Cyber Security Assignment On MyFitnessPal And Sony Playstation Network
Task: Part A: Answer the following questions
- Search the web for news on computer security breaches that occurred during April-August 2015-2018. Research one such reported incident. Prepare a report focusing on what the problem was, how and why it occurred, and what the possible solutions are.
- Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem.
Part B: Research the 2011 Sony PlayStation Network outage case on the web and prepare a report focusing on the following questions:
- What was the problem?
- Who were affected and how?
- How was the attack carried out?
- What could have been done to prevent the attack?
This assessment task is based on the following topics discussed in the subject: the overview of information security fundamentals, security threats, cryptography, malicious software and its countermeasures, operating system security and software security.
The assessment task is aligned with the following learning outcomes of the subject: On successful completion of this subject, students will
- Be able to justify security goals and the importance of maintaining the secure computing environment against digital threats;
- Be able to explain the fundamental concepts of cryptographic algorithms;
- Be able to examine malicious activities that may affect the security of a computer program and justify the choice of various controls to mitigate threats;
- Be able to compare and contrast the security mechanisms of a trusted operating system with those used in a general purpose operating system.
Security breach that occurred during April-August 2015-2018
Problem: The security breach chosen for this task occurred at Under Armour in May 2018. The breach is said to have affected nearly 150 million users of the MyFitnessPal application, which stores food and nutrition plans. According to the investigation, the breached information includes usernames, email addresses and hashed passwords. Under Armour's shares dropped by 3.8 percent, and users were informed that their data had been compromised. Payment data was processed separately and so was not breached. Government-issued identifiers, such as social security numbers and driver's license numbers, were not exposed because the application does not collect them.
How did it occur?
MyFitnessPal is a fitness tracking application founded in 2005. It lets users monitor their calorie intake and the exercise they do. The application was acquired by Under Armour. The organization notified its users about the breach and asked them to protect their data by changing their passwords. How the security breach occurred has still not been made available. Traditional cybersecurity approaches can be trusted, but they need to be verified, since the data is stored on cloud-based devices.
Why did it occur?
Since the application does not contain any financial information, that information was not compromised, which is considered the silver lining of the security breach. The hacked data includes usernames, email addresses and hashed passwords. The main aim of the hack was simply to gather information about the users. The organization also collected credit/debit card numbers, but that data was handled in another way and hence was not breached. As a result of the breach, users lost confidence in the confidentiality and privacy of their information. The application also did not collect any government identification numbers, which is considered its greatest advantage. Compared with breaches of other applications, the Under Armour breach is considered the better case. The use of the SHA-1 hashing algorithm to protect passwords is also considered a great advantage. The application holds not only information about the users and their exercise activities but also advice provided by experts. The organization might have known that it needed to safeguard class members' private identifiable information, since failing to do so leads to a data breach. The main reason given is that the organization failed to safeguard and protect the plaintiff class members from unauthorized users, leaving every possibility of their data being exposed.
The GDPR suggests that an organization needs to explain to its users, in plain language, what their data is needed for and why it is being collected. It also says that if data is not needed to conduct the business, it is better not to collect it. The organization said that most of the passwords had been hashed with the robust bcrypt hashing function known as the SHA-1 function. It did not say whether the bcrypt passwords had been salted for extra protection. To protect user passwords, the security requirements of the GDPR need to be fulfilled. That means using a robust hashing function as well as salting user passwords. It was also pointed out that only email addresses and login credentials were breached, not payment data or sensitive data such as SSNs. If users tend to use the same login credentials on other sites, hackers could attempt to use them again for banking, shopping and social media access. Passwords should not be reused, and it is necessary to change the password. Cyber security officials started to monitor information security threats in order to protect the organization. The organization also notified its users by message and asked them to be wary of any solicitation for personal information, and of clicking suspicious emails or links. It also provided information on how to protect and change a password, along with a set of questions and answers about the security breach.
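The recommendation above, a robust hashing function combined with per-user salts, shown as an added example (not code from Under Armour or from the original report). PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def sha1_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash; the salt and cost are stored with it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_password_groups(table: dict) -> list:
    """Groups of users whose stored hashes are identical, i.e. what a
    leaked table reveals about password reuse without any guessing."""
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

# Constructed sample accounts: alice and bob happen to share a password.
SAMPLE = {"alice": "Run5k!today", "bob": "Run5k!today", "carol": "kale&quinoa"}

def demo():
    legacy = {u: sha1_unsalted(p) for u, p in SAMPLE.items()}
    salted = {u: hash_salted(p) for u, p in SAMPLE.items()}
    return shared_password_groups(legacy), shared_password_groups(salted)

if __name__ == "__main__":
    legacy_groups, salted_groups = demo()
    print("identical hashes, unsalted SHA-1:", legacy_groups)
    print("identical hashes, salted KDF:    ", salted_groups)
```

With unsalted SHA-1 the two accounts that share a password are visible from the stored table alone, while the salted records differ for every user and each guess costs the full iteration count.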
Asynchronous I/O activity is a problem with many protection schemes
Asynchronous I/O, also called non-blocking I/O, is a form of input/output processing in which system calls return as soon as the I/O has been passed down to the hardware as well as the OS/VM. The process is not blocked during execution, hence the name non-blocking. An asynchronous function usually returns its data to the caller through an event handler, also called a callback function. This function can be called at any time, depending on how long the asynchronous operation takes, and it returns the value according to its instructions. It is said that asynchronous I/O activity is not available under these schemes, and where it exists it leads to serious problems.
The fence register provides the ability to relocate. An address has two parts: the start address, called the base address, and the offset. If a user tries to use address space beyond its given limit, an upper bound restricts the user from entering the address area of another user. The register holding the upper bound is called the bounds register. The base and bounds registers are implemented mainly to separate data and to preserve its integrity. The lower and upper bounds limit each user to a specific area, and in this way one user's area is protected from other users.
Paging is the process of dividing a program into equal-sized pieces. Memory is likewise divided into page frames. Each page name is related to a memory address, and this relation is stored in the page table. To access a given address, it is important to have both the page and the offset value. The main advantage for the operating system lies with the fence register, which has the ability to relocate. This is even more important in a multi-user environment.
No user knows in advance which program will be loaded and executed first. The relocation register solves this issue by providing the base address, that is, the starting address. The variable fence register is also called the base register. This register provides the lower bound but not the upper bound. The upper bound is needed to find where the space allocated to a user ends and the forbidden areas begin. This issue is overcome by using a second register. The contents of the base register are added to each address, which protects a program's addresses from being modified by other users. For each user, the operating system needs to change the contents of the bounds and base registers to reflect the true address space of that user. This is called a context switch.
In asynchronous mode, a process may also read from or write to input/output asynchronously, with the input and output passed to the hardware or queued in the VM. The function returns its data to the caller through the event handler, so the callback function may be called at any time in order to execute its instructions.
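An added simulation, not part of the original report, of why asynchronous I/O clashes with base/bounds protection: a transfer that completes after a context switch is relocated with the wrong process's registers unless the address is checked and translated when the request is made. It goes slightly beyond the text by showing that fix; the `Machine` and `Process` classes, the sizes and the addresses are hypothetical.

```python
from dataclasses import dataclass

class ProtectionFault(Exception):
    """Raised when an access falls outside a process's bounds."""

@dataclass
class Process:
    name: str
    base: int    # start of the process's area in physical memory
    bound: int   # size of that area; valid offsets are 0 .. bound-1

class Machine:
    def __init__(self, size: int):
        self.memory = bytearray(size)
        self.current = None   # process whose base/bounds registers are loaded
        self.pending = []     # I/O requests queued for the device

    def context_switch(self, proc: Process) -> None:
        # The OS reloads the base and bounds registers for the new process.
        self.current = proc

    def translate(self, proc: Process, offset: int, length: int) -> int:
        if offset < 0 or length < 0 or offset + length > proc.bound:
            raise ProtectionFault(f"{proc.name}: {offset}+{length} exceeds bound")
        return proc.base + offset

    def submit_naive(self, offset: int, length: int) -> None:
        # Unsafe: only the process-relative offset is queued.
        self.pending.append(("naive", offset, length))

    def submit_checked(self, offset: int, length: int) -> None:
        # Fix: check and translate now, with the requester's registers.
        # The buffer must then stay in place until the transfer completes.
        phys = self.translate(self.current, offset, length)
        self.pending.append(("checked", phys, length))

    def complete(self, data: bytes) -> int:
        # The device finishes at an arbitrary later time.
        kind, addr, length = self.pending.pop(0)
        if kind == "naive":
            # Relocated with whichever registers happen to be loaded now.
            addr = self.translate(self.current, addr, length)
        chunk = data[:length]
        self.memory[addr:addr + len(chunk)] = chunk
        return addr

def run(mode: str) -> str:
    """Return the name of the process whose area received A's input data."""
    a, b = Process("A", base=0, bound=64), Process("B", base=64, bound=64)
    m = Machine(128)
    m.context_switch(a)
    (m.submit_naive if mode == "naive" else m.submit_checked)(8, 4)
    m.context_switch(b)            # A is switched out before the I/O finishes
    phys = m.complete(b"DATA")
    return next(p.name for p in (a, b) if p.base <= phys < p.base + p.bound)
```

In the naive mode the completed transfer passes the bounds check and still lands in B's area, because the check was made against B's registers; the same reasoning applies to paging if the device is handed an address that is translated through whichever page table is active at completion time.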
2011 Sony PlayStation Network outage case
Problem: The problem was the Sony PlayStation Network outage, which was the result of an external intrusion. The attack occurred between April 17 and April 19, 2011. It forced Sony to shut down the network on April 20. Later, on May 4, Sony confirmed that personal identification information had been exposed, and the count was 77 million. The outage lasted 23 days. It was considered one of the largest data breaches in history. Sony released a statement on April 26 that it was attempting to bring the online services back within a week, and on May 14 it released a security patch for the PlayStation 3. It also required users to change their passwords. Since the network was offline when the patch was released, no one had applied the patch. On April 20, 2011, Sony had noted on its blog that certain functions of the PlayStation Network were down. When users tried to sign in through the PS3, it displayed the message “Undergoing Maintenance”. After the investigation, Sony confirmed that an “external intrusion” had affected its system and that it had occurred between April 17 and April 19.
Affected people: Sony took a week to announce to its users that their information had been compromised. It told its users that their credit card details might be in the hands of the hackers. After a week of investigation, Sony was upfront that customers' information had been leaked along with the credit card details. This was considered a good act, since other organizations keep such incidents secret and under wraps until they have cleaned everything up. Sony also said that it had lost nearly 260 billion yen during the year March 2011, which was the result of a non-cash charge. Nearly 70 million users' data was compromised. Millions of gamers were inconvenienced and forced to stay offline. This was done for the sake of the users as well as for the sake of the company. The organization also maintained a high level of communication and transparency with its customers. It announced to its users that the network was going to remain down while the organization rebuilt the system and strengthened the network infrastructure, which might take time.
How the attack was carried out
Sony confirmed the hacking attack, which had led to the network being down. It shut down its online PlayStation Network because of this security breach. Sony failed to tell its users the reason for the shutdown. After a week, it posted on the Sony website that it suspected unidentified individuals had stolen users' personal information. This included the user's name, address, email address, date of birth and network password, along with the login information. Later it added that credit card information had also been stolen. The network remained shut down for a month and resumed on May 14, 2011. The organization was criticized for not informing its customers of the reason for the network shutdown for a week. Observers started to draw unfavorable comparisons with Apple and Microsoft. The data breach prompted calls for private as well as public reforms to protect personal information. Sony was criticized for its lack of data security and for its poor financial performance.
The loss is estimated at 10 billion dollars according to an observer. Sony sought coverage from its insurers. Investigators found that the bad guys target services that are based in the cloud: they were able to compromise the service and obtain the information. A distributor of internet security products said that this security breach was carried out by well-organized cyber criminals, also called the bad guys. They have started to realize massive success by targeting services instead of chasing individuals, and they are increasing their efforts to target the information held by services. These cyber criminals are linked to organized crime. They write smart cookies and market them to buyers who need those services, and as a result monetization services are provided. Some of these organized networks may want credit card information, whereas others may want information about the users. A few guessed that Anonymous was behind the attack. They perform the attack in the most traditional way. It was also said that Sony did not have good network security. This is attributed to the custom firmware called ‘Rebug’ available for the PS3, which resulted in the cracking of the cryptographic keys in the PlayStation firmware. This firmware allows a user to gain the development features of the device and to make purchases without the credit card number being validated.
Prevention of the attack
The following prevention measures address this attack. If a user can get access to the firmware, security measures need to be taken there. The benefits of the internet bring security risks along with them, so it is also necessary to set up the services carefully and put the right security policies in place. Since all businesses are moving towards the cloud, it is necessary to outsource security to a third party that can help them handle the data in a better way. To stop the hackers from getting more information, Sony locked the network down. It took time to look for the security loopholes that were being used by the bad guys. The organization also sought coverage from its insurers in order to protect itself from cyber-related loss. It also sought commercial general liability insurance to cover a wide range of risks, as a solution plan for future loss.