Over the last few weeks there’s been a lot of commentary around the breach of Sony’s PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that, though, let’s go over a quick timeline of the important points in the breach.
Jan 2, 2011: Months of battles between Sony and PS3 hackers reach a climax when George Hotz, aka GeoHot, publishes the Root Key for the PS3. Among other things, this allows users to sign and run any code they want on the PS3.
Jan 11, 2011: Sony responds to the release of the Root Key by filing suit against Hotz and several other prominent PS3 enthusiasts in Sony Computer Entertainment of America LLC v. Hotz et al. Sony brought multiple charges against the hackers, including violation of the DMCA and the Computer Fraud and Abuse Act, breach of contract, and trespass.
March 31, 2011: Rebug custom firmware released. Rebug allows access to many of the features only found in PS3 developer kits (PS3 dev kits were notoriously expensive; at one point the PS3 Reference Tool cost upwards of 10,000 USD).
March 31, 2011: Sony Online Entertainment lays off 205 employees, an estimated 1/3 of the division.
Early April 2011: Internet group Anonymous responds to SCEA v. Hotz by launching OpSony, a DDoS of PSN and other Sony owned properties with a web presence.
April 20, 2011: Sony detects an intrusion, and the PlayStation Network and Qriocity servers are taken offline.
From there Sony’s missive to Congress pretty well documents what happened.
So, with that background laid, we now need to ask how the attacker actually got in. Sony held a press conference on May 1st 2011, during which they issued this diagram describing how they believed the intrusion happened:
This seems like a roundabout way of saying that there was a SQL injection issue in one of PSN’s applications, or that the database server could have been publicly accessible and exploitable from there. That’s not very descriptive or helpful though, so let’s take a minute to look at some of the alternative ideas on how the breach happened. Please take all of this with a grain of salt, as some of it is speculation or cannot be confirmed.
- Unpatched server: A chat log of several PS3 modders probing PSN has been making the rounds. In it they claim that some of PSN’s webservers were running outdated versions of Apache and Linux (2.2.15 and 2.6.9-2.6.24 respectively). It is a solid bet that if those packages were outdated, the rest of the server hadn’t been patched in the last 5 years either. If that was the case, then the intrusion would have been as simple as firing up Metasploit and going to work. As a side note, Google’s web cache shows that Sony’s servers were up to date, so this whole theory may be bunk.
- Physical attack: Several of Sony’s press releases and blog posts have talked about moving the PSN servers into a single secure location. There have been suggestions that this indicates that there was a physical component to the attack. While this certainly is a possibility, it seems much more likely that this was already happening and Sony is merely highlighting it to promote the image of a security conscious company.
- Insider attack: While this is a threat actor, not an attack, it still merits mentioning. There is a possibility that one of the 205 SOE employees who were terminated on March 31st could have used their access to attack Sony. The retaliatory attacks over the GeoHot lawsuit would have provided the perfect cover for an employee who was angry with being terminated to leverage their access against Sony.
- Leveraging a PS3 against PSN: One of the interesting features of the Rebug firmware was the ability to switch which set of PSN servers the console connected to. For instance, in one attack modders found it was possible to force a PS3 to connect to the prod-qa instance of PSN. On this particular instance, the servers would not authenticate credit card information before adding credit to the account, so attackers could simply add unlimited credit for the PSN store. Much of this information was publicly available before the breach happened. Also, an IRC chat log claimed that there were 45 Internet-accessible PSN instances at the time of the breach. It is possible that one of the PSN instances meant for internal use only had certain flaws, or was configured in such a way that a rogue PS3 could have leveraged it against the rest of Sony’s network.
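To make the prod-qa flaw described above concrete from the defender’s side, here is an added example (not Sony’s code, and not from the original post) of a wallet top-up handler written two ways: the weak version credits the account on the client’s say-so, while the hardened version credits only after verifying a processor-issued authorization bound to the account and amount, rejects replays, and refuses to credit real balances on any non-production instance. The processor, the shared secret and all function names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed example modelling the flaw described above (credit applied
# before the card payment was authenticated). The secret is hypothetical.
PROCESSOR_SECRET = b"hypothetical-shared-secret"


def insecure_top_up(wallets, account, amount, client_says_card_ok):
    """Weak flow: trusts the client's claim that the card was charged."""
    if client_says_card_ok:
        wallets[account] = wallets.get(account, 0) + amount
        return True
    return False


def processor_authorize(account, amount):
    """Stand-in for the payment processor: returns a signed authorization
    that binds the account, the amount and a one-time nonce."""
    nonce = secrets.token_hex(8)
    msg = f"{account}:{amount}:{nonce}".encode()
    tag = hmac.new(PROCESSOR_SECRET, msg, hashlib.sha256).hexdigest()
    return {"account": account, "amount": amount, "nonce": nonce, "tag": tag}


def secure_top_up(wallets, used_nonces, env, account, amount, auth):
    """Hardened flow: credit only on the production instance, and only after
    the processor's authorization for this exact account/amount verifies."""
    if env != "prod":
        return False  # QA/internal instances never credit real wallets
    if auth["account"] != account or auth["amount"] != amount:
        return False  # authorization does not match the requested credit
    if auth["nonce"] in used_nonces:
        return False  # replayed authorization
    msg = f"{account}:{amount}:{auth['nonce']}".encode()
    expected = hmac.new(PROCESSOR_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False  # forged or tampered authorization
    used_nonces.add(auth["nonce"])
    wallets[account] = wallets.get(account, 0) + amount
    return True
```

The environment gate is the part that matters for the prod-qa scenario: a test instance that is reachable from the Internet must not be able to move real value, no matter what the console tells it.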
Looking at these possibilities and their likelihoods, I think we can form a pretty reasonable idea of what happened beyond the attack shown in Sony’s diagram. It looks like a vulnerability in an application was the initial point of entry for this breach. Whether or not this was done using a modified PS3 is up for debate, and there isn’t any solid proof one way or another. While it is extremely probable some of the machines in PSN weren’t up to date on their patches, it seems that if exploiting an outdated web service was the way into PSN for the last 5 years, we would have heard about it much sooner, given all of the automated scan-and-attack tools available today. Also, Sony’s actions that look like responses to a physical attack are probably nothing more than management handing down a blank check to make sure that all of PSN’s defenses are bulked up.
And that’s all working on the assumption that there was just one breach! Perhaps the reason why Sony’s response has seemed a little disjointed is that we keep trying to shoehorn their actions to fit our notion of them responding to a single unrealistically complicated multi-vector attack, and not them responding to a slew of simple attacks that all happen to be coming from different vectors simultaneously. In the weeks that followed PSN being taken down, we have learned that other Sony-owned resources have been compromised and taken offline (e.g. DC Universe Online, Star Wars: Galaxies, Free Realms, EverQuest, and even Sony-run Facebook games like Fortune League) and that more personal information was lost than originally reported (plus an additional 12,700 credit card numbers were discovered stolen on May 2nd). It is unlikely that this is all the work of a single attacker. Even with a best case scenario of there being only two independent simultaneous breaches, so much went on in Sony’s network during those few days that trying to assess, attribute, and respond to what happened is quite a task. Expecting them to know exactly how to best respond to a breach of this magnitude and complexity without tilting their heads a little about what happened is just unrealistic.
Finally, I would bet that this was more a crime of opportunity than a targeted attack. Much of the work that modders were doing on exploring the different PSN instances was publicly available. If someone wanted to attack PSN, the recon was done for them and the tools were already made. Since several less-than-honest modders were using the aforementioned free content trick, someone who wanted to use this information to attack would need to do it before Sony responded and nullified all of that work. Also Sony was still shoring up their defenses from the DDoS of the prior weeks, so there was perfect cover for the attack.
All in all, we probably won’t ever know all of the details surrounding this breach. This should provide a little bit of insight into what probably happened and help a bit to interpret Sony’s response to the breach.