Lately I have been interviewed by a few newspaper-type organizations in relation to the PlayStation attacks. This is because back in February I commented on IRC (a chat network) that Sony needed to fix their servers, because they were running known vulnerable software and advertising the versions of that software and its modules to the world. I specifically addressed those comments to Sony, knowing that Sony was monitoring at the time. Investigators from the law firm Sony hired to go after George Hotz and Fail 0verflow were seen in there, as well as Sony employees.
Sony has claimed publicly, in the press conference they held about PSN, that the attacker exploited a “web server” and used a “known vulnerability but it was not known to Sony management”. This is essentially what I warned about months ago. Before I go too deeply into this I want to clear a few things up. I use the term “hacker” in the 1960s and 1970s sense: someone who learns how things work and modifies existing things to work the way they want. The media definition, which started its rise in the 1980s, is what I refer to as a “cracker” or “attacker”. This is a totally different group of people. A hacker, as I use the term, does not break into other people's computers and does not attempt to steal information, as happened in the PSN and SOE attacks.
The PS3 development people that I associate with fit the classical definition of hacker. Their goal is not to cheat at games or pirate software; in fact we have a no-piracy rule for discussions on IRC: violators are ejected and repeat violators are banned. This includes incidental or veiled piracy such as backup managers. It is not tolerated, it is not welcome and it is not the topic of discussion. Their goal is to better understand the system, to be able to install software that they wrote (homebrew) and to reinstall OtherOS/Linux.
Who owns your PS3?
Sony maintains that they do. The cases against George Hotz and Fail 0verflow, and more recently Graf Chokolo, are over whether or not you, as the person who paid for and possesses the PS3, have the right to write software for the PS3 without Sony’s permission. I contend that since you paid for it you own it. Sony’s actions are like an auto maker sending a remote kill switch to disable your vehicle and then filing a lawsuit against you because the fuzzy dice hanging from your mirror are not authorized.
When I originally purchased my PS3 it had two main advertised features: the ability to run Linux and the ability to play games online via PSN. Sony arbitrarily and unilaterally decided that I had to make a choice; I could either play games online or I could run Linux, but I could not do both. This deprives me of a feature that I had paid for. I did not get a refund for half of the system being removed. I had no ability to contest this change.
Graf was working to put Linux back on the PS3. Linux does not enable piracy, it does not enable cheating in games, it merely lets you use your PS3 as a computer. Due to the processing power of the Cell processor for some tasks that can be an attractive idea. So attractive that the US Air Force has thousands of PS3 systems that run Linux for the sole purpose of it being cheaper for the same computing power than a more conventional approach.
Sony has rewarded Graf with two home visits, taking all of his computer equipment each time. He was working on borrowed equipment because he cannot afford to replace it every time Sony knocks on his door. Now he has a legal battle, all because he was trying to restore a feature that Sony removed. To make matters worse, Graf is in Germany, and there are EU trade laws that prohibit companies like Sony from advertising a feature and then disabling that feature once they have your money. The court process has already begun there, although given the hoops you have to go through it looks like it will take some time to complete.
By going after people who are not committing piracy, who are not doing anything to any computer other than the PS3 in their own home, Sony is claiming that they own the PS3 and can dictate what you are and are not allowed to do on it. This is insane; furthermore, they have no right to make such a claim.
Onto the Attack
I have no first-hand information on the attacks themselves. I was not involved in the attacks, and I do not know who was. I do have what Sony has publicly said and some other information that I have seen, such as web server logs from Sony’s systems that they left public for months. Based on this limited information, which I admit is not a full picture since there are log files I did not have access to, I can make some guesses about what happened and who might or might not have been involved.
According to web logs that Sony had been leaking for months prior to the attack, someone using a US Department of Defense IP address from the 188.8.131.52/8 netblock had probed Sony’s systems for two weeks before the intruders gained access. The probes appear to have been made with a program called ‘whisker’. Whisker checks web servers for vulnerabilities, and it can only check for known vulnerabilities, since someone has to know about a vulnerability to add it to the list of things the tool checks for. Remember that Sony admitted that a web server and a known vulnerability were the attack vector.
Had Sony used an intrusion detection system prior to the attack, they would have been alerted that someone was probing their network for 6 weeks prior to the successful intrusion. They could have responded by upgrading their systems to mitigate against such an attack. Since the probes came from a US DoD address, they could also have gotten help identifying and stopping the attackers. Two weeks of logs is quite a bit, and those logs are still floating around in various places if you know where to look, although Sony did finally remove them from public view.
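The pattern described above, one source address noisily requesting many distinct paths over a period of weeks and mostly getting errors back, is exactly what a simple log-monitoring rule can surface. The following Python is an added example written for this post, not code from the author or from Sony; it parses constructed Apache-style access-log lines (RFC 5737 addresses, made-up paths) and flags any source that requests many distinct paths with mostly 4xx responses, reporting how many days the activity spanned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format (not Sony's logs): RFC 5737 addresses,
# illustrative paths. 198.51.100.7 probes many distinct paths over two weeks, mostly 4xx.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2011:10:00:05 +0000] "GET /cgi-bin/probe-a HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [01/Apr/2011:10:00:06 +0000] "GET /cgi-bin/probe-b HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [03/Apr/2011:02:14:09 +0000] "HEAD /admin/ HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [03/Apr/2011:02:14:10 +0000] "GET /manual/ HTTP/1.0" 403 199 "-" "-"
198.51.100.7 - - [14/Apr/2011:11:30:00 +0000] "GET /cgi-bin/probe-d HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [14/Apr/2011:11:31:00 +0000] "GET /store/item?id=7 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2011:11:31:05 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path-without-query, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?")[0], int(m.group("status"))

def find_scanners(log_text, min_paths=4, min_error_ratio=0.6):
    """Flag source IPs that look like a vulnerability scanner (many distinct paths, mostly
    4xx answers). Returns {ip: summary} including how many calendar days the activity spanned."""
    per_ip = defaultdict(lambda: {"paths": set(), "n": 0, "err": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip unparsable lines rather than abort the whole run
        ip, ts, path, status = rec
        s = per_ip[ip]
        s["paths"].add(path); s["n"] += 1
        s["err"] += int(400 <= status < 500)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["err"] / s["n"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            flagged[ip] = {"requests": s["n"], "distinct_paths": len(s["paths"]),
                           "error_ratio": round(ratio, 2),
                           "days_active": (s["last"] - s["first"]).days + 1}
    return flagged
```

Run against a real access log, the thresholds would need tuning per site, but a single address hitting dozens of distinct paths with a high error ratio for days is the kind of signal an IDS or even a cron job over the logs would have raised well before the intrusion.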
I find it suspicious that the probes from the US DoD IP halted 2 days before Sony acknowledged the attack. It would seem strange to me that someone coincidentally was probing the Sony network and stopped right when another unknown and unrelated person manages to gain access. I believe for that reason that the probes and the intrusion are the same series of events by the same individual or small group of people.
Since only one IP was used for the attack, I do not believe that it was a large unorganized group such as Anonymous, simply because you would see more than one IP doing the probing, duplication of the probes, and so on. Anonymous has no organizational infrastructure. In short, someone will post in a public place (think graffiti on a wall) that they think some entity (usually a corporation) did something they disagree with. Others who feel similarly will take action against that same corporation, but there is no leader and there is no organizer. The people posting suggestions for courses of action usually do not know who else is going to participate or even who else affiliates themselves with Anonymous. The result is that if Anonymous had said “hack Sony” you would see many people trying different things from different IPs all over the globe. While it appears that Anonymous did carry out a DDoS attack against Sony, that in no way grants access to view database records, obtain customer information or probe the network for weaknesses; it is closer to protestors locking arms at the entrance to a building and denying entry, something we have seen many times over the last few decades, most recently by the unions in Michigan. The use of the US DoD machine predates the Anonymous DDoS as well, making it less likely that they are involved.
The use of a program like whisker eliminates a country like China as well. The Chinese attack against Google was much more sophisticated and better cloaked. Whisker generates a lot of log entries that make it easy to identify; it is by no means a stealthy attack. Whoever used this program likely did not have much skill; they just downloaded a program written by someone else and barely, if at all, understood how it works. The volume of logs generated and the lack of discreet attempts to identify more probable attack vectors indicate a level of skill that is not very high. I have seen many attacks in my 20 years of working in the computer security field, and some are just downright sneaky. The network probes, the mapping of servers, the identification of individual machines in clusters, etc. are all things that do not appear to have been done in a meaningful way. This makes me think that it was someone who was less versed in penetration testing and more versed in downloading and installing applications written by others, or, as some would call them, a “script kiddie”. They just got lucky that Sony was so incompetent in security matters that they were not noticed.
The attack probes that I saw did not show any knowledge of the PSN design itself; rather, they were generic web server attacks that had nothing to do with PSN specifically, other than that they targeted the systems PSN operated on. PSN is a web-based application similar to GMail or Hulu: you get content via information requests to a web server. The probes did not appear to use anything specific to PSN itself. This shows that it was probably not someone affiliated with PS3 development.
The fact that the user database was sought indicates to me that revenge is not a likely motive. The database would have little value to anyone other than someone who wanted to use it or to sell it. This means that profit was the most likely motive for the attack. According to the FBI, credit card numbers or similar information trade for about $1 each. A database comprising 12 million users would therefore be worth about $12 million, a sum that would prompt some to seek to obtain it. If that database were used “in house”, the value could easily be about $60 million a month, merely by charging $5 to each credit card number each month and issuing a refund to each person who complained. Using a name similar to PSN, many would probably not even notice that the charge was not authorized, and those who did notice and complained would get a refund, so it would likely never be escalated to law enforcement for investigation. I genuinely believe that the motive was pure, simple, unadulterated greed.