Information Security Blog

Sony PlayStation Exploit and Application Security Audit Advice

The Sony PlayStation Network Exploit

Just days after Sony relaunched its PlayStation Network, it was shut back down due to an exploit. While the previous exploits highlighted deficiencies in the operation of Sony’s Information Security Management System (e.g., failure to adequately leverage application penetration tests, network penetration tests, etc.), this issue demonstrates a deficiency in the design of the process itself. Wanting to understand what Sony should have done, I sat down with Marc Silverman, Sr. Security Consultant at Pivot Point Security, to get his thoughts on the subject.

This is what Marc had to say.

This isn’t really a hack, per se, but a weakness in the password reset system that Sony was relying on. Sony UK indicates that the following information was exposed:

  • Name
  • Shipping address
  • Billing address
  • Country
  • E-mail address
  • Birthdate
  • PSN/Qriocity ID
  • PSN/Qriocity password
  • PSN/Qriocity security question and answer
  • Purchase history

The issue this time is that no one stopped for a moment to consider that the elements that are relied upon to reset a password (e-mail & Birthday) were among the elements that were stolen.

The net result is that a hacker could reset your PSN account password, locking you out of your own account.
There really isn’t much for the end user to do other than wait for Sony to develop a proper method of authenticating account holders.

PSN Authentication Advice


  • Using an element that wasn’t compromised (e.g. part of the most recent CC #) – This would depend on Sony having some customer data that was not compromised. This would be the lowest-impact solution, but it requires Sony to be absolutely sure that the new element was not compromised, or run the risk of users losing all faith in the PSN network.
  • Proactive re-authentication (e.g. Sending a scratch-off code to the shipping address of each customer) – Assuming that the shipping address was not tampered with, this has the highest degree of assurance as it is not susceptible to sniffing (unlike sending an e-mail with a new code via e-mail) or forgery (unlike sending a new code to Sony from an account holder’s e-mail address). While this solution would likely cost more than the first, there’s going to be some portion of the PSN users who may have had stale PSN shipping addresses, forcing another form of authentication.
  • Collateral re-authentication (e.g. Requiring a new CC for the account) – Assuming that most hackers would be unwilling to provide valid CC data, Sony could require all users to provide a new CC (effectively signing up as a new account), and provide them an option to identify their old account. While this is the most beneficial to Sony, consumers may not be thrilled with providing a new CC, not to mention the logistics involved in migrating old account details to the new one (licenses, achievements, friend lists, etc.).

It will be interesting seeing how Sony resolves this. – Marc
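
Two of Marc’s points lend themselves to a concrete check: that a reset flow is only as strong as the verification factors the attacker does not already hold, and that a code mailed to the shipping address should be single-use and time-limited so it cannot be replayed if sniffed or photographed. The following is an added example written for this post; it is not Sony’s code and not Pivot Point Security’s. The attribute names, the 30-day validity window, the five-attempt limit and the sample account IDs are constructed assumptions.

```python
"""Breach-aware password-reset checks and a single-use out-of-band reset code.

Added example (not Sony's or Pivot Point Security's code). The attribute
names, the validity window, the attempt limit and the account IDs are
constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# The data elements Sony UK reported as exposed, as listed in the post
# (the attribute names themselves are constructed here).
EXPOSED_BY_BREACH = {
    "name", "shipping_address", "billing_address", "country", "email",
    "birthdate", "psn_id", "password", "security_question", "purchase_history",
}


def reset_flow_is_safe(verification_factors, exposed=EXPOSED_BY_BREACH):
    """Decide whether a reset flow still proves identity after a breach.

    Returns (safe, compromised): `safe` is True only if at least one factor
    lies outside the exposed set; `compromised` lists the factors the breach
    already handed to an attacker.
    """
    factors = set(verification_factors)
    compromised = sorted(factors & set(exposed))
    return bool(factors - set(exposed)), compromised


# Out-of-band code mailed to the shipping address (Marc's second option).
CODE_VALIDITY_SECONDS = 30 * 24 * 3600   # assumption: 30 days for postal delivery
MAX_ATTEMPTS = 5                         # assumption: lock the code after 5 wrong tries


@dataclass
class MailedCode:
    account_id: str
    code_hash: str      # only a hash is stored; a later DB leak yields no usable codes
    expires_at: float
    used: bool = False
    attempts: int = 0


def _hash_code(account_id, code):
    # Bind the hash to the account so a code from one mailer cannot be used
    # against another account. Codes carry 48 bits of entropy, so a single
    # SHA-256 is adequate here (a password-style KDF is not needed).
    return hashlib.sha256(f"{account_id}:{code}".encode()).hexdigest()


def issue_mailed_code(account_id, now=None):
    """Create a fresh single-use code to print on a mailer.

    Returns (code, record): the plaintext code goes to the printer only;
    the record is what the database keeps.
    """
    now = time.time() if now is None else now
    # Groups like 1A2B-3C4D-5E6F are easy to type from a scratch-off card.
    code = "-".join(secrets.token_hex(2).upper() for _ in range(3))
    record = MailedCode(account_id=account_id,
                        code_hash=_hash_code(account_id, code),
                        expires_at=now + CODE_VALIDITY_SECONDS)
    return code, record


def redeem_mailed_code(record, account_id, submitted_code, now=None):
    """Check a submitted code; True exactly once, and only before expiry."""
    now = time.time() if now is None else now
    if record.used or record.attempts >= MAX_ATTEMPTS or now > record.expires_at:
        return False
    if record.account_id != account_id:
        return False
    record.attempts += 1
    candidate = _hash_code(account_id, submitted_code.strip().upper())
    if not hmac.compare_digest(record.code_hash, candidate):
        return False
    record.used = True   # single use: a sniffed or copied code is worthless afterwards
    return True


if __name__ == "__main__":
    # The flow Sony relied on, judged against the breached data.
    print(reset_flow_is_safe(["email", "birthdate"]))      # (False, ['birthdate', 'email'])
    # The same flow strengthened with a mailed code.
    print(reset_flow_is_safe(["email", "mailed_code"]))     # (True, ['email'])
    code, rec = issue_mailed_code("acct-demo")
    print(redeem_mailed_code(rec, "acct-demo", code))        # True
    print(redeem_mailed_code(rec, "acct-demo", code))        # False (already used)
```

The first function is the design review Marc says nobody performed: it fails any flow whose every factor is in the breach inventory, which is exactly the e-mail-plus-birthday case. The second part shows why the mailed code holds up where e-mail delivery does not: the server keeps only an account-bound hash, compares it in constant time, expires it, caps guesses, and burns it on first use.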

Like Marc, I am interested to see where this goes. As a Sony PlayStation Network user myself, I hope that this is the end of the issue. However, as a person who works for a company that performs application security audits on a regular basis, I am not sure if I count this as the end.

Scott

Learn Real Ways To Improve Application Security

Leveraging OWASP

John Verry, Principal Security Consultant at Pivot Point Security, takes you through a best practices look at application security testing. Specifically you’ll learn:

  • Complex Problems require Simple Solutions
  • Leveraging OWASP can simplify the app security process
  • Cost-saving and time-reducing strategies

About the Author:

Marketing at Pivot Point Security