A Cautious New World: AVG’s Chief Research Officer Talks Sony, How To Stay Safe and The Inevitability of More Attacks

A week ago, the PlayStation Network was brought down after an unknown hacker, or group of hackers, managed to circumvent the PlayStation Network's security and steal up to 77 million members' account information, possibly including their credit card data. To find out how you can make sure you are safe, whether Sony is still a target, and whether the network can be secured in just two weeks, PlayStation LifeStyle talked to Roger Thompson, Chief Research Officer of the anti-virus and Internet security software company AVG, in part one of a wide-ranging interview.

Do you think Sony are partly to blame for the hack?

Hindsight is always 20/20. It's easy to be critical of someone for getting their website hacked, but website security is pretty tricky. The whole internet was always based on a trusted protocol, and we still suffer from that. The original people on the original DARPA net were defense contractors and researchers who were trusted and were all known to each other. It didn't matter; you didn't have to have real security, and ever since then we've been trying to patch it to have some. It's all been band-aids going on top of it, so it's tricky. I have no criticisms of Sony for getting hacked. It sucks, but anybody can get hacked.

How about how they handled it?

They're possibly open to some criticism there, although I'm sure they were reluctant to say, because it was a bad hack. If 77 million credit cards have leaked then that hurts. Any way it's sliced, that hurts.

What should consumers do?

If it was mine I'd be cancelling my credit card post-haste. I mean, I lost my wallet the other day, and it's akin to losing your wallet. People have to think: "OK, what would I do if I lost my wallet and it didn't go in the trash, and I'm pretty sure a villain actually got it?" So people need to take the same precautions as they would if that happened, and I would think that would include cancelling your credit card and putting a fraud alert on your name. I've never had a PSN account, but I imagine they had to answer some security questions as well as put in some credit card details. And, see, here's the bit that sucks: most people tend to use the same security questions for most websites: "What was your maiden name? What was your favourite pen? What was your third favourite teacher?" The banks, everybody sort of asks the same sort of questions, and people tend to use the same set of answers. That's the really scary bit; they've probably disclosed an email address and a password. See, I use a different password for pretty much every account that I've got, so that if one of them falls, I lose that one. But if you're using the same password for your bank account and a bunch of other potentially important accounts... anybody who is doing that should change things post-haste.

Should websites come up with their own security questions then?

You're right, but I don't think it's practical. I think that the best thing people can do is to have decent passwords and write them down. See, back in the dim, dark ages of 15-20 years ago, all of us clever security guys told everyone to have one password and make it really complicated so that people couldn't possibly guess it, and never write it down. And that made sense when you only logged in to two places, maybe an email account somewhere and maybe the corporate network, but now you log in to Facebook and perhaps MySpace and probably Twitter, and maybe a Gmail account and your bank account and an iTunes account, and if you're using the same password for each of them, you're only as good as the weakest one. So the alarming thing to me is that a lot of people have probably lost the keys to the kingdom.

So do you think that favouring ease of use over security is a worrying trend? Sony would rather you could just click and buy a game than make you enter your details every time to make sure it's safe.

[Emphatically] There is no question that that is so. Security and functionality exist in an inverse relationship which is to say the more functional they make something, the less secure it inherently becomes.

Looking forward, say 5-10 years from now, everything will probably be cloud-based. What kind of dangers does that bring?

Well, looking forward 5 years, that's a long way. Even just a couple of years, though, I think that... You see, the problem is that the sum of clue is a constant on the internet. The number of people who actually know what they're doing isn't getting any bigger, and there are a lot of people who don't know what they are doing trying to use this stuff. It's dangerous; there are people making a business of stealing this stuff, and they're good at it. The single most important thing people can do is learn to use a different password, learn to use a passphrase, a phrase like "I like to play darts", something that's easy to remember. Then you take the first letter of each word and you put a number at the end or the beginning, perhaps an exclamation mark or a question mark or a punctuation mark if it'll let you. And that's a good secure password, that can't fall to a dictionary attack; it can only fall if they manage to get in and hack it. So, use passphrases and write them down and stick them in your wallet, and if you lose that at least you know you have to change all these things, but if one account gets attacked you don't lose the keys to the kingdom. And going forward the next two, three, four, five years, if more people did that the world would be a better place.

Well, with the PlayStation, considering it is a closed system (they have a lot more control over what you can and can't do), do you think that they should have some kind of video or text to teach people about that?

That's a really good question, and I don't know if I've got a sensible answer to that. It'd be easier to say yes, but I'd suspect that an awful lot of people online with Sony are fairly young and might not get it.

I could be 8, use my parents' credit card info and sign up. Is that a growing risk on the internet?

It's not just Sony that falls into question. A whole bunch of online gaming communities... I've got small children and they play in large numbers of gaming communities where they get on and play for free, and they're constantly saying: "Dad, Dad, can you buy me access for $20 or $30?" And I basically say, ever so nicely, "No way, Jose." I wouldn't give a credit card for anything like that.

Also looking at closed systems: there's Android and iPhone. With open Android you can get AVG antivirus protection, but with iPhone it's Apple only, and with PS3 it's Sony-only protection. Do you think that is the wrong direction? The more people looking to protect things, the better?

I think that's exactly right. That's a flaw on behalf of Apple and that's a flaw on behalf of Sony. They'd be better off if they encouraged it... I mean, it's really hard to develop antivirus software for Apple, I don't think they'll approve any of it, and yet the world would be a better place if they did.

Looking back at the cloud and integrated systems: do you think Sony's breach will slow people's uptake of the cloud and damage the industry as a whole, or will people quickly forget?

I live in a country where every time there's a thunderstorm the weather channel reminds people not to drive into water of an unknown depth, so I suspect that people will forget pretty quickly.

Overall, or PSN users too?

Well, if they don’t cancel their credit cards they probably will be subject to fraud, and they might remember that for a while. If they do cancel their credit cards, I think they’ll move on.

If they are victims of fraud, who is liable? Sony or the bank?

I think the banks have had a fair bit of pucker factor for a while now, and I think that they're getting really nervous about guaranteeing this sort of thing.

Do you think that the government should help inform people? They advertise not to drink and drive, etc. Should they teach people how to protect themselves?

That's an interesting question. I grew up when it was not mandatory to wear a seatbelt, or even to have a seatbelt in the car, and in fact I used to drink water from the garden hose, and I turned out OK. And yet it probably is safer for the government to have certain rules. Motorcyclists never used to wear helmets when I was a lad, and yet there's no doubt they are safer with these rules. A bit sad, but you're right, they probably should.

It’s the balance between being over-protective and sensible…

Yeah, the reality is that if there were some laws, more people would pay attention. I mean, there are still some people who drive without a seatbelt on until they get caught by the coppers, but by and large the majority of people listen to the rules. It's actually probably not a bad idea.

I’ve been doing security for a long time, I don’t know whether you know about the Swiss cheese analogy…
If you think about a slice of Swiss cheese, it's full of holes, right? But if you get a second slice of Swiss cheese, they tend to cover up each other's holes, and then you get a third piece of cheese and put that on top, and there's probably no holes left.

Computer security is a lot like that. Any particular layer of security doesn't have to be perfect by itself, provided there's a bunch of layers in place. Each one will catch 60, 70, 80% of the problem. Get enough of them in place and you're really quite secure. So having some laws, some government-mandated laws, would not be perfect by any means, there would be lots of holes in it, but it would be a good layer; it would make the world safer.

Another thing Sony did say was that when they bring the PlayStation Network back online they would rebuild the security system. Without going into specifics, obviously, how difficult is something like that, creating an entire new system in about two weeks?

Hats off to Sony if they can do it. I don't personally... this is just my personal opinion. I've been a programmer for a long time as well, and you can have software right or you can have it quickly. Pick one.

So it’s going to be difficult to say the least?

Yeah, I can't believe they could do that and get it right. I think they might have put a band-aid on it to bring it back online. In two weeks, in my humble opinion, they've put some band-aids on, and that is it.

So definitely, if you sign back on to the PSN when it’s up, be careful. Maybe don’t straight away put your credit card data in?

That's exactly right. I guess what they've done is they might have figured out the hole that this particular bloke exploited, and they might have changed that; they might have fixed that one hole. So, I guess that's what they're trying to do. They certainly couldn't have changed all that much; you just can't write that much software that quickly. But they might have plugged a hole.

But does the fact that hackers know there was a hole mean hackers will see Sony as a target and think "This is a place to make some money"?

I could bet folding money on it; I think that they have painted a big bull’s-eye on themselves.

Stay tuned to PlayStation LifeStyle for part two of the interview later today.