
Sony Hack Speaks To Proliferating Threat

Sony Hackers

First Posted: 05/09/11 09:46 AM ET Updated: 07/09/11 06:12 AM ET

Sony is run by a bunch of greedy morons who stupidly left their systems vulnerable to an attack by hackers: This is the conventional explanation of how the company finds itself bent into a familiar pose of contrition, following news that cyber-pirates breached its defenses, potentially gaining access to troves of valuable information -- credit card numbers, email addresses -- for more than 100 million customers.

If only life were so soothingly simple. The Sony data hack and the predictable pursuit of villains carry a dose of false comfort, implicitly affirming the assumption that someone must have fouled up to create such a menace to privacy and commerce; someone must have failed in a readily identifiable way, because this surely can't be the ordinary state of events. But the blame narrative masks an unsettling question: What if Sony did the best it could to protect itself, and the pirates still won? What if the company employed the best defenses available, yet they proved inadequate in the face of a decentralized and proliferating threat?

Sony has captured headlines because it is one of the world's most conspicuous consumer brands, and the recent attacks on its network have been both brazen and successful. But the list of companies that have been targeted by similar plots is lengthy and growing.

Last month, the online marketing giant Epsilon confirmed that hackers made off with personal files relating to customers of Best Buy and J.P. Morgan Chase, among other firms.

In February, officials at Nasdaq, the giant stock exchange, confirmed that hackers penetrated servers used to handle communications for some 300 major corporations. The breach did not affect stock trading, and resulted in no stealing of customer data, Nasdaq said.

Congress and assorted government offices collectively absorb 1.8 billion cyber attacks each month, according to Senate Sergeant-At-Arms Terrance Gainer, as cited by Politico. Over the last five months of 2009 alone, some 87 Senate offices and 13 Senate committees were on the receiving end of emails that contained malicious files, the Politico story detailed.

Russian hackers have been implicated in penetrating Citibank ATM systems to make off with cash.

Last week, as the House Subcommittee on Commerce, Manufacturing and Trade convened to probe the public's vulnerability to cybersecurity breaches, Rep. Mary Bono Mack (R-Calif.) kicked off the proceedings with some eye-catching numbers: In April alone, some 100 million records were put at risk through 30 data breaches at hospitals, insurance companies, universities, banks, airlines and government offices.

The hearing she oversaw was part of a public flaying faced by Sony in the wake of disclosures about the penetration of its popular PlayStation gaming network -- an episode Bono Mack referred to as "the great Brinks robbery of cyber-attacks." Far be it from anyone to dismiss the curative powers of an old-fashioned Washington flaying, but the search for simple villains seems misguided, as if more about sowing feelings of greater security than actually delivering it.

Officialdom clearly ought to try to figure out what Sony knew and what it did to protect its customers from harm, holding its executives to account. Inquiry is healthy. But the nature of the inquiry underway seems more theatrical than substantive; an effort to satisfy the public that all is in order by pinning bad outcomes on bad actors, rather than a reasoned inquiry directed at addressing a collective vulnerability.

One cybersecurity expert, Eugene H. Spafford of Purdue University, came before Bono Mack's panel and confessed he had no idea who was actually at fault or what had gone awry, even as he fingered Sony and Epsilon for greedily cutting back on security measures.

"Both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data," Spafford testified in his prepared remarks.

How did he know that? "I have no information about what protections they had in place," he said, "although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."

None of this is to exonerate Sony, Epsilon, or the other companies that have been penetrated by the apparently growing legions of hackerdom. Let us hope that experts continue to probe for weak points and advocate that gaps be plugged as they are identified. If the culprit proves to be an unwillingness to spend on security by the companies entrusted with our personal information, bring on Congressional compulsion.

That said, there is an uncomfortably familiar quality to this narrative, a reflexive assumption of prescribed roles: Congressional inquisitors and investigative reporters taking on the chiefs of wayward corporations, as if the problem can be solved by identifying the villain. (Indeed, Sony and Epsilon both stepped right into their assigned roles as their executives opted not to show up for the ritual excoriation before Congress.)

We saw this last summer, amid the disastrous oil gusher in the Gulf of Mexico, as BP and its contractors all pointed fingers at one another, trying to stick the other guy with legal liability. Here was a case where blame and media scrutiny were not only justified but productive, an instance where the companies appeared to value their own bottom lines over the safety of their workers and the sanctity of the environment: The disaster could presumably have been avoided had BP and its contractors operated more carefully, maintained their equipment and heeded warnings of danger.

When planes crash, it is logical to assume that something terribly unusual happened and press to identify what precisely failed. When toxins pop up in the food supply and kill people, here, too, the search for a malefactor aligns with the public interest.

But given the ubiquity of the threat involved in the issue of cybersecurity -- 1.8 billion attacks on government offices a month! -- these breaches seem less like an oil spill or a plane crash or an instance of food poisoning, and more like a situation where the available brainpower and technology may simply not be up to the task of providing protection. The threat may be so diffuse and sophisticated that there are no products that can fully safeguard the data.

Consider the abundance of cyber-crime and the blame game seems not only unfair but even dangerous, a diversion from the serious process of collectively coming up with counter-measures. The search for a villain is more about feelings than security, a way to tell ourselves that we are not at risk. This is human. We hear someone got cancer or died in a car crash and we have questions that are really attempts to assure ourselves that there are ways to avoid a similar fate: Was he a smoker? Had she been drinking before she got behind the wheel?

Sony and Epsilon and the other firms in possession of our vital information -- where we live and how to reach us; what medicines we take, and how much money we control -- may be staring at such a complex assortment of threats coming from so many different angles that the traditional mode of accountability may be effectively bankrupt.

In children's stories, wicked witches can be melted into puddles, their black magic defeated -- night-night, sweet dreams.

In messy grownup reality circa 2011 -- and especially in cyberspace -- threats mutate and evolve. Sony and Epsilon may be less the villains than fellow victims, part of a modern society that has entrusted its most valuable gold -- information -- to a frontier that has so far proven beyond taming. That argues not for a blame game but for a sustained process of inquiry aimed at delivering effective policing.

littlebrowngirl
Brevity is the soul of wit - Shakespeare
07:29 AM on 05/11/2011
Sony is responsible. If they store the data, they are supposed to protect it. The same goes for any other company that stores your data. I am not even sure why Sony needs to store this data in the first place.
10:52 PM on 05/10/2011
I just took a class in this field and anyone who thinks their system is secure is an idiot. A few years ago a university did a study to see how long it would take an unsecure computer dialed into the Internet to be attacked. If you think it was days, wrong; if you think it was hours, it took a mere 2 hours and some change to successfully infiltrate and infect that computer. Just think what someone can do if they have all the time in the world to hack your system even if you have NIPS, HIDS, Firewalls and Anti-virus software; a lot shorter than you think.
yukonsam
This space reserved for self-referential irony.
11:44 AM on 05/10/2011
SOE's hamfisted ineptitude at attempting to protect its intellectual property and at community relations makes it a huge target. If a company treats all its customers as potential criminals, it shouldn't be surprised that some tiny fraction will fulfill those expectations.

That said, there's no excuse for this hack. This is an implicit threat against the CUSTOMERS: if you continue to do business with this company, we will get you.

I will continue to do business with Sony Online Entertainment, despite their myriad shortcomings, because they have products and services that I want. As a legitimate client, I will continue to voice my displeasure at their shortcomings. But I will not be pressured or threatened into ceasing my activities by anybody.

Catch the criminals. Put them away. And then let's have an adult conversation between company and clients about how not to turn your fans and supporters into a bloodthirsty lynch mob.
08:04 PM on 05/13/2011
All the webpages I read are blaming Sony and their security. While they are not communicating with their customers clearly, no one seems to be pissed at the attackers that took the network away from 100 million people because their 2 hacker friends were being cut down by the sword they chose to live by. They attacked millions of people for wrongs done to a couple. Sounds like not just Cyber crime, but cyber terrorism.
If I knew where to find these clowns, I COULD beat them to death with their keyboards and monitors. But just because I COULD, does not mean I SHOULD. I know this, why don't these computer "geniuses"? If they are ever caught, I hope they are prosecuted to the full extent of the laws in all the countries they broke laws in. If not, may they come to realize their actions were not noble, but pathetic. If they happen to read this = You're so good at hacking into systems, use your talent to better the world, not inconvenience millions of people just trying to unwind with video games at the end of their days. Maybe one day you could put your skills to use to help the world. If not, well then I'll see you all in hell.
HUFFPOST SUPER USER
Mark Knudsen
11:20 AM on 05/10/2011
GREED, EGO, AND PRIDE, when we spend most of our daily activities defending those precious characteristics of our lives how do we find time and energy to do anything else to make this world a better place. It not only goes on today as exhibited in the daily news here, and other places it has been going on all through history and we who perceive ourselves as being the Q.E.D. of everything can't seem to get it through our heads to try something different. All you young bucks and buckies show me your mettle, by quitting all this whining and do something other than what you all have historically been doing to no avail for centuries...TALK...the old viking.....Hope this isn't considered too off subject by mentors to get zapped...
11:26 AM on 05/10/2011
How do posts like that babble ever get past the moderators?
HUFFPOST SUPER USER
Mark Knudsen
01:36 PM on 05/10/2011
maybe....they see with wider vision than some who keep going round and round...but again blessed are those who go round in circles (like our society) all day, for they shall be called wheels but then again wheels are marvelous collectors of dirt or mud or manure depending where they travel.... the old viking
11:16 AM on 05/10/2011
The Sony break-in does not worry me all that much, nor do most of the other highly publicized ones.

What does worry me is the ones we don't hear about, and I am betting there are a lot of them.

But companies being careless with customer data is nothing new - back in the early 90's there was some brief excitement when it was found that a major corp had tossed printouts of part of its customer database into a publicly accessible recycle dumpster.

In the 70's it was people going through trash to get paper credit card receipts.

But people themselves are remarkably careless about their own data - for an example just google the first 5 or 6 digits of your SS number, and you will find some SS numbers posted on the internet in resumes and bios.
HUFFPOST SUPER USER
realitytrumpsbull
Two 'alves of coconut!
10:56 AM on 05/10/2011
"If a man can make it, a man can break it"-Anon.

No computer system is 100% hack-PROOF. Somebody out there either has the knowledge, or the skills to get passwords, either through social engineering, or other methods, and once they're 'in', they can pretty much do any damn thing they want to. Lots of little Mitnick Jr's running around out there on the internet.  And, government probably hires hackers, as do corporations...as do criminal organizations...it's all about money...
10:41 AM on 05/10/2011
There are always going to be inherent security vulnerabilities that can't be anticipated. But most of these successful attacks are via simple, mundane means that the companies EASILY could have protected themselves from if they had taken security more seriously. Real security imposes (fairly minor) additional burdens on the tech people, though, and as a result it is constantly ignored in the real world.

Most of this sort of thing doesn't happen because some eccentric genius has identified some subtle problem. Most of it happens because of poor decisions -- keeping data on internet-attached machines when that's not necessary, failure to adhere to known best practices, etc. -- and those could largely be avoided if companies paid enough for security and the people in charge of security got compliance from the rest of the employees.

It's more a social and economic problem than a technological one, in the end. If the market actually punishes companies for these screwups, they will become much rarer. Alas, holding people like the decision-makers at Sony responsible is rare. But that's what should happen.
10:39 AM on 05/10/2011
Let's agree that Sony was criminally negligent and deserved to be hacked because of their treatment of the "little" guy. But Goodman still makes a good point. Our data will always be vulnerable because some people who are really talented in security measures will always choose the dark side. You can't stop talent, even when it is being misused.
HUFFPOST BLOGGER
Andrew Reinbach
is Grand Vizier of ReinbachsObserver.com
10:22 AM on 05/10/2011
The answer to your question is that the phrase "Secure network" is an oxymoron, Mr. Goodman. I covered bank computer security beginning in 1997 and my best sources told me as established fact that no network is "secure"--that the more a hacker examined a network, the more vulnerable it appeared to be. The techniques range from simple to complex, but along a spectrum that ranges from highly-trained hackers operating with government backing, to kids using tools they can buy on any black site, no system exists that can't be broken into. What we like to think of as attacks bouncing off impervious barriers is in fact an ongoing game, and considering the volume of attacks, it's surprising matters aren't worse, because the points of entry are so very many. Just a few years ago a kid with a laptop got so far into a merchant's network that he set up two different depositories for credit card information--on the merchant's computers. He downloaded them at his leisure. And this was a kid; the government guys do much better. The money stolen? Just the cost of doing business for the merchants. Now, take that information and apply it to the battlefield networks our Army uses, and you've got a real problem.
10:42 AM on 05/10/2011
Just what I was trying to say, but said much better. F&F
king soloman
I'Am the cats Pajamas! ! ! !
12:53 PM on 05/10/2011
You should go post that on Sony's blog. A lot of idiots over there crying that Sony should have not let this happen. They don't realize nothing is secure anymore. Plain and simple.
09:34 AM on 05/10/2011
I can't help but think Sony's lock down of the box (preventing users from installing Linux) and their efforts to prosecute the guys that figured out how to get control of the hardware, hardware the user owns, btw, has something to do with this.

I see this hack as an act of non-violent protest. That said, if the credit card numbers are used, then it's something more than breaking and entering.
09:17 AM on 05/10/2011
"What if Sony did the best it could to protect itself, and the pirates still won? "

But this did not occur, all we have to do is look at Sony's latest statements on the new security steps they are taking and ask "Why were all of these security measures not in place to start with?".

These companies know that even with a huge security breach most customers are not going to leave them.

If all of the Executives had to have their personal information and credit information stored in the same databases as their customers perhaps they would actually care about security.
08:21 AM on 05/10/2011
When it comes to Government investigators vs. Corporations, I think we know how this will turn out. Data security costs money and generates no revenue. Corporations will continue to minimize it and the public will continue to pay the price.
HUFFPOST SUPER USER
WordProcessor
Republicans are not conservatives they're radicals
09:01 AM on 05/10/2011
Also as corps get cheaper and cheaper they create more disgruntled employees who are the real source of the problem. Hackers are not breaking codes, they are buying the passwords from employees of these companies who are treated poorly and have little job security.
08:00 AM on 05/10/2011
Want to get some first-hand information on Data Breaches?

Who is behind data breaches:
- 92% stemmed from external agents (of which 65% are located in Eastern Europe, incl. Russia and Turkey)
- 17% implicated insiders
- less than 1% resulted from business partners
- 9% involved multiple parties

What commonalities exist?
- 96% of breaches were avoidable through simple or intermediate controls
- 92% of attacks were not highly difficult
- 89% of victims subject to PCI-DSS had not achieved compliance

These stats were taken from the 2011 Data Breach Investigations Report put together, investigated and published by Verizon, the United States Secret Service and the Dutch National High Tech Crime Unit. They examined 800 data compromise incidents with a total of 4 million compromised records. These reports have been published annually since 2008 and if you want to know who's behind data breaches and how they occur you should read it.

The report can be downloaded at http://www.verizonbusiness.com/dbir/?utm_source=newsletter&utm_medium=email&utm_campaign=dbir2011&utm_content=customeremail
Flying Dutchman
Don't judge what you don't yet understand
06:28 AM on 05/10/2011
Sony did not do the best they could, they simply did not.
If they did the best they could, this major theft wouldn't have happened in the first place.
Sony screwed it up, it's that simple.
Of course they blame a couple of script kids for it, there are more than enough people who want to believe that.
Sony customers paid for the PS3 console, games and services, so it is up to Sony to make sure their customers are safe. That safety should have been priority number one, apparently it wasn't, hence the theft. So blame on Sony.
Sony has to deal with this, just like a bank has to deal with robbers and thieves, it is their responsibility.
When was the last time a bank employee told you you couldn't make a withdrawal because all your money was gone as a result of a robbery? You wouldn't accept that, would you?

Sony has a very smart legal department that screwed a lot of good paying customers by downgrading the PS3 for whatever reason, it just isn't the device they advertised and customers bought, but customers have to suck it up because of the fine print.
So if Sony tells its good paying customers how it is, but can't protect those customers, that's the world upside down!
HUFFPOST SUPER USER
frank day
Obama cares about all of U.S.
08:20 AM on 05/10/2011
Sony is the worst run electronics company by far.

Their technology is often amazing. How they implement their business model is lacking.

We have been lured into products like the original PSP, only to have Sony fail to deliver as promised.

We are done with Sony.
Flying Dutchman
Don't judge what you don't yet understand
10:33 AM on 05/11/2011
I agree, partly.

I still own a 300 euro PS3, it would be a waste to never use it again. By the way, Mass Effect 2 kicked monkey @ss, I can't wait for the next episode.

Sony did put a nice Blu-ray player / media render on the market a while ago, it really is a neat device, a lot of functionality, more functionality than the PS3 (except the gaming part of course), better media rendering etc.

The whole problem here is the extremely aggressive attitude of the legal department of Sony, many legal people don't understand that there is quite a gap between written law and law in practice, in my opinion it makes Sony look very arrogant and stubborn.