As of today the total number of attacks against Sony number nine in total.  The latest report is an exposure of Sony’s Japanese websites database by LulzSec, a hacking team that has exposed Fox in recent news.  The group has taunted Sony:

“Stupid Sony, so very stupid”

“This isn’t a 1337 h4x0r, we just want to embarass Sony some more”

Within these series of attacks, one of the most critical breaches was the exposure of a trove of consumer data that counted up to a hundred million.  It puts the incidents altogether up there with the most significant compromises of all time, in terms of sheer numbers.  And still, we hear little from Sony directly other than apologies, a retracted bounty, and promises to pay for identity protection service.  The utter lack of information on what happened is bordering on criminal. That is, it might be criminal had stringent cybersecurity policies been enacted at this time.

Theories abound on what happened during the most significant event.  One of the most interesting involves the Amazon EC2 outage in April.  Is this related to the Sony breach?  Amazon has done a magnificent job of detailing the events that took place that caused the outage.  And it starts with the description of a routine network change. It has recently been reported that Amazon’s EC2 service was used to mount the initial attack on Sony.  So how do those two tie together?  Well the timing was close enough to lend some credence to a relationship.  Is it possible that Amazon’s routine change was actually in response to a DDoS or brute force attack against Sony?

For certain, Sony and Amazon will continue face scrutiny in light of these events.  Sony will unfortunately continue to face defacement and attack as they have become a target for hackers around the world.  The reasons are many, but it is obvious that part of this has to do with their position in the world of Anonymous and furthermore, starting with their continued glaring problems with security.  Sony’s biggest issue has been with PR and handling all this.  Why Sony has been keeping everyone in the dark is anybody’s guess.  The proper way to deal with this is to disclose hard details on these issues and what is being done to rectify them.  Having the PlayStation Network go down to reliability is one thing, having 100+ million accounts compromised is another.  There are no guarantees in information technology.  Nothing is 100% reliable, nothing is 100% impenetrable, nothing is 100% bug-free code, or impervious to crashing, I could go on.  Sony must learn its lesson that reasonable transparency into their technology methods is absolutely critical to salvaging their sinking revenues. Any security statement they put forward needs to be direct, serious and credible and thus far they do not have it.

In the meantime we will have to endure these absurd and not-so-absurd theories and questions.  Is the Isilon technology a component of how the hackers were able to access the information?  Was there a failure in encryption?  Was that failure a result of compromised RSA keys?  Was it a failure of Isilon in the Sony network?  Was it more of a combination of poor security practice than anything else?  Are Sony’s PSN networks a hybrid cloud?  Are they more of a traditional data center?  Questions, questions, questions. I’ve got more if you need them.

To be clear, I don’t give any credence to the Amazon outage theory.  It only exists as a manifest of the void of Sony information.  All we have are leaks of details and continued hacks, and they appear to be coming daily.  Again, Amazon has no reason to cover for Sony.  The press for such a thing if exposed would be real bad, even worse than what they have already endured. They certainly have something to deal with in terms of the attack vector as this is not the first time their services were used to these ends.  Amazon has the potential to raise security awareness through their own practices and coalition with these targets and others.  They have an unrealized interest in modeling a security plan and communication of that plan to the general public and perhaps in alliance with Sony, be able to help that company’s misfortunes.  Sony is losing brand confidence and revenue and must take action, if not for the computing community, then for the consumers whose information they have asked for and been entrusted with.