PSN: The Security Scandal
"One of the biggest security breaches of the internet age."
"If Sony is watching this channel they should know that running an older version of Apache on a Red Hat server with known vulnerabilities is not wise, especially when that server freely reports its version and it's the auth server."
Today's re-emergence of an IRC chat log featuring PlayStation 3 hackers discussing PSN's security failings puts a new, unwelcome perspective on Sony's security crisis. The log, dated 16th February and posted the same day on PS3 hacking sites, should of course be treated with caution: easily forged and easily edited, the provenance of these sources is dodgy at best.
However, the content has been described to me by one informed source intimate with the PlayStation 3 as "looking about right", and it ties in with previously established information on how PS3 talks to the PSN servers. This opens up a whole new can of worms about what is swiftly transforming into one of the biggest security breaches of the internet age.
The inference is simple: PSN vulnerabilities were well-known and being discussed in public months ago, and Sony didn't act soon enough. Bearing in mind the colossal wealth of evidence the platform holder has lifted from PS3 hacking sites and presented during the Geohot legal case, it's clear that ignorance of these claims doesn't hold water. Sony is clearly paying close attention to the hacking "scene" and has been since the original PSJailbreak appeared last summer.
The information Sony has released about the nature of the hack is alarming enough, but there are hints that the story is far from over. Many believed that PSN was down in order to patch a security hole that allowed custom firmware users to exploit developer testing servers into authenticating pirate game and DLC downloads. Unfortunately the truth was far more shocking.
PSN security has been breached server-side and all the information the user entrusts to Sony when signing up to the service has been compromised. Names, addresses, login details, security questions and passwords have been purloined – and while the platform holder isn't 100 per cent sure that credit card details have been stolen, it won't rule out the possibility.
The whole notion that password details have been taken defies belief. There's a reason that most internet sites can't tell you what your own password is and can only reset it – it's because the server itself doesn't actually store it at all. Your chosen password is hashed when it's first transmitted, and only this checksum is stored. When you enter your login, the password is hashed again and compared to what is on the system – if we have a match, you are granted access.
In short, there is no actual need whatsoever for your password to be stored server-side at all. Sony's statement suggests that it was actually storing sensitive information in plain text format, which defies belief. The only other explanation is that hackers only got access to the hashes and may have compromised a small minority of passwords by running this data through something like a dictionary look-up. However, from the tone of Sony's apology this does not appear to be the case.
Updated: In a new message released on May 2, 2011, Sony has confirmed that it did use a cryptographic hash function.
If hackers have access to your name, address and date of birth, that information on its own is more than enough to cause trouble, and the notion that the security questions may have been compromised too only adds to the severity of the damage that can be done. Information of this kind is of immense value to ID fraudsters, but just your name and address can be enough for a skilled fraudster – as I know to my cost.