Sony’s PlayStation Network was breached between April 17 and April 19 and was taken offline by Sony on April 20. At the time of this writing, the service is still not available and it might not be available until the end of May. Much speculation has ensued on what has actually happened and the information released by Sony does not always match up with what is published elsewhere in print or on the Internet. What is clear is that more than 70 million user records have been stolen.
According to Sony’s notification sent to users, including yours truly, these records contained ‘name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID’ and possibly ‘profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers’. Finally there is a chance that ‘credit card number (excluding security code) and expiration date’ were also obtained. Some third-party sources claim that, in reality, even more information has been stolen. Alas, this is not the focus of this post and the details will surely emerge in time.
What I’m really interested in is how the breach happened and what security measures Sony had in place prior to the breach. There are two major documents available from Sony that share some technical details. First, there is a slide deck that shows the major network components attacked, including the security infrastructure that was circumvented (below).
While there is no information available on what kind of firewalls (WAF, general purpose network firewall, etc.) were used, what this slide clearly shows is that the attackers were able to completely bypass all of the firewalls, and then directly attack the database server.
Second, there is a letter to the House of Representatives which has some interesting details. The following are what’s sticking out to me:
· ‘Detection was difficult because the criminal hackers exploited a system software vulnerability.’ Really? This is what hackers do, they don’t stop by the doorman and leave a copy of their driver’s license. Instead, they climb through the broken window. Furthermore, it appears that Sony may have been running older, unpatched versions of Apache.
· ‘Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network’. Hiding their tracks has become a cornerstone of experienced hackers and relying on application–especially database–log files for forensic analysis is unfortunately not sufficient anymore. Good third-party activity monitoring tools are harder to disable unnoticed and do a better job in protecting forensic auditing data while providing more detail, and of course can alert security personnel of an ongoing attack.
· ‘We are reluctant to make full details publicly available because […] the information could be used to exploit vulnerabilities in systems other than Sony’s that have similar architecture’. Now this is striking a huge pet peeve of mine. Hackers frequently share information on underground networks. So, withholding this information does nothing to prevent other hackers from repeating the attacks somewhere else. Releasing it would help other organizations with similar architectures prevent similar attacks, or to help identify those that are already under attack.
· ‘The naming of a new Chief Information Security Office (CISO) directly reporting to the Chief Information Officer’. This is just too common, and a big conflict-of-interest problem. To me, it signals business as usual and no real change in corporate policy with regard to security. In many cases, the CIO will make profitability and performance a higher priority than security. The only way for a CISO to really stand up to the CIO is by having him/her report directly to the CEO or the board.
While this was a very specific attack on PSN, the methods used are pretty common when looking at database breaches. Circumvent the web application and perimeter network protection, install a communication tool inside the network and then attack where the data resides: in the database server. Current perimeter and web application protection is not able to prevent these kinds of attacks, which shows once again that organizations need to add a focus on database security.
Accepted best practices for this include database vulnerability assessment, staying up to date with the latest patches, secure database configuration management, secure user rights configurations with good separation of duties, and finally, database activity monitoring for both attacks, as well as fine grained audit trails.
I’m not sure how many more breaches it will take to convince organizations that perimeter security simply isn’t keeping hackers out, but you can bet this won’t be the last big one that we hear about in 2011.
Alex Rothacker is the director of security research at AppSec’s TeamSHATTER research team.