems in a secure way from the start.

Should users who play or download games on the PlayStation Network be hesitant to log back on? What type of impact can hackers have on the bottom line of a company like Sony?

Once the systems go back online, I would not be hesitant to log back on. Having said that, I would advise all users to change their passwords and also make sure that they have not used the same password that they used on Sony on other sites, such as Gmail or Yahoo. It has been reported that many passwords have been stolen and attackers often use stolen passwords to log on to other websites to send spam.

I would also advise Sony users to be wary of phishing attacks. The attackers are probably going to use the information they have stolen to craft authentic-looking phishing e-mails. I would not be surprised if such phishing e-mails will be designed to look as if Sony has sent them. There are also reports that credit card information has been stolen. If you had your credit card information stored on the site, then it would be wise to regularly check your credit card statements.
