Nota: Este post está disponible en Español
The Sony PlayStation Network (PSN), which allows the possibility of on-line gaming, movie and TV program watching among other exclusive contents, went offline and entered into maintenance mode on April the 20th. On April 26th the Company released a press statement where they declared that personal information belonging to 78 million users was extracted from their servers during a security breach, becoming this way one of the biggest data breaches in history.
The Sony PlayStation Network (PSN), which allows the possibility of on-line gaming, movie and TV program watching among other exclusive contents, went offline and entered into maintenance mode on April the 20th. On April 26th the Company released a press statement where they declared that personal information belonging to 78 million users was extracted from their servers during a security breach, becoming this way one of the biggest data breaches in history.
The extracted information consisted of: Full names, full address (city, state, zip code and country), e-mail addresses, date of birth, PSN user and password and Credit card data (presumed in 10 million numbers).
The big question we are all asking ourselves is: how could this happen to Sony? The truth is that in the information security world, no one is excluded of incidents. This is so, because there is no 100% effective safeguard. What one can do is to perform a risk analysis of the IT infrastructure and implement the required safeguards to reduce the risks at an acceptable level for the Company.
So, the real question here is: Is Sony accountable for the incident? Did it execute a Due Diligence and Due Care to prevent this from happening? To answer these questions, I took the liberty to analyze the PSN network and the attack itself.
How does the PSN work?
The PSN uses the Internet (HTTPS protocol) to connect the PS3 consoles to the servers where the user accesses different network functions. The communication between these two is done through the use of Web Services, which is a software that uses a group of protocols and standards that allows applications to exchange data (in this case, between the PS3 consoles and the servers). Because the protocol in use is HTTPS, it requires a Web server like Apache or Microsoft IIS.
The IT infrastructure of the PSN is based on a 3-tier architecture:
1. Application Layer (presentation or frontend): interacts with the PS3 consoles and communicates with the following layer (logic layer).
2. Logical Layer: Processes requests from the application layer and requests information from the data layer.
3. Data Layer (Backend): Database servers. It’s an independent layer and its main function is to store and retrieve data.
Between layers, the PSN has implemented firewalls to control the traffic access flow. This is done because in theory, the application layer should not interact directly with the data layer. These are known as multitier architectures.
The Identification & Authentication process between the PS3 and PSN is as follows:
1. The PS3 establishes an SSL connection with the PSN authentication server. The PSN server authenticates with the SSL Certificate to the PS3.
2. The PS3 then sends a passphrase (a long password) as authentication to the PSN.
3. Then it sends parameters, such as Firmware version (i.e. 3.60) used by the PS3.
4. Then user credentials are sent among other transactions.
How secure is the PSN?
The Company designed the console in such a way that it could only play authorized games and prevent user’s access and modifications. This made many users disappointed and created a motive for various users and hackers to jailbreak the PS3 in order to execute any game or program. Sony based the PSN security on the foundation that console was secured: Big mistake.
This mistake was confirmed when the hacker GeoHot (which became famous after jailbreaking the iPhone), hacked the PS3 with other hackers and found the private keys (root keys) of the console. These keys allow a user to digitally sign and install software not authorized by Sony, including Operating Systems (like AsbestOS, a compact Linux). This permitted the distribution of custom Firmware (called homebrew) that contained all the necessary hacks for the users to have full control of their PS3.
Sony tried to block the access to the PSN of the hacked PS3 consoles by filtering the Firmware version and by implementing authentication methods (a passphrase). Still, users got access by performing a man in the middle attack, as follows:
1. First they needed to understand how the protocol worked between the PS3 consoles and the PSN. Since the traffic between them is encrypted with SSL, they implemented modifications to the PS3 in order to intercept the traffic. What they did was:
a. Created a Certificate Authority (CA) to issue a SSL certificate to the domain auth.np.ac.playstation.net (this domain points to the IP of the authentication PSN server).
b. Installed a proxy server between the PS3 and the Internet and configured it with the issued SSL Certificate.
c. Modified the PS3 DNS configuration to point the domain auth.np.ac.playstation.net to the proxy server’s IP address.
d. Copied the CA public root certificate to the PS3 console, so the certification path was valid.
2. With this steps, this is what happened when the PS3 connects to the PSN:
a. The PS3 resolves the domain auth.np.ac.playstation.net to the local proxy IP
b. It establishes an SSL connection with the Proxy. Since the fake SSL certificate is signed by the CA certificate copied into the PS3 and it was issued to the domain auth.np.ac.playstation.net, the console assumes that the connection is authentic
c. The Proxy establishes the connection to the real auth.np.ac.playstation.net server and resends all the traffic to that server and backwards.
3. Now the users can see all the encrypted traffic between the PS3 and the PSN.
4. From the traffic analysis, the users obtained two important protocol parameters:
a. The PS3 sent to the authentication server the current firmware version (i.e. 3.66 or 3.56), used to block unwanted consoles.
b. The latest Firmware sent an authentication passphrase, which was the same for all PS3.
5. To bypass these controls implemented by Sony, they used the Proxy to modify these parameters on the fly. For example, when the Firmware parameter entered the proxy with value of 3.55, it was changed to 3.60 and sent to the PSN servers. The same happened with the passphrase parameter.
¿How was the PSN attacked?
In the last press conference, Sony did not provide many details on the attack, but they did explain us how it was achieved:
1. The attackers knew the existence of a known vulnerability in the Apache web servers. We can assume that they obtained this information from the traffic analysis of the PS3 or by fingerprinting the servers.
2. They sent a valid transaction to the Web Service with a code that executed the vulnerability. This allowed them to install communication software, compromising the logical layer of the PSN. Since it was a valid transaction, the firewalls where of no use.
3. Once inside the logical layer, the attacker started a privilege escalation attack to obtain access to the data layer.
Due to the lack of information from Sony and analyzing the attack, we can assume that the communication tool was a backdoor and the fact that it was a valid transaction, might imply that a hacked PS3 console and Proxy was used.
Sony’s PowerPoint slide illustrating the attack
Is Sony accountable for the incident?
If we do a quick review of the security infrastructure of the PSN, we could establish the following:
· The security was based on the concept that the PS3 console was secured: One of the basic Information Security principles is “do not trust the client”.
· The PSN does not contain a strong Identification & Authentication method: Using the same passphrase for all PS3 consoles was a mistake, since it was easy to obtain.
· The PSN servers authenticated to the PS3 by using SSL certificates, but the PS3 only by using a shared passphrase: Why they did not implement double authentication mechanisms? Why they did not use Digital Certificates to authenticate the PS3?
· Servers with vulnerabilities: Why Sony did not patch their servers? Why Sony did not know their servers were vulnerable?
· Intrusion detection safeguards: Why Sony did not implement an N-IDS (Network Intrusion Detection Systems) and/or H-IDS (Host based Intrusion Detection Systems) in combination with a WAF (Web Application Firewall) to detect and stop the attack?
· Data encryption: Why critical personal data was not encrypted? Only the credit card numbers were and the passwords were hashed.
· Application controls: Why the application layer did not detect the incorrect payload in the transaction?
· Incident Response: Was Sony ready for an incident of this magnitude? Why it took them 6 days to notify the customers?
· Information Security Governance: Why in the press conference on the 1st of May they announced that a new CISO position was going to be created to monitor the security of the PSN?
If Sony did not know that they servers where vulnerable, then they were responsible for not executing a proper risk assessment on their IT infrastructure (Due Diligence). If they knew their servers were vulnerable and did not patch them, then they did not execute Due Care and are responsible for that.
By Agustin Chernitsky
Thanks to: Fer Spettoli, Rami Corletti and Leo Rosso for their input
Of course Sony is accountable for the incident. They are being held to account by the public, including by those customers whose personal information was stolen. The details of how the attack happened are irrelevant to their accountability: they have plainly failed to protect the personal information placed in their care.
ReplyDeleteRubbish, their accountability is entirely based on whether their system was appropriately secured.
DeleteIf they were attacked by multiple zero day attacks on commonly used, peer reviewed systems expertly configured with appropriate procedures in place, then there could be little blame placed on them. With the appropriate resources any IT system, physical vault or corner of space can be accessed. This is life.
They weren't, they were attacked by documented vulnerabilities which had patches available and they didn't have appropriately configured systems or procedures in general. Thus, they are completely accountable for what happened.
Great technical analysis. I've featured on my IT Compliance and Security Blog, the Risk Report. http://mid.typepad.com/home/2011/05/egregious-sony-data-breach.html
ReplyDeleteDoug Meier, CISSP
Hi @Gary, thanks for your comment. One of my collegues (Jeffrey A. Miller) pointed out something very interesting in the Linedin CISSP group that I would like to share:
ReplyDelete"Because there is no law stating that a company must have certain Information Security protections in place only means that Sony cannot be held criminally liable for the breach. Civil law on the other hand can find Sony negligent in exercising the due care/diligence in protecting their systems and award monetary damages in the class-action suit filed on behalf of those people with hacked accounts."
I think his input was great.
@practicaldr, glad you liked it. There are lots of info on the net regarding the PS3 hacking and the users are doing with it. google for "PS3 cluster" :)
Please, be my guest and use this material as you wish. I'll be honored if you feature it.
This website was... how do I say it? Relevant!! Finally I have found something which helped me.
ReplyDeleteThanks a lot!
Feel free to surf to my website ... ps4 cfw
Helpful information. Fortunate me I discovered your site by chance, and I am stunned why this coincidence did not came about in advance!
ReplyDeleteI bookmarked it.
Also visit my homepage: ps4 jail