Thursday, April 28, 2011

On-line Security, They Told You So

The news for on-line security has been pretty grim recently. I've personally been affected by user data theft at Epsilon and Sony's Playstation Network. Epsilon's breach, which revealed names and e-mail addresses, was low impact, but Sony's loss of control of everything you give them is no small matter: name, address, credit card number, card expiration date, date of birth, e-mail address, username, and password. Storing your credit card number was optional, but the rest was mandatory to access PS3 features such as on-line play, downloadable content, and third-party services such as Netflix streaming. That is most of what someone needs to steal your identity. Furthermore, if you thought of this account as a throw-away, you may have reused a username and password that you use elsewhere, letting an attacker walk into those other accounts, gather still more information, and sell it to the highest bidder. And given that you have to enter your username and password with a D-pad and an on-screen keyboard, a pretty frustrating system, users were certainly incentivized to pick short, easy-to-type passwords, exactly the kind a dictionary attack recovers first.

We trust companies who store our personal information in an on-line system more than they deserve. According to Sony's FAQ on the breach, credit card numbers were stored encrypted, and they are only warning customers to assume their card numbers were taken out of an "abundance of caution." Encryption at rest only helps if the attacker who reached the database could not also reach the key, and Sony has said nothing about where that key lived or whether the rest of the personal data was protected at all. That statement, together with the announcement that they are rebuilding the network from scratch with security upgrades, says to me they aren't very confident in the encryption, key management, or communications security they used to move that information around. It is hard to believe that anyone scrutinized their system before it was approved to store all this information and expose it to the open internet.

It shouldn't be possible for this to happen to all 77 million of their customers in a single breach. The idea that a firewall keeps the bad guys out has been disproved again and again. Critical information needs to be protected on the assumption that the bad guys are already inside your network: a copy of the user table on its own should yield nothing usable. Simple, mature techniques for doing that have been in place, implemented on many platforms, and promoted by security experts for many years: https (TLS) for data in transit, AES for data at rest with the key kept somewhere other than the database, and passwords stored as salted, deliberately slow hashes rather than anything reversible. Some of this, such as enabling TLS or column encryption, really is close to ticking a checkbox; key management and password hashing take some design, but none of it is research. All the security experts get to say, yet again, "I told you so."
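To make the "assume the bad guys are inside" point concrete, here is an added example (my own code, not Sony's and not from the original post) that stores a few constructed accounts three ways, plaintext, unsalted SHA-1, and salted PBKDF2, then runs the same small dictionary attack an intruder would run against a dumped table. The usernames, passwords, wordlist and the PBKDF2 iteration count are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for this example; not real PSN data. The
# passwords are the short, easy-to-type strings a D-pad keyboard encourages.
SAMPLE_USERS = [
    ("gamer1", "password"),
    ("gamer2", "123456"),
    ("gamer3", "Tr0ub4dor&3"),   # not in the attacker's wordlist
]

# A tiny dictionary of the kind an attacker tries first (constructed).
ATTACKER_WORDLIST = ["password", "123456", "qwerty", "letmein", "sony"]

# Kept low so the example runs quickly; raise it substantially in production.
PBKDF2_ITERATIONS = 50_000


def store_plaintext(users):
    """The worst case: the table itself is the secret."""
    return {user: pw for user, pw in users}


def store_unsalted_sha1(users):
    """Hashed but unsalted: identical passwords hash identically, and one
    precomputed lookup table cracks every user at once."""
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in users}


def store_salted_pbkdf2(users):
    """Per-user random salt plus a deliberately slow key derivation function."""
    table = {}
    for user, pw in users:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        table[user] = (salt, digest)
    return table


def verify_pbkdf2(table, user, password):
    """Server-side login check; constant-time compare avoids a timing leak."""
    salt, digest = table[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# --- The attacker's side: each function takes a dumped table ---------------

def crack_plaintext(dump):
    """Nothing to crack; every password is readable. Work: zero hash operations."""
    return dict(dump), 0


def crack_unsalted(dump, wordlist):
    """Hash the wordlist once, then look every user up in the result."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in dump.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """The salt forces one KDF run per (user, guess) pair; no shared lookup table."""
    cracked = {}
    work = 0
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ITERATIONS) == digest:
                cracked[user] = guess
                break
    return cracked, work


def compare_schemes(users=SAMPLE_USERS, wordlist=ATTACKER_WORDLIST):
    """Run the dictionary attack against all three storage schemes.

    Returns {scheme: (sorted cracked usernames, hash operations spent)}.
    """
    results = {}
    cracked, work = crack_plaintext(store_plaintext(users))
    results["plaintext"] = (sorted(cracked), work)
    cracked, work = crack_unsalted(store_unsalted_sha1(users), wordlist)
    results["unsalted_sha1"] = (sorted(cracked), work)
    cracked, work = crack_salted(store_salted_pbkdf2(users), wordlist)
    results["salted_pbkdf2"] = (sorted(cracked), work)
    return results


if __name__ == "__main__":
    for scheme, (cracked, work) in compare_schemes().items():
        print(f"{scheme:14s} cracked={cracked} hash_operations={work}")
```

The output shows the two sides of the argument at once. A plaintext dump needs no cracking at all, and an unsalted hash is only marginally better because the attacker hashes the wordlist once and matches all 77 million rows against it. Salting and a slow KDF make the attacker pay per user, which is what turns a single breach into 77 million small problems instead of one big one. But gamer1 and gamer2 still fall under every scheme: no storage technique rescues a password chosen for a D-pad, which is why reusing that password on other sites is the real damage.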