Koz and Effect

PSN Hacked

The PS3′s security is in the news again, this time with the PlayStation Network. Those of you who spend time on it have no doubt heard by now that the network was compromised, and was shut down as a result.

There’s been a lot floating around on the rumor mill, both as a result of speculation and the deafening silence coming out of Sony. I’ll try and explain why this is probably the case.

In the beginning of any incident, the amount of knowledge known is little. Something, somewhere, alerted Sony to the fact that a breach had taken place. And by breach, we mean any successful penetration of the security perimeter (the line demarcating where Sony’s control over their network infrastructure ends.) It is not:

• An nmap scan against their firewall. That sorta thing happens all of the time, and is outside their perimeter.
• Buying things off of PSN with a stolen credit card. (That’s another problem entirely.)

A breach means that someone was able to gain access to a device or devices in a way that they shouldn’t have had permission to do. That’s it. At that point, Sony is in incident response procedures.

It’s important to make that note because once it’s been determine that an illegal entry has taken place, (and it is illegal.) then it’s absolutely essential that they do things by the book. At the point that they know they’ve been compromised, care must not only be given to finding out exactly what happened, but preserving that information in such a way as it can be used in a criminal investigation later. There are also legal obligations of reporting and notification that are required if say, personal or financial information is comprimised, and only with detailed informaton on hand can those be fully met.

Sony’s take down of the system was a wise move in that regard, because it enabled them to freeze the state of their system so that they could conduct their investigation without worry of the system being further modified by either the attacker or through normal operation. Much like preserving the scene of a crime, proper incident response requires the system owner to freeze the system state so they can be confidant that the system has been unchanged since the time the breach was discovered.

Once that is done, there’s tons of questions to be answered. Keep in mind, at this point, all the system owner knows is that the system was in some way compromised. There’s questions to be answered:

1. What information was accessed? What wasn’t?
2. How was it accessed?
3. Who did it?

Note my numbering here. “who” is placed last. While this is no doubt important, the primary concern will be to determine if sensitive information was compromised and how. Maybe the attacker was able to log into an authentication server, but was unable to access the database containing personal information? Maybe he was able to access that as well? These questions are important in determining the actual risk incurred, the amount of work needed to be done to clean up or mitigate the breach, as well as identifying later what worked and what didn’t.

To figure out what the attacker accessed means tracing back from the point of entry every action the attacker did. Much like a detective will try to determine the events of a crime, the computer forensics team will need to determine what was accessed, when, and how. To do so means combing through tons of logs, ACLs, and any errors or alerts that fired. This could be made easier or harder depending on the level of logging they had configured and any systems they had in place to aid in this process. Maybe logging was configured on all devices, or only some? What events were being logged, and were any not being logged that would be essential later? Is there any sort of log aggregation device that is being used (syslog) or do they have to be collected individually? Are there any parsing tools being used that will help in sifting through the data, or does it all have to be combed through by hand? Did the attacker access the logs, and in that case, can they be trusted? All of these things will determine the speed and accuracy by which Sony will be able to determine what happened and how.

At this point, Sony has determined that personal information was compromised (see their FAQ) and is in the process of trying to find out conclusively if financial information was gained as well. Depending on the answers to the questions above, they may or may not be able to say so with certainty. In this case, assume “worse case”, that the attacker obtained it.

Unfortunately, we won’t know any more unless Sony releases their “After-action” or “Lesson’s learned” reports after the fact. This, while no doubt helpful to the security community and other organizations seeking to avoid a repeat, will most likely paint Sony in an unflattering light. It’s for that reason that we rarely see those kinds of disclosures, the lessons are never shared, and why this sort of event gets repeated so many times for so many businesses. Any guesses as to how the attacker purported the attack will likely remain unknown for a long time, unless authorities actually succeed in bringing him to justice.

There’s little point in speculating as to how the breach occurred. While most of rumors have pointed towards an entry through the PlayStation itself or some other method through the PSN authentication servers, it’s by no means limited to that. Nor is it necessarily the work of even an external attacker (though Sony alludes to this.) Nevertheless, I will engage on a bit of speculation on my own and suggest that someone did get through “the front door” as it were, given the poor security of the console and the hacking community’s repeated abilities to authenticate to PSN with hacked and comprimised consoles. We’ve seen other instances of poor key management and lax authentication from the PS3 design, and it’s not hard to speculate that some of this carried over into the PSN’s design.

If this were the case, (and do make note of the “if”, as this is entirely speculation here) then it calls into question what sort of protections exist between the public-facing PSN servers, and the back-end payment processing and database servers that house customer information. It’s been my experience in the past at least that it’s all common for many system owners to throw a firewall and SSL on the front end, and call it done. Defense-in-depth is key. And even in places where a DMZ does exist (firewalls in both front and behind your public facing servers), they’re not always configured correctly. And your databases still need to be hardened and configured for least-privilege. There’s a tendency for things to be lax on the back end, with the argument that “no one should be back here anyways”. That may be true, but that doesn’t mean that someone won’t be eventually, and those successive lines will be the difference between reporting a breach of your DMZ and calling it a day, and reporting the leak of 70 million plus records. =P

The other talk has been of “why”, and why has Sony made themselves such a target. Why not Microsoft or some other?

Certainly, XBox live could have been the target of something like this, and it’s entirely speculative as to whether or not their service is better hardened against this sort of thing. I’m inclined to think that perhaps it is, given their tendency to deploy their own solutions in-house before helping their customers do the same.

But more importantly, Sony has made themselves a target. The PS3, when released, was billed as a “do everything” console, and in addition to being an entertainment console, it was built to resemble a hacker’s dream: It used an exotic, but open and well supported foundation in the form of the Cell processor for which there were plenty of APIs and compilers available, and it readily supported the installation of other operation systems and applications.

The problem here for Sony though was that selling an open console did not fit with their strategy of being an exclusive provider of the buyer’s media and applications. Piracy no doubt played a role in this as well, but in the process of stamping that out, they also shut the door on thousands of people who bought the platform for it’s homebrew and hacking applications. This is combined with the fact that it’s hard to justify paying for Sony applications and services when it’s entirely possible to throw your own operating system on the machine and gain those abilities through an independent channel. Sony does not make money on selling you just the console, and so this is a losing proposition for them.

So Sony has been in a losing position due to trying to sell and support a console that is built for a purpose other than their business strategy. The 360 suffers from none of these issues, because it was never an open platform to begin with. Microsoft’s console strategy is no different than Sony’s, but becuase it was never a viable platform for homebrew to begin with, it never raised people’s hopes enough to begin with.

It’s worth mentioning that the Kinect is an entirely different scenario, but Microsoft no doubt makes money on the sale of each of these devices, and so it is entirely fine with providing them to anyone who wants to do something with it. Consoles on the other hand, make their money through the sale of games and services, not from the console themselves, and so anything that breaks the model of ensuring that consumers buy from only the services provided by the console vendor makes selling them a losing proposition.

This model is contradictory to the model by which most people are used to buying things, in which the item becomes yours and yours to do with as you please once you’ve purchased it. This has been the expectation of those who bought the PS3 console in particular. Sony’s model however, is built on the idea that you’ve instead paid to license the console from them, and they dictate what you can and can not do with it. This is no different than Microsoft or Nintendo’s model, but by raising the ire of the community by going out of their way to promise and deliver an open platform, only to take it away a couple of years later, has made them the target of the community’s ire, with attacks such as this one.

Your PS3 is not transmitting in the clear…

There’s a PDF going around today that’s been getting a lot of attention in claiming that Sony is transmitting user information in the clear:

Unfortunately, the paper is loaded with irrelevant information, dubious claims, and poor understanding of internet transactions. But there is a little nugget of good information in here, which I’ve tried to pick out.

The section on “sensitive information” seems to contain a lot of filler, and doesn’t make too much sense. He claims that Sony uses HTTPS/SSL, but that this “isn’t good enough”. He then goes off topic about how Sony is a large network and that the IP addresses of this large network are all publicly accessible. This is all true, but does not contribute to his argument that the information is not secure. But he does seem to insinuate that there’s a way to phish user data, partictuarly in his mention of SSL, custom certificates, and third-party DNS servers.

Let’s look at the HTTPS/SSL issue.

When an SSL session is negotiated by your PS3 with Sony’s servers, you fetch a certificate from the PS3 server that is authenticated against a CA, verifying that the server claims to be who it says it is. In that certificate is the server’s public key, which is used by the client to encrypt information to send to it. Information cannot be decrypted by the public key, only by the server’s private key, which only it possesses.

So the information being sent to Sony is encrypted, and it’s using SSL, the accepted standard for banks, remote terminal sessions, your gmail, and generally anything else of importance. There are no current flaws in this protocol when implemented correctly.

The ability to forge a client certificate on the PS3 weakens this somewhat, but not directly, and the paper fails to describe this. But I think I can identify what he’s trying to get at.

The PS3 needs to have a trusted root certificate from a Certifying Authority (CA) stored in the console in order to verify that when contacted by a system claiming to be a Sony PSN server, it can verify that is really is a PSN server. (This is the same mechanism that identifies your bank to be who they claim to be.) The ability to create custom firmware (CFW) means that a hacker could distribute a CFW that possesses an altered, additional, or different trusted root CA.

Recall whenever your web browser gave you an alert upon finding an expired certificate, or probably more appropriately, a self-signed certificate. If you’re using HTTPS on a home router, you probably have one of these. Since there is no pre-loaded root CA on your system, you need to decide if you can trust it yourself.

By having a CFW loaded, you’re never prompted for this, and unless you audit the code yourself, you won’t know if there’s other root certificates loaded. Any that are loaded are assumed trusted.

Here’s where we get to the “third-party DNS” that he mentions. Assuming you’re not running your own DNS server (to say nothing of if it’s secured) it is possible that the DNS server you connect to could be spoofed to identify a Sony PSN server’s host name as a different IP. At that point, assuming you’re running a CFW that has a crafted root CA loaded, the PS3 will recieve the spoofed address, the altered certificate will identify the server as legitimate, and a connection will be established. Voila, your information is being sent.

So the short of this:

Your information is not being sent in the clear, but is being sent via industry standard HTTPS/SSL.

For an attack to succeed:

• An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
• The attacker must successfully poison the DNS cache of a DNS server that YOU use
• The attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.

That, ladies and gentlemen, is a pretty tall order, though it’s by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)

Of course, it could certainly be a lot simpler than that. If we can convince someone to load our custom firmware, why not have it contact our servers directly? We could dispense with SSL all together, install our own application data, and pull all of the information we want directly. A CFW allows the writer of it to exercise control of the system if he/she wanted to, just like the writer of a trojan or rootkit gives an attacker control over a PC.

So if you’re not using a CFW, then you’re pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relativity secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.

If Sony has a good argument for persuading people not to use a CFW, then it’s this one here. Remember the tenant of security: “If a bad guy can persuade you to run his code on your computer, then it’s not your computer anymore”. PS3 hackers are suddenly discovering this. With root access, you can see a lot that you couldn’t previously. Would they be just as surprised to know that this very same information is sent to your bank, or Paypal, or WoW account, every time you use your PC?

I am just as excited as most at the possibilities of running custom code on the PS3 hardware. But with such power comes responsibility, as well as danger. Always ask yourself if you trust the source of your software, and what mitigation are in place. For CFW, those mitigation’s could be few indeed. Keep your personal information off a cracked PS3, and if feasible, off the internet entirely. I have no doubt that Sony will find ways to keep cracked PS3s off PlayStation Network for good, so there’s little to lose here. The important thing is to recognize the risks that follow a CFW, and act accordingly.

(Parts of this post were originally posted here, comments, page 3)

Letter to Congress on security

As promised, the text of the email I wrote to the Honorable Jim Webb, Mark Warner, and Gerry Connolly, Senators and Representative, respectivally:

———————————————————————–

Dear Sirs,

I am writing to you to share some of my concerns regarding recent decisions with regards to airline security and the general security approach of the United States in general.

Starting sometime after the discovery of bombs hidden in printers aboard cargo planes, the Department of Homeland Security through the TSA decided to implement full-body scanners and pat-down searches at all airports. Whatever the misconceptions and notions surrounding these techniques, I fail to comprehend the cause and effect between the attempted delivery method and the countermeasures used.

More importantly however, I am increasingly disturbed by the increasing willingness to infringe on privacy, courtesy, and respect, in the attempt to make us “safer”. It is my opinion that these measures are not only ineffective, but insulting to a society that supposedly prides itself on it’s freedom and liberty.

Throughout our history, we have trumpeted our ability to stand up to hostile action and adversity, and resist intimidation, fear, and danger in order to preserve the fact that our nation was created around common virtues, and not some racial or geopolitical basis. Our founders espoused mottoes such as “Give me freedom or give me death!” and “Live free or die.” to illustrate the fact that they believed that it was better to risk one’s life as a free man than to guarantee safety under oppression.

It is not an easy thing to be able to stand tall and say “I accept the risk” when such horrific implements can be used against us. But that’s just what we as Americans have done in the past, and has given us a reputation of bravery towards our ideals.

Our intelligence and police agencies continue to do their best to sniff out plots, worth together, and investigate wrongdoing. In every reported instance, we have either thwarted or quickly responded to every attempted act of terrorism, often through good old-fashioned detective work. This has shown to be a proven and effective method of dealing with the threats we face while maintaining a free and civil city, and we should continue to support these people where we can.

There will always be a residual risk however, one will, invariably, get through. It is in these times in which our fellow citizens, not our soldiers or police, will be tested. And just as those citizens in history decided it was better to risk their lives in war than live under oppression, so do we need to accept a degree of risk, however minute, in order to live according to the freedoms and liberties we all desire and espouse, that so many gave their lives for centuries ago.

Our world is in many ways, safer than it has ever been. Our time-tested and honed methods keep the likely-hood of being affected by such an attack to a tiny amount. It is up to us ordinary citizens to carry the rest, to resist the urge to investigate our neighbors, to spy on their conversations, to search them in public without probable cause. I ask you to help set this example and do your best to repeal these practices, and remind the rest of the world what it truly means to live in a free society.

Thank you for your time.

~Chris Kozlowski

The Price of Freedom

“Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”

-Benjamin Franklin

I often wrestled with the above statement, re-quoted so many times by so many people in the face of any security argument. In the urge to “connect the dots” after 9/11,  I often wondered what Ben Franklin would have thought of his now famous statement. Would he still agree? Is it too much to ask to purchase a little safety?

The world we live in today is much different from that 234 years ago to the day. We live in a time of magic and awe. Six billion people inhabit this planet, many of them able to share their thoughts and ideas with millions of others instantly regardless of distance or location. We are able to send anyone or anything anywhere on the globe within 24 hours. A butterfly flapping it’s wings in Africa may be able to eventually spawn a hurricane in the north Atlantic, but that’s nothing compared to the speed of an email or  Twitter wave.

Never before has the world been so open and interconnected, and every day the lives of thousands everywhere gets incrementally better as the walls that held back human progress in the remote locations of the world come crumbling down. Yet the same mechanisms that whisk thoughts and goods and people from place to place also send threats and malcontent over the same channels. Some are terrified at the rapid changes in people’s lives, and are driven to violence. Others believe that the rest of the world should stay as it is, that we should build the walls again, and leave the rest to it’s machinations.

To the latter group, it is a fool’s wish. The world will never close up again. And it is here we find ourselves today.

I wondered what Ben Franklin would have said. If we were not to give up liberty for security, then were we to give up security? Would it be inevitable that people would be bossed and shoved around? Terrorized? Harmed? Killed? Who would advocate this? No, I thought, people were being too thin-skinned. It doesn’t matter if the FBI or so is reading your email, they’re not out to get you anyways. An extra security line here or there to check for bombs is fine. The nation got it’s fill of seeing people jump out of skyscrapers to their deaths to avoid being burned alive, and we would all toughen up to avoid having to go through that ordeal again.

I thought this for a while, until I passed a New Hampshire license plate.

It’s been said so much from such an early time that the words became meaningless to me, and yet one day, driving down the interstate, it clicked. There was a time, when people didn’t have a say in how their affairs were run. They were forced to pledge loyalty to some guy an ocean away, who didn’t give a shit about them unless the taxes we note being paid. People were tried and convicted in mock courts, under laws that were suspended at will, and where death by hanging could be the penalty for a trivial offense.

The people who endured this chose not to fall in line, but rather, they declared war.

The statements “Live Free or Die”, “Give Me Liberty, or Give Me Death!” are quotes that are referred to often. They were spoken by ordinary men who were fully willing to embrace the threat of harm to ensure the right to live as they pleased. A terrible conflict ensued, and thousands perished.

We honor this day and others during the year and speak to those days when those citizens before us decided enough was enough and they would be terrorized no longer. We celebrate, rightfully, what was a monumental occasion.

It has been over two centuries since that conflict. But these days I feel that sentiment, the lessons from that struggle, are more relevant than ever. Our world holds untold promise and prosperity, but also new threats and dangers. We face risks and read about horrors that the founding fathers never would have imagined.

Many in this country think we should do everything we can to protect our citizens from every conceivable threat and attack. This is a laudable, if unrealistic, aim. Nevertheless, we try. But in doing so we often erode those liberties the founding fathers spoke of. We read email, install full body scanners, take off our shoes at airports. You can no longer photograph some buildings or officials, for fear of undertaking reconnaissance. Some declare that the constitution should no longer apply to those accused of terrorism, U.S. citizen or not.

Those in the security business would tell you that these measures work to a marginal extent. A determined attacker will get through eventually. However, many would argue that any measurable increase in security is worth the price.

The founding fathers would disagree.

No one would argue the need for practical measures, for vigilance, for a strong military and law enforcement. But the day will arrive, occasionally, where harm is done or lives are lost. And it is we, the ordinary U.S. citizen, who must remember that it is the price we pay for enjoying such little interference in our affairs, for the right to do as we please while upholding the rights of others, for the right to choose, to speak out, to condone and complain.

We are not defenseless. Bravery, ingenuity, cleverness, and tenacity continue to protect this nation of 300 million every day. We are not on the verge of being annihilated, and we were wise to structure our government in such a way in that we rely on no one man or family for continuity. Our military, our intelligence agencies, federal and local police, all of our lines of defense filter and stop so much. But there is a threshold at which point security begins to trump liberty, and it is there where we must accept that residual risk and bear the burden ourselves, as the revolutionaries once promised to do, and did.

Have a happy 4th of July everyone. =)

Cyber Command

I was reading over Schneier’s blog on the recent hearings for Lt. Gen. Alexander’s nomination to head the US Cyber Command, which would be a new unified DoD command to address IA issues, both offensive and defensive. Reading through Schneier’s comments and those who replied to his post, I was a bit taken aback.

I didn’t find anything in his remarks that are particularly alarming, (the comment that DHS and the FBI would be the primary agency to address domestic IA issues spoke volumes to his views on his command’s AOR)  but lots of snide comments from the peanut gallery that somehow, the military is wasting it’s time and that the threat to DoD information assurance is somehow a myth.

Granted, DoD, just like a private organization, is loathe to acknowledge when they’ve been compromised, but most readers here I’m sure would recognize that it’s occurred many times in the past. So I’m a bit puzzled when DoD starts discussing a unified command to deal with these issues that they’re met with ridicule.

There is justifiable and wholly appropriate questions being asked on just how DoD intends to defend it’s networks, and they and outside individuals correctly recognize that the nature of the internet means that threats will originate from inside and out, across a myriad of state lines, sovereignties, various agencies and organizations. People have a right to know how DoD will respond in these cases, but don’t be surprised or offended if they come knocking.

Government agencies, which control VAST networks handling everything from taxes to health care and military communications is starting to finally get serious about network security, and they need our help. (They can start by dropping the “cyber” part of their name. =P ) But the cries of “BULLSHIT”, “Buy American!” and “wahhh! Wiretapping!!!” echo Tea Party-like cries of boogymen and conspiracies that are not there.

Be concerned. Question, critique. But please, don’t expect them to sit back and do nothing while they’re getting lambasted online and off. The Government moves much slower than we’d all like them to, but at least we’re starting somewhere. The Cybersecurity Act and this command are at least a starting point. The former got lots of good input and revision before it was done. We can do the same here.

P.S. Everyone knows what a probe is. (Hint, it’s not just a ping sweep.) No, he didn’t spell it out for the congressmen in the room, and he didn’t need to. Remember, these people interviewing him send “internets” to one another. =P