Just over two weeks since the PlayStation Network went dark on the twentieth of April, ten days since Sony's filing acknowledged the personal data of seventy-seven million users had been taken, and now Sony Online Entertainment with another twenty-four point six million on top earlier this week. The company has spent the past several days apologising in public and rather longer apologising in writing to the US House Energy and Commerce Subcommittee, where the letter and supporting filing went in yesterday. The board has bowed at a press conference. Class actions have been filed. The PlayStation Network is still offline at the time of writing.
There is a great deal of useful operational material that will come out of this incident over the next few months but very little of it is available now, because Sony has been understandably guarded about the technical detail. What I can say is that the Patrick Seybold blog post and the subsequent filings to the US Subcommittee describe a path that involves "discovered an exploit" — Sony's words — without further detail of where the exploit lived. The widely circulated speculation — that the public-facing PlayStation Network ran on Apache 2.2.15 with patches missing for known vulnerabilities, and that there was no firewall in front of those servers — has an originating source in a Reuters piece and several pieces of corroboration from people who claim PSN-internal knowledge, but is not, on present material, confirmed. Sony's wider statements have stopped well short of confirming or denying the configuration. I will be very surprised if the eventual technical post-mortem differs much from "unpatched Apache reachable from the public internet, no defence in depth behind it, large user-data store directly accessible from the application servers". That has been the texture of every breach of this scale that has actually been published in the last five years.
The aspect that has been under-discussed in the press coverage so far is the Anonymous angle. Anonymous-aligned operators ran an Operation Sony campaign through April in protest at Sony's lawsuit against George Hotz over the PS3 jailbreak — a lawsuit that, in the hot-button language of the relevant subculture, made Sony into an enemy of "freedom of innovation". Anonymous have publicly denied involvement in the breach, and the two activities — DDoS-and-defacement protest, and large-scale credential exfiltration — are different operational shapes carried out by different operators. But it is plausible that the Operation Sony noise gave the underlying breach operators cover to move during a period when Sony's incident-response team was distracted by surface-level political activity. This is the same shape that HBGary Federal demonstrated in February — Anonymous-style operations as cover or noise behind which more material exfiltration occurred — and it is a pattern I expect to see more of through the year.
For the seventy-seven million users, the immediate operational concern is credential reuse. Anyone whose PSN password was the same as their email password, or the same as their bank password, has a meaningful problem. The proportion of users who do this is, on every survey I have seen, somewhere between forty and sixty per cent. Sony has not yet confirmed how the passwords were stored — whether they were properly hashed, whether they were merely encrypted (which is meaningfully worse), or whether they were stored cleartext. The crisis-communications grammar in their statements — "we believe that an unauthorized person has obtained" and "while there is no evidence at this time that credit card data was taken" — is the same grammar I read in the HBGary incident and the Heartland disclosure two years ago. It is the grammar of an organisation that does not yet know.
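The three storage possibilities listed above differ in what a stolen table hands over, and the following added example (mine, not Sony's or any vendor's code) shows the difference in Python: cleartext is the password list, reversible encryption gives the passwords back as soon as the key that the application servers must hold is taken along with the table, and a salted, iterated hash can only be checked one guess at a time. The sample password and server key are constructed, and a hash-counter keystream stands in for a real cipher because the standard library has none.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration; not data from the incident.
SAMPLE_PASSWORD = "correct horse battery"
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def store_cleartext(password: str) -> bytes:
    """Worst case: the stolen table *is* the password list."""
    return password.encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Hash-counter keystream standing in for a real cipher (stdlib has no AES).
    # The argument needs only one property of any encryption: it is reversible.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_encrypted(password: str, key: bytes) -> bytes:
    """'Merely encrypted': the key must sit where the application can read it."""
    nonce, pt = os.urandom(12), password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))


def recover_encrypted(record: bytes, key: bytes) -> str:
    """Whoever holds the table and the key gets every password back at once."""
    nonce, ct = record[:12], record[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def store_hashed(password: str, iterations: int = 200_000) -> bytes:
    """Properly hashed: per-user random salt, slow iterated KDF, no inverse exists."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + iterations.to_bytes(4, "big") + digest


def verify_hashed(password: str, record: bytes) -> bool:
    """The only operation a hashed record supports: check one candidate."""
    salt, iters, digest = record[:16], int.from_bytes(record[16:20], "big"), record[20:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, digest)  # each guess pays the full KDF cost
```

The per-user salt means two users with the same password produce unrelated records, so no precomputed table covers the dump, and every guess costs the full iteration count against one record.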
The conversations I have been having through Hedgehog and the secondments this week have all turned, eventually, on the same point. Sony PSN is the sort of incident that boards now expect their CISO to brief on — and when the brief happens, the questions are not about Sony, they are about the equivalent risk in the board's own organisation. "Could this happen to us" is the real question, and the honest answer for most large consumer-platform operators is "yes, in some form, and we do not know enough about our own data flows to say how bad". I have been pulled into three of those conversations since the original disclosure. I expect the rest of May to look similar.
The narrower thing I am writing down is the operational pattern that Sony has now demonstrated for the third time in this incident alone. Step one: discover the breach. Step two: take systems offline before the incident-response team understands what has happened. Step three: spend two weeks trying to give the public an answer the company itself does not yet have. Step four: end up with a worse public position than would have come from saying "we know there has been an intrusion, we do not yet know what was taken, we are investigating with a target of giving you an honest answer in seventy-two hours". Sony are not unusually bad at this; they are typical. The communications pattern is the dominant failure mode of post-breach response across the industry, and it is more recoverable than most boards think. The recovery requires a CISO-and-comms relationship that does not exist in most companies.
There is much more to say about this when the technical post-mortem lands. For now I will be reading Robert McMillan at IDG and Brian Krebs for incremental detail, and I will be relieved when the network actually comes back up, because the scale of compromise will then start being measured against actual fraud activity rather than against speculation.