Was the Massive PlayStation Network Hack the Work of Amateurs?
The massive network intrusion last week that exposed the personal details of 77 million people and forced Sony to shut down the PlayStation Network may have been the work of mere amateurs.
Chatroom postings appearing on the Internet today (April 27) and retweeted by security blogger Brian Krebs show discussions between "modders," bored gamers who've installed unauthorized firmware on their PlayStation 3s to give them extra capabilities or let them back into the PlayStation Network after being banned.
One version of the firmware, called "ReBug," grants ordinary PS3 users access to the back-channel development areas of the PlayStation Network, where only authorized Sony personnel and third-party game programmers are normally allowed.
The chat logs, dated Feb. 16 of this year, record the modders' amazement upon discovering that Sony apparently stored users' credit-card data in unencrypted form.
[user2] cuz its way too easy todo scamming at this point
[user2] for example:
[user2] [redacted plain text code, includes false credit card number]
[user2] sent as plaintext
[user3] did you censor that card?
[user2] ya its fake
[user1] wow, plaintext :S
[user5] plaintext wow
[user3] im never putting in my details like that
[user2] ya is all fake lol
[user2] i never used cc on ps3
[user2] normally you ATLEAST encrypt the security code, even if its ssl
[user5] id hope sony would do such in a safe manner
[user5] psn cards probably plain text to then
[user2] fake certs are known since years as vuln so companies encrypt such data twice normally
[user2] but hey its sony > its a feature
Before Sony's announcement yesterday that a huge data breach was responsible for its shutdown April 20 of the PlayStation Network and a related entertainment service, theories had been floating around the Internet that prankish intrusions by modders had forced Sony's hand.
"Some people over at NGU [the online gaming forum NextGenUpdate] found out that you could provide fake CC# info and the authenticity of the information was never checked as you were on Sony's private developer PSN network (essentially a network that Sony trusted)," wrote a user identifying himself only as Chesh420 on the popular discussion board Reddit. "What happened next was extreme piracy of PSN content. Sony realizing the issue here shut down the network."
It seemed, and still seems, far-fetched that Sony would take the entire PlayStation Network offline worldwide just because some bored kids were found where they shouldn't have been.
The announcement that credit-card numbers had been stolen by the millions also pointed to a professional operation.
However, Sony has in fact said little about this incident. Technically, if a few dozen kids were to get access to plain-text credit-card information, that would be as much of a data breach as an intrusion by Russian cybercriminals or skilled Chinese state-sponsored hackers.
It's also possible that the real bad guys heard about the back door into the PSN developer areas, and simply followed the same path to steal the user data.
Requests for comment from Sony were not immediately answered.