Saturday, May 7, 2011

Play by Play: Sony's Struggles on Breach


On a Tuesday afternoon last month, engineers working for Sony Corp. were baffled when several servers running the company's PlayStation Network suddenly turned themselves off and then back on.


At the time, the unexpected rebooting seemed like an odd malfunction. The next day, however, the engineers found the first evidence that an intruder had penetrated Sony's systems, prompting the Japanese company to take what it calls "the almost unprecedented step" of shutting down the popular online gaming network.

Sony Chief Executive Howard Stringer issued a public apology this week for what the company later disclosed was a data breach that compromised more than 100 million user accounts on three public networks, and a delay in informing users of the theft. Sony says the loss included users' names, birthdates and passwords. It also hasn't ruled out the loss of credit card numbers associated with the Sony PlayStation network.

Some analysts believe the incident, which has drawn the attention of authorities around the world, will cost the company more than $1 billion for measures that include new security and a $1 million insurance policy for any victims of identity theft. The company hasn't provided its own estimate of the cost. It also hasn't resumed operating the network, but has said it is in final testing and is expected to do so within days.

"Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries," this ranks "at the top" of data breaches to date, said Cynthia Larose, an attorney specializing in privacy matters with Mintz Levin in Boston.

PlayStation Network, which is accessed by owners of Sony game consoles, uses 130 server systems and 50 software programs and has 77 million user accounts, according to a letter that Kazuo Hirai, president and group chief executive of Sony Computer Entertainment Inc., sent Wednesday to a U.S. congressional committee. That letter, and a similar account included in a letter Friday to Sen. Richard Blumenthal (D., Conn.), provide the most detailed accounts of the incident.

Sony's troubles began in January, after it sued a 21-year-old software wiz named George Hotz for posting software that let gamers reconfigure the company's popular PlayStation 3 console. The suit enraged a loose community of vigilante technologists that calls itself "Anonymous," which in early April made an oblique threat against the company. Sony's PlayStation Network began suffering intermittent outages, which the company later linked to a denial-of-service attack—a common maneuver that attempts to overwhelm a target's servers with a flood of data traffic. A week later, Sony said it settled with Mr. Hotz, but the denial-of-service attacks continued.

Sony said in the letters that its difficulties in discovering the intrusion that occurred later that month may have been exacerbated by its security teams working very hard to defend against the denial-of-service attacks. It acknowledged, however, that it may never know whether people who participated in the denial-of-service attack were conspirators in the data breach.

Though Anonymous has denied being involved in the data breach, senior Sony executives believe a person or people affiliated with the group are responsible for the data theft, according to someone familiar with their thinking.

On April 19, according to the letters, engineers noticed servers rebooting themselves when they weren't scheduled to do so. They began combing through logs generated by the machines to find the problem. The network team concluded that "unplanned and unusual activity was taking place on the network," and took four servers offline, working into the evening investigating the machines. The next day, the company mobilized a larger team to study the four machines, an effort that later led to evidence six more machines were possibly compromised, according to the letters. That afternoon, the network team discovered evidence of an intrusion and that data of some kind had been transferred off the PlayStation Network servers without authorization.

Unable to determine what type of data had been transferred, the team opted to shut the network down. Sony posted a three-sentence notice April 20 on its PlayStation website that said nothing about the data breach. That afternoon, the company retained a security consulting firm and began a two-day process of copying the contents of the servers so they could be analyzed. It later retained a second and ultimately a third outside firm, beefing up manpower as part of the painstaking analysis. The Federal Bureau of Investigation was notified of the intrusion on April 22, with a meeting set up to provide details five days later.

"We're aware certain functions of the PlayStation Network are down," wrote Patrick Seybold, a Sony spokesman. "We will report back here as soon as we can."

By the evening of April 23, according to the letters, the company and its consultants were able to confirm that intruders had used "very sophisticated and aggressive techniques" to obtain unauthorized access to its servers. The intruders hid their presence from system administrators, obtained privileges to access restricted parts of Sony's systems and deleted log files to hide their activity, Sony says. It took until April 25 to confirm the scope of the data believed to have been taken from its systems, Sony wrote in the letters. The next day, Sony told its customers their personal data had been stolen, urging users to change passwords and check their credit card accounts for fraudulent behavior. It later offered free time on the system and identity theft monitoring services as compensation in the U.S.

The company says it didn't learn until May 1 of another likely theft at Sony Online Entertainment—another network serving games for PC users—involving nearly 25 million user accounts. That second discovery was made only after the Sony unit rechecked its machines—which earlier showed no evidence of the theft—using information developed by security experts working for Sony, according to the letter sent to Mr. Blumenthal.

"I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process," Mr. Stringer said in his statement Thursday.

Sony has provided few specifics about the attackers' techniques, citing worries that the information could be used to penetrate other similar systems. During a press conference last weekend, however, Sony senior vice president Shinji Hasejima indicated that the intruders exploited a vulnerability in a program called an application server—a flaw not known to Sony—to get past the company's firewall defenses.

The attack "came in as a normal transaction, which could not be detected by the firewall and went out as an ordinary transaction," Mr. Hasejima said. "It was a very skillful approach."

Though they deleted most traces of their activity, according to the Sony letter, the attackers did leave a file called Anonymous that included the digital posse's tagline, "We are Legion."

In a press release on May 4, Anonymous reiterated that it had not orchestrated the data theft. "Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history," the group said. "No one who is actually associated with our movement would do something that would prompt a massive law enforcement response."

—Don Clark, Juro Osawa and Ethan Smith contributed to this article.
