"If a picture is worth a thousand words, then this one is probably worth about 10 million or so. After Sony‘s press conference last night, this is one of the illustrations that was given to the press"
I don't understand that diagram. Someone make sense of it please.
They sent some sort of worm into a vulnerable spot that bypassed like two firewalls... or something.
"They sent some sort of worm into a vulnerable spot that bypassed like two firewalls... or something." The answer is (3) firewalls, not including other software defenses!
These hackers make me sick ruining millions of PSN users using the technique shown in the diagram. Hope the FBI do catch them.
The diagram doesn't actually say anything that wasn't already obvious. We already knew that Sony had firewalls in place, and that the firewalls had to be bypassed in order for an intrusion to occur. This is just filler.
"These hackers make me sick ruining millions of PSN users using the technique shown in the diagram. Hope the FBI do catch them." what are the female body investigators gunna do?
Get them laid..
looks like malarkey
Yeah, it does have a certain sock gnome order towards profit quality to it.
A little vague (not surprising). But there's your answer to anyone who thinks they can sue Sony for negligence. Three firewalls between the internet and the main database. Yes someone found a crack in the system to get through them, but it will be hard to prove that Sony did not put in enough effort to protect the system.
They were negligent because they had no trip wire defense system in place. They had no centralized log server, and they left their servers unpatched to known exploits. They had no official data security policy in place. There was no one on staff capable of devising such a policy. Again, their core server being rooted, then having a rootkit installed does not bode well for their audit of PCI-DSS compliance (they are supposed to be running some sort of anti-virus software... lol) Sony is on the hook for all the damages caused here. Also, their continued lawyerly non-answer about cc#'s and c2v numbers is all you need to know. Why is Sony gonna pay for you to change your cc# if they are not responsible, hmm? The hackers got in, they were in there undetected for a while, they got EVERYTHING. This is bigger than RROD.
I've never had to pay to change my credit card #. I travel all over the planet on a regular basis so it's almost inevitable that I occasionally have some mysterious charges show up. I've had to change card numbers several times in the past 10 years and it's never cost me anything other than 5 minutes on the phone.
I can't believe SO much personal info was just left un-encrypted! Passwords etc were just left with no protection if accessed!
@WhittO Sony said passwords weren't encrypted, but "hashed".
My only concern right now is that we will probably have some blackouts and glitches once PSN is up because Sony did start the upgrade from scratch and they won't have time to BETA test it.
all these days of down times are for testing .. a modification is simple ..but then there are plenty of tests and verification to see that it works properly for everyone
You have a point, but is anyone reading PS Blog? "Q: When will the PlayStation Network and Qriocity be back online? A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure."
There really isn't an easy way to say this. 1. Find and utilize a vulnerability in the Application Server by sending data through the Web server as a "customer" and analyzing the response from the application server. 2. Inject a tool onto the application server that can be used to route db attack protocols through the vulnerability. Personally not sure how one would do this, though I'm assuming that CFW opened up some information on how data is sent from the customer perspective. 3. Run attacks against the db through the injected tool, resulting in eventually opening up each table to viewing. If you have access to the db, you can eventually access the data. Best practice for DB security is to prevent access to it. #1 and #2 are not basic attack concepts and requires a high level of technical knowledge and know-how.
WHAT! I don't know what the hell you just said. You lost me at "Find" then everything went black. lol....Dont know why but it made me want to play MGS4.
1. That is what every hack attempts to do when trying to get to the database. You prod the server to try and blue-print the stack. 2. Try to inject some code (like a buffer overrun) to get shell access. 3. It was mentioned that they attacked an admin account, something equivalent to a root? Open the database and voila! Now, if data was encrypted a lot less damaging. Without more details of the actual hack, sounds like standard fare to me.
1. Not every. Most Web sites, for example, only require bypassing Web Server level security to get to the db. 2. This is where I don't have any experience. Specifically with sending code that wouldn't be stripped by either level of securities (Web and Application Server) to create a protocol that would act as your pathway to the db. I can imagine it being done, but I wouldn't know what one would need to do in order to do it without being caught by IDS/IPS. 3. Not sure it would matter once you got to the level that they did. DBs are way too easy to get into once you have fairly direct access, which you would from the Application Server. Combination of binary and hex data prods if they're on SQL servers and it will pretty much open it up for you. This is a huge issue right now with ASP VBScript sites still running out there since Microsoft stopped supporting it. Lots of ways to bypass certain protocols to spoof data through your header data.
Must have been a Windows Application server (lol) or is it custom Linux boxes??? Also it is obvious that they did not heavily invest in the security of our personal data as the cost would not have been worth the actual loss incurred by this breach. So for a publicly traded company I say this "next time think of your customers not your Dollars!" I hope this doesn't take away from them building a PS4 with SSD drive in it!! Also what's the BS with KZ3 having no in game custom sound track like part 2????? If this is the case with PS4 I will gladly go back to PC gaming!!
Speak English my good man. You really make me feel like a moron with your extremely technical dialect.
The fact that they had an Application server at all nearly proves that they use Microsoft servers (like 95% of large companies do). So the hackers looked up some latest vulnerabilities for IIS. Pretty simple. There is no IIS network in the entire world that is secure, none, not one, ever. Sony will be switching to a full Linux system right now. (except office workstations, so they are still vulnerable... lol)
"Best practice for DB security is to prevent access to it." major problem being that you need some access to it in 99.99% and application server injection has already passed by firewall. but if you mean to say it should be exposed with restricted API done in specialized custom built protocol and run in userland chrooted environment. yes, hiding is best practice;) @bozebo: "The fact that they had an Application server at all nearly proves that they use Microsoft servers (like 95% of large companies do)." you really don't know what application server is, don't you? i'm avid linux fan and wouldn't touch windows even with remote on empty batteries. but, ... application server categorizes any protocol exposed API. even apache and webservice made script fit the bill. not to mention any application that does it fully, like multi tier db access for example. and, if you are linux enthusiast like me, i'd suggest hoping that sony will avoid it like plague. sony meddling into it would only bring sorrow. imagine broadcom, nvidia and likes are actually really friendly to linux compared to sony
***but if you mean to say it should be exposed with restricted API done in specialized custom built protocol and run in userland chrooted environment. yes, hiding is best practice;)*** That would be covered under "preventing access"... Whether it's through parameterization, user access limitations, middleman web services, and others, it's a method of preventing access. Perhaps better word would have been limitation of access... but that's a preventive measure unto itself.
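The "parameterization" and "user access limitations" named in the two comments above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database standing in for the database tier, hypothetical table and column names with constructed rows, and SQLite's authorizer callback standing in for per-account database privileges.

```python
import sqlite3

# Columns the application tier is allowed to read (hypothetical policy).
ALLOWED_READS = {("accounts", "id"), ("accounts", "handle")}
HOSTILE = "nobody' OR '1'='1"   # constructed hostile input

def make_db():
    # Constructed sample data; names are hypothetical, not from the page.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, handle TEXT,
                               pw_hash TEXT, card TEXT);
        INSERT INTO accounts (handle, pw_hash, card) VALUES
            ('alice', 'constructed-hash-1', 'constructed-card-1'),
            ('bob',   'constructed-hash-2', 'constructed-card-2');
    """)
    return db

def restrict(db):
    """Access limitation: only SELECTs of allow-listed columns may run."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in ALLOWED_READS:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # writes, schema changes, other columns
    db.set_authorizer(authorizer)
    return db

def lookup_concat(db, handle):
    # Weak form: the input becomes part of the SQL text and is parsed as SQL.
    sql = "SELECT handle FROM accounts WHERE handle = '" + handle + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, handle):
    # Parameterized form: the input is bound as a value, never parsed.
    sql = "SELECT handle FROM accounts WHERE handle = ?"
    return db.execute(sql, (handle,)).fetchall()

def try_sql(db, sql):
    """Run a statement as the application tier; report refusals."""
    try:
        return db.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "denied"

if __name__ == "__main__":
    open_db, limited = make_db(), restrict(make_db())
    print("concatenated :", lookup_concat(open_db, HOSTILE))
    print("parameterized:", lookup_param(open_db, HOSTILE))
    print("read card    :", try_sql(limited, "SELECT card FROM accounts"))
    print("delete rows  :", try_sql(limited, "DELETE FROM accounts"))
    print("read handle  :", try_sql(limited, "SELECT handle FROM accounts"))
```

The two controls are independent: binding stops input from changing the query, and the allow-list bounds what the application tier can reach even when a query is wrong.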
networking not being my strong point pretty sure it goes vulnerability in access to application server and to my understanding they could fake a legit application trying to access psn database, since the application server has full trusted access your shit gets stolen and totally bypasses all the firewalls in between edit: cgoodno said it better
This diagram is actually very generic, and isn't really specific to this PSN attack. Most corporate sites can be looked at this way. I.E., 3 layers: the website, which sits on top of an application server, which sits on top of a database environment. Websites make constant requests and submissions to the application server, meaning that a clever person can figure out ways to interact with the application server in ways not intended by the developer. If the hacker somehow manages to do so, and successfully plants a means of obtaining further control at that app server level, they are now "inside" and in many corporations would have an easy route to the database.
It would be interesting to see where this application they used came from.
The Hackers are supposed to detect those holes and let them know to the owner (like in various cases) there is a hole in the system, without harming, stealing, or to improve security and in the end is a WIN WIN in both sides (the white hat Hackers), this is not the case. These annoying Hackers, are the Crackers, also known as the "Black Hat" Hackers, they steal and harm everything.
A blue guy using a laptop, over the internet, sent arrows to communication tools and account information. The bricks and concrete shows how a house is supposed to be made. The top concrete joins with the bottom followed by 3 large blocks of bricks.
Of course! It was right in front of us the whole time. This makes perfect sense! :P Lol nice one! :D
MS Powerpoint, trying to make sense of information you can't comprehend since 1987. (Don't disagree with my funny comment!) (Sad face)
lol i thought it was funny
Hey, it has been good enough to help countless clueless MBA's contribute to tanking our economy, so it's good enough for us!
They should have used the LBP powerpoint, I would have understood it better.
They should make a level with Sackboy with a wolf mask and the other three as the little pigs. Blowing them houses down.
Good idea. Show a sackboy hopping over a wall of fire. After a few jumps he gets a room full of bubbles. What's not to get?
Haha! You sir are awesome!
I'd agree. But "Professional" people wouldn't like it, then "news" sites will be all over the "sony is wasting time with LBP Presentation" headline.
Very interesting. So Sony DID have security measures in place, 3 firewalls, encrypted card numbers etc. But some clever exploit (SQL Injection?) bypassed it all. Reading comments on the source site it sounds like the sort of attack that many websites/networks could fall foul of, and very difficult to detect. So Sony did well to spot it at all. People shouldn't be so hard on Sony, this could happen to almost anyone (if it's as clever as it sounds).
sql injection is not a clever exploit. It's taught in basic web programming 101.
i wonder what the hackers were looking for in particular? surely hackers hack shit and get info without companies knowing? unless they are just stupid. i don't know lol
These were likely not hackers but thieves set out to actually get financial information. Console companies are easy picks as they know that the majority of users/customers will have multiple electronic communication networks while getting the best chance of people that have little concern for security of credit information or proper passwords. As specified before... Sony security had been brought to the forefront in many blogs and posts and it became common knowledge that they were using outdated security software. Sony themselves should have people assigned to be monitoring these sites that post the exploits. I can't fathom why a security update wasn't made other than the pure fact of disbelief that they were capable of being accessed? And that is the number one point when it comes to security... never think that you can't be broken into. With that in mind they really should have had their own personnel doing routine attack attempts on the system. Even routine probes would have released information pointing out security holes that were noticed on PS3 hacking blogs. Note this was not a console hack... it was a system access... the console itself had nothing to do with the access to this security information. It was the mainframe that was attacked. And firewalls are useless if they are not maintained properly and aren't structured to actually keep information from being accessed. It has been a long while since I have been in class learning Cobol and Fortran (ageing myself I know) but some of this is common sense to anyone that has dealt with computers and mainframe networks.
They should have had a CIO position before this all went down. That probably played a big role in having outdated security software. It's funny they decided to actually add that position after this all went down. But if you remember or were reading about things in the tech world a few years back, two major Antivirus companies had their networks hacked. One of those companies was Symantec, and if someone can get into their network then others should be easier by comparison.
The hacker / hackers used a custom made tool to breach a weak spot in one of Sony's webpages. Thus giving them access to the user database. Sony did have a lot of security with 3 hardware firewalls in between servers. So basically the hackers took the back door. It's like someone would design a fortress with a wooden door in the back.
time to get a 360 -_- i can't believe sony was so foolish and lacking from now on i'm getting a 360 for multiplat and 360 exclusives keeping my ps3 for ps3 exclusives. another week with no psn that's shameful come on sony you're supposed to be better than this get your Sh*t together i can't believe this it's going to be 3 weeks or more in total before we see psn and a month before we even look at the ps store this is BS!!
Bye, I'm sure no one will miss you. If you think the 360 can't be hacked in the same manner, you're dead wrong.
I'm sure i won't miss any one..but u fail never said i was selling my ps3.
So why get a 360? The 360 can be hacked the same freaking way.
The 360 Network hasn't been hacked. Both the PS3 and 360 systems have, but only the PS3 when it comes to networks. When was the 360 network hacked?
XBox Live is just as susceptible as PSN. When did I say the XBox Live was hacked?
Why not have both systems anyways? In this day and age gamers have to deal with BS like lawyers trying to make stricter laws because some deranged, backwoods, idiot of a teenager killed someone and happened to like FPS games. So the lawyer blames the gaming industry and wants to set in place laws prohibiting certain content in games. If you don't have both systems already then you're missing great games. If I didn't have my 360 then I would miss out on Halo, Gears of War, Fable, Alan Wake and of course Mass Effect until recently. If I didn't have my PS3 I would miss out on God of War, Metal Gear, GT5 and Socom. Not sure why people are so extremely loyal to one company when there are so many great exclusives for each system. Who cares what system a game is on, if it's a great game then that's all that matters. But I'm guessing a lot of the people can't afford to have more than 1 system or they're too young and their parents will only buy them 1 system. Either way, there's no reason to think the system you don't have sucks just because you don't have it.
Damn you, Matthew Broderick, and your WarGames.
My Yahoo account got hacked, luckily I was able to reset everything within half an hour of this happening. It doesn't look like they did anything mostly because the only cc info I had was an old one that I canceled 2 weeks ago when this whole thing happened..
I wonder which vendor of Firewall/UTM Appliances SONY used? Does SONY change vendor? I would hope, the design is not that through.
lol, blame is never on vendor. you can give "holly wonder secure inc." products to bad admin and security will still suck. security is always just as good as admin and developers are. it was bad design with holes in psn topology. although, truth be told, design without flaws cannot exist. every system has something that is hackable. question is just how much is accessible after hack and how much work hacking takes. and take it with a grain of salt, being able to access db is not good sign for security.
There are no foolproof solutions, every security vendor only provides 99.999% solutions. But looking at the diagram, there are other ways to do it more effectively, maybe using a combination of vendors; e.g. SourceFire and Lumension, or Check Point with Lumension, or CISCO and IBM ISS. Never go with one vendor I believe.
Wow they planted a worm behind the lines and used it to take down the firewalls. Reminds me of Troy. The question is how did they get the worm over?
First Bin Laden is dead, now Sony is using Microsoft Visio for their presentations. Wow. World peace imminent? What miracle is gonna be next? DNF ready to ship this summer!? One can only dream...
i don't think hackers got everything, going through that first firewall and uploading the tool in the application server through the web server. it probably took a while to even have access let alone download billions of lines of information. how big in kb is one account? and you have to take the firewall, internet connection, harddrive read write speed. the only way to get all of it really fast is if they had access to a server room to attack Sony's server. which i'm sure narrows down whoever attacked PSN. they either got a little or a lot.
All I have to say is look at all my previous comments on the subject of Sony having a secure network, then look at all the responses people had as "rebuttal." Now I just want to say, I told you so and I do know a thing or two about the law.
I have this unusual feeling that Charlie Sheen is behind this.
Whoever was behind this hack, he was definitely talented.
These guys are criminals, plain and simple. Don't think of their justifications. The fact remains that this wasn't done in all the years of PSN until after all the hacker threats to Sony, during and after the George Hotz case. That cannot be coincidence. But the question isn't why... It's how was it done, and where are these criminals. All I want from Sony is a more secure system and for the authorities to track these people down (which I doubt is possible). It's a blow to the entire Industry and it affects all of us. But like the underdogs we play in video games, everything will turn out okay in the end. It will just take some time, a bit of patience, and several attempts at passing that final stage.
criminals? definitely. do i like them? hell, i hate them but, since it is known everything is hackable it is in your best interest not to piss off entire hacker population. sony simply didn't get that lesson until now. everything they did in last year or so just accumulated to this situation. if someone would be stupid enough to jump in lion's cage while writing his todo list for next week... how would you call him?