The Spanish police say they've taken down three of the people allegedly behind the massive PlayStation Network security breach in April. But while it's probably comforting for Sony to have someone to blame, this doesn't mean the company has any reason to rest easy when it comes to security threats.
For the record, Sony doesn't have anything to say about the arrests. "We don't comment on pending investigations," said company spokesman Patrick Seybold in a statement. But whether or not Sony was in any way involved with identifying the three detained by Spanish police, just the fact that Sony is popping up in the news again in connection with claims made against supposed members of the hacking collective Anonymous could invite more payback.
The three are said to be associated with Anonymous. Internet chat rooms frequented by people associated with the group are already abuzz today with threats of retaliatory attacks. And a blog posted to AnonOps simply had a picture of the "V" from the movie "V for Vendetta," titled "V for Spain" with the caption "Expect us."
And on Twitter it added, "We are Legion, so expect us."
The "legion" thing is what makes it hard for Sony, the Spanish police, or anyone to rest easy. Anonymous and other hacking collectives like to emphasize how widespread their networks are and, in turn, why finding and arresting one or three people won't stop them from cybersecurity shenanigans.
And it's not just Anonymous that Sony and others have to worry about. The growth of "hacktivism," or groups of hackers with political agendas, has been rapid in the last six months, said Dave Jevans, Chairman of IronKey.
"In this environment right now, hacking has become far more organized. There are new hacking collectives being formed every month or two it seems," Jevans said. "They've politicized hacking so the environment is far more dangerous than it was six months ago."
In the last few months, we've seen RSA, Google, Citibank, Acer, PBS, FBI partner Infragard, and the Turkish government targeted in separate cyberattacks. And Sony has taken some of the worst blows, including the attack that left its PlayStation Network out of commission for almost a month. Though no one has publicly taken credit for that breach, other groups have repeatedly targeted Sony, seemingly at times just because they could. There have been about 20 attacks on Sony just in recent months.
Sony turning into hackers' whipping boy is likely to be related to the state of Sony's Web security, which is still widely regarded as subpar.
The hacking group Lulzsec taunted Sony for its poor security on Twitter for days before posting 150,000 records it stole from SonyPictures.com and Sony BMG in Belgium and the Netherlands last week. The group subsequently posted source code it took from the Sony Computer Entertainment Developer Network.
On the site Pastebin, where Lulzsec dumped the information stolen from Sony's sites, the group said breaking into Sony's sites was not that complex.
"What's worse is that every bit of data we took wasn't encrypted," the group wrote last week. "Sony stored over 1,000,000 passwords of its customers in plain text, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."
Jevans, who besides heading up IronKey is the chairman of the Industry Anti-phishing Working Group, says Sony has a lot of work ahead of it before it can feel comfortable with security threats out there.
"The information we've learned on the data breach as far as how Sony was storing information indicated to me a fundamental lack of security expertise as a company," he said.
Sony will basically have to overhaul its entire security operation, which is no small task.
"Now is the time to aggressively hire really good people and review millions of lines of their code," said Jevans.
"It took years of Microsoft training and hiring security people," to get where they are today, he said. Similarly, Sony will have to "put new policies put in place, get training for all their developers. It'll probably take two years to get to the point where the right security stuff is in place."