Sony's DoS Attack Merely A Diversion For The Real Theft

Sony's gigantic data breach last month was triggered by a two-pronged attack: a denial-of-service attack thieves used as cover to make a retail 'purchase' from Sony's E-Commerce site, an effort that was really a ploy to exploit an unpatched vulnerability that in turn gave thieves access to an application server and huge quantities of personal customer information. (Yes, it was a ploy within a ploy.)

Details of the attack were spelled out by Sony executives at a Tokyo news conference on May 1 and in written testimony to a U.S. Congressional committee on Wednesday (May 4). As with most attacks, plenty of things went wrong to give thieves their opportunity. But the timeline makes two things very clear: Sony's online store provided the opening that allowed thieves to collect huge quantities of personal information on customers—including names, addresses, birth dates and E-mail accounts—and the attack depended on an unpatched hole in the E-Commerce system.


According to written testimony by Sony executive Kazuo Hirai for a U.S. House subcommittee hearing, a network team at Sony's San Diego datacenter spotted a series of unexpected server reboots on the afternoon of Tuesday, April 19. The network team took four of the 130 servers offline and began to investigate. Within 24 hours, the team found evidence of an intruder and that six more servers had been compromised.

That was the point at which the company decided to shut down the PlayStation Network and its E-Commerce site. Sony then brought in outside forensic experts to hunt for evidence.

What those experts found was that log files had been deleted, access privileges had been escalated and unencrypted personal information on every one of the PlayStation Network's 77 million customers had been accessed. But the experts couldn't determine conclusively whether the encrypted payment-card numbers had been taken—that's 12.3 million card numbers globally, including 5.6 million from U.S. customers.

According to Wednesday's Congressional testimony, "major credit-card companies have not reported that they have seen any increase in the number of fraudulent credit-card transactions as a result of the attack."

Some details from that testimony are simply eyebrow raisers. For example, Sony contacted the FBI on April 22, three days after IT people spotted a problem and two days after it was clear that data had been compromised. "A meeting was set up to provide details to law enforcement for Wednesday April 27, 2011," the testimony said. Wait, what? A data breach that exposed personal information on tens of millions of Americans, and the earliest the FBI could squeeze Sony into its calendar was five days later?

Sony also said the breach initially went undetected because the network team was busy fighting off a denial-of-service attack. "Our security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly—all perhaps by design," Sony's Hirai said in his testimony.
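The three indicators the forensic experts found (unexpected reboots, deleted log files, escalated privileges) are exactly the kind of per-host signals that get buried while a team is fighting a DoS. The following is an added illustration, not code from the article or from Sony: it correlates those indicators per host from constructed syslog-style lines (hostnames, timestamps and messages are all hypothetical) so that a host showing more than one of them is surfaced for triage regardless of what else is going on at the network edge.

```python
import re
from collections import defaultdict

# Constructed sample events (not Sony's actual logs): syslog-like lines from
# hypothetical hosts during a hypothetical DoS window.
SAMPLE_EVENTS = """\
2011-04-19T14:02:11 app07 kernel: reboot: unexpected restart (no scheduled maintenance)
2011-04-19T14:05:40 app07 auditd: audit log /var/log/audit/audit.log truncated by uid=1003
2011-04-19T14:06:02 app07 sudo: www-data : TTY=pts/1 ; USER=root ; COMMAND=/bin/bash
2011-04-19T14:10:00 edge01 nginx: upstream timed out, 503s rising (dos mitigation active)
2011-04-19T14:12:30 app12 kernel: reboot: unexpected restart (no scheduled maintenance)
2011-04-19T14:30:00 app03 cron: scheduled reboot for kernel update
"""

# The indicators named in the forensic findings, each mapped to a pattern
# over the message part of a log line. The patterns are assumptions chosen
# to fit the constructed sample format above.
INDICATORS = {
    "unexpected_reboot": re.compile(r"reboot: unexpected restart"),
    "log_tampering": re.compile(
        r"(audit log .* truncated|/var/log/\S+ (deleted|removed|truncated))"),
    "privilege_escalation": re.compile(r"sudo: .*USER=root"),
}


def parse_line(line):
    """Split '<timestamp> <host> <message>' into (host, message)."""
    _ts, host, msg = line.split(" ", 2)
    return host, msg


def triage(events):
    """Return {host: sorted indicator names} for every host with at least one
    indicator. DoS noise on edge hosts (the nginx line) does not match."""
    hits = defaultdict(set)
    for raw in events.strip().splitlines():
        host, msg = parse_line(raw)
        for name, pattern in INDICATORS.items():
            if pattern.search(msg):
                hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def priority_hosts(events, min_indicators=2):
    """Hosts showing two or more distinct indicators: investigate these first,
    even while the network team is busy with the DoS."""
    return sorted(h for h, names in triage(events).items()
                  if len(names) >= min_indicators)
```

Run against the sample, app07 is flagged as a priority host on all three indicators while the scheduled reboot on app03 and the DoS noise on edge01 produce nothing.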

"Whether those who participated in the denial-of-service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," Hirai harrumphed. "In any case, those who participated in the denial-of-service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed large-scale theft that left not only Sony a victim, but also Sony's many customers around the world."

Sony has been hit with denial-of-service attacks in the past (so have Visa, MasterCard and various major retailers) by the hacker group Anonymous. But the hacker group announced in early April, weeks before the breach, that it had stopped its attacks on Sony, which Sony had pooh-poohed anyway. (Apparently to Anonymous it's OK to annoy a large corporation, but ticking off video-game addicts is out of bounds.)

That suggests that a DoS attack severe enough to successfully distract Sony's network admins from an ongoing breach came from a much more conventional bought-and-paid-for botnet—and that it was indeed specifically launched to provide cover for the breach.

In the end, though, the starkest outline of the breach is the most disturbing. Sony's E-Commerce site had unpatched software, and that made it possible for a thief to capture an enormous amount of customer information after infiltrating a datacenter, compromising at least 10 servers and remaining hidden for two days.

When it comes to online retail, Sony is small potatoes—those 77 million customers are on the PlayStation Network mainly to play games, not to buy videos or merchandise from the online store. But the Sony breach makes it clear that E-Commerce systems provide the weakest point in many networks.

It's not just that E-Commerce attracts thieves because that's where the credit cards are. It's also that E-Commerce requires so much input from customers, so many different points of entry and so much complexity that it provides far more chances for thieves to break in.

Now combine all those potential points of entry with a big diversion, such as a denial-of-service attack to distract admins from warning flags about security breaches, and it's clear just how risky online commerce has become for all E-tailers.

As for Sony, there are two bits of irony. If the company—for which E-tail is just a sideline—hadn't been selling things online, the security hole in its E-Commerce systems wouldn't have been there for the thieves to use to sneak in.

And if Sony's network admins hadn't been so focused on keeping the PlayStation Network up in the face of the denial-of-service attack, the breach might have been detected and blocked early on. Instead, admins kept the site up for three more days—and, thanks to the breach, it has now been offline for two weeks.