Attacks on Sony, others show it's open hacking season

There seems to be a groundswell of hacking activity recently. From the Epsilon breach that touched dozens of major U.S. companies and their millions of customers, and RSA replacing its customers' SecurID tokens after attacks on several defense contractors to Sony sites getting pummeled by hackers on a regular basis--all within the last few months.

What's going on?

"I truly don't think there's a higher instance of hacking right now. I think there's been a wave of media coverage," said Bruce Schneier, chief security technology officer of BT and one of the most respected security experts around. "We saw the same thing with shark attacks. It's not that there are more shark attacks. It's that they made the news when people started looking for them."

No one can really say if there are more attacks happening. Reports indicate that the number of breaches is rising every year, as can be expected. But those statistics are based only on incidents that are reported; there are untold numbers that happen all the time that no one knows about except the attacker and, eventually, the victim.

But it's clear that more attacks are bubbling to the surface lately. And they are various types of attacks, not just the data breaches that expose sensitive consumer personal data and thus trigger state disclosure laws.

RSA

Take, for example, RSA. The company sells SecurID tokens that are used by corporations, government agencies, and any other organization that needs to provide a way for workers to remotely access a sensitive network securely. SecurIDs are the industry standard for two-factor authentication, requiring users to supply a one-time numerical code from the device along with a password to log in.

RSA shocked the security world when it announced in March that it was victimized by an "extremely sophisticated cyberattack" in which sensitive data related to the SecurID technology had been pilfered and could be used by attackers to get access to networks of RSA customers who rely on the technology.

RSA has been mum on the details of what was stolen, but it did hold private briefings with its most important customers, ostensibly to help them shore up their defenses in light of the breach. Despite that, two defense contractors--Lockheed Martin and L-3 Communications--reported attacks on their systems that exploited data stolen from RSA. Another, Northrop Grumman, unexpectedly shut down remote access to its network last month, which led to speculation that it had had a SecurID-related incident. Following news stories about the incidents, which experts speculate may have a tie to China, RSA said this week it would replace SecurIDs for customers concerned about the risks.

Those types of industrial cyber-espionage incidents aren't new, but the successful attack on the security pioneer and technology provider RSA is significant and has broad impact. Companies can move to other solutions, but replacing big security deployments within an organization is not cheap or easy.

Meanwhile, Google said last week it had thwarted an attack aimed at snooping on hundreds of Gmail accounts owned by U.S. and other government officials, journalists, and political activists that appeared to originate in China. (Hotmail and Yahoo accounts also have been targeted in similar attacks, according to Trend Micro.) Google has been more candid and forthcoming than other companies in going public with attacks aimed at it or its customers. The company set a precedent in announcing an espionage-related attack on its network in early 2010 that also targeted what turned out to be about 30 other companies.

Cyber-espionage is sexy, but attacks on databases containing customer information are more common for the financially motivated cybercriminals who litter the Internet. We've had a fair share of those recently too, notably Epsilon, an e-mail marketing service provider. In April, a breach at Epsilon turned the formerly obscure company into a household name practically overnight. All of a sudden customers of big companies like Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon got e-mails warning them that their e-mail addresses were exposed in the one data breach.

In a different type of attack in March, hackers targeted companies that provide digital certificates that are used by Web sites to prove they are legitimate. A number of the certificates were fraudulently obtained, which could have allowed attackers to spoof major sites, including Google, Yahoo, Microsoft's Live.com, and Skype. The certificates were stolen from Registration Authority resellers for Comodo. A 21-year-old Iranian patriot took credit for the attacks, saying he did it to protest U.S. policy and as revenge for last year's Stuxnet malware that experts believe was created to shut down Iran's nuclear program.

Public whipping boy

But the headlines of late have the word "Sony" in them. The company has been victimized so frequently and publicly that one of the hacker groups targeting it came up with a new word--"Sownage"--a play on the company's name and "pwnage," which stands for "pure ownage" and refers to taking control of a Web site, or "owning" it.

"Sony has become, for some reason, the public whipping boy" for hackers, Schneier said.

Sony's recent troubles started with a spat over customers hacking its PlayStation 3 device. After the company took some PS3 "modders"--hackers who modify the device for different users--to court, a loose-knit group of hackers known as Anonymous launched a digital protest and shut down several Sony sites with a distributed denial-of-service (DoS) attack in early April.

Anonymous has a history of online activism, having targeted the sites of the Church of Scientology, the governments of Egypt and Iran, and the controversial Westboro Baptist Church. But the group really made its mark when it championed the cause of whistleblower site WikiLeaks last year. Anonymous organized a series of attacks against PayPal, Visa, MasterCard, and other companies that had stopped enabling contributions to WikiLeaks.

Weeks after the DoS attack, an attacker got into Sony's network and compromised personal data of 77 million PlayStation Network customers, including possibly credit card information, prompting Sony to shut down the network. Less than a week later, Sony announced that data of more than 24 million Sony Online Entertainment customers had also been exposed. Combined, the PSN and SOE breaches are the second-largest in U.S. history, according to the DataLossDB site.

Since then there's been a veritable avalanche of reported attacks on Sony's sites, with Sony Music Indonesia defaced; a phishing site found on a Sony server in Thailand; and records breached on sites in Japan, Greece, Canada, Belgium, the Netherlands, and Russia. About 37,500 customer records from a Sony Pictures site was exposed last week, Sony said today, and there were reports of data leaks related to the Sony Computer Entertainment Developer Network (proprietary code) and Sony BMG. The Attrition.org site has a comprehensive timeline of the attacks on Sony here, which lists the total number of attacks since the Anonymous attack at 17, not including the DoS attack. Meanwhile, the site lists more than 40 older attacks on Sony sites, so clearly attacking Sony is not a new pastime.

"The Sony hacks are nothing but pile-on," said Schneier. "'Let's have more fun at Sony's expense. Ha ha.'"

The Sony attacks have spawned attacks on other targets and copycats, including Acer Europe, Sony Europe, Nintendo, and FBI partner Infragard. In a particularly audacious move, members of the LulzSec hacker group harassed one Infragard victim who made the big mistake of using the same password on multiple e-mail accounts and sites. In e-mails and chat messages, LulzSec members bullied the chief executive of a security-related start-up, trying to get money and data out of him. The hacker group, however, claims it was just trying to set up the victim to prove that whitehat hackers who work on the good side of the law aren't any less corruptible than blackhat hackers. When the CEO refused to cooperate, the group went public with his information.

LulzSec and other hackers are no doubt taking their cue from the success of Anonymous in its online protests and its new-found high profile. They realize that it's fairly easy to make a splash, particularly with an anti-establishment message. LulzSec has even taken action to show solidarity with WikiLeaks, hacking PBS.org, leaking passwords, and posting a fake news article on the site as punishment for what it said was a biased Frontline program about WikiLeaks.

Hacking revival

While the RSA, Epsilon, and espionage attacks are truly threatening, some people seem to be enjoying the playfulness of the less destructive, more pranksterish attacks against Sony. These hacks of protest harken back to the days of DoS attacks on Yahoo and eBay and numerous Web site defacements in the 1990s, before e-commerce was so prevalent and organized criminals moved online.

"We are seeing a revival of the sort of hacking we have not seen in many years," said Marc Maiffret, chief technology officer at eEye Digital Security. "The hacking that has been taking place recently against Sony and others is a reminder that the hacker culture prior to our fixation on cybercrime and 'China is scary' is still alive and well."

"Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold," Patrick Gray wrote on the Risky.Biz blog. "It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts."

The Web of 2011 offers a more fulfilling playground for hackers than it did in past decades, not just because the number of targets is so much greater, but the tools of self-expression are more varied and effective. For instance, Twitter offers a perfect platform for publicity, and LulzSec makes use of it, frequently posting information about new hacks, boasts, and threats, as well as solicitations for donations.

"It hasn't been this bad since 2003 when all the worms were hitting, and even then we only had three worms" that targeted Microsoft customers by exploiting holes in Windows, said security researcher Dan Kaminsky. "Now governments are involved, defense contractors are involved, kids with Twitter accounts are involved."

Does this mean the rules of engagement have changed for companies going forward and that they will have to be careful not to anger hackers with a cause?

"I don't think it's necessarily going to change companies' behavior that much," said Chris Wysopal, chief technology officer at Veracode. "But I hope it will serve as a lesson to companies that if you have Sony vulnerabilities you're at a huge risk if someone decides to try to publicly flog you."

Updated at 11:30 a.m. PT with Sony Pictures saying 37,500 customer records were exposed last week.

Correction at 10:45 a.m. PT: This story initially misstated the name of the company where Marc Maiffret is CTO. It is eEye Digital Security.