Amazon's cloud may have been a cheap platform for PlayStation hack
Breach may be the first time a cloud service blamed for attack
- By Kathleen Hickey
- May 18, 2011
A major hack of Sony’s PlayStation Network that reportedly came via Amazon’s Elastic Compute Cloud (EC2) service has become a wake-up call for government officials and IT personnel to take cloud security issues seriously.
The FBI will likely investigate Amazon’s network to determine what happened, and identify the attackers and their funding source, said E.J. Hilbert, president of security company Online Intelligence and former FBI cyber-crime investigator, Bloomberg reported. Bloomberg, citing an unidentified source, reported the hacker’s use of Amazon’s EC2 for the hack in the same article.
The hack, in which the attackers accessed personal data from more than 100 million customer accounts for PSN and Sony's Qriocity streaming video and music service in April, is the first acknowledged time a cloud service has been used to wage an attack, reported Popular Science.
The PlayStation Network is still not fully up and running. And even though Sony has hired three security firms to investigate and is working with law enforcement officials, including the FBI, Sony CEO Howard Stringer said “he can't guarantee the security of its videogame network or any other Web system in the ‘bad new world’ of cyber crime,” according to a report in the Wall Street Journal. Stringer further warned that the global financial system, the power grid and air traffic control systems were also all vulnerable to similar attacks.
The hack is actually one of two the network is dealing with – a new exploit occurred the morning of May 18, reported gaming website Nylevia. The new attack uses an account’s e-mail address and user’s date of birth to change the account password.
Security experts agree on the cloud’s current security vulnerabilities.
“Anyone can go get an Amazon account and use it anonymously,” Pete Malcolm, CEO of data management company Abiquo, told Bloomberg. “Realistically, Amazon can’t do anything to prevent it. ... There is no way of telling who’s a good guy and who’s a bad guy.”
The hackers purchased time on Amazon’s cloud – Amazon charges 28 cents per minute for the service – to gain access to Sony’s PlayStation network, making it an affordable and easy cyber crime attack method.
Sony’s chairman, in a letter to Congress, earlier said that a distributed denial-of-service attack, possibly by the hacker group Anonymous, played a part in the breach.
The hack happened about the same time that part of Amazon’s network went down for two days, taking with it several popular social networking sites, the Energy Department’s OpenEI.org site, and others, GCN reported. The Recovery Accountability and Transparency Board’s Recovery.gov site, also hosted by Amazon’s affected cloud, switched to a new location as part of its backup plan and stayed in operation.
Not only is it easy for hackers to gain access to cloud networks, but they are also much harder to catch than if they were hacking from their own computer systems, Malcolm said. Plus, the ability to use multiple servers in the cloud makes many tasks, such as cracking passwords, easier, Ray Valdes, an analyst at Gartner Inc., told Bloomberg.
Cloud security has long been ignored by vendors and customers alike. A recent report issued by the Ponemon Institute, sponsored by CA Technologies, found that the vast majority of cloud service providers -- 73 percent of U.S. service providers and 75 percent of European providers responding to the survey -- said their cloud services did not substantially protect and secure confidential or sensitive information, GCN reported.
A major reason security has gotten short shrift? It’s not a high priority for customers. According to polled vendors, the primary reasons customers purchased their solutions were cost reduction (91 percent), ease of deployment (79 percent) and improved customer service (37 percent).
Kathleen Hickey is a freelance writer for GCN.