For as low as three pennies an hour, hackers can rent Amazon.com Inc. (AMZN)?s servers to wage cyber attacks such as the one that crippled Sony Corp. (6758)?s PlayStation Network and led to the second-largest online data breach in U.S. history.
A hacker used Amazon?s Elastic Computer Cloud, or EC2, service to attack Sony?s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that?s now disabled, didn?t hack into Amazon?s servers, the person said.
The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon?s cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX) to Eli Lilly & Co. (LLY) Last month?s attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009.
?Anyone can go get an Amazon account and use it anonymously,? said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. ?If they have computers in their back bedroom they are much easier to trace than if they are on Amazon?s Web Services.?
Sony on May 14 partially restarted its PlayStation Network and Qriocity services, which had been shut since April 20 because of the intrusion. The company has hired three security firms to investigate and is working with the law enforcement officials. Sony has faced a backlash from regulators and customers over the time it took to warn customers that their data may have been stolen.
Search Warrant
Drew Herdener, a spokesman for Seattle-based Amazon, the world?s largest online retailer, declined to comment. Amazon didn?t respond to a request to speak with Bezos. Patrick Seybold, a U.S. spokesman for Tokyo-based Sony, declined to comment beyond public statements made on the matter.
The Federal Bureau of Investigation will likely subpoena Amazon or seek a search warrant to access the history of transactions, trace who had access to the specific Internet address at the time and get details on payment data, said E.J. Hilbert, president of the security company Online Intelligence and a former FBI cyber-crime investigator.
FBI Special Agent Darrell Foxworth, a spokesman for the agency?s San Diego office, said he couldn?t comment on whether the bureau served Amazon with a search warrant or subpoena and that investigators are following up ?each and every lead.? Amazon?s Herdener declined to say whether his employer had been subpoenaed or served with a search warrant.
Amazon Web Services leases computing space to companies so they don?t have to buy their own servers to store data and handle a surge in visitors.
?Bad Guy?
Prices for EC2 range from 3 cents to $2.48 an hour for users in the east coast of the U.S., according to its website. Signing up to the service requires a name, e-mail address, password, phone number, billing address and credit card information. Users get an automated call from Amazon and are asked to dial in a four-digit verification code to complete the registration process.
That?s not enough to scare off hackers seeking to conduct attacks anonymously, and Amazon doesn?t have the means to detect illegal uses of its servers, Abiquo?s Malcolm said.
?Realistically, Amazon can?t do anything to prevent it,? Malcolm said. ?There is no way of telling who?s a good guy and who?s a bad guy.?
Web Services generated about $500 million in revenue for Amazon in the past year, according to estimates at Barclays Capital. That?s about 1.5 percent of 2010 sales at Amazon, which doesn?t disclose sales from the unit.
Security?s Role
Amazon fell $3.51, or 1.7 percent, to $202.56 on May 13 in Nasdaq Stock Market trading. The shares have added 13 percent this year. Sony lost 23 yen to 2,241 yen in Tokyo and has slid 23 percent in 2011.
As companies from Amazon to Microsoft Corp. (MSFT) build server farms worldwide, the services can help hackers hide their tracks, said Hilbert.
Cloud services are also attractive for hackers because the use of multiple servers can facilitate tasks such as cracking passwords, said Ray Valdes, an analyst at Gartner Inc. Amazon could improve measures to weed out bogus accounts, he said.
Hijacked Servers
The use of hijacked or rented servers to launch attacks is typical for sophisticated hackers, according to Hilbert. Chinese hackers used the servers of a major U.S. Internet service provider in 2008 to break into a government agency and several defense contractors, according to a secret Nov. 3, 2008, cable exposed by Wikileaks.
The hackers ?used at least three separate systems at the unnamed ISP in multiple network intrusions and have exfiltrated data via these systems,? according to the cable.
In some cases, hackers hide their tracks beneath several layers of proxy servers that can span the globe. A recent attack against computers in South Korea was controlled from servers in more than 20 different countries, according to Georg Wicherski, a security analyst at Santa Clara, California-based McAfee Inc. (MFE) The identity of the offenders is unknown, he said.
Malicious attacks in the U.S. are on the rise. They made up 31 percent of data breaches in 2010, up from 24 percent a year earlier, with each event costing U.S. businesses an average of $7.2 million, according to a March report by the Ponemon Institute. The study found that about 85 percent of all U.S. companies have experienced one or more attacks.
Rethinking Cloud
Last month?s incursion was ?very carefully planned, very professional, highly sophisticated criminal cyber attack,? Sony has said.
The episode will cause individuals and companies to rethink what data to put on the cloud and force companies to potentially double what they spend on application security, said Murray Jennex, an associate professor at San Diego State University who specializes in computer systems security. In the long run, it will be cheaper than being hacked, he said.
?This puts cloud computing into proper perspective,? Jennex said. ?Everybody?s been thinking it?s chic and ignoring the security aspect. I think this reminds companies that things that make them great need to stay under their control.?
When Sony started restoring its PlayStation network this weekend, it promised a welcome-back consolation package for users who have been patiently waiting for its return since it went dark on April 20.
This afternoon, the company provided some details on what returning users will receive, including free games, movie rentals, and virtual items.
"We developed the program as an expression of our gratitude for your patience, support and continued loyalty during the service outage. From all of us at PlayStation, thank you and welcome back!" Patrick Seybold, senior director of corporate communications and social media, wrote in a blog post. "This package will be made available to all existing registered PlayStation Network and Qriocity users in North America (US and Canada), and will be made available shortly after we have fully restored the service."
What do you get? All PlayStation Network customers can choose two of five PS3 games: Dead Nation; inFAMOUS; LittleBigPlanet; Super Stardust HD; or Wipeout HD + Fury. PSP owners can select two of four games: LittleBigPlanet; ModNation Racers; Pursuit Force; or Killzone Liberation. All games will be available for 30 days after the store is restored and can be kept forever.
Sony is also offering up a few other freebies, including:
A selection of free "On Us" movie rentals for PlayStation Network customers over the course of one weekend; movie titles will be announced soon.
Non-PlayStation subscribers will get a free, 30-day PlayStation Plus membership.
Existing PlayStation Plus members will get 30 extra days free.
Music Unlimited Premium/Basic subscribers will get free access for 30 days, plus time lost.
PlayStation Home will offer 100 virtual items.
Sony promised more free content, including the next addition to the Home Mansion personal space, and Ooblag's Alien Casino, an exclusive game. More specific details about these offers and eligibility requirements will be posted as the services go live.
"You will be able to access the above content shortly after services are fully restored. We are doing everything we can to make that happen as soon as possible," Seybold wrote.
Sony worked with Bigbig Studios, Codeglue, Digital Leisure, Guerilla Games, Heavy Water, Housemarque, Lockwood, Loot, Mass Media, Media Molecule, SCE Cambridge Studios, SCE Studio Liverpool, SCE San Diego Studios, and Sucker Punch Productions on the welcome-back deals.
While Sony is restoring its online services in the U.S. and Europe, Japanese regulators have not allowed Sony to resume the networks in Japan because they are not convinced the networks have been properly secured. Sony was forced to shut down the PlayStation Network for half an hour early Monday morning after its networks were inundated by customers trying to reset their passwords.
Sony Online Entertainment, which was also hit in the attack, is offering up freebies as well, including gaming perks and ID theft protection.
For more from Chloe, follow her on Twitter @ChloeAlbanesius.
Sony has been hacked, and one of its servers used to host a phishing site, according to Finnish company F-Secure.
The hack, which is not connected to Sony's problems with its PlayStation Network, has placed a phishing Web page on the Sony Thailand site, F-Secure chief research officer Mikko Hypponen told ZDNet UK today. F-Secure notified Sony, the company said in a blog post today.
"The phishers are looking for credit card details and log-ins," said Hypponen.
Read more of "Sony site used for phishing" at ZDNet UK.
Hard as it may be to believe, Sony has been hacked yet again.
According to a report in the Wall Street Journal, So-net Entertainment Corp., a Japanese ISP owned by the technology giant, said that hackers accessed its customer rewards site earlier this week and stole customers' redeemable gift points worth about $1,225.
The incident is the latest in a weeks-long string of hacks and breaches of security for Sony. The trouble began on April 19, when the company began investigating and ultimately discovered a massive breach of security on its PlayStation Network, a cyberscandal that compromised the personal information of more than 100 million users.
The PlayStation.com website was the target of later attacks, and on Thursday, the company took down a password-reset page it had built following the discovery of a "URL exploit" that the company insisted was not another hack.
A Sony spokesman said that the incident at So-net was most likely unrelated to the other assaults.
"Although we can't completely rule out the possibility that there is a connection with the PSN issue, the likelihood is low," Keisuke Watabe, a spokesman at So-net Entertainment, told the Wall Street Journal. He said it was unlikely because the method of intrusion used was so different.
So-net issued a warning stating that an intruder tried 10,000 times to access the provider's "So-net" service, which grants customers reward points that can be exchanged for Sony products and online currency. The company believes the hacker used the usernames of account holders and an automated software program to generate passwords, leading to the security breach.
The company said there is no evidence that any personal data such as names, addresses, birth dates or phone numbers were viewed.
Last month, U.S. lawyers filed a lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data and failure to inform players in a timely fashion that their credit card information may have been stolen. The lawsuit seeks class-action status.
__________________
I'll believe corporations are persons when Texas executes one.: LBJ's Ghost
When it rains for Sony, it pours for Sony. According to reports from the Wall Street Journal, hackers have managed to infiltrate Sony's subsidiary ISP, So-net Entertainment Corp., and make off with around $1,225 in redeemable gift points.
According to So-net, the company discovered the breach after receiving customer complaints on May 18. A subsequent investigation concluded that hackers were able to tap into approximately 128 different accounts across May 16 and May 17, stealing around 100,000 yen (or $1,225) worth of points from the account holders. An additional 73 accounts were also accessed, their points left unredeemed, and around 90 So-net email accounts were compromised in the attack.
"Although we can't completely rule out the possibility that there is a connection with the PSN issue, the likelihood is low," So-net Entertainment spokesperson Keisuke Watabe said.
To So-net's credit, whatever security system the company employs for its point system did manage to hold for quite a bit of time. That, or the hackers really had no other strategies other than what appears to be a brute-force attack on accounts. It allegedly took the attackers more than 10,000 different attempts before they were finally successful in accessing So-net's system.
Following the attack, So-net has alerted its customers and asked them to change their passwords on their accounts. The company has also stopped point exchanges across its network for the time being.
"At this point in our investigations, we have not confirmed any data leakage," said Watabe, offering up a bit of a silver lining for the attack. "We have not found any sign of a possibility that a third party has obtained members' names, address, birth dates and phone numbers."
The timing of the So-net attack couldn't be worst for Sony. An unrelated Sony attack was also discovered earlier this week, in which hackers managed to penetrate Sony's Thailand site and publish a phishing page on the company's servers. The page was dolled up to look as if it was for the Italian CartaSi credit card, and it asked users to submit all of their specific credit card information before redirecting them over to the official CartaSi site.
Once contacted by F-Secure's Mikko Hypponen, who discovered the phishing attempt, Sony removed the offending page.
For more from David, follow him on Twitter @TheDavidMurphy.
__________________
__________________
I'll believe corporations are persons when Texas executes one.: LBJ's Ghost
Linear Mode
