PSN Breach Details | TechSNAP 3


We cover the amazing details of the PlayStation Network breach and share some of the most interesting ones in this episode. Following the theme of service outages, Allan and Chris share the things to keep in mind when looking at hosted services.

Plus find out why the US Government is shutting down 137 data-centers, and we wrap up with another Dropbox controversy!


Show Notes:

Topic: PSN Security Breach

  • A new custom firmware allowed users to access the PSN development network
  • The development network accepts fake credit cards and is designed for testing
  • Users with access to this development network managed to pirate paid content
  • Someone then managed to compromise the PSN Developers network some time between April 17th and 19th
  • Developers network had increased privileges, access to content and customer data
  • At first Sony claimed to not know why PSN was down
  • Sony took a number of days to admit that PSN had suffered an intrusion and that it would not be back online anytime soon.
  • Sony waited a week to tell customers their personal data had been exposed, likely hoping to avoid the PR black eye
  • Sony claims the credit card database was encrypted
    • Encrypting credit cards with a single symmetric key only provides limited protection. (The key must be accessible by the application that saves the card data, and so is likely to have been compromised along with the database.)
    • Using asymmetric keys can be an option, where the public key is used to encrypt the card and only the private key can decrypt it, but if used programmatically, the private key must be accessible by the application and therefore may be exposed as well.
    • Another trick is to AES encrypt each customer's credit card with their password. This way the credit card can only be accessed by that customer, and cracking the encryption becomes a much bigger task, especially if the user's password is stored using a cryptographic hash. A side effect of this is that the customer must re-enter their password when they wish to use the stored credit card, but this is actually good form anyway. A downside is that if the credit card is required for subscription billing, it cannot be read for that purpose, because it is encrypted such that the user's password is required to read it.
    • Sony says the CVV numbers were not compromised because they do not collect them, and therefore never stored them. It is against the PCI DSS policy to store the CVV; this is explicitly so that when databases of credit cards are compromised, the CVV is not.
    • Sony says it is physically moving the PSN to a more secure facility. Was this a physical attack or an inside job? Was Sony outsourcing its network security to the data center?
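
The password-derived scheme from the credit card bullets above, as an added example (not part of the original show notes and not Sony's code): each card is sealed with AES-256-GCM under a key derived from the customer's password. The function names, scrypt as the KDF, and the sample card number and passwords are assumptions chosen for illustration.

```javascript
// Added example (not Sony's design): AES-256-GCM under a password-derived key.
const crypto = require("crypto");

// scrypt with a per-record salt. The login verifier must use a different salt
// (or KDF), or the stored password hash would double as the encryption key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Returns only values that are safe to store; neither key nor password is kept.
function sealCard(cardNumber, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(cardNumber, "utf8"), cipher.final()]);
  return { salt: salt.toString("hex"), iv: iv.toString("hex"),
           tag: cipher.getAuthTag().toString("hex"), ct: ct.toString("hex") };
}

// Returns the card number, or null if the password is wrong or the record was altered.
function openCard(record, password) {
  try {
    const key = deriveKey(password, Buffer.from(record.salt, "hex"));
    const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "hex"));
    d.setAuthTag(Buffer.from(record.tag, "hex"));
    return Buffer.concat([d.update(Buffer.from(record.ct, "hex")), d.final()]).toString("utf8");
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample data: a common test card number and made-up passwords.
function demo() {
  const pw = "correct horse battery staple";
  const record = sealCard("4111111111111111", pw);
  const flipped = (record.ct[0] === "0" ? "1" : "0") + record.ct.slice(1);
  return {
    owner: openCard(record, pw),                           // customer re-enters password
    wrongPassword: openCard(record, "hunter2"),            // database thief guessing
    tampered: openCard({ ...record, ct: flipped }, pw),    // modified ciphertext
    freshSalt: sealCard("4111111111111111", pw).ct !== record.ct,
  };
}
```

Because the server keeps no key, `openCard` fails without the password, which is the subscription-billing downside noted above.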

https://www.joystiq.com/2011/04/27/sony-new-ps3-firmware-to-accompany-psn-relaunch-network-being/


Topic: When a cloud provider goes under

https://hardware.slashdot.org/story/11/04/26/1425255/What-Happens-To-Data-When-a-Cloud-Provider-Dies

After the scare with Amazon last week, a number of companies are reconsidering their choice of cloud provider, or of using the cloud at all. This brings to light a number of issues, especially vendor lock-in (how difficult it is to move from one cloud to another), how much trust you put in the cloud provider from an information security perspective, and the availability and continued viability of their business model. Over the last number of months, 4 providers have closed down their clouds, leaving customers with many questions.

  • If you close your account, will your data be securely deleted?
    • Their backups and replication will likely still have copies of your files even if they are “deleted”; this is why your data should be encrypted
    • If your data is encrypted and you hold the private keys, then you can ensure they can’t read it
    • If they hold the keys and say they deleted them, that is better than nothing, but there are no guarantees
  • If the cloud goes under, how can you get your data back?
  • If the cloud goes under, who will get your data in the end? Will it be destroyed safely?

Cloud is not primary storage, but acts as a convenient online archive.


Topic: US government to consolidate its data center operations

https://www.datacenterknowledge.com/archives/2011/04/28/feds-will-shutter-137-data-centers-in-2011/

US government will close 137 data centers this year as it moves to consolidate and take advantage of the cloud. Will we see a bunch of these data centers bought up, or is the age of the small to medium sized data center over?

Government agencies have identified 100 email systems and 950,000 mailboxes to migrate to a cloud computing model as part of Kundra’s ‘Cloud First’ initiative.


Topic: Google releases video from its data centers to promote the security of Google Docs

https://www.datacenterknowledge.com/archives/2011/04/22/video-googles-data-center-security/

  • Google talks about the security at their data centers
  • Google rotates the hard drives from its servers on a regular basis, as well as when sub-optimal performance is detected (indicating failure)
    • This may also have to do with Google’s previous hard drive reliability tests: after a specific age the chance of the drive failing increases, so it is rotated out preemptively
  • Google destroys the drives by deforming the spindles and then shredding the drives
  • Google anonymizes the data and fragments/shards it, as well as keeping multiple replicas. If an individual server were compromised, data would be reasonably secure

Comparison at ScaleEngine:

  • Badge or Escort to enter main gate
  • Badge and Fingerprint Scan to access building
  • Man Trap (Single Occupancy check) and Biometrics to enter datacenter floor
  • Individual Pods require Biometric Authentication (You can only enter PODs that you are authorized for)
  • Physical Locks on each cabinet/rack/cage to ensure security of individual customers
  • Telephone pass codes required for all remote-hands requests
  • Location staffed 24/7/365
  • Chilled water cooling from on-site well with cooling towers, fail-over to city water supply plus regular CRAC cooling
  • N+2 Electrical Generation Redundancy with 1MW locomotive style Generators

Topic: More security problems, Dropbox tries to kill an open source project to protect its security by obscurity

https://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/

Dropbox security problems again. Rather than fixing the problem, Dropbox sends DMCA notices.

  • Using the hash of a file and an external app, you can add a specific non-public file to your Dropbox via the Dropbox de-duplication system (make Dropbox think you uploaded it when you never actually had a copy of the file)
  • A simple brute force attack could net you all kinds of interesting files
  • Security by Obscurity – Dropbox security depends on keeping their client-server protocol secret; this is unbelievably bad practice.
  • Using legal rather than technical means to try to maintain security will always be a losing battle
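
The de-duplication weakness described above, modeled as an added example (a toy in-memory store, not Dropbox's client-server protocol): the hash-only shortcut is shown beside a hardened version that demands proof of possession. `DedupStore`, `proveOwnership`, the account names and the sample file are all hypothetical.

```javascript
// Added example: a toy in-memory dedup store, not Dropbox's protocol.
const crypto = require("crypto");
const sha256 = (b) => crypto.createHash("sha256").update(b).digest("hex");
// Client-side proof: computable only with the actual file bytes.
const proveOwnership = (nonce, bytes) => crypto.createHmac("sha256", nonce).update(bytes).digest();
class DedupStore {
  constructor() { this.blobs = new Map(); this.owners = new Map(); this.pending = new Map(); }
  link(account, h) { this.owners.set(h, (this.owners.get(h) || new Set()).add(account)); }
  canRead(account, h) { return (this.owners.get(h) || new Set()).has(account); }
  // Full upload: the bytes themselves arrive, so possession is not in question.
  upload(account, bytes) {
    const h = sha256(bytes);
    this.blobs.set(h, Buffer.from(bytes));
    this.link(account, h);
    return h;
  }
  // Weak shortcut: knowing the hash is treated as owning the file.
  claimByHash(account, h) {
    if (!this.blobs.has(h)) return false;
    this.link(account, h);
    return true;
  }
  // Hardened shortcut, step 1: issue a fresh single-use nonce.
  challenge(account, h) {
    if (!this.blobs.has(h)) return null;
    const nonce = crypto.randomBytes(32);
    this.pending.set(account + ":" + h, nonce);
    return nonce;
  }
  // Step 2: link only when the client returns HMAC(nonce, file bytes).
  claimWithProof(account, h, proof) {
    const nonce = this.pending.get(account + ":" + h);
    this.pending.delete(account + ":" + h);
    if (!nonce || proof.length !== 32) return false;
    if (!crypto.timingSafeEqual(proof, proveOwnership(nonce, this.blobs.get(h)))) return false;
    this.link(account, h);
    return true;
  }
}
// Constructed scenario: alice uploads; mallory knows only the hash, bob holds a real copy.
function demo() {
  const file = Buffer.from("constructed sample: payroll-2011.xls contents");
  const weak = new DedupStore(), hard = new DedupStore();
  const h = weak.upload("alice", file); hard.upload("alice", file);
  weak.claimByHash("mallory", h);
  hard.claimWithProof("mallory", h, proveOwnership(hard.challenge("mallory", h), Buffer.from(h)));
  hard.claimWithProof("bob", h, proveOwnership(hard.challenge("bob", h), file));
  return { weakMallory: weak.canRead("mallory", h), hardMallory: hard.canRead("mallory", h),
           hardBob: hard.canRead("bob", h) };
}
```

The hardened path keeps the bandwidth saving for clients that really hold the file, and its security does not depend on the protocol staying secret.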
