The hacking of Sony’s PlayStation Network has put the issue of internet security under the spotlight. So just how safe are we when we go online? Grant Woodward reports.
WHEN computer giant Sony shut down its PlayStation Network a fortnight ago it wasn’t just the fact they were unable to go online to play the latest Call of Duty video game that troubled the system’s three million British users.
It emerged that the company had been forced to freeze the system because someone had managed to hack their way in and steal gamers’ personal information.
The names, addresses, email addresses, birth dates, usernames, passwords and even password security answers of the system’s 77 million global users were all snatched in the online raid.
Sony says that credit card information may also have been taken but cannot say for certain.
So far the company has refused to confirm whether passwords were stored in files protected by encryption, a process that would have made them useless to criminals.
It has sparked concerns that users’ other accounts may now be at risk due to the fact that many people use the same password for several different sites.
Sony has told customers: “If you use your PlayStation Network user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.”
The breach represents one of the biggest ever cases of data theft and raises new questions about the safety of the confidential information we put online.
Dr Nick Efford, a lecturer in the School of Computing at Leeds University, said it placed the whole issue of internet security under the microscope.
“It’s surprising that it is a company of Sony’s size that this has happened to because you generally expect the bigger firms to have more resources to devote to security and to take it more seriously.
“I think it shows to everyone that you can’t be complacent and simply assume that a big and prominent company is going to be better at keeping its systems secure.
“The problem is that keeping these systems safe is a real challenge because they are highly complex. An attacker only needs to find one chink in the armour to get in and there are some very clever people out there who are trying to do just that.”
He says successful hacks on this scale are few and far between, but believes the incident is a wake-up call for companies and customers alike.
“It does highlight that we need to keep in mind that the details we put online are not 100 per cent secure.
“In Sony’s case we don’t know how well protected the actual details were. There’s a suggestion that details weren’t encrypted or protected at all, which would be a serious error on Sony’s part. So the question arises as to how many services we use online are a bit lax.
“I’m sure there will be a lot of companies quietly checking their own networks and procedures just to make sure, because something as prominent as this is a huge embarrassment to Sony and will affect their business for some time to come.
“Part of the problem we have these days is that the pace of development is so fast that if you’ve got an original idea for a new service you need to bring it out quickly to beat the competition.
“Unfortunately that means systems are developed very quickly and can have bugs in them or are not adequately tested.”
As far as the theft of credit card and password details is concerned, Nick says it’s hard to say which is the more serious.
“It depends to a large extent on individuals. If you’re the sort of person, who many people unfortunately are, who uses the same password on many services then your password being compromised might be more serious.
“You can easily cancel a credit card – and probably should do if you bought anything from the PlayStation Network – but if you’ve used the same password on several different sites then it’s quite a difficult job to change all those passwords.
“In theory passwords are actually very secure. There are a huge number of different eight-character passwords available if you allow yourself any character on the keyboard.
“But in practice people only choose from a small range of names and things they can easily remember and tend to use those same passwords again and again because with all the online services we use these days it becomes difficult to keep track of them.
“When people sign up to some fancy new service on the web they need to look at the amount of personal information they are required to put into the system and be aware there may be a risk of it being divulged.”
Nick says it’s difficult to speculate exactly how the Sony breach happened without more information, but typically these things boil down to one of two things, or a combination of both.
“One is a software vulnerability. A piece of software they’re running as part of their network has a bug in it that the attacker was able to exploit to gain privileged access to the system.
“The other possibility is human error. Because these things are so complex, setting them up is difficult and people can make mistakes. If that mistake is discovered that can then lead to a compromise of the system.”
Emlyn Butterfield, a senior lecturer at Leeds Metropolitan University, runs a course in computer security and ethical hacking.
He says there are three different types of hacker: those who do it for criminal reasons, those paid by a company to hack into its network to test its security and those who do both.
Emlyn argues we are naive to think the information we provide online may not end up in the wrong hands.
“Any time your personal information is taken you’re going to be worried and a bit angry. You’re putting your trust in a company to look after your data and keep it safe. But people automatically assume that it’s going to be secure rather than considering if it’s going to be secure.
“They use the same passwords and email addresses on different websites, often using passwords that can be easily guessed.
“It might be your mother’s maiden name or a mixture of your wedding anniversary and your kids’ names. All these things are quite easy to find if you look on social networking sites like Facebook, LinkedIn or MySpace where you’ve voluntarily recorded personal information.
“People can go on to those sites and start compiling lists of your potential passwords. Once they find out your username or email address they can then trial these different passwords to try to get into your accounts.
“Another thing in criminals’ favour is the fact that cash doesn’t change hands these days and that makes it ripe for criminals looking to siphon off money from people’s accounts.
“You used to get cash in hand and you knew what you had left over at the end of the month. These days everything is done electronically and most of us don’t pay much attention to our bank statements.
“That makes it far easier for someone to take a few pounds here and there. Over the years that builds up to a heck of a lot of money but chances are we will never notice because we’re not looking at our accounts that closely.
“To get business these days companies have to be online, but that creates a hole into your company through which people can attack you. With a website you have databases that are connected to it which need to be accessible to customers logging on to the website and staff at the back end.
“All companies have to comply with the payment card industry standards to be able to process debit and credit cards. You assume big companies like Sony, PayPal and so on will look after your details and keep all that data secure, but as soon as they set up these sorts of systems their security is weakened because there are people out there actively trawling these sites trying to find a way in.”
The authorities regularly set up so-called ‘honey pots’ to combat hackers.
These weakened computer systems analyse all the traffic they receive and monitor what methods hackers are using to attack them.
This information is then used to create more sophisticated and secure networks in a bid to keep hackers out.
But Emlyn warns that the theft of passwords and credit card details could be just the tip of the iceberg.
“You imagine if you could take down an entire country by hacking into the power grid, the nuclear power plants and all the rest of it.
“A lot of that sort of stuff is offline so can’t be accessed. But if you could get into any part of that and disable something, you could cause havoc.
“It sounds like the plot of a Hollywood movie, but it’s perhaps not as far-fetched as we would like to think.”
FIVE WAYS TO STAY SAFE ON
* Use websites you trust rather than sites you have not heard of before.
* Try to use complex passwords and avoid using the same password for different sites.
* Don’t allow your computer to automatically remember your passwords.
* Install a firewall and anti-virus program on your computer.
* Keep a close eye on your bank account and query any unusual payments.