
So over the past week, Sony shut the PlayStation Network down with no warning or communication to its users. Originally, speculation was that it was a byproduct of the conflict between Sony and the hacker group known as Anonymous, stemming from Sony's overreaching legal practices regarding the jailbreak of their PS3 console. Anonymous had previously attacked Sony's DNS servers and brought nearly all of their services down as a result, but in this instance Anonymous claimed they had changed their target to avoid collateral damage to PSN. Soon after, people began putting together the puzzle pieces and, as the service remained down with little to no word from Sony, whispers of a much more troubling picture began to emerge.
Finally, after days of silence, Sony made an announcement this past Tuesday, April the 26th. The event was a worst-case scenario: a breach which not only compromised the network but also leaked the data of every user on it, including passwords, email addresses, and potentially even credit card numbers and expiration dates. The network has an estimated 77 million users. Sony has announced that the PSN will be down for the foreseeable future as a result, while they try to plug the massive hole that this attack has revealed.
So what happened? Well, let's look over what is known before we begin to speculate about the events that transpired.
-A commenter on Reddit, identifying himself as a PSX-Scene moderator, made mention of Rebug potentially being related to the intrusion shortly before the Sony announcement. I've quoted the relevant portion below:
Ok, I've seen a bunch of speculation of why people think PSN is down, and I thought I should just post what the community knows in comparison to what Sony is telling everyone. The truth is, there was a new CFW (custom firmware) released known as Rebug ([1] http://rebug.me). It essentially turns a retail console into a dev console (not fully, but gives you a lot of the same options that usually only devs have access to). Anyway, this new CFW was quickly figured out by 3rd parties (not Rebug) to give CFW users access to the PSN network again via the dev networks. With a little manipulation of the URLs through a proxy server you could get your hacked console back online. Not that big of a deal, right? Well, it also turns out that some people over at NGU found out that you could provide fake CC# info and the authenticity of the information was never checked as you were on Sony's private developer PSN network (essentially a network that Sony trusted). What happened next was extreme piracy of PSN content. Sony, realizing the issue here, shut down the network. Now, before you go freaking out about the latest information posted about Kotaku, no one's personal information was accessible via this hack. Not to say they couldn't get it, but no one is admitting to it being available. Anyway, that's the real reason for the PSN downtime. Sony is now rebuilding all of its PSN servers to be more secure and (hopefully) make sure the CFW users cannot get online anymore.
-It's notable that there were reports that CC info wasn't being checked on the developer network before purchasing, which led to widespread piracy of PSN content. This implies that there was no validation on the dev side of the PSN.
So what does this mean? Well, it provides an attack vector. It's likely that validation didn't exist on the dev network because the dev network is older than the consumer-facing network and was never updated with proper validation. This raises the question of whether it at least validated against SQL injection in the credit card and user data fields. I would bet it did not, and this seems to be a likely avenue for attack.
Now in Sony's announcement, they did not specify whether the stolen data was encrypted. But if it were, why wouldn't they say so? Absence of evidence is evidence in this scenario. The PR nightmare would be severely mitigated if the data were all encrypted, so by not stating either way, the implication is that it was not.
User data should, of course, always be encrypted with something like AES-256, using a key that's mathematically mangled by the code. For example, take the sign-up date, convert it to a Unix timestamp, and do some math on it to use as the key. Maybe use two data sources if you have them, like the userid. This makes the key unique to each user, easily retrievable, and impossible to decrypt without direct access to the backend server code, which the hackers likely never obtained.
Had Sony done these things, this would be a non-issue. The hackers would have a ton of data, none of which they could use or decrypt without a key they had no access to.
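As an added example (not code from the original post or from Sony), here is the per-user encryption idea in Go: a key derived per user from the userid and sign-up timestamp, used with AES-256-GCM. One change from the post, stated plainly: the derivation also mixes in a master secret that exists only on the backend, which is what actually keeps the key out of reach when the user table itself is dumped, since the userid and sign-up date sit in that same table. The master secret, userid, timestamp and record content are constructed sample values.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveUserKey: per-user AES-256 key = HMAC-SHA256(master, label|userID|signupTS).
// HMAC under a secret key is a PRF, so the userid and sign-up date read out of a dumped
// table give an attacker nothing without the backend-only master secret (assumed here).
func deriveUserKey(master []byte, userID uint64, signupTS int64) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(fmt.Sprintf("psn-user-record-v1|%d|%d", userID, signupTS)))
	return mac.Sum(nil) // 32 bytes
}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // unreachable: deriveUserKey always yields 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// encryptRecord stores nonce || ciphertext || tag; the nonce is fresh and random per call.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// decryptRecord reverses encryptRecord; a wrong key or a tampered blob fails the GCM tag.
func decryptRecord(key, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
func main() {
	master := []byte("constructed-master-secret-kept-only-on-backend") // constructed sample value
	key := deriveUserKey(master, 42, 1303776000)
	blob, _ := encryptRecord(key, []byte(`{"email":"user@example.test"}`))
	pt, err := decryptRecord(key, blob)
	fmt.Println(string(pt), err)
}
```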
So who is to blame in all of this? The hackers who may have stolen the data definitely broke the law, but it was Sony's lax security which allowed this to happen in the first place. If you're sitting in a sinking boat, you do not blame the water for rushing in and sinking you. You look to the hole in the hull, because that's the problem you can actually act on and fix.
No matter what industry you're in, hackers will ALWAYS look for and exploit attack vectors in your code, be it for financial gain, notoriety, or even just for laughs. It was the JOB of Sony's devs to anticipate and plan for this. Instead, they left a massive hole in their network in the form of the developer network, which checked the developer status not by comparing it to a registered list, but instead by simply asking the console "Are you a developer?" and therein lies the underlying problem. The first rule of programming server side code: never trust the client sending the data. This is especially true when the client is out there in the wild. It does not matter how secure the client is. If it is your only mode of defense, then you have failed in securing your system.
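An added example (not the post's or Sony's code) of the client-trust failure in Go: the first authorizer takes the console's word on developer status and skips payment checks on the dev network, the second looks the console up in a server-held registry of dev kits and validates the card for everyone else regardless of which network the request came in on. The registry, console ids and card numbers are constructed, and the Luhn format check is an assumption added here as the minimal card validation, not something the post describes.

```go
package main
import (
	"errors"
	"fmt"
)
// PurchaseRequest is what the console sends; every field arrives from an untrusted client.
type PurchaseRequest struct {
	ConsoleID       string
	ClaimsDeveloper bool // the self-assertion the post says the dev network accepted
	CardNumber      string
	FromDevNetwork  bool
}
// authorizeTrustingClient mirrors the failure described above: developer status comes
// from the client, and arriving on the dev network skips card validation entirely.
func authorizeTrustingClient(r PurchaseRequest) error {
	if r.ClaimsDeveloper && r.FromDevNetwork {
		return nil // any console can answer "yes, I'm a developer" and buy for free
	}
	return validateCard(r.CardNumber)
}
// authorizeServerSide is the hardened form: the role comes from a registry the server
// controls, and the client's claim and the network of origin play no part at all.
func authorizeServerSide(r PurchaseRequest, devKits map[string]bool) error {
	if devKits[r.ConsoleID] {
		return nil // a registered dev kit is entitled to test content without payment
	}
	return validateCard(r.CardNumber)
}
// validateCard is a format pre-check (length plus Luhn checksum), assumed here; a real
// flow would then authorize the charge with the card processor before releasing content.
func validateCard(num string) error {
	if len(num) < 13 || len(num) > 19 {
		return errors.New("card number length out of range")
	}
	doubled := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9} // Luhn: 2*d with its digits summed
	sum := 0
	for i := range num {
		d := int(num[len(num)-1-i] - '0') // walk from the rightmost digit
		if d > 9 {
			return errors.New("card number must be digits only")
		}
		if i%2 == 1 {
			d = doubled[d]
		}
		sum += d
	}
	if sum%10 != 0 {
		return errors.New("card number fails Luhn checksum")
	}
	return nil
}
func main() {
	req := PurchaseRequest{ConsoleID: "console-0001", ClaimsDeveloper: true, FromDevNetwork: true, CardNumber: "0000"}
	fmt.Println(authorizeTrustingClient(req), authorizeServerSide(req, map[string]bool{}))
}
```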
So yes, I blame Sony. Because if it wasn't the exploitation of the homebrew community's hack, it just would've been someone else's. Someone quieter, someone less vocal, who would've used the hack themselves and stolen this data and Sony would've never known. Blaming hackers is like blaming the wind for knocking over a poorly built house. There are two factors that caused the collapse, and you can only control one of them.