Security Expert: Sony, Microsoft Should Hire Hackers

June 2, 2011

Ligatt Security International's Gregory Evans says that both the PlayStation Network and Xbox Live remain vulnerable to cyber attacks and that both companies should consider hiring hackers to test security.

"Most big corporations have what’s called an annual security audit and they go out and hire outside security companies," Ligatt Security International's Gregory Evans told Industry Gamers. "But they’re nothing but a bunch of IT managers who went out and got a bunch of certifications and now they come in to see if your system is truly hacker proof. These IT managers who take the test to become a certified computer hacker or a CISSP (Certified Information System Security Professional) have to work in a lab and hack into a system that’s in a controlled environment."

Evans goes on to say that a "true computer hacker" will test a target system where others might not think to check. Testing security in a controlled environment doesn't make a lot of sense, he adds. Evans also said that Sony has been punished by the media for its honesty, and that corporate hacks happen all the time, with most never being reported.

"Sony has about 100 million customers out when they got hacked, they’re out there at the forefront of the news, but big corporations get hacked every single day," he added. "Only 17 per cent of companies whose computers were hacked report them to law enforcement due to fear of negative publicity. 90 per cent of Fortune 500 networks have been hacked."

Evans thinks that online gaming is a significant security threat that most gamers aren't aware of.

"It’s not just Sony gamers that are at risk. It’s anyone who has any online gaming console like Xbox or Wii. Nothing’s 100 percent secure," he warns. "Even if Sony had never been hacked, when anybody goes online to do anything, play games, search the internet… you’re always taking a risk that somebody might get your information."

"When you’re connected to your Wi-Fi and you’re playing online games it’s opening up hundreds of ports. Each one of those ports is like a door that a hacker can use to bypass your firewall and get into your computer. In the gaming community, most people don’t even know this is happening."

Source: MCV


Comments

Re: Security Expert: Sony, Microsoft Should Hire Hackers

I disagree with this.

From what I gather (and details are rather sparse), the problem was not technological, it was cultural. Management support and resources were simply not being put into network security and the dull tasks of keeping servers up to date. You do not need 'hackers' to tell you that you need to keep up with your patches.

It sounded like it was more of a case of Sony simply not wanting to properly fund the 'unsexy' activities involved in maintaining such a network.  The solution to that is changing the attitudes of upper management.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

The OS / vendor supplied apps aren't the only place for holes. Keeping patched is a bare minimum and shouldn't even be in question.

Are there SQL injection vulnerabilities? Path canonicalization issues? Buffer overflow in custom apps? Do you not do authorization / authentication properly (see: Rebug)? There's a lot more there than keeping servers patched.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

That is kinda my point.  They were not even doing the bare minimum. 

It is kinda pointless hiring people to do intrusions and look for more advanced vulnerabilities if the corporate willpower for doing even the baseline updates is not there. Hiring hackers solves the wrong problem.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

Not entirely the wrong problem. One of the base things to do is scan for lack of patches. As long as the testing was done on the same environment, the problems would've been found.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

But if management is not willing to fund patching in the first place, they are not going to fund it because a new hire says 'oh, we found these problems'.

Finding holes is not the problem, management support for taking the time for ongoing maintenance is. Fixing holes just isn't sexy enough.

If they did hire hackers... here is probably what would happen...

hackers do their tests, provide list of problems.

management looks at list, goes 'wow, this is bad', then does nothing.

problems do not get fixed since new feature requests take priority

hackers are eventually fired because they have not proven their value.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

Even if their security was kept up to date this could have happened. Having people who have at least some experience with hacking on staff means someone who can find security holes and likely ways to patch them.


Re: Security Expert: Sony, Microsoft Should Hire Hackers

True, I can agree to the utility of someone going red team on Sony... BUT if they were not even willing to keep their software up to date with the basic security patches I doubt more advanced advice will do them any good.

This is the equivalent of tech support asking 'did you try plugging in the computer?' when the customer's 'friend' is suggesting replacing the video card.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

These are people you want on your side.

Keep your friends close...

Re: Security Expert: Sony, Microsoft Should Hire Hackers

This would make perfect sense. The folks at Sony and Microsoft would also be wise to read Clifford Stoll's "The Cuckoo's Egg." The book details Stoll's real-life experience about being hired by the government to track down a hacker after he had reported a discrepancy in their systems. Stoll himself wasn't a hacker, but he knew their mindset, and it would help if they hired him and people like him as consultants.

Of course, this being the most sensible thing to do means they probably won't do it.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

They don't even have to hire black hat hackers. There are plenty of white and grey hat hackers who are willing to work as security experts for large companies. These people know the methods and thought processes of black hat hackers and will be a tremendous help.

For those not aware: black hat means illegal hacking, white hat is mostly research and consulting, grey is in the middle.

E. Zachary Knight
Divine Knight Gaming

Re: Security Expert: Sony, Microsoft Should Hire Hackers

Well... white hats sometimes operate on their own accord. For example, a white hat belonging to a community that hears that accounts are being stolen could try and find the weakness on his own and then give all relevant information to the company. The main point being they would not exploit the weaknesses they find nor publicly advertise them.

This is also where some hackers become grey hat. They grow impatient with the lack of patching or want to draw attention to something and publish the details of the weakness. While not exploiting it for their own gain, it is definitively not a white hat move to do so.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

In that case, Stoll could be considered a White Hat hacker, then.

Re: Security Expert: Sony, Microsoft Should Hire Hackers

I honestly would agree.

Hackers would know the methods and know that if they can break in, others can too.

 