It’s starting to get weird out there. When WikiLeaks released classified U.S. government documents in December, it sparked several rounds of online conflict. WikiLeaks became the target of denial-of-service attacks and lost the support of its hosting and payment providers, which inspired sympathizers to counterattack, briefly bringing down the sites of MasterCard and a few other companies. Sites related to the hackers were then attacked, and mirror sites sprang up claiming to host copies of the WikiLeaks documents—although some were said to carry viruses ready to take over the machines of those who downloaded the copies, for who knows what end. Months before, an FBI official said disruption of the Internet was the greatest active risk to the U.S. “other than a weapon of mass destruction or a bomb in one of our major cities.”
Attacks on Internet sites and infrastructure, and the compromise of secure information, pose a particularly tricky problem because it is usually impossible to trace an attack back to its instigator. This “attribution problem” is so troublesome that some law-enforcement experts have called for a wholesale reworking of Internet architecture and protocols, such that every packet of data is engraved with the identity of its source. The idea is to make punishment, and therefore deterrence, possible. Unfortunately, such a reworking would also threaten what makes the Internet special, both technologically and socially.
The Internet works thanks to loose but trusted connections among its many constituent parts, with easy entry and exit for new Internet service providers or new forms of expanding access. That is not the case with, say, mobile phones, in which the telecom operator can tell which phone placed what call and to whom the phone is registered. Establishing this level of identity on the Internet is no small task, as we have seen with authoritarian regimes that have sought to limit anonymity. It would involve eliminating free and open WiFi access points and other ways of sharing connections. Terminals in libraries and cybercafes would have to have verified sign-in rosters. Or worse, Internet access would have to be predicated on providing a special ID akin to a government-issued driver’s license—perhaps in the form of a USB key. No key, no bits. To be sure, this step would not stop criminals and states wanting to act covertly but would force them to invest much more to achieve the anonymity that comes so naturally today.
The price to the rest of us would also be high. The Internet’s distinct configuration may have made cyberattacks easy to launch, but it has also kindled the flame of freedom. One repressive state after another has been caught between the promise of economic advancement through abundant Internet access and the fear of empowering its citizens to express themselves freely. An Internet without the attribution problem would introduce a new issue: citizens could be readily identified and punished for their political activities.
We need better options for securing the Internet. Instead of looking primarily for top-down government intervention, we can enlist the operators and users themselves. For example, Web site operators could opt into a system of “mirror as you link.” Whenever their servers render a page, they cache the contents of the link. Then, when someone tries to get to the site and can’t, he or she can go back to the original linking site and digitally say, “I can’t get that link you just directed me to. Would you mind telling me what was there?”
Such a system of mutual aid would draw on the same cooperative and voluntary instinct behind the development of the Internet itself. If I participate as a Web site, I will know that others linking to me will also mirror my material; we each help the other, not simply because it’s the right thing to do, but because we each benefit, spreading the risk of attack and cushioning its impact among all of us. It’s a NATO for cyberspace, except it would be an alliance of Web sites instead of states.
A mutual aid framework could also make the Internet secure in other ways. PCs can alert others not to run code that just sickened them, signaling health levels to others. Internet providers could also develop technologies to validate their relationships to one another and ferret out misleading data, the way Wikipedia volunteers can quickly act to roll back thousands of acts of vandalism a day.
We rightly fear our networks and devices being attacked—but we should not let this fear cause us to destroy what makes the Internet special. We have to become more involved and more subtle—and soon.
Showing posts with label Cybercrime. Show all posts
Wednesday, May 6, 2015
SCIENTIFIC AMERICAN - Fear of Cyberattacks Should Not Lead Us to Destroy What Makes the Internet Special
"Freedom and Anonymity" by Jonathan Zittrain, Scientific American 2011
Labels: Cybercrime, cybersecurity, internet, Scientific American, world
Monday, November 24, 2014
CYBER ATTACKS - Outdated Internet Browsers
"Your outdated Internet browser is a gateway for cyber attacks" PBS NewsHour 11/18/2014
Excerpt
JUDY WOODRUFF (NewsHour): Major U.S. government agencies have been the target of cyber-attacks of late. The State Department is the latest. During the past week, officials had to temporarily shut down an unclassified e-mail system after a suspected hacking. In recent months, the White House, the Postal Service and the National Weather Service all have been targeted.
Meanwhile, as the holiday season approaches, retailers and the business world are on the lookout for breaches.
A new book breaks down the pervasiveness of what’s happening.
Jeffrey Brown has our conversation.
JEFFREY BROWN (NewsHour): Hardly a week goes by anymore without a report of some major cyber-breach, whether it’s targeting retailers, the government, or any and all of us. The attacks are generated in a new netherworld of crime, some of it individualized, even chaotic, other parts of it extremely well-organized.
Writer and journalist Brian Krebs has uncovered some major breaches, including the one on Target that compromised the credit card data of tens of millions of people. He writes about all of this on his blog Krebs on Security and now in his new book, “Spam Nation.”
And welcome to you.
BRIAN KREBS, Author, “Spam Nation”: Thank you.
JEFFREY BROWN: You are peering into a world of cyber-crime that few of us ever see. What does it look like?
BRIAN KREBS: It’s a pretty dark place.
JEFFREY BROWN: It is?
BRIAN KREBS: Yes, absolutely.
But it’s not as dark as you might imagine. If you’re somebody who doesn’t know their way around, there are plenty of people willing to show you the way. They might take a cut of the action to help you do that, but it’s not as dark…
Labels: Cybercrime, cybersecurity, PBS-Newshour
Monday, August 11, 2014
INTERNET - Criminals Steal 1.2 Billion Web Credentials
"After criminals steal 1.2 billion web credentials, how to protect personal info from data breaches" PBS NewsHour 8/6/2014
Excerpt
GWEN IFILL (NewsHour): Computer hacking and the breaches of privacy that come with them are becoming a regular and unwelcome feature of our wired world.
Now The New York Times and a security firm based in the Midwest are reporting a massive one that includes the collection of more than a billion username and password combinations and more than 500 million e-mail addresses. What’s more, the perpetrators appear to be a shadowy Russian crime ring.
Details, including the names of the victims, are hard to come by. But the news has raised eyebrows around the world. So, how serious is it?
For that, we turn to Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, a Web security firm.
Mr. Alperovitch, tell us just in context of all these other breaches we have had in the past year, say, how — relative to those, how big is this?
DMITRI ALPEROVITCH, CrowdStrike: Well, the number is certainly striking; 1.2 billion credentials is a lot. In the past, we have seen some big breaches that numbered in the hundreds of millions.
But this is certainly the biggest one that I — that I can remember.
Labels: Cybercrime, internet, PBS-Newshour, Russia, web
Monday, January 20, 2014
CYBERCRIME - Who Orchestrated the Target Breach
"Were criminal gangs involved in the Target security breach?" PBS Newshour 1/18/2014
Excerpt
HARI SREENIVASAN (Newshour): Another story that we wanted to follow up on tonight is the state of credit card security, or lack of it. This following discourse is about major security breaches at big retailers, including Target and Neiman Marcus. Now new details are emerging about who was behind it, and how it was accomplished. For more we are joined now, from Washington, by Mike Riley with Bloomberg News. So, there was a big report out - it started to lay out the details. How do these hackers get all the credit card numbers?
MIKE RILEY, Bloomberg News: So, they have a pretty sophisticated piece of malware that goes on the point of sales system itself, so that is the terminal that sits in front of the cash register that we all swipe our cards on. So, the malware goes there and it takes advantage of a quirk, where within that machine, all that information that is taken off that card is sent from one memory chip to another. It is not encrypted in that process, and they grab it right there.
HARI SREENIVASAN: And so, who is writing this malware?
MIKE RILEY: It looks like it is Eastern European or Russian criminal gangs. Some of the most sophisticated hackers in the world are Russian or Eastern European. What they have done is they have gotten really good systems. It is like a supply chain that you can buy pieces of malware. If you are good enough, as in this case - they have bought a specific piece of malware, called Black POS. It is a pretty good piece of malware to begin with, but then they customized it. They made it better. They made it harder to find, and then they figured out a scheme to get into Target's computers, and stuck it on the point of sales system. It is also pretty clear that the same gang, or a group of different hackers using the same malware, are targeting other retailers. We have not seen the end of this.
Labels: Cybercrime, data security, PBS-Newshour, pc security
Monday, May 13, 2013
CYBERCRIME - Robbers Hit ATMs for $45 Million Worldwide
"Cyber ATM Robbers Grab $45 Million Worldwide Within Hours" (Part-1) PBS Newshour 5/10/2013
"International ATM Cyber Hackers Hid 'in Plain Sight' to Overcome Computer System" (Part-2) PBS Newshour 5/10/2013
Excerpt
JEFFREY BROWN (Newshour): And we turn to a major cyber-theft, global in scope and raising new questions about our vulnerabilities in the digital age.
The thefts took place in broad daylight at ATM machines, and the thieves wore no disguises.
U.S. ATTORNEY LORETTA LYNCH, Eastern District Of New York: This was a 21st century bank heist that reached through the Internet to span the globe.
JEFFREY BROWN: U.S. authorities say the reach of the international cyber-crime was wide; 27 countries -- Russia, Japan, Egypt, Colombia, Canada and beyond.
The criminals hacked into companies that process prepaid debit cards for two banks in the Middle East, stole the data and then copied it onto doctored cards with magnetic strips. Yesterday in New York, U.S. Attorney Loretta Lynch explained what happened next.
LORETTA LYNCH: They become a virtual criminal flash mob, going from machine to machine, drawing as much money as they can before these accounts are shut down.
JEFFREY BROWN: On Dec. 21st, thieves hit 4,500 ATMs in some 20 countries, stealing five million dollars. Then on Feb. 19th, they upped their game. In 10 hours, they stole $40 million dollars in 36,000 transactions worldwide.
In Manhattan alone, a team of eight so-called "cashers" allegedly made their way from ATM to ATM making 2,900 withdrawals totaling $2.4 million dollars.
Two of the suspects took photos of themselves and the stacks of cash they allegedly stole. To round out the crime, authorities say the suspects laundered the money by purchasing luxury goods in the form of Rolex watches, Gucci bags and expensive cars.
"International ATM Cyber Hackers Hid 'in Plain Sight' to Overcome Computer System" (Part-2) PBS Newshour 5/10/2013
Excerpt
SUMMARY: The global network of thieves who targeted ATMs struck 2,904 machines over 10 hours in New York alone, withdrawing $2.4 million. For more on the attack and the aftermath, Jeffrey Brown talks with Loretta Lynch, the U.S. attorney for the eastern district of New York and the federal prosecutor in the heist case.
Labels: Cybercrime, cybersecurity, data security
Wednesday, August 15, 2012
INTERNET - Guarding Personal Information
"A Perilous Cyber World: Guarding Personal Information from Hackers and Thieves" PBS Newshour 8/14/2012
Excerpt
JEFFREY BROWN (Newshour): And we begin an occasional series about the way we live ever more of our lives online in the digital age, and some of the risks and rewards connected with this evolution.
In coming segments, we will discuss the connections and disconnections of online life, the differences between engaging online and in the physical world, and what does it mean exactly when a video goes viral.
We begin with a look at just how much of us, our identities, are online, and how vulnerable that can make us.
Mat Honan learned this firsthand recently when he was hacked and lost control of his phone, email and personal computer. He told the tale in "Wired" magazine, where he's a technology writer.
Also joining us is Peter Pachal, who watches this world closely as the technology editor for the Web site Mashable.
As a long-time computer & IT professional, my advice for Laptop and Desktop PCs:
- The HIGHEST security is NOT to be online unless you need to be, this includes turning off your system when you are not using it
- Passwords - The old advice about NOT using any part of your name or your wife's or children's, even your pets', applies
- Passwords - Do NOT use any part of an address where you have lived, worked, or gone to school
- Passwords - Do NOT use your nickname(s)
- Passwords - Do NOT use birthday dates; yours nor your family's (not even if you reverse or scramble, more later)
- Passwords - DO have one Master Password that is for very limited use, examples: system Administrator Account (NEVER have a blank password for Administrator), access to a password management tool you use, access to your ISP or eMail providers
- ALWAYS, always run a good Antivirus Utility (and "free" antivirus utilities are NOT good), one that includes protection against Root-Tool-Kit, Trojans, etc, and KEEP THE DEFINITIONS UP-TO-DATE
Labels: Cybercrime, cybersecurity, data security, internet, pc security
Monday, December 19, 2011
CYBERCRIME - Battle Over Online Piracy
PBS Newshour 12/15/2011
Excerpts
JEFFREY BROWN (Newshour): Alright.
Markham Erickson, first, do you acknowledge piracy is a problem? I mean, all over the Internet, one can get copyright -- there are copyright violations.
MARKHAM ERICKSON, Open Internet Coalition: Well, sure. People are doing bad things on the Internet. And we agree that there are ways to try to deal with the very real problem of sites that are located outside of the jurisdiction of our court system and our legal system that are engaging in theft and illegal activity.
JEFFREY BROWN: What's the problem with the way they are proposing?
MARKHAM ERICKSON: The problem is, the proposals in Congress right now are not targeted to the problem of dealing with offshore illegal piracy.
We think there is a way to deal with that. And we've proposed a solution, which is to follow the money. The offshore sites are there to make money. They're there to profit from illegal activity. The companies I represent -- represent are some of the biggest ad networks and payment processors in the Internet ecosystem.
And they want to work with the rights-holders that, when an offshore site is engaged in illegal activity, they will shut off the economic lifeblood to those sites. And, if they do that, those sites will disappear.
----
JEFFREY BROWN: And what -- Mr. O'Leary, what about the proposed other -- the alternative route for dealing with this that he raised?
MICHAEL O'LEARY, Motion Picture Association of America: Well, I think that it's the -- to look at it from a positive perspective, it's encouraging to see a recognition that something has to be done about this problem.
I think that what we have concerns with the alternative proposal is that it sets up a separate court in the ITC. And that is not something which is necessarily used to deal with copyright. It's slow. It's bureaucratic. And, frankly, when someone is stealing from you, you don't have 12 to 18 months to work -- to let the bureaucratic court process work.
What we're proposing, what has bipartisan support, we have a broad support from not just the political spectrum, but across all types of American businesses is something which is a tool which will allow law enforcement to go after bad actors that are hiding overseas. We think it's more effective and more efficient.
COMMENT: As a techie in this area I support Mr. Erickson's view.
Note that Mr. O'Leary is NOT a computer network expert, he's only repeating what others have told him. His assertion that the proposed law is "more efficient" is wrong. Having the online payment processors shut down payments to illegal sites is actually more efficient because it would NOT *require* courts at all. This could be done by the online payment processors themselves.
What the copyright industry SHOULD be doing is making a partnership with online payment processors to identify then block illegal sites. What I am proposing is that the film, music, and book industries with the online payment processors start their own organization to find, track, then block illegal sites.
The courts would only intervene IF a site disputes being blocked. Note that the online payment processors have total rights and control on just who they allow to use their services.
What is wrong with the proposed laws is that they will NOT work, because it can ONLY affect organizations within U.S. jurisdiction. They will have little effect on sites overseas that they are so concerned about.
Labels: Cybercrime, internet, PBS-Newshour
Wednesday, November 30, 2011
INTERNET - Open Letter on "IP Act" and "Online Piracy Act"
"An open letter to Senator Leahy regarding Internet censorship" on Newsgroups: alt.politics.usa.constitution
Dear Senator Leahy;
I am very concerned about the over-reaching authority which appears to be in the Protect IP Act and the Stop Online Piracy Act.
References:
Protect_IP_Act
Stop_Online_Piracy_Act
I am a software developer on the Internet. My main site is nodes.net which I have owned since 1998. I am working on a "quality discernment system" to advance the concept of an "intelligent web."
An integral part of the vision I hold is for individuals to "endorse" specific URLs on the web. These URLs could be something I call "metalinks" which are basically re-programmable re-directs to other web sites. These MetaLinks allow people to make a short, easy-to-remember link for a web search or a web page.
For example, http://oil.nodes.net will redirect you to Energy Prices at Bloomberg. http://occupy.news.nodes.net will produce a search of news for "occupy" at Google news. There are many other search engines which are being included in this syntax at nodes.net
For example, http://vermont.wiki.nodes.net will take people to Wikipedia's entry for Vermont. I didn't program this metalink specifically. It is automatic. You can search for any word or phrase by substituting your word(s) for "vermont" in this URL.
In similar fashion http://05401.weather.nodes.net will take people to the weather for Burlington, VT and http://paris.time.nodes.net will take people to the current time in Paris. There are several dozen of these interfaces to other web sites and there will be hundreds, even thousands more in the near future.
I am concerned that the legislation currently being considered will limit the development of new technology to create an "intelligent web."
While the Metalinks currently in use have all been defined by someone, I plan to allow intelligent software to create metalinks in the future.
It would be unwise to restrict the use of intelligent software to define links in my opinion. It's wrong to assume that all links are created by individuals operating independent of each other. Links could be a result of composite or collaborative intelligence.
In the future, metalinks will represent our "collective intelligence" or "community wisdom." That's what I'm working on now. I'm working to create an "intelligent web." The concept I am working with is "augmented human intelligence" rather than "artificial intelligence."
I am asking you to put this legislation on the shelf for a minimum of 30 days, until 2012, so that there can be more input by the public and a more careful analysis of what it means for all of us.
Consideration is a virtue. Please consider the effects this legislation would have on me and others who are working to advance the evolution of human intelligence on the Internet.
Sincerely,
Steve Moyer
Internet Developer
Founder, NODES Network
http://steve.nodes.net ( see what can be done with my technology )
P.S. You can see a link of all the Metalinks currently in existence, not including automatic search interfaces, at http://metalinks.nodes.net
Labels: Cybercrime, cybersecurity, internet, law
CYBERCRIME - DoJ Protections, Pro and Con
"How Effective Is Justice Department Crackdown on Counterfeit Goods Dealers?" PBS Newshour 11/29/2011
Excerpt
GWEN IFILL (Newshour): We look now at the government crackdown on the online sale of counterfeit goods. The Justice Department used Cyber Monday, the biggest online shopping day of the year, to shut down 150 websites that were allegedly peddling fake shoes, sporting goods and handbags. But was this the right approach?
Joining us to discuss that are Steve Tepp, chief intellectual property counsel at the U.S. Chamber of Commerce, and Larry Downes, author of "The Laws of Disruption," a book about law and innovation in the digital age.
More significant excerpts
STEVE TEPP, U.S. Chamber of Commerce: It's a massive problem that's growing every day, because many of these sites are located outside the United States, where there is no remedy.
For the sites located in the U.S., or at least where their domain name is registered in the U.S., dot-com, dot-net, then our enforcement agencies, like the Immigration and Customs Enforcement and the Department of Justice, who are both doing fantastic work on this, protecting the American people, can go to court and seize those domains with a court order.
That's what happened yesterday, and that's 150 domain names that will not be used to steal American jobs, to harm American consumers today.
----
LARRY DOWNES, "The Laws of Disruption": Well, first, it should be noted that, you know, what we're seizing here is not the website itself, just the domain name. It's a largely symbolic act.
What happens is, the site is still there. It can be accessed directly from the I.P. address. Or what often happens is the site comes back a little bit later under another domain name. So whether that is effective or not, it doesn't matter.
Labels: Cybercrime, cybersecurity, internet, pc security, web
Tuesday, September 13, 2011
CYBERSECURITY - Internet WEB Threat
"Hacker Rattles Security Circles" by SOMINI SENGUPTA, New York Times 9/11/2011
Excerpt
He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.
He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.
The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.
Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.
“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”
In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.
It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.
Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.
In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.
Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.
Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.
“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”
Labels: Cybercrime, cybersecurity, data security, networking, pc security
Thursday, July 28, 2011
SECURITY - Cybercrime, Attacker Arrested
"British Police Make Arrest in Net Attacks" by SOMINI SENGUPTA, New York Times 7/27/2011
Excerpt
The British police announced the arrest on Wednesday of a 19-year-old man who they said was the spokesman of the online vigilante group Lulz Security, which has claimed responsibility for a string of attacks on the Web sites of government agencies and private corporations.
In a statement, the police said the man used the online alias Topiary and had been picked up during a raid on a residence in the Shetland Islands, the rugged archipelago off the northeastern coast of Scotland. The police said they were also questioning a 17-year-old but had not arrested him.
On Twitter, Topiary described himself as a “simple prankster turned swank garden hedge.” His missives were often facetious, suggesting the handiwork of someone who relished playful language.
Lulz Security, the offshoot of a larger and more amorphous hacker group called Anonymous, has said it was responsible for attacks on the sites of PBS, the Senate, the Arizona Department of Public Safety and a company associated with the F.B.I.
Labels: Cybercrime, data security, networking, pc security
Thursday, June 2, 2011
CYBERCRIME - Latest on Hacker Attacks
PBS Newshour 6/1/2011
This is the related story mentioned in video
"Google Says Hackers in China Stole Gmail Passwords" by JOHN MARKOFF and DAVID BARBOZA, New York Times 6/1/2011
Excerpt
Google said Wednesday that hundreds of users of Gmail, its e-mail service, had been the targets of clandestine attacks apparently originating in China that were aimed at stealing their passwords and monitoring their e-mail.
In a blog post, the company said the victims included senior government officials in the United States, Chinese political activists, officials in several Asian countries, military personnel and journalists.
It is the second time Google has pointed to an area of China as the source of an Internet intrusion. Its latest announcement is likely to further ratchet up the tension between the company and Chinese authorities.
Labels: Cybercrime, data security, pc security
Thursday, April 28, 2011
SECURITY - Cybercrime With World-Wide Impact
"Sony PlayStation System Hacking Incident Highlights Web-Security Gaps" PBS Newshour Transcript 4/27/2011 (includes video)
Excerpt
RAY SUAREZ (Newshour): The latest episode involved millions of people around the world who use Sony's PlayStation video game system and who may have had their credit card information stolen in a hacking incident.
The intrusion caused the company to shut down PlayStation's Internet network a week ago. It provides access to online gaming, music, movies, sports and TV shows. Seventy-seven million user accounts were disconnected worldwide. But it wasn't until yesterday that Sony disclosed a hacker obtained information, including players' names, addresses, birth dates, email addresses, passwords and log-in names.
And on the company's blog, Sony spokesman Patrick Seybold said, "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."
Near Sony headquarters in Tokyo, some said the breach may stop them from using PlayStation.
KAZUNORI SANO, resident of Tokyo (through translator): I will be afraid of playing with the game machine after hearing of this. I don't want my credit card information to be leaked out somewhere else in the world.
RAY SUAREZ: And in Australia, police urged PlayStation users to be vigilant.
DETECTIVE SUPERINTENDENT COL DYSON, New South Wales State Police Force: It would appear that the risk in relation to credit cards may be low. But if people have concerns, they should be talking to their banks and watching for unauthorized usage of the cards.
RAY SUAREZ: Some industry experts say the scale of the breach could cost the company billions of dollars.
THOMAS PUHA, "Pelaaja": This is going to have a very negative impact on a business that they have built up, because I think a lot of -- obviously, a lot of consumers will really be very wary of putting their credit card information back online or even buying anything.
RAY SUAREZ: Sony said it expects the PlayStation Network to be restored in a week. In the meantime, an outside security firm has been hired to investigate what Sony deems the malicious intrusion.
For a closer look at all this, we turn to Kevin Poulsen, senior editor at Wired.com. A former hacker himself, he's also author of a new book, "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground."
And, Kevin, for those people who aren't gamers, why would you have to load personal information into a game console in the first place?
KEVIN POULSEN, Wired.com: Well, a lot of gaming takes place now online. You have multiplayer games where you could play with or against opponents live in real time.
And, of course, a game console isn't just a game console anymore. You want to be able to download movies and other content. And all -- you pay for all of that, which means you have to give up this information.
RAY SUAREZ: Sony says it has no direct evidence that credit card numbers were taken, but it says -- quote -- "We cannot rule out the possibility."
When you have had a breach, when someone has been rifling around in your files electronically, can you tell what they have seen and what they haven't?
KEVIN POULSEN: There are usually -- there's usually some kind of trail left, yes. But if the hacker is good and took steps to cover his or her tracks, then it could -- it could take a while to extract that.
I imagine that's why Sony took so long to announce this. They were probably hoping to find better news. They were probably hoping to find evidence that the -- that information wasn't accessed. Now that they have brought in an outside company, I expect they will know a lot more than they do now, eventually. Of course, they -- they may know more than they're telling us now.
RAY SUAREZ: The PlayStation system has been down for over a week, disappointing a lot of people who are frequent users.
Does that long-term shutdown tell you something about the seriousness of the breach, that they're not patching it, but rebuilding the whole network?
KEVIN POULSEN: Absolutely.
It's a really radical measure to take. And it's surely going to cost them a lot of money and a lot of fan loyalty. There are people that aren't even going to care about the breach itself who are just going to be extremely angry that they were denied access to the PlayStation Network for so long. So, it's bad news all around.
If this had just been a casual intruder, a recreational intruder, some kid working from his bedroom, I doubt they would have taken this measure. So, they probably have some indication that this was a serious, focused attack.
RAY SUAREZ: Well, as we reported earlier, they got user names, passwords, various other kinds of personal information. What's the risk to account holders at this point?
KEVIN POULSEN: You know, the biggest risk is probably with the personal information, especially the passwords, because a lot of people use the same passwords everywhere.
So, that, coupled with your email address and your real name and your date of birth, the hackers will, if this was done for profit, then, all of that could wind up being sold on the black market, probably for a nice sum of money.
And then, whoever buys it, other computer intruders could use the information to try and hack into other accounts held by these PlayStation Network users. It could be anything from Facebook to online banking. You could use it to stage scams targeting the users in other ways.
So, it could be -- it could wind up that this becomes the first stage in a lingering problem that haunts users for a long time, if, in fact, that that was the nature of the breach.
Stress this quote, "You know, the biggest risk is probably with the personal information, especially the passwords, because a lot of people use the same passwords everywhere."
HINT, do not use the same password for all your online accounts.
Labels: Cybercrime, data security, internet, web