On Tuesday, Sony officially disclosed a humongous data breach against the Playstation Network or PSN (recently renamed to Qriocity), which allowed external attackers to get their hands on the Personally Identifiable Information (PII) of around 77 million gamers. Worse yet, they may have even stolen their credit card information, too.
If you read security news, or follow me (@SecAdept) on Twitter, you’ll know this incident has been brewing for around a week now. It first started last Wednesday, when PSN went down for all Playstation 3 users. At the time, I’d imagine that most customers assumed the outage was some sort of routine maintenance. However, with Sony recently coming out of a DDoS battle with “Anonymous” over the Geohot Playstation hacking lawsuit, paranoid security professionals like me suspected this outage might be related to more “Anonymous” hijinks. Unfortunately, we have since learned that that wasn’t the case (I wish it was).
Over the next few days, the story continued to slowly unfold, mostly on security and gaming sites. Sony blog posts (some which were later removed) eventually admitted that the issue may be related to an “external intrusion.” However, Sony was not quick to confirm the details, or share what the attackers got. If you are interested in how the story slowly unfolded, PCWorld has a great timeline of the incident. In any case, Sony finally sent an email to all its PSN subscribers Tuesday night, sharing exactly what the bad guys stole — and unfortunately the cretins hit pay dirt.
If you’d like to read Sony’s email in full, check out this forum post, but I’ll quickly highlight what it claims the attackers stole from all PSN subscribers:
- Your name,
- address (city, state, zip),
- email address,
- PSN password and login
- PSN online ID and handle
- purchase history,
- billing address (may be different than normal one),
- security answers,
- and possibly even your credit card information (excluding security code)
Unfortunately, this is a huge repository of valuable information for identity thieves and attackers wishing to target your other online accounts. On the surface, the biggest concern is whether or not attackers gained access to credit card (CC) numbers. Sony is not very clear on this count. They claim they have no evidence to suggest so. However, they immediately backpedal, saying they cannot rule out the possibility. A more recent Sony Blog update has at least shared that the CC date was encrypted, and that they didn’t store any security code info for CCs. Well, at least that’s semi-good news.
So what’s a PSN subscriber to do?
Being one myself, I immediately asked myself that very question. Here’s what I’ve come up with:
- Do you follow best password handling practices? If not, change your passwords. One well known, but often ignored, password security practice is that you should NOT use the same password everywhere. Unfortunately, many people, including security professionals, don’t follow this practice. If you are one of those people, the first thing you need to do is go to all the important sites you visit and change your password. If someone has your email address and a password, that will get them into many popular sites you may frequent.
- Cancel/change your credit card. This one really sucks. It can be a pain to get new credit cards, mostly when you don’t know for sure whether it is entirely necessary. Unfortunately, I have to lean towards being safe and not sorry. If you shared your CC with PSN (it’s possible you may not have), you should probably get new cards. Granted, Sony does say the CC data was encrypted. So ultimately, it is up to you if you want to take the chance.
- Watch your credit information. There’s really nothing you can do about that fact that a lot of your PII data is out there. This is the same data bad guys use to setup fraudulent accounts in your name. Luckily, attackers didn’t get one crucial (at least in the US) piece of data; your social security number. Without this, they probably can’t setup financial accounts in your name. Nonetheless, you should still monitor your credit via your country’s credit agencies. You may even considering submitting a fraud alert or credit freeze, which will make it harder for attackers to create new accounts in your name.
- Remain vigilant for follow-up attacks. Since the attackers didn’t get Social Security numbers, they don’t have all they need to totally steal your identity. However, they often follow up these sorts of attacks with other attacks (email phishing), trying to gather any additional info they need. Furthermore, they can often leverage the information they’ve already stolen to help trick you into trusting them. So remain vigilant against phishing and social engineering attacks, asking you for private info.
The last question that I’m sure is one everyone’s mind, is how did Sony actually get hacked. The short answer is, we don’t know yet. Sony’s not sharing. There has been a number of rumors, though:
- Geohot did it. This is the guy that hacked the Playstation 3’s DRM and copy protection. Sony sued him for it, and he settled the case (saying he’d leave Sony stuff alone). This guy’s smart enough to breach networks, but I’m pretty sure he didn’t go after PSN, mostly after settling with Sony. So I doubt this is the case.
- “Anonymous” did it. Anonymous is that random group of hackers that went after HBGary. They also sided with Geohot during the PS3 hacking case, and likely launched DDoS attacks against Sony in early April. However, they claim they had nothing to do with this breach. I tend to believe it as Anonymous tends to stick more with headline grabbing stunts, than these highly illegal, malicious breaches. That said, some solo-Anonymous hackers may have acted alone.
- The attack is the result of a custom PS3 firmware (called Rebirth). When Geohot hacked the PS3 DRM, he made it possible for homebrew coders (and pirates) to load their own modified firmware onto the PS3. These modification could allow playstation users to do all sorts of cool things that Sony didn’t originally intend the PS3 to do. However, some of the latest custom firmwares coming out of the PS3 “scene” included modifications that would allow hacked PS3 to regain access to PSN, or worse, the PSN developer network. One of those firmwares was called Rebirth. Due to the timing of Rebirth’s release, and some of it’s features, some people suspect it has something to do with how the PSN attackers were able to breach Sony’s PSN network. In fact, it seems very likely that the modified firmware was at least used to fraudulently download PSN games without valid CCs. Of the rumors presented, this one seems most possible to me. That said, the creators of Rebirth have claimed they weren’t responsible either. However, they admit users have found interesting ways to use their firmware.
Besides those rumors, other experts have shared their own guesses about how this breach might have happened. For instance, one mentioned that it could have been a spear-phishing email, that got malware on an administrator’s computer. That guess is as good as any. After all, that’s basically how the Aurora attackers got into Google — it’s certainly possible. Yet, it’s still just a guess. Until Sony, or someone else, shares the real story, all we can do is wonder.
Not knowing exactly how the breach happened makes it harder to give you a specific defense that can help prevent this from happening to you, but that’s where good ‘ole “Best Practices” come in (something we also learned during the HBGary incident). Two things come to mind for me:
- Defense-in-Depth. Security guys hear this so often that it stops feeling relevant. It still is. It’s simple math. The more defensive layers you build up — things like Firewalls, IPS, AV, application control, cloud reputation, etc. — the better statistical chance you have of detecting and blocking an attack. That is why WatchGuard created our XTM appliance. We want to make it as easy as possible to incorporate as many defenses as possible, in one easy to manage appliance, and to have a platform that allows you to evolve your defenses in the future. That said, when most people think “Defense-in-Depth,” they only think about the hard, preventive technology measures, such as the ones I’ve mentioned above. They don’t think as much about the softer security measures, such as visibility tools that may also help you recognize unusual incidents, like security breaches. When you are building your layers of defense, don’t forget to include products that offer visibility tools as well (we have great visibility tools, and plan to make them even better).
- Focus your perimeter on your data center! One of my predictions for this year was that your perimeter will not go away. It will just shrink, harden, and focus on your data center. The huge increase in mobile workforce and technologies, has caused the security industry to largely focus on mobile security technologies — for good reason. However, just because you need mobile defenses, doesn’t mean you can tear down the walls around your castle. Instead, the huge increase in big data breaches, like this PSN incident, has shown that we need strong, evolving perimeter defenses around our data centers, today more than ever. Your perimeter shouldn’t only protect your data center from the world, but also from your own workforce. Based on what Sony’s doing to improve their PSN security, it sounds like they now agree with my prediction.
This PSN data breach will surely have resounding affects on network security for years to come. I wouldn’t be surprised to see it cause PCI changes, trigger politicians to suggest new laws, and result in new business regulations. I will continue to follow the story and post any interesting new details I find. — Corey Nachreiner, CISSP. (@SecAdept)