PSN Hacked

The PS3's security is in the news again, this time with the PlayStation Network. Those of you who spend time on it have no doubt heard by now that the network was compromised and was shut down as a result.

There's been a lot floating around on the rumor mill, both as a result of speculation and of the deafening silence coming out of Sony. I'll try to explain why that silence is probably the case.

At the beginning of any incident, very little is known. Something, somewhere, alerted Sony to the fact that a breach had taken place. And by breach, we mean any successful penetration of the security perimeter (the line demarcating where Sony's control over their network infrastructure ends). It is not:

  • An nmap scan against their firewall. That sorta thing happens all the time, and it stays outside the perimeter.
  • Buying things off of PSN with a stolen credit card. (That’s another problem entirely.)

A breach means that someone was able to gain access to a device or devices in a way they shouldn't have had permission to. That's it. At that point, Sony is in incident response mode.

It's important to make that note because once it's been determined that an illegal entry has taken place (and it is illegal), it's absolutely essential that they do things by the book. From the moment they know they've been compromised, care must be taken not only to find out exactly what happened, but to preserve that information in such a way that it can be used in a criminal investigation later. There are also legal obligations of reporting and notification that kick in if, say, personal or financial information is compromised, and only with detailed information on hand can those be fully met.

Sony's takedown of the system was a wise move in that regard, because it let them freeze the state of their systems and conduct the investigation without worrying that the attacker, or plain normal operation, would modify them further. Much like preserving the scene of a crime, proper incident response requires the system owner to freeze system state so they can be confident nothing has changed since the breach was discovered. The one caveat worth noting is that powering machines off discards volatile evidence such as memory contents and live network connections, so a careful team captures those before pulling the plug.

Once that is done, there are tons of questions to be answered. Keep in mind that at this point all the system owner knows is that the system was in some way compromised:

  1. What information was accessed? What wasn’t?
  2. How was it accessed?
  3. Who did it?

Note my numbering here: "who" is placed last. While that is no doubt important, the primary concern is to determine whether sensitive information was compromised, and how. Maybe the attacker was able to log into an authentication server, but was unable to access the database containing personal information? Maybe he was able to access that as well? These questions determine the actual risk incurred, the amount of work needed to clean up or mitigate the breach, and, later, what worked and what didn't.

To figure out what the attacker accessed means tracing, from the point of entry, every action the attacker took. Much like a detective reconstructing the events of a crime, the computer forensics team needs to determine what was accessed, when, and how. That means combing through tons of logs, ACLs, and any errors or alerts that fired, and how easy or hard it is depends on the level of logging that was configured and on whatever systems were in place to help. Was logging configured on all devices, or only some? Which events were being logged, and were any essential ones not? Is there some sort of log aggregation (syslog to a central collector) in place, or do the logs have to be collected from each box individually? Are there parsing tools to help sift through the data, or does it all have to be combed through by hand? Did the attacker get access to the logs, and if so, can they be trusted? All of these things determine the speed and accuracy with which Sony can work out what happened and how.
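To make the log-combing concrete, here is an added example (mine, not Sony's tooling and not code from the original post) that works over a few constructed syslog-style lines: it reconstructs the attacker's hop-by-hop path from successful login events, flags the two things that make a log untrustworthy (per-host silences and timestamps that run backwards), and checks the copy being analysed against the hash recorded when the evidence was acquired. The hostnames, addresses, message formats and the HOST_ADDR inventory are all hypothetical.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real PSN data: hostnames, addresses and message
# formats are hypothetical (the db01 lines stand in for a database audit log).
SAMPLE_LOG = """\
2011-04-17T22:01:03Z web01 sshd[2211]: Accepted password for svc_deploy from 203.0.113.7 port 51022 ssh2
2011-04-17T22:01:09Z web01 sudo: svc_deploy : TTY=pts/0 ; COMMAND=/bin/bash
2011-04-17T22:04:41Z auth01 sshd[900]: Accepted publickey for svc_deploy from 10.0.1.10 port 40111 ssh2
2011-04-17T22:06:15Z db01 dbauth: Accepted login for psn_web from 10.0.2.20
2011-04-17T22:06:30Z db01 dbaudit: psn_web ran SELECT * FROM customers
2011-04-17T23:50:12Z db01 dbauth: Accepted login for psn_web from 10.0.2.20
2011-04-17T22:07:00Z db01 dbaudit: psn_web ran SELECT * FROM payment_cards
"""

# Constructed inventory: the address each host presents when it is the client.
HOST_ADDR = {"web01": "10.0.1.10", "auth01": "10.0.2.20", "db01": "10.0.3.30"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_log(text):
    """Parse syslog-style lines into events; 'line' records the file order."""
    events = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if m:  # a production parser would also count the lines it cannot read
            ts, host, proc, msg = m.groups()
            events.append({"line": n, "host": host, "proc": proc, "msg": msg,
                           "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")})
    return events


def trace_pivots(events, attacker_ip):
    """Follow successful logins hop by hop from the attacker's address; the host
    reached on each hop becomes the source address to look for on the next."""
    path, src, seen = [], attacker_ip, set()
    ordered = sorted(events, key=lambda e: e["ts"])
    while src is not None:
        hop = None
        for e in ordered:
            m = LOGIN_RE.search(e["msg"])
            if m and m.group(2) == src and e["host"] not in seen:
                hop = e["host"]
                break
        if hop is None:
            break
        path.append(hop)
        seen.add(hop)
        src = HOST_ADDR.get(hop)  # host not in inventory: the trail ends here
    return path


def find_gaps(events, threshold=timedelta(minutes=30)):
    """Per-host silences longer than threshold: logging that stopped, or lines
    that were removed. Either way, 'nothing happened' cannot be assumed."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    gaps = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        gaps += [(host, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > threshold]
    return gaps


def find_order_anomalies(events):
    """Lines stamped earlier than a previous line from the same host. A log that
    is appended in real time is monotonic per host, so this means clock trouble
    or an edited file, and needs explaining before the log is trusted."""
    latest, anomalies = {}, []
    for e in events:
        prev = latest.get(e["host"])
        if prev is not None and e["ts"] < prev:
            anomalies.append((e["host"], e["line"]))
        latest[e["host"]] = e["ts"] if prev is None else max(prev, e["ts"])
    return anomalies


def sha256_hex(data):
    """Digest written into the evidence manifest at acquisition time."""
    return hashlib.sha256(data).hexdigest()


def verify_evidence(data, recorded_hash):
    """True only if the copy being analysed is byte-identical to what was acquired."""
    return sha256_hex(data) == recorded_hash


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("pivot path:", " -> ".join(trace_pivots(evs, "203.0.113.7")))
    for host, a, b in find_gaps(evs):
        print(f"gap on {host}: {a:%H:%M:%S} to {b:%H:%M:%S}")
    for host, line in find_order_anomalies(evs):
        print(f"out-of-order line {line} on {host}")
```

On the constructed sample this yields the path web01 -> auth01 -> db01, a silence of over an hour and a half on db01, and one db01 line stamped earlier than the line before it. None of those is proof of tampering on its own, but each is a question the analyst has to answer before the database log can be used to say what was or was not accessed.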

At this point, Sony has determined that personal information was compromised (see their FAQ) and is still trying to find out conclusively whether financial information was taken as well. Depending on the answers to the questions above, they may or may not ever be able to say so with certainty. In that case, assume the worst case: that the attacker obtained it.

Unfortunately, we won't know any more unless Sony releases an "after-action" or "lessons learned" report after the fact. Such a report, while no doubt helpful to the security community and to other organizations seeking to avoid a repeat, would most likely paint Sony in an unflattering light. That is why we rarely see those kinds of disclosures, why the lessons are never shared, and why this sort of event gets repeated for so many businesses. How the attacker actually perpetrated the attack will likely remain unknown for a long time, unless the authorities succeed in bringing him to justice.

There's little point in speculating as to how the breach occurred. While most of the rumors have pointed towards an entry through the PlayStation itself, or some other route through the PSN authentication servers, it's by no means limited to that. Nor is it necessarily the work of an external attacker at all (though Sony alludes to one). Nevertheless, I will engage in a bit of speculation of my own and suggest that someone did get through "the front door", as it were, given the poor security of the console and the hacking community's repeated success at authenticating to PSN with hacked and compromised consoles. We've seen other instances of poor key management and lax authentication in the PS3's design, and it's not hard to imagine that some of this carried over into the PSN's design.

If this were the case (and do make note of the "if", as this is entirely speculation), then it calls into question what sort of protections exist between the public-facing PSN servers and the back-end payment processing and database servers that house customer information. It's been my experience, at least, that it's all too common for system owners to throw a firewall and SSL on the front end and call it done. Defense-in-depth is key. Even where a DMZ does exist (firewalls both in front of and behind your public-facing servers), they're not always configured correctly. And your databases still need to be hardened and configured for least privilege. There's a tendency for things to be lax on the back end, with the argument that "no one should be back here anyway". That may be true, but it doesn't mean someone won't be eventually, and those successive lines of defense will be the difference between reporting a breach of your DMZ and calling it a day, and reporting the leak of 70 million plus records. =P
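As an added illustration of the segmentation point (my own example, not part of the original post and not a description of any real PSN topology), the following models the two firewall postures as zone-to-zone allow rules and checks them the way a reviewer would: how many hosts an attacker has to compromise to reach card data, and whether any internet-facing zone talks to a data zone directly. The zone names, the services and the FLAT_RULES and TIERED_RULES policies are constructed.

```python
from collections import defaultdict, deque

# Constructed policies (hypothetical zones and services, not Sony's topology).
# Each rule allows traffic from one zone to another on a named service.
FLAT_RULES = [
    ("internet", "web", "https"),
    ("web", "db", "sql"),        # the web tier talks to customer data directly
    ("web", "payments", "sql"),  # and to card data, since "no one is back here"
]

TIERED_RULES = [
    ("internet", "web", "https"),
    ("web", "app", "api"),       # outer firewall: DMZ web tier only reaches the app tier
    ("app", "db", "sql"),        # inner firewall: only the app tier reaches customer data
    ("app", "payments", "api"),  # card data sits behind a payment service, never raw SQL
]

DATA_ZONES = {"db", "payments"}


def adjacency(rules):
    """Zone graph: which zones each zone is allowed to initiate traffic to."""
    adj = defaultdict(set)
    for src, dst, _service in rules:
        adj[src].add(dst)
    return adj


def hops_to(rules, target, start="internet"):
    """Fewest zones an attacker must traverse from start to reach target.

    Each hop is a host that has to be compromised; None means unreachable.
    """
    adj = adjacency(rules)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == target:
            return dist
        for nxt in adj[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def lint_policy(rules, entry="internet", min_hops=3):
    """Flag rules that collapse the layers defense-in-depth is supposed to add.

    Reports any directly exposed zone that can reach a data zone, and any
    data zone an attacker could reach in fewer than min_hops compromised hosts.
    """
    exposed = adjacency(rules)[entry]
    findings = []
    for src, dst, service in rules:
        if src in exposed and dst in DATA_ZONES:
            findings.append(f"{src} -> {dst} ({service}): internet-facing zone reaches a data zone directly")
    for zone in sorted(DATA_ZONES):
        hops = hops_to(rules, zone, entry)
        if hops is not None and hops < min_hops:
            findings.append(f"{zone} is only {hops} hops from {entry}")
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("tiered", TIERED_RULES)):
        print(f"{name}: payments is {hops_to(rules, 'payments')} hops from the internet")
        for finding in lint_policy(rules):
            print("  ", finding)
```

The flat policy puts card data two compromised hosts away from the internet and fails both checks; the tiered policy passes, with three hops to either data zone. The hop count is the honest measure here: a DMZ that exists on the diagram but whose inner firewall allows the web tier straight through to the database adds no depth at all.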


The other talk has been of "why": why has Sony made themselves such a target? Why not Microsoft or someone else?

Certainly, Xbox Live could have been the target of something like this, and it's entirely speculative whether their service is better hardened against this sort of thing. I'm inclined to think that perhaps it is, given Microsoft's tendency to deploy their own solutions in-house before helping their customers do the same.

But more importantly, Sony has made themselves a target. The PS3, when released, was billed as a "do everything" console, and in addition to being an entertainment console it was built to resemble a hacker's dream: it used an exotic but open and well-supported foundation in the Cell processor, for which there were plenty of APIs and compilers available, and it readily supported installing other operating systems and applications.

The problem for Sony, though, was that selling an open console did not fit with their strategy of being the exclusive provider of the buyer's media and applications. Piracy no doubt played a role in this as well, but in the process of stamping that out, they also shut the door on thousands of people who bought the platform for its homebrew and hacking applications. Add to this that it's hard to justify paying for Sony applications and services when it's entirely possible to put your own operating system on the machine and get those abilities through an independent channel. Sony does not make money on selling you just the console, and so this is a losing proposition for them.

So Sony has been in a losing position from trying to sell and support a console built for a purpose other than their business strategy. The 360 suffers from none of these issues, because it was never an open platform to begin with. Microsoft's console strategy is no different from Sony's, but because the 360 was never a viable platform for homebrew, it never raised people's hopes in the first place.

It's worth mentioning that the Kinect is an entirely different scenario: Microsoft no doubt makes money on the sale of each of those devices, and so it is entirely fine with providing them to anyone who wants to do something with them. Consoles, on the other hand, make their money through the sale of games and services, not the console itself, so anything that breaks the model of ensuring consumers buy only from the services provided by the console vendor makes selling them a losing proposition.

This model contradicts the one most people are used to when buying things, in which the item becomes yours to do with as you please once you've paid for it. That has been the expectation of those who bought the PS3 in particular. Sony's model, however, is built on the idea that you've instead paid to license the console from them, and they dictate what you can and cannot do with it. This is no different from Microsoft's or Nintendo's model, but by going out of their way to promise and deliver an open platform, only to take it away a couple of years later, Sony raised the ire of the community and made themselves a target for attacks such as this one.


Wednesday, April 27th, 2011 Security
