by Catalin Cosoi, on 06 June 2011
Capitalizing on large customer databases is the name of the game
Less than a day after hitting Sony, the same hacking group breached the network security of another popular video game console maker, Nintendo. Although this time the attackers didn't grab or leak any names, addresses, birth dates, emails, phone numbers or passwords, as in the previous case, I guess we can detect a pattern here, one that ultimately aims at ripping off significant amounts of sensitive information from poorly secured servers.
This type of organization, which stores and processes such data, is definitely a desirable target, as we're talking about hundreds of millions of users around the globe. Actually, this has been a favorite target for malware writers for several years now, and is a direct consequence of the fact that gaming is an addictive occupation: users purchase any upgrade for their favorite games or go beyond the legal border and download pirated games. It's nothing new to say that some users will often disable their antivirus in order to play their favorite game, even if the antivirus says that the torrent-downloaded file they are trying to install is packed with malware.
However, the most important aspect of these two attacks is not the motivation of financial gain. According to the hackers, it was all about making a statement and proving that network security should be taken seriously, not only by megacorporations, but also by those whose job is to guard the very infrastructure of the country and the Internet, such as the FBI and its partners, which weren't too careful in securing some passwords leaked by the same group.
What should these organizations do to keep their networks from being compromised and to prevent data leaks?
SQL injection and DDoS seem to be the favorite attack methods. As I'm ready to bet that this story won't end here and that we will hear more about similar incidents in the months to come, chances are that users' interest in purchasing goods and services from companies unable to secure their data will decline drastically.
To avoid such a scenario, these organizations should make sure that any information leaving their premises is encrypted and useless to the attacker. The incident that took place on Friday revealed that at least one of the two companies had been storing passwords in plain text, which is not exactly the ideal situation, especially when a database holds millions of entries. As for DDoS, they might consider redesigning their server network architecture and using appropriate protection technologies.
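The two weaknesses named above, SQL injection and plaintext password storage, shown beside their fixes: bound query parameters and a salted PBKDF2 hash (one-way hashing rather than reversible encryption, the usual choice for stored passwords). This is an added example, not code from the article or from either company; the table names, the sample account, the crafted input and the iteration count are assumptions.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")      # weak layout
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")  # hardened layout
    return db

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, name, password):
    db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))

def login_weak(db, name, password):
    # Weak: user input is pasted into the SQL text and compared to a plaintext column.
    q = f"SELECT 1 FROM users_plain WHERE name = '{name}' AND password = '{password}'"
    return db.execute(q).fetchone() is not None

def login_hardened(db, name, password):
    # Bound parameter: the name is always treated as data, never as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, derive(password, salt))  # constant-time compare

def table_leaks_password(db, table, password):
    # What a stolen copy of the table reveals. `table` is a fixed name, not user input.
    rows = db.execute(f"SELECT * FROM {table}").fetchall()
    needle = password.encode()
    return any(needle in (v if isinstance(v, bytes) else str(v).encode())
               for row in rows for v in row)

if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse")   # constructed sample account
    crafted = "x' OR '1'='1"                  # constructed injection-style input
    print("weak login accepts crafted input:    ", login_weak(db, "alice", crafted))
    print("hardened login accepts crafted input:", login_hardened(db, "alice", crafted))
    print("plaintext table leaks password:      ", table_leaks_password(db, "users_plain", "correct horse"))
    print("hashed table leaks password:         ", table_leaks_password(db, "users", "correct horse"))
```
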
Chief Security Researcher