It's been two years since Sony first experienced major security breaches to its PlayStation Network in 2011, one of the largest data security breaches in our industry's history. This event, representative of the security risks of modern consoles, offers a glimpse into how all console owners can be affected by decisions of console manufacturers. Now with a new generation of consoles in reach, just how much can be said of what's been learned from the security features of our current systems?
Both Sony and Microsoft maintain experienced security operations teams to identify breaches, a fact that Sony's chief information security officer revealed to be the key to secure systems. But even with new consoles on the horizon, a senior security advisor at Sophos Inc. tells Polygon the future of console security has little to do with hardware architecture at all.
The 'Preventable' data hack
PlayStation Network went dark for just over 20 days in 2011 between late April and early May, following a crippling cyber attack that reportedly exposed the private information of millions to hackers. In the wake of the 2011 breach of Sony's PlayStation Network, the Information Commissioner's Office released its official report confirming that names, addresses, dates of birth and payment card information were indeed at risk. The ICO would later fine Sony over what it called a "preventable" data hack.
Now in 2013, just how much has changed in the enforcement of online security?
Sony confirmed PSN credit card information remained encrypted at the time of the intrusion, but other user data - including passwords, which had only been passed through a "cryptographic hash function," a one-way transformation that is not strictly encryption - was not.
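To make the distinction in that paragraph concrete, the following is an added example, not code from the article or from Sony, showing why "hashed" is not the same as "encrypted" and why the details of the hashing matter to a defender. A plain hash is one-way but deterministic, so two accounts with the same password produce the same digest and a precomputed table of common passwords exposes them; a salted, iterated password hash (here PBKDF2-HMAC-SHA256 from Python's standard library, chosen as an assumed defensive scheme, not one the article attributes to Sony) gives each account a distinct digest and slows bulk guessing. The sample password and storage format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration; not from the article.
SAMPLE_PASSWORD = "correct horse battery staple"


def plain_hash(password: str) -> str:
    """Unsalted SHA-256 of a password.

    One-way (there is no decrypt function, unlike encryption), but
    deterministic: every account with the same password stores the same
    digest, and a precomputed table of common passwords reveals it at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing
    record 'pbkdf2$<iterations>$<salt hex>$<digest hex>' (assumed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time; the original password is never recovered."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def compare_schemes(password: str) -> dict:
    """Store the same password for two constructed accounts under both
    schemes and report whether the stored values collide."""
    plain_a, plain_b = plain_hash(password), plain_hash(password)
    salted_a, salted_b = hash_password(password), hash_password(password)
    return {
        "plain_digests_identical": plain_a == plain_b,    # True: linkable across accounts
        "salted_records_identical": salted_a == salted_b,  # False: salt differs
        "salted_verifies": verify_password(password, salted_a)
                           and verify_password(password, salted_b),
        "wrong_password_rejected": not verify_password("not the password", salted_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(SAMPLE_PASSWORD).items():
        print(f"{key}: {value}")
```

The point for an operator reviewing a breach like this one is that "the passwords were hashed" only bounds the damage if the hash was salted and deliberately slow; an unsalted fast hash of a weak password offers little more protection than the plaintext.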
As a direct response, the company revealed its intentions to prevent future breaches through enhanced levels of data protection and encryption, an enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns, as well as the introduction of additional firewalls. The PlayStation maker also confirmed the creation of a new data center set in an undisclosed location following the breach, alongside the naming of a new chief information security officer.
Changing the way we think
Speaking at a panel held by the Homeland Security Policy Institute at the start of this month, Sony's chief information security officer Philip Reitinger commented on the necessity to focus on ability over credentials when it comes to the hiring of workers in cybersecurity fields. Reitinger, himself a Certified Information Systems Security Professional, added to an ongoing debate over whether requiring cybersecurity workers to have certification before being hired causes those workers to lose incentive to learn beyond what was included in their certification test.
"I don't care if they've got a community college degree. If they know their way around a kernel, and they can tell me about buffer overruns and different ways to attack and they've got the skills to get the job done, they've got a job," Reitinger said, offering insight into the hiring philosophy within Sony's security sector.
"Protecting your account from unauthorized access and fraud is a top priority for us," Microsoft said in an official post on its updated Xbox Live terms of use. "It helps keep Xbox Live safer and more secure for everyone." Microsoft's new terms also cover what information the company can share with partners who publish apps, like HBO Go, Netflix, ESPN, Last.fm and others that require a separate user account.
"If you choose to link this account with your Xbox Live account, we confirm key data points across the accounts by sharing data such as your name, address, email address and date of birth with the partner," the post reads. "In this TOU update, customers agree to allow Microsoft to share this information in this manner."
But as Reitinger notes during last week's panel discussion, cyber attacks will always beat out defensive measures when it comes to security.
Attacks always beat defense
"The overarching problem we've got in cyber security right now is that attack beats defense," said Reitinger. "Technically there's no clear way to solve the problem and so if somebody wants to get into your networks they will get into your networks. Technology will help with the problem, process can help with the problem, but neither solves the problem. What that means is that you've got to have good people. You absolutely have to have good people. What all of us in this field do is we find the good people who work for our friends and we try to steal them from our friends."
Responding to whether the new PS4's network security was now considered up-to-date by ICO, lead communications officer James Stanley told Polygon the organization does not keep "on-going" critiques of companies. Likewise, as of press time, Sony declined to comment on what specific changes have been introduced since 2011 that will keep user data more secure than it previously was.
"Sony never confessed as to what happened the first time with regards to PSN being compromised," Sophos Inc. senior security advisor Chester Wisniewski said in a statement to Polygon. "The security of PlayStation Network will likely remain a mystery."
While it may remain a mystery, the new PlayStation 4 architecture — based on an x86 processor instead of the proprietary CELL processor of its PlayStation 3 predecessor — does not make the machine itself "inherently more hackable," Wisniewski told us. Earlier this year, Sony's Mark Cerny explained the company's decision to base its new console on the x86, describing the move as an attempt to make it easier for developers to code on the machine.
However, Wisniewski adds, "it is true that there is a far greater number of people who know how to dissect and write malicious code for x86 CPUs."
"The future direction, including Xbox One and PS4, of protecting gaming networks from cheating and piracy is more likely to depend on network verification features rather than trying to do everything in hardware in the consoles themselves."
But it also depends on staff and education, Reitinger maintains throughout the panel.
"What I would like to see is political leaders: the President, the secretary of defense, the secretary of security, not just calling up the team that wins the world series but attending the U.S. cyber challenge and being there to give out the award to someone, to generate stories and press and to have kids say 'that's cool' [when talking about cyber security.] The 'astronaut model' is the right one now [to follow]. We want kids to think of [a career in cyber defense] that way."
This is part of Polygon's Gen Next series, stories that will examine the transition from current-generation to next-generation consoles, what it means if you don't make the transition and if and when you should. Follow along here.