playstation network pwned; hard questions for sony

In case you missed it, the recent PlayStation Network outage has finally been acknowledged in a Sony release. If you were thinking it was a DoS, you’re wrong. It was complete pwnage [emphasis mine]:

…we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

In short, this is a big deal. Maybe not ultimately to Sony/PSN, but it is a big deal for the industry. And these are the hard questions:

1. How did this one breach disclose so much? Was it one issue or several that were leveraged? (As a learning opportunity, which is better, a single issue that caused your (gigs of) data to be exfiltrated or a series of leveraged weaknesses?)

2. No password hashing? Encrypting? Credit card information segregated/tokenized/hashed/encrypted? If it was, was the key management that poor? I hate to be the one to say it, but let’s hear that PCI compliance status… (without the PCI marketing spin)

3. What was Sony’s security budget? Or, more broadly, what was its budget for technology and the protection thereof?

4. If Sony’s deep pockets and ability to fund a deep budget didn’t help, is this further illustration of security futility? If nothing else, it’s an illustration of how digital security is viewed in profitable enterprises…

5. What if Sony *has* done risk analysis and determined to accept whatever risk was present? (Even the act of not doing anything is an unspoken acceptance of risk, in my book.) This is my biggest problem with risk and probability: you’re still susceptible to that one-in-a-hundred-years hurricane scenario, and heads will roll. It’s also my biggest problem with security and the media: we, in security, believe that you *will* fail, and the media will always sensationalize everything it can. This will always shake out against us, even when we do things absolutely correctly (and what organization lets us even come close to doing things absolutely correctly?).

6. Do you blame the attacker or do you blame Sony?

7. What was the time-to-breach after they leveled their attacks against you? I’m hoping it wasn’t hours, days, or even weeks… I’m also hoping their breach-to-detection time is small.

One thing I won’t harp on is how long it took Sony to announce something to its customers. A 6-day period during which it took the network down to analyze the extent of the breach is not something I can get especially upset about. And you certainly don’t want to tell 70 million customers something until you know it for sure; not just because of a loss of customers, but simply because if you’re wrong, you’ve just done fucked up even worse. This is an announcement you take the time to get right, and 6ish days is not unreasonable. Does this mean an attacker may have had free rein over credit card information (etc.) for 6+(time of breach-to-detection) days? Yes, but when is that *not* the case?