Xbox Live & PlayStation Network hacks: can they be stopped?

Hacks on gaming services have become more and more common of late, but what are they, why do they happen, and can they be stopped?

It may shock you, but real life hackers don’t wander around in cyberpunk garb, skateboarding everywhere and hanging out at gaudy, neon-soaked youth bars. And, although they may try to be, they’re not “cool.” Contrary to flamboyant Hollywood depictions like those seen in Hackers, most real-life hackers are normal, everyday people, often with normal jobs, or even still spending their days at school. The term “Hacker” is also often misused, and many of the attacks we’ve seen recently aren’t actually hacks at all, but we’ll come to that later.

The point here is that the general public often perceives these attacks as more than they actually are, and from the early days of the Internet, popular media has painted these kinds of incidents as major threats, courting controversy and scare tactics. Hackers are often seen as the kind of super-intelligent, all-knowing characters we see in movies, and so the belief that these people can steal our lives and bring the world to the brink of chaos is very real, if a little misguided. The actual truth behind all of this is more complicated than that, and although hack attacks are worrisome, some more than others, they’re rarely on a scale some may believe.

Recent attacks

Undoubtedly the most high profile hacking attack on gaming in recent times has to be the 2011 PSN outage. This attack took Sony’s online gaming service down completely, and it was out of action for 23 days. The most serious aspect of the attack was the theft of user account data, which potentially contained usernames, passwords, addresses, and payment details. With over 75 million accounts affected, according to Sony, it’s considered to be one of the largest, publicly known attacks, and caused Sony a lot of problems, not only with the actual outage, but the repercussions in the aftermath.

Sony was forced to compensate users for the outage, offering free games and other services, and the attack reportedly cost the company around $170 million, and led to a $3.1 billion total loss for the 2011 financial year. However, you could argue that this wasn’t the biggest problem. More dangerous for Sony was the loss of faith in its user base.

Ad – content continues below

Many Sony customers were upset at the breach in security, as well as the lack of precautions taken to prevent data theft, and even the U.S. House of Representatives and Department of Justice got involved. And that’s not to mention the various legal cases fired at Sony from users claiming damages. Sony’s slow response, taking over a week to inform the public of the data theft, was also criticized. Yes, Sony was in hot water. It’s taken a long time for the company to build bridges with many. Sony has updated it’s end user conditions to prevent further law suits should similar situations happen again. So, it was particularly bad for Sony when, along with Microsoft, it was the victim of another attack this past Christmas.

When lizards stole Christmas

What’s the worst possible time for a gaming service to be taken down? Well, possibly the launch day of a new console, but a close second has to be Christmas. On a day when thousands upon thousands of gamers, many of which are young children, are filled with glee after ripping the wrapping of their new console, it’s particularly upsetting to find out that the online service that’s all-but essential to the new console has been taken offline.

That’s just what happened when individuals apparently linked with Lizard Squad (some around 12-15, according to various reports) claimed responsibility for an attack on both PSN and Xbox Live’s servers. This attack made both services unavailable, meaning users couldn’t sign into their accounts or play online, and new console owners couldn’t properly set up their accounts at all.

Why was this attack launched? Well, reports vary, from the culprits themselves saying “it was for the lulz,” to claims that it was to demonstrate Sony and Microsoft’s ineptitude when it comes to server security, and to force their hand with needed upgrades. The latter claim was far less credible, however, as the attackers demanded retweets of their status on Twitter, and also accepted the intervention offer from Kim Dot Com to stop the attacks. Whatever the reason, it’s clear the group had no interest in the general public, and thought nothing of inconveniencing millions of people in the process.

One thing I should clear up is the nature of the attack. Unlike the 2011 hack, in which hackers broke through PSN and Sony’s security and stole data, this recent attack was not an actual hack. Instead, it was a DDOS attack.

For the uninitiated, a DDOS, or Distributed Denial Of Service, isn’t an actual intrusion, so no hackers actually broke into Sony or Microsoft’s servers. Instead, this is what’s called an external attack. Basically, the attackers used a series of servers/botnets to bombard PSN and XBL with false requests. This spike in fake traffic overloaded the servers, thus resulting in unstable, and eventually unavailable services.

Ad – content continues below

Why is this an important distinction? Well, remember. Lizard Squad claimed it was attacking PSN and XBL to demonstrate a lack of security. A DDOS doesn’t really exploit any security, not in the usual sense. It simply overloads a service, and nothing more. It’s just as if millions of people all tried to use the same road at once. The end result would be a backup of traffic, and a very long traffic jam. Technically, even the most secure service in the world can fall to a DDOS, regardless of how much money a company ploughs into it.

Sure, there are steps that can be taken to prepare for such an attack, to limit the damage, and reduce the time taken to restore services, and in this regard, both Sony and Microsoft could probably learn a thing or two. Well, Sony more so than Microsoft, as Xbox Live was up far sooner than PSN, so it would appear as though Microsoft has better policies in place to prepare for this kind of issue. Regardless, it wasn’t a real security issue, but more about traffic management.

Other hacks have occurred over the last few years, many of which most won’t hear about, and in some situations, these attacks are actually more worrying. Actual data thefts and security breaches happen all the time. It’s happened to multiple games and services, such as World of Warcraft, Minecraft, Steam, and so on, and elsewhere, not limited to the game world, there have been many severe breaches, most recently the suspected North Korean hack on Sony Pictures Entertainment, which distributed dangerous malware throughout the company, malware that threatened to delete data from hard drives. It all apparently revolved around the Seth Rogen film, The Interview. Unlike the PSN and XBL Christmas DDOS issues, this was an actual hack, and was enough to prompt an official response from Barack Obama.

No defense?

With hacking-related issues surfacing more and more in recent years, it would seem as though there’s an even greater need for security, including within the gaming sector, but is this possible? Can such attacks actually be prevented, or stopped if they do happen? The real answer is, no. Although good security can help fight hackers, and certainly limits any potential damage, hackers have proven that there’s no such thing as a locked door, and any and all security can be bypassed with time. Maybe one day an unbreakable encryption algorithm or form of security will be created, but I’m willing to bet there’s a hacker waiting in the wings to break it.

So, if these hacks can’t be stopped, what can be done? That’s the subject of much debate, both online and within corporate security departments. It costs millions to develop new security measures, and this money is often wasted as chinks in the new armor are quickly found and exploited. Perhaps the only real answer is to plan for the worst, and ensure there’s a way to recover from the attacks quickly, and to minimise data loss. This is certainly a good tactic for the prevention of DDOS-related problems. A better, more secure procedure of storing and retrieving user data would be a good start too. Harsher penalties, and increased resources for law enforcement bodies to pursue and deal with offenders may also help, as general public belief is that these issues aren’t taken as seriously as they should be by governments and law enforcement.

Ad – content continues below

This is actually something that may soon change, as the US government, and Barack Obama have recently outlined new legislation that deals with the increase in computer security, including the authority to shut down botnets, and to prosecute those who create and sell them.

The new rules would also look at hardening infrastructures against attack, but would only be applicable to US-based interests. Botnets purchased by hacker groups from services abroad would not be covered. With luck, however, these laws may just be the start, and it’s good to see computer security become more of an issue. It also remains to be seen if this new legislation will be enforced, or is simply a way to force the hand of private companies to step up their game, otherwise the government will step in an do the job for them.

The new laws, if put into action, could be a turning point, and one that could help control further attacks, certainly of a DDOS nature. Whether it’ll stop groups like those responsible for recent attacks, we’ll have to wait and see.

Hacker Roll Call

So far we’ve covered gaming-centric hacks, but if you want to delve into the far more dangerous world of hacking, you need to look elsewhere, where some hacks were so serious, and high profile, those responsible have even ended up in prison, and with feature films made about their story. We’ll finish up with a quick look at some of these infamous hackers.

Kevin Mitnick

Arguably the world’s most famous hacker, Mitnick is apparently considered by the Department of Justice as the most wanted computer criminal in U.S. history. Why? Because he hacked into various secure networks, including the national defense warning system, and for the theft of many corporate documents.

Ad – content continues below

Mitnick served a couple of stints in prison, with his last being a five year sentence. After this, and his years of computer crime, he changed his direction and became a security consultant, owning his own firm, Mitnick Security Consulting LLC.

Kevin Poulsen

With his handle of “Dark Dante,” Poulsen initially used his skills to hack into a radio station phone line in order to fix a competition, which netted him a new Porsche. After this, his hacking spree took a turn for the more serious, as he hacked into various federal systems to steal data. He was caught, though, and sentence to over four years in prison.

After he served his time, he also turned his life around, and moved into journalism. He also helped authorities track down and identify over 700 sex offenders who were using then-popular social networking site, MySpace.

Gary McKinnon

Diagnosed with Asperger’s Syndrome and based in the UK, McKinnon, AKA “solo” is responsible for what many have labelled the biggest military computer hack of all time. Claiming to be looking for evidence of the suppression of free energy and UFO cover-ups, he hacked into the military and NASA over the course of a 13-month period. It’s claimed by US authorities that he deleted critical files that caused the shut down of the Army’s computer network in he district of Washington. He also reportedly delete weapon logs, and stole account and password data.

Ad – content continues below

As he was based in the UK, McKinnon was able to avoid the long arm of the law for a while, but was eventually the subject of an extradition request in 2005. If successful, this would land him with a sentence of around 70 years. After several years, and many appeals, however, it looks as though he may have escaped this fate, as in 2012 Home Secretary, Theresa May blocked the extradition on the grounds that McKinnon would have a high risk of ending his own life. So far, he remains free.

Adrian Lmao

Arrested in 2003, Adrian Lmao was found guilty of hacking into a number of networks, including Yahoo!, The New York Times, and Microsoft. He was apologetic for his crimes, and later helped convict U.S. soldier, Bradley Manning, who had leaked masses of US government documents to WikiLeaks. Manning was sentenced to 35 years in prison.

More recently, Lmao has been publicly critical of the media coverage of the hacker group, Anonymous. He believes that the media have only contributed to the group’s status, and considers its goals to be pointless, and that they’re far from untouchable.

Jonathan James

Known by is handle of “c0mrade” online, James was convicted for crimes he committed whilst he was still a minor. When he was 15, he hacked into the networks belonging to the likes of Bell South, NASA, and the Department of Justice.

Ad – content continues below

According to reports, he downloaded NASA assets involving the International Space Station. This attack brought the NASA network down for three weeks.

In 2007, James’ story came to a tragic end, when he was accused of involvement in the large-scale TJX intrusion (appaently launched by a large hacker group reporting to hacker, Albert Gonzalez). In 2008 James’ committed suicide, and stated in his suicide note that he had noting to do with the TJX attack, and that he had no faith in the justice system. He still feard he would be sent to jail.