Originally posted by
LordKat.com
If you've been following me or my live stream at all then you know I've been picking on, and even laughing at, Sony for its recent breach of the Playstation Network and the fact that data for 77 million registered users was accessed for a period of three days between April 17 through April 19; but, why am I placing the blame solely on the shoulders of Sony and not on the perpetrators of the attack? Well, it comes down to one simple reason: network security is your own damn problem.
There are two things from this utter catastrophe that are becoming apparent: the Sony Playstation Network was not designed with basic security principles in mind, and Sony never took preventative measures to mitigate damage should their network become compromised.
According to statements made by Sony, the Playstation Network infrastructure is being rebuilt from the ground up to better guard against attacks. Most networks, if they're built correctly, do not need to be completely rebuilt in the event of an "external intrusion" - what needs to happen, more often than not, is a change in human procedure (see also the TJ Maxx intrusion, which was more social engineering). When a secure-access network has to be rebuilt from the ground up it indicates a fatal, systemic flaw that originated from a bad initial design.
Yes, Playstation users, you're learning a hard lesson here: the PSN was badly designed from Day 1.
Of course, more blame is placed on the shoulders of Sony here because it's obvious they took absolutely no preventative measures to mitigate damage should the network become compromised. In this case, I'm assuming they allowed several things to happen:
Have all user data located in one, accessible, database
Not limit database transactions from a single source
No pattern matching to DB queries
No alarms based on suspicious DB activities
There was no distribution of this network - the Playstation Network is a very centralized network with a central point of control and (as we're going to find out in the coming days) a central point of failure. If this was a more distributed network - localized to different regions - the damages could have been significantly mitigated. There are several ways of accomplishing this:
First, you distribute user data across regions with no one central server. While this is no guarantee of your network not getting compromised, if it is the damage done is localized and containable, which protects the rest of the userbase.
Second, separating the database between users who use pre-paid cards and users with a credit card on file would have given Sony the opportunity to further secure the users with credit card information on file. This split in user data allows you to more tightly control internal network credentials by giving only highly trusted network engineers local access to the credit-card database information. Discreet access is a key element to network security when multiple humans are involved.
Finally, under no circumstance should user passwords be stored in plain-text or unsalted hash tables. Ever. User passwords should never be compromised because they can be easily read or compared to a rainbow table. Hell, even my simple Drupal installation uses salted hashes for storing passwords, making dictionary and rainbow table attacks more difficult.
How do I know any of this is the case? Well, in truth, I don't. All of this is conjecture based on the press releases from Sony. In the case of passwords, Sony has stated that user information - including passwords - was compromised. I have taken this to mean that Sony has either stored passwords in an insecure hash table, or simply in plain-text. Had Sony stated something to the effect of "it is possible, though unlikely, that passwords have been compromised" then that would indicate to me that their internal security policy included salted hashes (or at least hashes - this company is FAR too arrogant, in my opinion, and in all likelihood determined that their network was so secure that further securing an often-used database was too much of a performance problem).
Remember, it's PR - they exist for self promotion and damage control, and if they could have included key phrases like "possible but unlikely" they would have.
While I agree that the attackers responsible for this should be held accountable, Sony really needs its feet held to the fire on this one: poor database protection, poor access procedures, no discreet data access, and plain-text/unsalted passwords are very exploitable, amateur mistakes for a multi-national, multi-billion dollar company to make.
Also, keep in mind that this is a Day 1 failure, which means that these problems have been present for years now - how can anyone be sure their data hasn't been accessed for these past few years? Until more information comes to light about how the attack was executed (it wont, it's Sony), you cannot trust that your information on the Playstation Network has ever been secure.
Then again, if you're a proper security nut, you don't trust that your data is safe anywhere
