
Recent high-profile cyber attacks have dented the image of Japanese technology giant Sony and left millions of customers worried about the security of their personal information. An attack in April resulted in the company’s PlayStation Network being taken offline; the personal information – including credit card details – of more than 77 million users was compromised. Subsequent attacks in the past few days have exposed further vulnerabilities in Sony’s infrastructure, with more users’ information being released to the public.

Dr Philip Branch is a network security expert at Swinburne University.

WHY HAS SONY BEEN TARGETED IN THIS WAY?

Sony is a big target and a well-known target, and there’s a lot of kudos within the hacker community for these sorts of exploits. But I think the reason the company’s facing repeat attacks is that its security probably isn’t as good as it could be. Certain people may have seen the first, really big attack, felt that security at Sony is inadequate and thought: “What else can we get up to?” So it comes down to being a prominent target, but also a juicy target.

WHY ARE HACKERS FINDING IT SO EASY TO ACCESS INFORMATION BEING STORED ON SONY’S SERVERS? ISN’T THIS INFORMATION ENCRYPTED?

Encryption is fine if someone loses a back-up but a piece of software needs to be able to “see” the data whether it’s encrypted or not. This software presents some kind of credential to the system which essentially says: “Here I am, give it to me”. Maybe the data on Sony’s servers _is_ encrypted but as far as the software accessing the data is concerned, the data is in its raw form.

THE SONY HACKERS USED A TYPE OF ATTACK KNOWN AS AN “SQL INJECTION”. WHAT IS THIS, AND HOW DO THESE ATTACKS WORK?

SQL (Structured Query Language) is what’s known as a query language for databases – a way that applications, programs and systems can query databases. SQL allows a user to say things such as: “give me this value in the field”, or “give me this particular email address” or “give me this user ID” or “give me all values between here and here”. On any site there will be a range of forms: “Join our mailing list”, for example – those sorts of forms. SQL injection attacks work by putting in the basic commands the SQL database recognises, which will return results. So the form might say: “Enter your email address”. You can put in a couple of SQL commands, with a few characters to say “we’re talking to the database”, and it will spit out some of the tables in the database. This is surprisingly simple to do, which is why it’s so strange people at Sony haven’t defended the company against this kind of attack.

WHAT STEPS CAN BE TAKEN TO PREVENT SUCH ATTACKS?

The first thing would be what’s known as “input validation”. If you’ve got a field that’s only meant to accept email addresses, you make sure that what’s entered looks like an email address. My email address is [email protected] – so if I started putting in slashes and stars and spaces when I log in, my address would be rejected by the system. The second thing is something called “stored procedures” and this puts a lot of restrictions on what people can do. These procedures actually write the SQL (which adds information to the database) and the user issues the SQL command with parameters by filling in the form.

GIVEN THESE ATTACKS ARE SIMPLE TO PREVENT, WHY WAS SONY VULNERABLE?

I really don’t know. Maybe something got missed during development, or got missed during testing: maybe they didn’t do much testing of the security. I’m at a loss to understand how it could happen.

WOULD OTHER COMPANIES OF SONY’S SIZE BE VULNERABLE TO THESE SORTS OF ATTACKS?

I think it’s extremely unlikely Sony is alone in having these vulnerabilities, which is frightening. Most companies have lots of different systems. Someone that puts together a particular system, a form for signing up for a newsletter, say, might not have the expertise or understanding of these security-related matters. I think Sony is unlucky, actually.

SO WHAT’S NEXT FOR SONY AND ITS SUBSCRIBERS?

It seems Sony is doing all the right things at this point. The company has engaged external security firms to look for evidence of identity theft and so on, but if I were a subscriber I’d have a very close look out for strange transactions on my credit card. I’d consider changing my credit card. The reason these attacks are so spectacular is because, not only did these hackers get so many people’s data in these attacks, they seemed to get everything there is to _know_ about these people. It’s very worrying from a consumer’s point of view.
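
The two defences described in the answer on prevention, input validation and SQL issued with parameters, can be seen side by side in the following added example, which is not part of the interview. The `subscribers` table, its rows and all function names are hypothetical, and a parameterized query stands in for a stored procedure because SQLite has none.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a hypothetical mailing-list table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [("alice@example.com", "Alice"),
         ("bob@example.com", "Bob"),
         ("o'brien@example.com", "Pat")],
    )
    return db

# Input validation: the whole value must look like an email address.
# The apostrophe is allowed because real addresses may contain one.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def looks_like_email(value):
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

def lookup_concatenated(db, email):
    # Weak form: the field is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is read as SQL.
    sql = "SELECT name FROM subscribers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # Corrected form: validate first, then send fixed SQL text with the
    # value bound as a parameter, so it is only ever treated as data.
    if not looks_like_email(email):
        raise ValueError("input does not look like an email address")
    sql = "SELECT name FROM subscribers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input, not a real address
    print(lookup_concatenated(db, probe))   # weak form, unvalidated input
    print(looks_like_email(probe))          # validation verdict on the probe
    print(lookup_parameterized(db, "o'brien@example.com"))
```

The address containing an apostrophe passes validation yet breaks the concatenated query, which is why validation is paired with parameters rather than used on its own.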