Risk
5/16/2011
11:20 AM
50%
50%

Sony Strengthens Security, Restores Some PlayStation Services

Online services get stronger encryption, more firewalls, and an early detection system to try to prevent future attacks; users are required to update gaming console's firmware and password before going online.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Sony has restored many of the services that it took offline in April after one or more attacks compromised PlayStation Network (PSN), Sony Online Entertainment (SOE), and other Sony websites, resulting in the exposure of more than 100 million user accounts.

On Saturday, Kazuo Hirai, who heads Sony's consumer products and services group, said in a video blog that while services are still being restored in phases, most users around the world will now have access to PSN, Qriocity, online multiplayer games, and third-party services such as Netflix and Hulu. The full restoration is scheduled to be completed by the end of the month.

Hirai said that PSN and other services have remained offline while Sony bolstered their security features. "Our upgraded system includes components such as advanced security technology, increased levels of encryption, additional firewalls, and a new early warning detection system for any unusual activity that could signal an attack on the network," he said.

Security-wise, Sony also released new firmware (version 3.61) which will be mandatory for using a PlayStation 3 (PS3) to go online. The firmware also requires all PS3 users to change their passwords before they can use the machine to go online. The password can only be changed from a user's own PS3, or from the PS3 on which a PSN account was first activated. First-time users can create a password by using their registered email address.

But on Sunday, Sony was having difficulty keeping up with the large number of resulting password-reset requests. Patrick Seybold, Sony's senior director of corporate communications and social media, said in a blog post that "we're currently experiencing an extremely heavy load of password resets, and so we recently had to turn off services for approximately 30 minutes to clear the queue." Going forward, he said that password reset requests might not be immediately fulfilled.

Sony is also offering free identity theft insurance in countries where such programs exist. But it's unknown whether the company will release police reports related to the intrusions. That would allow affected consumers in the United States to create a free credit freeze to further protect against identity theft.

As PS3 users regain access to online Sony services, another question remains: How was Sony breached? To date the company hasn't provided a full explanation of how attackers broke into its systems.

On Friday, Chris Lytle, a security researcher at Veracode, said in a blog post that Sony's fullest explanation of the attacks--in a letter to Congress--"seems like a roundabout way of saying that there was a SQL injection issue in one of PSN's applications or that the database server could have been publicly accessible and exploitable from there." Of course, that still doesn't include much detail.

But Lytle says that based on what's known, it's likely that Sony's site was compromised using one of four techniques: physically attacking a Sony server; via an insider attack possibly related to Sony laying off 205 SOE employees on March 31; using a PS3 with developer credentials to hack into PSN; or via an unpatched server.

In terms of using a PS3 against PSN, "in one attack modders found it was possible to force a PS3 to connect to the [production/quality assurance] instance of PSN," said Lytle. "On this particular instance, the servers would not authenticate credit card information before adding credit to the account, so attackers could simply add unlimited credit for the PSN store. Much of this information was publicly available before the breach happened."

But hacking Sony via an unpatched server seems the most likely explanation. For starters, it's bolstered by a supposed pre-attack chat log that says PSN was using unpatched versions of Apache and Linux. "It is a solid bet that if those packages were outdated, the rest of the server hadn't been patched in the last five years either," said Lytle. On the other hand, "Google's Web cache shows that Sony's servers were up to date, so this whole theory may be bunk."

But Bloomberg on Friday quoted an unnamed source who said that "hackers using an alias signed up to rent a server through Amazon's EC2 service and launched the attack from there." If that's true, it strongly suggests that attackers found unpatched server software on the Sony site and used known vulnerabilities to gain entry to Sony's systems.

In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.