Cathode Tan - Games, Media and Geek Stuff
logo design by man bytes blog

Friday, April 29, 2011

More on the PSN Fail

I really don't want to keep blogging about this, I would think the message should be pretty clear: change your passwords and watch your accounts. However I'm almost mystified by the two extreme reactions on the net right now. The first is just pure impatience that PSN is down ... which is totally understandable, I've got some Portal 2 Coop to play after all ... but really seems to be missing the proportions of the breach in general. This thing was huge, and I can't imagine what all is going on over at Sony right now ... but I'm sure some engineers aren't getting much sleep in the process.

Then we have this:

Meanwhile, the New York Times reports -- citing security researchers -- that discussions on forums have popped up from hackers claiming they snagged credit card numbers from PSN users.

An excerpt from the article:

"Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company."

The New York Times also says they could not prove this list exists. On Thursday, Sony revealed credit card data was encrypted and there was no evidence that numbers had been swiped.
-- PlayStation Network roundup: Impact on Sony, compensation, more

So here's what happened. Some guys on IRC were talking about the hack, and they talking about rumors that the DB was up for sale. On his twitter account, security research Kevin Stevens mentioned the chatter - which somehow media sources took as a recipe that the whole thing was probably on like Donkey Kong and start reporting that millions of credit card numbers are now up for sale, and that Sony turned down an offer to buy them back.

Woah. Let's slow the fsck down. The IRC log isn't even from anyone claiming to have seen the database, just people talking about rumors they've heard. They certainly seem familiar with the details, the security implications, etc. - but it's not like these are the actual hackers talking about how they can cash in data or anything. It's actually a pretty fascinating conversation, especially one key bit I'll get to in a bit, but it's no smoking gun. And that Kevin Stevens tweeted about it doesn't mean that Kevin Stevens is commenting on the authenticity of the rumors. It's all hearsay. But media outlets are now treating Stevens as if he intended to add credibility to the claims, which he makes clear in a later tweet that he wasn't. It was, as he puts it, "seeing a post on a forum and tweeting about it." It's one thing to tweet about it - but if you're a major news source and you are putting in a bit which ends with "we have no proof about any of this" ... maybe don't put it in at all.

Probably the biggest problem with the rumor is that there is a claim that the CVVN (CVV? CV2 - fsck, I can never remember) is part of the data. That's the number on the back of the card which which you enter with phone and online purchases these days. It was huge push back several years ago to help prove that you were in fact holding the card you said you were using and most online retailers use it now.

And for that reason, it should never be stored anywhere after the purchase is complete. It completely destroys the reason for its existence. So I'm willing to believe Sony wasn't storing them, and I don't recall ever giving it to Sony in the first place. So unless there was another massive breach somewhere, I don't see how that could be up for sale.

Unless, of course, the whole thing is fake and there's just a bunch of people trying to con a phony database on to people. Which is probably the most likely scenario, and the New York Times and USA Today just gave them free advertising. Bang up job, there, real journalists.

So database up for sale? I call shenanigans on that one.

However, there's one bit from this whole sordid tale which still has me on edge. In their first Q&A, Sony revealed that the personal data was unencrypted. Which, OK, obviously I wish it was encrypted but I can imagine a lot of companies don't encrypt information like billing address, first name, etc.

But my password?

My fscking password?

Please, someone from Sony, please, clarify this bit and tell us that the current PR blitz wasn't specific. Because when I first read that the passwords were certainly breached, I did - as should anyone - assume that meant that a hacker would eventually be able to read them.

But to think that my username and password were both sitting in a datatable within Sony's network with only "a very sophisticated security system" between it and prying eyes ... I ... I.

OK, look, I'm not a security expert. I did a stint as a Data Security Analyst for a major insurance company many, many, many years ago. I've got friends in the hacker community which I don't really keep in touch with that much. And yet, data security 101 will tell you never to store passwords unencrypted at any time. It's just too sensitive. The only person on this planet who should be able to see their own password is the user. It's just a fundamental concept of data security. That password is the key piece of evidence that you are you. If anyone can read it? Then anyone can be you. Everything you do after that is simply a fail. You have lost the game.

I called PlayStation support to clarify. They could not (not too surprising, and I don't envy their job right now so I didn't hassle them on it). Sony's blog hasn't clarified. Then I read this in the log from Kevin's tweet:

[21:54:45] I doubt sony stored passwords in plaintext on the server
[21:55:04] kkk: they either did that or they hash em cause they are sent plaintext
[21:55:49] kkk: unsalted hashes wouldn't be too far from plaintext anyway :D
-- #ps3dev log

So a hashed string is essentially an encrypted string. "Unsalted" means that the encryption has no additional randomization to it, and these days hackers can use something called a rainbow table to unencrypt it. Salting adds randomization, which makes rainbow tables time/cost prohibitive to use.

But you know what? I'd at least like confirmation that Sony encrypted the damn things in any way. I'd prefer it to be a decent enough way that the hackers would at least have to break a sweat to get it. I don't need, or even want, to know the exact methods Sony used to encrypt my password.

I'd just like to know they bothered to do so. It doesn't mean I can ignore the fact that they're out there in the wild.

But at least I could assume Sony's data security wasn't being run like this.

Have a good weekend, people.

1 comment:

David said...

I'm not equating the two, but I know for a fact that Virgin Mobile in Australia displays username, password, both security questions, and their answers on the screen store employees use to look up customers. (They did it for me when I was a customer, and I looked at my own account information once to verify something. Shocking!) No masking or anything. If Virgin Mobile can do it, there's no reason to believe that Sony didn't.