The PlayStation Network Breach: How, Why, And By Whom?

Sony has come out and stated that the PlayStation Network has been compromised. But what does this mean? Is this an attack by Anonymous or something more sinister? And just how at risk are your personal details? Has Sony been doing right by its customers so far? We spoke to two of Australia’s foremost security experts about the PSN security breach and its wide-ranging implications.

At first it was merely a harmless inconvenience, a minor distraction. Most Australians were packing their desks for the long weekend as reports began circulating that the PlayStation Network was down. Nothing major. A pain for those looking forward to five days of online gaming, but nothing more.

But then the story gathered steam, momentum - as more details were slowly released, it became evident that Sony, and the PlayStation Network, was on the receiving end of a major security compromise.

Someone, somewhere may be in possession of your personal details. They may even have your credit card details. How did it come to this? How did this breach occur? And who is responsible?

THE BAD GUYS

“Well, the bad guys are targeting in the cloud services, that’s becoming clear. We’re seeing a lot of events like this as of late where the bad guys are able to get in and compromise services and get the information that might be stored by these kinds of services. This Sony one is yet another incident in a long line that have happened over the last six months.”

Lloyd Borrett is the security evangelist for AVG, distributors of Internet Security products across Australia and New Zealand. According to him, the Sony breach is just the latest in a long line of attempts by well-organised cyber criminals, or, as he calls them – "bad guys".

“The bad guys are starting to realise they can have massive success by targeting those kinds of services rather than the piecemeal approach of going after individuals. They are obviously putting increased efforts into targeting these repositories of information.”

But just who are these potential bad guys?

“The bad guys are organised cyber criminals with links into organised crime," claims Borrett. "There are a few smart cookies that write the exploits and they market it to others who buy the services and create things like the botnets and other stuff. They also provide monetisation services, because you or I can spend $400 on the service and set it up, but to monetise the information we get that’s something else again.

“Cyber crime is so organised and multi-tiered that the whole process is part of a huge network. Someone might be skimming credit cards, but others might be taking that information and then selling it. Others are selling the services that help gain that information.”

ANONYMOUS

Rumours swirling around the net have stated that Anonymous may have been behind the attack, especially in the wake of the George ‘Geohot’ Hotz legal saga. It’s impossible to say at this early stage but, according to Kaan Kivilcim, Security Consultant at Sense of Security, the more sophisticated the attack, the less likely it was that Anonymous was the culprit.

“It is possible,” begins Kaan. “Anonymous is pretty opportunistic – if they see a target that’ll get them publicity they’ll definitely attack it. It’s entirely possible that a group like this instigated the attack. It might also be possible that it was the work of someone more skilful.

“Not to discount the skill of Anonymous, but a lot of their hacks have been traditional hacks, other major hacks like RSA’s – that hack was incredibly sophisticated, so depending on how the attack came through and how Sony were compromised, based on the level of skill required, then you can draw conclusions on whether it was Anonymous or not.”

REBUG

We asked Kaan whether, in his professional opinion, Sony were properly prepared for this assault on their security.

“Yes and no,” says Kaan, “the way they’ve approached their network to date has been pretty good - they haven’t had any real significant compromises over the past couple of years, so I guess you can take it in two different ways - you could say, yes, they have good security or you could say they’ve just been lucky so far.

“They have a similar approach to Apple in that the firmware on the PlayStation is closed - they don’t provide an option to install a different OS on the device, which means they have a better amount of control. But one of the things we’ve been looking into over the past couple of months is a new custom firmware called ‘Rebug’ for the PlayStation 3, which is the result of someone cracking the cryptographic keys for the PlayStation firmware.

“'Rebug' basically allows you to build custom firmware for the device. When you install it on your PS3 it allows you to gain access to some development features of the device. One of these development features actually allows you to make purchases that don’t validate the credit card number.

“So from that perspective, perhaps Sony haven’t done the right thing - in that the protection measures they’ve put in are solely relying on the fact that the firmware is this obscure thing and once you’ve got access to the firmware and how it works it could be a trivial thing to circumvent some of their security measures."

Lloyd Borrett sees the incident as an example of just how vigilant companies have to be with the increase of more sophisticated methods of cyber crime.

"I think everyone’s got to take a hard look at the services they provide in the cloud," claims Borrett. “We all love the benefits the internet brings us but it comes with security risks. And we’ve got to make sure that when we set up these sorts of services that those things are taken into account. And that the right security policies are put into place.

“We’re increasingly seeing businesses moving towards in the cloud services, and when they’re involving third parties to do that they’re outsourcing some of the security risks involved. They’ve got to be mindful, when they put it in someone else’s hands that they’re going to handle it appropriately.”

A QUESTION OF TIME

Most major criticism of Sony has been directed at their performance after the security breach. It took Sony just over a week to inform PSN users of the fact that their credit card details may be in the hands of hackers. According to Kaan Kivilcim, this delay is a matter of prudence and pragmatism – he’s been impressed by how Sony has kept consumers informed so far.

“The concern is that these companies have to balance the amount of information they disclose based on their investigations,” begins Kaan. “The fact that they’ve come out after a week and been upfront with their customers about the information leak and the credit card – I think that’s a pretty good reaction from a company like Sony. A lot of companies will actually keep the whole thing under wraps and not come clean until they absolutely have to – but Sony hasn’t done that.”

Kaan also mentioned, however, that Sony has been “coy” about the amount of information they’re releasing so far.

“The fact that Sony hasn’t given out any more information about how they were actually compromised, to me, probably indicates that the attack was quite sophisticated and they’re still coming to grips with exactly what happened,” says Kaan. “It could just be that they were totally unprepared - that they didn’t know they were vulnerable in this way and are now totally on the back foot trying to work out how the compromise occurred and what they need to do to fix it.”

According to Lloyd Borrett, Sony’s initial reaction – shutting down the PlayStation Network indefinitely – was absolutely the correct decision.

“By shutting it down they’ve locked them out from getting more information,” claims Borrett. “It could be that the horse has already bolted, that they’ve got all the information they need - but shutting it down gives them time to analyse what the bad guys have got, and helps them prepare plans with regards to what they can do. It also gives them a chance to rectify the security loopholes used by the bad guys. So I think that’s a prudent thing for Sony to do.”

WHERE CREDIT IS DUE

The question on most PSN users’ minds is this: have my credit card details been stolen? Are these details in the possession of cyber criminals? According to Kaan, the answer to that question is dependent on a number of factors, the most pertinent of which is precisely how Sony stores your personal information.

“The compromise is quite significant,” says Kaan. “If Sony have not been following security best practice and they’re not storing credit card details with encryption, then someone may already have your details.

“On the other hand, it might be possible that the information has been compromised but is still in an encrypted state.”

Kaan claims that Sony’s admission that credit card details may have leaked is a huge deal – the decision to reveal that information would not have been made without some sort of evidence that said details could have been leaked.

“For Sony to come and say that the credit card information for millions of PSN users has been compromised, that’s not something Sony would do lightly. You wouldn’t do that unless you had doubts.”

For now, Kaan suggests you take every measure possible in order to secure any passwords you may have on any other services – particularly with regards to net banking.

“Best practice is to try and have a different password for all your different services,” claims Kaan. “If you have a net bank service make that password stronger and make sure it’s a different password. Password reuse is a way in which many people have been compromised in the past – so if you’re using your PSN password for anything else assume that all of those passwords need to be changed. Follow Sony’s advice – keep an eye out for any strange activity on your credit card and if anything happens contact your bank immediately.”

THE WAITING GAME

For now, the important thing is to be vigilant with your own details. As to the specifics of who breached the PSN’s security, and for what reason, we’ll only know for sure when Sony start distributing the information themselves. It’s difficult to say what the impact of this whole incident will be in the long term but, for now, consumer trust in PlayStation has been shattered.

Sony has been one of the pioneers in console digital distribution, but with this breach Sony has lost the ability to confidently stride ahead as a leader in this growth market.

How Sony recovers depends majorly on its conduct in the coming days and weeks.

Stay tuned for more news.


Comments

    How ironic that a guy from AVG is being interviewed. A fraudster stole my credit card information last month and purchased online software from AVG. I asked AVG to cooperate with the investigation and provide me or police with the fraudster's IP and e-mail address, but they only replied with "Please be informed that we are unable to provide any details regarding orders unless the customer contacts us from the registered email address." Obviously, if I'm not the fraudster, I cannot contact them from the 'registered e-mail address'. And THEY talk about security...ridiculous

      Pretty simple really call the bank get them to reverse the spend and AVG lose their sale and money.

      Pretty sure they will be moved to cancel the AVG license stolen from them.

      If the police were to contact AVG and subpoena the information, they would have to supply it; it's that simple. They [police] have the authority to request that information, you do not; it's that simple.

      You're going to blame a security company for following a sensible privacy policy? If your credit card has been used for fraudulent purchases, contact your bank. They have the tools to deal with it.

    Another great piece of work Mr Serrels.

    Now, please, do us all a favour and pump Sony for info on how they store people's information and just how well it is encrypted (if at all).

      Plain Text communications and storage.

    The way Sony have handled this has been disgusting. 3 days without any press release, then a press release notifying of an intrusion, then 9 days from the initial incident we receive the worst case scenario.

    Sony, don't piss on me and tell me it's raining.

      To be fair

      a) It was a public holiday. I imagine there would be a fair number of staff who were all off enjoying the break
      b) They were probably still working out what the cause was. They aren't going to say 'It could be someone's hacked the system' and then say the next day 'it was a false alarm, ha!'

        Easter and its associated days are not public holidays in the US.

    This is shit. If it is a traditional hack then why can't they stop it? Are they stupid?

    As Rihanna would say - Na Na Na Na Na come on!

    They've really dropped the ball on this one, I've pretty much lost all faith in the security of PSN. That'll be the last time I store my details on their network, that's for sure.

    *Face Palm*

    They have NOT handled this right and they're going to pay for it.

      And you could do better?

      I use the PSN service (not used the store in a long time and my bank card has since changed so I am not worried), and I have no issues with how they handled it.

      They are releasing the right amount of info, enough so that everyone knows what is going on, but not so much people panic about every detail.

        So you're not affected by this issue, and you're happy with the way they handled this? That's great for you.

        I have to cancel my credit card, check there were no transactions in the past week, and keep on the look out for suspicious emails to prevent identity theft. Excuse me if I'm not happy that Sony sat on their hands for a week and told us nothing.

          +1

          Exactly Thom.. it's not petty whining.. it's being reasonably realistic in our views of Sony's compromise. It wouldn't be any different if it was another company.

          Thom, that's got nothing to do with how Sony has handled this. I'm sure they are aware of the inconvenience the attack has caused to all the PSN users, but I believe they are handling the situation the way they are supposed to. Yes, it is an inconvenience that the attacks happened at all, but I believe they are handling the situation properly.
          Don't you?

          It's a damn gaming console, why the hell are you crying cause you can't play online for a couple days..if they told you earlier what could that possibly have done to help your situation, absolutely nothing..so get off your damn ass stop playing playstation and harden the fuck up

    I definitely agree that this isn't the work of Anon. When Anon hacks, they do so, with the goal of disrupting and disorientating with DDoS attacks. Also, bear in mind that it was Sony who pulled the plug on PSN themselves, and not the external source.

    Of course, there's always the chance that Anon's tactics have changed, or we're COMPLETELY wrong in assuming that Anon's ranks are comprised solely of skriptkiddies. But, chances are this sort of thing is completely out of their comprehension.

    So, if you see any claims by Anon claiming that they're responsible, they're full of piss and vinegar, and their egos have made them unaware that such claims are in fact, detrimental to the hive.

      Anon have obtained and released user dox in the past, a recent one being security firm HBGary Federal, for many reasons. One such reason is to highlight inefficient security.

      I'm on the fence with this one. It's not out of the realm of Anonymous' varied "talents". That's not to say the door may have been opened by someone and cyber criminals just strolled on through the open door either. Then again it could be Sony just spinning a load of malarky to lobby for tougher internet restrictions?

      Whoever knows the full, or even real, story isn't talking.

    Great article, Mark. Much more informative than anything else I've read out there on the same topic.

    Thankfully for me, my PSN password is just a throwaway phrase. I'm not worried if that is discovered. I'm more worried about the credit card details, though. I'll wait to see what Sony have to say on that matter, before I go and cancel it.

    God some people are sooking a lot.

    Sony has handled this fine, people have to remember this event has also occurred over a holiday period which means they were probably running on a skeleton crew.

    Sony's told you, if you want you can cancel your card and considering until today the banks were all closed you would have been pretty screwed either way if you were dependent on that card.

    Although it's nice to know the custom firmware is still biting them in the ass. Which kinda places it as geohot's fault again :P

    Nice article btw Mark, it shows why you get awards you don't just copy paste press releases :P

      Nope. You can report a stolen/destroyed/lost credit card 24 hours 7 days a week

      with good reason too.

      Which public holiday fell on Monday 18th - which is when Sony knew about the intrusion?

        Sony did not know the severity of the intrusion until Monday 25th hence a press release yesterday, a prompt shut down was only done as they collected more and more evidence of information theft.

    Everyone make sure to cancel your credit cards now and renew them.

    So here's the question on my lips, being an Xbox 360 user - what's Microsoft got to say to reassure the public that this won't happen to Xbox Live? Mark, can you get a comment from their reps?

      Given that Sony haven't disclosed how this hack was perpetrated against PSN, it would be pretty much impossible for MS to tell us what measures, if any, they've taken to safeguard against the same thing happening. They probably don't know much more than we do about exactly what happened, although I'm sure they'd be keen to find out just so they can make sure they've got it covered.

        That's the issue, no one actually knows what was done to bypass all the security.

        I've seen a lot of comments over the internet that suggest that Sony has security measures somewhere between "leaving the keys in the door" to "a bank vault door".

        Every system has weak points and perhaps there was nothing Sony could have done about THIS instance.

        I would honestly like for both MS and Nintendo to have a scare like this also soon, just so the internet drops the console war bullshit and to prove that no-one is 100% safe.

        This incident is an inconvenience, something I would rank on par with Banks with system glitches that lock us out of our accounts which we've seen a bit of recently.

        They might not be because of outside hacks, but it proves that systems are not perfect and when they run fine we don't care as soon as something happens it's all...

        ""OMG, 2012!! End Of The World! Selling my PS3, never buying Sony ever again happens""

        The ironic thing is that I have already seen people start listing their PS3 for sale over this, now some of these people might not be too smart and potentially won't Format the PS3, so their account remains on the system, with PSN down, they can't login to remove details either, so when it comes back up the new owner potentially might have access to the sellers data anyway.

          It's nothing to do with "console war bullshit." MS, Sony etc are operators of an online community and gaming service that provides opportunities to purchase digital items, and they invite their user base to supposedly "securely" store their personal and credit card details, ALL providers (Sony, MS, Nintendo etc) have a responsibility to their customers and the community to ensure these details stay secure and not fall into the wrong hands.

          I'm not saying Sony have or have not been negligent (remains to be seen) in this regard, but MS (and any other similar service) should take heed and learn from this, run a diagnostic on their own services and also reassure their 30 million strong user base their details are safe.

          In the digital age, information is a precious commodity. Especially personal and credit card details. A CC can be cancelled, and most banks have a fraud protection policy if you get ripped off. But if someone has your name, address and DOB, that's plenty of information to steal your identity and take out loans, whatever etc.

          I personally know a married couple who (after a break-in at their house) got their identities stolen, loans taken out in their name, savings accounts cleaned out, etc - it was horrible!

          IMHO I think the release of 77 million users' details to unknown persons is far more than a 'glitch,' dude.

            When you see comments "I won't ever trust Sony, selling my PS3 and getting an XBOX/Wii", there is an insinuation they are suggesting that someone like couldn't happen on another platform. Perhaps these users are simply trolling, who knows, but some of those are listing their products.

            I understand that when you sign up to services, you expect your details to be safe, there is no denying that.

            MS haven't come forward as yet, but I'm sure they are doing that as we speak, as there are already reports that users with previously banned consoles are able to get back online with them after doing an update. This could suggest they are trialling new measures as we speak.

            That's the other thing, Sony probably boasted those numbers in the past, but +70million users is biting them in the arse, would be surprised if the REAL figure was even half or even a third of that, how many people do we all have multiple accounts? I have a JP, US and UK one myself..

            We'll disagree about this vs the glitch with banks, but imagine you had to go this long without any access to any funds, the overall point was that any system is fallible, either from outside hacks or from simple oversights.

      Xbox Live already has pretty decent security, so you don't need to worry too much. Not saying that it's impossible to get hacked, but probably a lot safer than PSN

        It's impossible to draw that conclusion without knowing intricate details of the operations and infrastructure of both PSN and Xbox LIVE.

        Both Xbox live and PSN were designed by the same network consultation firm.

          plmko do you have a source for this? because if this is true i am taking my shit off live asap.

    Definitely not Anonymous. There's people in that collective that would be capable of it, but they would be after stuff to gain access to Sony info and shame them for publicity - stealing credit card info from users doesn't fit their MO and would also end up affecting other members since there's a very high chance at least some of them have PSN accounts.

    Sony were relying on security through obscurity. It was revealed a while back that transmissions between PSN and the PS3 were plain text, so it was open to a man-in-the-middle attack at the very least.

    Very strong argument to go back to point cards :(

      Some reassurance would be welcome, though. I hope that a part of my 80 dollars per year (very reasonable for what you get with Xbox Live) goes towards maintaining the integrity of their user database. My CC details are on there too and I must admit I am a little worried.

    Anon are quite capable of fairly sophisticated hacks.

    This is a great read and tells how Anon hacked a security company that was working with the FBI. The CEO stepped down afterwards.

    http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

      i read that a while ago that story, its an amazing read.

      It was an interesting read but like the article points out it wasn't a sophisticated attack. They took advantage of widely-known exploits and simple techniques to get in. Admittedly all the good breaking and entering is done with that stuff. You don't pick the lock of an open door after all.

      All that said I don't think Anon really cares about being sophisticated. The simple stuff seems to work best for them.

    I informed my bank this morning and had my card cancelled just to be sure. Not worth the risk for the sake of saving myself 3-5 days without a credit card.

    It does really destroy my confidence in using the PS Store anytime ever again with my CC though. I guess Sony might see an uptick in PSN Card sales!

    “On the other hand, it might be possible that the information has been compromised but is still in an encrypted state.”

    ...

    "creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=45581234567812345678&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard."

    Yep, you're fucked. Unless of course they've actually started encrypting the data.

      Maybe some kind soul will encrypt it for Sony and send it back to them with the encryption key?

      Obtained from this chat log in February? http://pastie.org/private/97oth9v5tspkiztwwdmnga

      Wow... Since February this has been public knowledge...? Oh, Sony...

        Well, I obtained the actual information from ArsTechnica, but yes, it came from there originally. As I said though, I haven't seen anything that implies that Sony have fixed the problem.

          If that information is being sent in the clear without the use of SSL to a web service, then that's bad. This would only impact users who suffer from a man-in-the-middle attack and not all accounts within PSN. This information (you'd hope) would be processed and then stored securely (or not?) in their backend.

            I agree. But if this is how they're sending the info, then it's safe to assume that's how they store it.

            When it's my credit card information at stake, I generally tend to assume the worst... which thankfully it isn't, because I only got my CC recently, and have not made any purchases on the PSN (and after finding out how they send the information, I think I'll be sticking to the prepaid card things, I just can't take the chance).

            Reading the chat log, it sounds like what they're saying is that while the credit card data is sent over an SSL connection, there is no further encryption of that information.

            So assuming the console properly authenticates the server it is talking to, it shouldn't be possible for eavesdroppers to capture that information.

        http://pastie.org/private/97oth9v5tspkiztwwdmnga Line 85 is so right it's scary.
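
The request body quoted in the thread above carries the card number and security code as ordinary form fields, so any proxy, debug log or capture that sees the decrypted body holds them in the clear. As an added example (not code from the article, its commenters or Sony), this Python function scrubs such a body before it is logged; the field names come from the quoted string, while the sample body, its test card number and the function names are constructed here.

```python
import re
from urllib.parse import parse_qsl

# Leaf field names as they appear in the request body quoted in the thread.
PAN_FIELD = "cardNumber"
CODE_FIELD = "securityCode"
# Card numbers are 13-19 digits; look for such runs in free-text fields too.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample: 4111111111111111 is a widely used test number, not a real card.
SAMPLE_BODY = (
    "creditCard.paymentMethodId=VISA&creditCard.holderName=Test+User"
    "&creditCard.cardNumber=4111111111111111&creditCard.expireYear=2012"
    "&creditCard.expireMonth=2&creditCard.securityCode=123"
    "&creditCard.address.address1=card+4111111111111111+order+1234567890123"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from other digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(value: str) -> str:
    """Keep the first six and last four characters; mask short values entirely."""
    if len(value) < 13:
        return "*" * len(value)
    return value[:6] + "*" * (len(value) - 10) + value[-4:]


def scrub_form_body(body: str):
    """Return (log-safe fields, findings) for a URL-encoded request body."""
    scrubbed, findings = {}, []
    for key, value in parse_qsl(body, keep_blank_values=True):
        leaf = key.rsplit(".", 1)[-1]
        if leaf == CODE_FIELD:
            # The security code has no business in a log at all.
            scrubbed[key] = "[removed]"
            findings.append(f"{key}: security code in request body")
        elif leaf == PAN_FIELD:
            digits = re.sub(r"[ -]", "", value)
            scrubbed[key] = mask_pan(digits)
            state = "Luhn-valid" if luhn_ok(digits) else "not Luhn-valid"
            findings.append(f"{key}: card number field ({state})")
        else:
            # Card numbers also leak through notes, addresses and error text.
            def mask_match(match, key=key):
                if not luhn_ok(match.group()):
                    return match.group()    # order ids, phone numbers, etc.
                findings.append(f"{key}: card number inside free text")
                return mask_pan(match.group())
            scrubbed[key] = PAN_RUN.sub(mask_match, value)
    return scrubbed, findings


if __name__ == "__main__":
    fields, notes = scrub_form_body(SAMPLE_BODY)
    for name, val in fields.items():
        print(f"{name} = {val}")
    for note in notes:
        print("finding:", note)
```

Scrubbing of this kind only limits what logs and captures retain; whether the stored copy is encrypted, which is the open question in the article, is a separate control.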

    This is just getting worse and worse. This is going to be devastating for Sony.

    Great article, Mark.

      If you have the same (or even similar) passwords to PSN for other uses, email for example or heaven forbid Internet banking - change it quick smart and use the situation to make a stronger password.

      And if you can't easily replace your credit card keep an eye on any transactions.

      I guess this "could" happen to Steam (this issue is not Steam/Valve's fault btw) or XBox Live users too. Better to be safer than sorry. On the Steam issue I understand that GabeN had concerns about security a while back.

      And while I would LOVE to have Steam via XBox 360 too I can understand any reluctance by Microsoft at this - especially this - stage.

    I find it really intriguing that someone piggybacked on top of Anonymous's DDoS attacks. Very clever. While all eyes were on Anonymous, they were able to slip under the radar. I want to know who they are.

    They rock - not for stealing my personal information, but for pulling it off in this way. They > Anonymous.

      Never likely to know unless they come forward. Unlikely as you can be sure Sony would have the FBI and others involved now. This is pretty serious for Sony. Could affect new unit sales. I for one am now much less likely to "splash out" on a PS3 now. I mean Portal 2 on PC is better because you can use a mouse anyway!

      I'd like to see this guy get caught and locked up. Then he can spend a couple of years trying to take security precautions against "external intrusions" into his rectum.

        I'm sorry, but I have to share this quote!
        Lock up the bastard! (cue angry mob)

    Just saw you on ABC news! I had to lol at the end, silence.

    Look, I respect Sony for trying to defend their console unlike the other consoles that have been either jail-broken or hacked. But really Sony? It doesn't take 6 days or more to fix a network breach caused by a few hackers and also Sony has made a bad decision to announce the playstation tablet now because right now, the PSN is down and there is over 18 million angry gamers globally. But since its the first time PSN has been hacked, I'll give Sony a break.

      Have you seen the anti-piracy software on the 3DS? If you use illegal software, Nintendo can legally brick your system for certain amounts of time. Don't say that no-one else is taking anti-piracy measures.

      Are you saying you could analyse exactly how it was hacked, exactly what was taken, figure out what needs to be fixed and then build a potentially hack-proof security system for the PS3 in 6 days? Because if you are maybe you should give Sony a call.

      I however would expect them to devote AT LEAST a week of meticulous building and testing to make sure they got it right this time. Any less than that and it would just be plain lazy.

        He can then look and see that it was good, and rest on the 7th.

    How to hack PSN: The guidebook.

    1. Go on computer.
    2. Send e-mail to Sony saying that you are a Nigerian Prince and that if they give cc details, they will double their investment.
    3. Wait for the daily PSN crash.
    4. Send 2nd e-mail to Sony saying that you hacked the PSN and stole cc details.
    5. Wait for Sony meltdown.
    6. Profit.

    In recent news, thousands of PSN accounts have been hacked. Because a Sony employee forgot to take them out of his pants when they were washed.

      70M+ - pretty much all of them.

    One thing I haven't really seen addressed anywhere is what effect this is having on developers? In particular those who have made PSN-exclusive games - those games would currently be producing no revenue at all since there's no disc-based version or XBL/PC version to keep the money coming in.

    It's already been a week - if this goes on much longer we could see some smaller developers start to have serious cash-flow issues. Especially those who have released games in the past month or two, since most games get a large percentage of their sales in that first month or so on sale.

      There would be something in the contract absolving said service providers for this. Not ideal - and RARE but there you are.

    I think that's the truth. They cannot solve it. They should pay for it.

      You did not pay. What recompense do you expect? Even the rare XBox Live downtime is minimal by comparison and yet they are under no legal force to provide compensation. It is a grey area - I'd be more worried about your new home or car loan you just got with that nice new 47" HDTV.

    This is a ear-ringing shout for those sleeping system administrators -hello. Too bad for Sony's sales I do hope they can catch the culprit asap though i doubt it is anonymous, but come to you got a point, they might have been just lucky. Look forward from this update.
