Blame it on Amazon?
With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings. The latest is Bloomberg’s report,
“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”
While it’s mildly interesting that criminals choose to use Amazon servers, it’s not really surprising. Amazon Web Services offers great services at good prices, and attracts a wide range of customers – individuals, small business, and large enterprise all leverage their services. Given the alleged sophistication of the attack, EC2 is simply an obvious choice.
While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else. Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots. They probably even purchase their computers the same places we do.
The Sony PlayStation Network data exposure has two causes:
- Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information — was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
- The criminals. Let us not forget that Sony was the victim of a crime.
Like TJ Max, the Sony security breach should be a wake-up call. Consumers often feel safer dealing with larger, more established companies. But it appears that some of them don’t have security right yet.
We also need to understand that tracking down cyber criminals is becoming increasingly difficult. Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere. However, with the widespread proliferation of free WiFi hotspots and disposable mobile phones and data devices, we need to accept the fact that tracing an attack back to the source may not be possible and that more traditional investigation methods – like following the money trail – remain important and techniques must be constantly updated.