Tuesday, April 21, 2015

Final blog post first draft: The Hacks on the PSN (2011)



The Sony PlayStation Network (PSN) has had a handful of hacks and incidents since its release in November of 2006, from jailbroken PS3s to a mass intrusion of privacy, but the hacks that took place in April and June of 2011 were two for the record books. In April, Sony said it discovered that between the 17th and 19th an "illegal and unauthorized person" got access to 77 million PSN users' names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and more. At first, Sony and the rest of the world believed it to be George Hotz, the hacker who made public instructions on how to jailbreak your PS3. It later turned out that LulzSec, a splinter hacktivist group of Anonymous, was responsible, using a DDoS attack on the network: deliberately flooding the PSN server with traffic, causing a loss of income for a company that does business online. Jake Davis (20), Mustafa Al-Bassam (18), Ryan Ackroyd (26) and Ryan Cleary (21) from LulzSec all claimed responsibility and pleaded guilty. This hit Sony big time, shutting them down for nearly a month to try to recover and costing just about $171.1 million in damages.

A few months later, a separate attack on the PlayStation Network, Sony Online Entertainment and Sony's Qriocity media-streaming service led to the theft of private data pertaining to more than 100 million user accounts, including credit-card numbers. All three services were offline for more than three weeks. Anonymous later came forward and took credit for the attack, saying that it was unintentional that they obtained the information of all PSN's users. The attack used a basic SQL injection to expose millions of users' personal data, 3.5 million digital coupons and 75,000 music codes.

A couple of questions that I would ask Sony are:

  • Why were PSN passwords apparently stored in plain, human-readable text?
  • Why were email addresses, personal details, and credit card details also stored in unencrypted form?

While it might be impossible to fully prevent unauthorized access to a system, it's very simple to encrypt data in a way that both secures user privacy and makes it almost valueless to any hacker who intends to use that information for personal gain, profit or otherwise.

Some questions that I have for the hacktivist groups are:

  • Why make user accounts public? Users aren’t the ones at fault so they shouldn’t be the ones that are punished.
  • Instead of hacking a big league company like Sony, why not simply inform them that their security was not as tightly secured as they claimed it to be? Why was the result of your hacking necessary?

If I were in either of the hacktivist groups' shoes, I would probably have the same ideals in terms of trying to make being online safe for all users. As I mentioned in one of my questions to the hacktivists, I would simply inform a company that did business online that the security they claim to be foolproof isn't. I wouldn't put any of the users at risk because that isn't my goal.


5 comments:

  1. Very interesting! I didn't see a place in this post where you situated the moral philosophy ideas in the context of other philosophers. Don't forget that the guidelines advise you to do that!

  2. Strength/Insight/Improvement
    This is one of my favorite topics so far. As a video game fan, I remember this accident, but thanks to you I now know more about it.

    Like Monica said, as an improvement just support your opinion with philosophers that value the right of privacy.

  3. Great intro, but what is the moral point of view, is it who is to blame? Maybe make that clearer and then back it up by the philosopher's point of view.

  4. This is a very interesting topic. I had heard about it but didn't really know the details and what actually happened. You did a great job describing the case, telling us what happened, who was involved and what was compromised.
    To improve your post, I would suggest you use a philosopher to back up your ideas, and also, like Mzqueen Green said, be more specific on what your point of view is.

  5. Very well explained case! Maybe your moral point of view can come from the hackers' intention. Then add on with your point of view and philosophers' moral views.
