Hackers turn PlayStation into pay station
In late April, a hacker breached Sony's PlayStation Network and stole the names, home addresses and perhaps even the credit card numbers of some 70 million subscribers, who play and download games through the online service.
Engin Kirda, an associate professor with joint appointments in Northeastern's College of Computer and Information Science and Department of Electrical and Computer Engineering, assesses the impact of the attack, which he says represents the "largest loss of private information to date."
How easy is it to hack into a network, like Sony鈥檚, and steal personal information? How difficult is it to combat?
Although we have recently seen very sophisticated attacks against security companies such as RSA, Comodo, and HBGary, most of the successful attacks are still quite simple in nature. In many cases, a simple programming mistake on a company's website can lead to complete compromise over time.
Attackers typically proceed step by step. For example, they might first compromise the web server and then move on to attack other critical components, such as databases and mail servers. Many attacks today also use so-called "social engineering" techniques. In phishing attacks, for example, a user might be tricked into downloading and installing malicious software, which can then help the attackers gain access to sensitive data.
To my knowledge, it is not very clear what vulnerability or technique the attackers used to break into Sony's systems. In any case, we have witnessed the largest loss of private information to date. At Northeastern, my security group is working on techniques to automatically detect vulnerabilities in software systems in order to prevent attacks. We are also looking at how social engineering attacks work effectively in practice, and why users often fall for such attacks.
The PlayStation Network has been down for almost three weeks after Sony promised that it would be back online within a day or two. Why is it taking so much longer than expected?
It is not easy to say why things are taking time to fix without having knowledge of the internal discussions at Sony. My guess would be that Sony is trying to make sure that its systems are secure so that something like this does not happen again. Suffering a similar attack after the network goes back online would be very embarrassing for them.
It could also be that their systems are so complex that a quick fix is impossible. Often, bad design decisions are the hardest to fix. Some of my colleagues at Northeastern are working on the problem of designing systems in a secure way from the start.
Should users who play or download games on the PlayStation Network be hesitant to log back on? What type of impact can hackers have on the bottom line of a company like Sony?
Once the systems go back online, I would not be hesitant to log back on. Having said that, I would advise all users to change their passwords and also make sure that they have not used the same password that they used on Sony on other sites, such as Gmail or Yahoo. It has been reported that many passwords have been stolen, and attackers often use stolen passwords to log on to other websites to send spam.
I would also advise Sony users to be wary of phishing attacks. The attackers are probably going to use the information they have stolen to craft authentic-looking phishing e-mails. I would not be surprised if such phishing e-mails were designed to look as if Sony had sent them. There are also reports that credit card information has been stolen. If you had your credit card information stored on the Sony site, then it would be wise to regularly check your credit card statements.
Provided by Northeastern University