How next-gen is next-gen console security?

From: Polygon

By Emily Gera

It’s been two years since Sony first experienced major security breaches to its PlayStation Network in 2011, one of the largest data security breaches in our industry’s history. This event, representative of the security risks of modern consoles, offers a glimpse into how all console owners can be affected by decisions of console manufacturers. Now with a new generation of consoles in reach, just how much can be said of what’s been learned from the security features of our current systems?

Both Sony and Microsoft maintain experienced security operations teams to identify breaches, a fact that Sony’s chief information security officer revealed to be the key to secure systems. But even with new consoles on the horizon, a senior security advisor at Sophos Inc. tells Polygon the future of console security has little to do with hardware architecture at all.

The ‘Preventable’ data hack

PlayStation Network went dark for just over 20 days in 2011 between late April and early May, following a crippling cyber attack that reportedly exposed the private information of millions to hackers. In the wake of the 2011 breach of Sony’s PlayStation Network, the Information Commissioner’s Office released its official report confirming that names, addresses, dates of birth and payment card information were indeed at risk. The ICO would later fine Sony over what it called a “preventable” data hack.

Now in 2013, just how much has changed in the enforcement of online security?

Sony confirmed PSN credit card information remained encrypted at the time of the intrusion, but other user data – including passwords which had only been transformed with a “cryptographic hash function,” a method that makes use of an algorithm that isn’t strictly encryption – was not.

As a direct response, the company revealed its intentions to prevent future breaches through enhanced levels of data protection and encryption, an enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns, as well as the introduction of additional firewalls. The PlayStation maker also confirmed the creation of a new data center set in an undisclosed location following the breach, alongside the naming of a new chief information security officer.

Changing the way we think

Speaking at a panel held by the Homeland Security Policy Institute at the start of this month, Sony’s chief information security officer Philip Reitinger commented on the necessity to focus on ability over credentials when it comes to the hiring of workers in cybersecurity fields. Reitinger, himself a Certified Information Systems Security Professional, added to an ongoing debate over whether requiring cybersecurity workers to have certification before being hired causes those workers to lose incentive to learn beyond what was included in their certification test.

“I don’t care if they’ve got a community college degree. If they know their way around a kernel, and they can tell me about buffer overruns and different ways to attack and they’ve got the skills to get the job done, they’ve got a job,” Reitinger said, offering insight into the hiring philosophy within Sony’s security sector.


While Reitinger emphasizes the need for creative hiring practices, so far both Sony and Microsoft, in preparation for the launch of next-generation networks on the foundation of current-gen online services, have highlighted the need for users to protect themselves from potential security risks. In light of the upcoming Xbox One release, Microsoft has already made its new Xbox Live terms of use available, asking “all users to commit to keeping their contact information up to date” in an effort to bolster security.

“Protecting your account from unauthorized access and fraud is a top priority for us,” said the company in an official post. “It helps keep Xbox Live safer and more secure for everyone.” Microsoft’s new terms also cover what information the company can share with partners who publish apps, like HBO Go, Netflix, ESPN, Last.fm and others that require a separate user account.

“If you choose to link this account with your Xbox Live account, we confirm key data points across the accounts by sharing data such as your name, address, email address and date of birth with the partner,” the post reads. “In this TOU update, customers agree to allow Microsoft to share this information in this manner.”

A Sony representative told Polygon they are not aware of any similar security updates headed to the company’s terms of use for PS4, although the company recently released renewed Software Usage Terms stating the company will discreetly monitor and record PSN activity, including the content of voice and text communications. Sony previously reminded PSN users to keep a complex password and username combination not associated with other online sites following another hacking attempt in late 2011.

But as Reitinger noted during last week’s panel discussion, cyber attacks will always beat out defensive measures when it comes to security.

Attacks always beat defense
