
Wrongly Jailed Security Whistleblower Caught Up in PlayStation Hacker Hunt

Wired

Armchair cybersleuths on the trail of the PlayStation Network hackers have been focusing attention on a chat log that shows several technically sophisticated PlayStation tinkerers discussing Sony’s security vulnerabilities in knowing detail just two months before the breach.

“If Sony is watching this channel they should know that running an older version of Apache on a RedHat server with known vulnerabilities is not wise, especially when that server freely reports its version and it’s the auth[entication] server,” writes “Trixter,” one of the chatters.

The Feb. 16 chat was held in the IRC channel “#ps3dev.” It’s a gathering spot for people hacking their PlayStations for various purposes not approved by Sony, such as installing custom firmware, trying to restore the console’s ability to run Linux, or working to build a home-brew version of the PlayStation Network.

The parts of the discussion that delve into Sony’s security posture appear eerily prescient in the wake of the intrusion that exposed personal information on 77 million users, and copies of the chats are now lighting up gaming blogs and Twitter feeds. “IRC chat of PlayStation Network hacker!” reads one post.

But in an interview with Threat Level, “Trixter” says he had nothing to do with the breach. He might add, “Here we go again.”

That’s because Trixter is 38-year-old Bret McDanel, who made news in 2003 after serving a 16-month sentence for a computer-hacking crime he didn’t commit.

McDanel got in trouble for warning 5,000 customers of his former employer, Tornado Development, that the company had a serious security hole that made customer e-mail vulnerable to hackers. The government charged and convicted McDanel under the theory that the e-mailed warning itself violated the antihacking Computer Fraud and Abuse Act because it “impaired the integrity” of the vulnerable system.

It was such a bizarre reading of the law that, on appeal, the Justice Department filed a rare “Confession of Error” conceding that McDanel hadn’t committed a crime. The department joined with the defense in asking that his conviction be overturned. It was overturned, but by then he’d already done the time.

McDanel, who now has a small telecom business outside Sacramento, says that despite his past experience, he’s not particularly worried about being linked to the massive PlayStation Network breach.

“I’m willing to bet that the actual intrusion is going to point to somewhere completely different,” he said in a telephone interview Thursday.

McDanel says he got involved in the PlayStation-modding scene about three months ago. He claims his primary interest is user privacy: He wanted to see what information the PlayStation collects and sends to Sony and its partner companies through the PlayStation Network.

To that end, he used a man-in-the-middle hack to monitor the SSL-encrypted traffic from his home console to Sony’s servers. He loaded a self-signed certificate onto the console, and directed the traffic through a proxy server on his own network. When he pored through the traffic, he noticed that Sony was running outdated versions of the Apache web server.

Sony, it turns out, uses a cluster of Apache servers to authenticate PlayStation consoles, a different cluster to serve downloadable content, another to store image files, etc. All of them are directly accessible from the internet, he says; there’s no VPN between the console and the PlayStation Network. And he claims all the servers were at least a little out of date.

“Literally everything goes through a web server somewhere,” he says. “Different [Sony] divisions maintain different servers. I never saw a current version of Apache on any of them.”

Sony did not respond to an inquiry from Threat Level on Friday.

McDanel admits he doesn’t know that Sony’s web servers were vulnerable to attack. The authentication server he mentioned in the chats was running Apache 2.2.15, which was superseded in June 2010, but has no remote-access vulnerabilities listed on Apache’s website.

The other main participant in the February chat was “SKFU.” He’s a German engineer who — along with his colleague “iQD” — was analyzing Sony’s protocols with the goal of writing emulation software that could let devices other than a PlayStation use the PlayStation Network. “For example, you could use an Android phone to communicate with your PS3 friends,” says SKFU.

But he adds that he has no plans at the moment to publish his research. “It’s just too risky at this time that Sony could come and say, OK … you’re sued for $10 million.”

SKFU, too, says Sony’s security is poor. By way of example, he says he and other researchers found unused functions buried in the PlayStation firmware that can be executed on the network. “Like, you could join the PlayStation Network as a guest, or access any environment they use.”

But SKFU doesn’t believe the focused work of the modding community would be useful for the kind of broad network-security breach Sony suffered this month, nor that his fellow tinkerers were involved. “This more likely seems to be a hack because of the money behind it,” says SKFU. “Get them to show me the logs and servers, and I will tell you.”

McDanel says he agrees that a profit-oriented intruder was likely behind the attack. “If they were behind on Apache, they were probably behind on their mail server; they were probably behind on their DNS server,” he says. “They were probably behind on everything.”

“It wasn’t an attack against Sony,” he speculates. “It was an attack against a big computer that held a lot of information.”

http://www.wired.com/threatlevel/2011/04/trixter/
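Trixter’s complaint is that the auth server “freely reports its version” and that the version it reports is old. That is something an operator can audit from their own servers’ response headers. The following is an added example, not code from the article or from anyone quoted in it; the sample responses and the “current” baseline version it compares against are constructed inputs, not facts about any real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Product/version prefix of a Server header, e.g. "Apache/2.2.15 (Red Hat)".
# A bare "Apache" (what Apache emits under "ServerTokens Prod") carries no version.
_SERVER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d+(?:\.\d+)*))?")

def extract_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def assess_server_header(value: Optional[str], baseline: str) -> Dict[str, object]:
    """Say whether the banner discloses a version and whether it trails `baseline`,
    the release the operator treats as current (an input here, not a fact the code knows)."""
    m = _SERVER_RE.match(value.strip()) if value else None
    ver_text = m.group("version") if m else None
    version = tuple(int(p) for p in ver_text.split(".")) if ver_text else None
    base = tuple(int(p) for p in baseline.split("."))
    outdated = version is not None and version < base  # tuple compare: (2,2,15) < (2,2,16)
    advice = ("upgrade, then hide the version (ServerTokens Prod)" if outdated
              else "hide the version (ServerTokens Prod)" if version is not None else "ok")
    return {"product": m.group("product") if m else None,
            "discloses_version": version is not None,
            "outdated": outdated,
            "advice": advice}

# Constructed sample responses: an "auth" server on an old build, a "content" server on
# the baseline, and one already hardened. None is a real response from any Sony host.
SAMPLE_RESPONSES = {
    "auth": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (Red Hat)\r\nContent-Length: 0\r\n\r\n",
    "content": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.16\r\nContent-Length: 0\r\n\r\n",
    "hardened": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
}

def audit(responses: Dict[str, str], baseline: str) -> List[Tuple[str, Dict[str, object]]]:
    """Assess each sampled response; returns (name, finding) pairs in input order."""
    return [(name, assess_server_header(extract_server_header(raw), baseline))
            for name, raw in responses.items()]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RESPONSES, "2.2.16"):
        print(name, finding)
```

Only the first banner both discloses a version and trails the baseline; the hardened one gives an inspector nothing to match against, which is the point of `ServerTokens Prod`.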




That was a really great read, thanks for posting.

Really makes you wonder how a multi-billion dollar company could have security so bad that two guys could see such massive weaknesses by just tinkering around with the network from their homes.



The definitive evidence that video games turn people into mass murderers

It's awesome to see that nsanity is dutifully keeping up with any bad news related to Sony (regardless of whether it's speculation or blown out of proportion or whatever). Keep us posted, man.

EDIT: This post has been moderated for spamming. -d1



Mendicate Bias said:

That was a really great read, thanks for posting.

Really makes you wonder how a multi-billion dollar company could have security so bad that two guys could see such massive weaknesses by just tinkering around with the network from their homes.

CGI-Quality said:

It's not so much that the security was bad, but that there are people out there who will go to great lengths to pull off these kinds of deeds. Look at the breaches of other big companies and it puts the picture in a different light.

RolStoppable said:

But this article makes it sound like hacking PSN didn't require people going to great lengths.

CGI-Quality said:

Yep, and reading other articles would beg to differ.


Have any of those? In general, all the speculation I've seen has suggested otherwise so far and that Sony was behind the times on security tech. (And that most companies are, and this is a ticking time bomb where matters will get worse and laws will get stronger.) Would be interesting to read articles that suggest the opposite.



RolStoppable said:

But this article makes it sound like hacking PSN didn't require people going to great lengths.

CGI-Quality said:

Yep, and reading other articles would beg to differ.

Kasz216 said:

Have any of those? In general, all the speculation I've seen has suggested otherwise so far. Would be interesting to read articles that suggest the opposite.

CGI-Quality said:

Google and N4G will be your friends in finding any (and every) thing there is to know about the PSN's situation. There have been discrepancies since the beginning.

I have been using Google News, which is why I'm confused on the matter. In general, every single piece I've read has suggested that companies are far behind in security protections from where they should be.

As for N4G... I'd rather stick with credible aggregate news sources.

I mean, according to Sony themselves... they exploited a "known vulnerability".

http://www.theregister.co.uk/2011/05/01/psn_service_restoration/


In other words... they did something that had cracked similar systems before, which Sony didn't know about and protect against because they weren't doing their due diligence when it came to security.

They didn't have to go to "great lengths" to hack PSN, because they literally just did what worked in the past on other systems. It seems like a direct confirmation by Sony on that part.

Hence the need for creating new security positions. I mean, look at all the new security measures they're taking. They didn't have a program that automatically detects strange network usage.

It's an issue... far too many businesses are being negligent with personal security solely because they can be.




Reading this reminds me of the movie, "Catch Me If You Can"....


Sony should try to make some use out of these hacker guys, rather than trying to sue them every chance they get. At this point though, I think these hackers might actually have a fear of being sued by Sony for doing what they do. Now is definitely not the time to be messing with modding the ps3 with all the recent incidents happening.



http://soundcloud.com/cathode

PSN: Parasitic_Link

http://projects.washingtonpost.com/fallen/


@CGI I wouldn't bother going any further with Kaz; you can have 6,000 sources backing you up and he'll still be convinced you're wrong.

Also, ignore my first post; this site doesn't work for crap for me anymore.


EVERY GAMER'S WORST NIGHTMARE... THE TANGLING CABLES MONSTER!

Coffee is for closers!

JamaicameCRAZY said:

@CGI I wouldn't bother going any further with Kaz; you can have 6,000 sources backing you up and he'll still be convinced you're wrong.

Also, ignore my first post; this site doesn't work for crap for me anymore.


I specifically posted an article where Sony themselves say the hacker didn't have to go through great lengths to hack Sony... they used a previously known flaw that they didn't keep up on.

Are you calling Sony a liar?



What the hell?

I had to read this again. Is this article for real? Sony uses RedHat for their authentication server?

Correct me if I'm wrong, but 10 years ago RedHat was one of the suites that the people in the business referred to as "Linux for Dummies". Don't get me wrong. It's a very nice system, but its initial setup can be rather bloated when compared to other kernel distributions.

That was back in the time where if you wanted security, you'd implement an operating system with open, but tight regulations on the source, such as OpenBSD. I dunno. Have RedHat changed their ways and become less bloated? I stopped tracking them after I moved up to Debian.