When it comes to the attack on Sony's PlayStation Network, the only thing we're sure of is what we don't know: how it was done and who did it.
In the past four weeks since Sony shut down the gaming network, security researchers have been cobbling together theories of how someone broke into the PlayStation Network (PSN) and Sony Online Entertainment site, exposing personal data from more than 100 million accounts.
Security experts believe whoever was responsible exploited one or more security holes--but how they were exploited and who did it remains a bit of a mystery, despite a disputed link to the loosely knit hacking organization Anonymous.
Sony has said only that between April 17 and 19 an unauthorized person gained access to Sony's PSN servers in San Diego by hacking into an application server behind a Web server and two firewalls. The attack was disguised as a purchase, so it did not immediately raise any red flags, and the vulnerability exploited was known, according to Sony. A week and a half later, the company said that during its investigation into the PSN breach, it discovered that attackers may have also obtained data from the Sony Online Entertainment system. The network and online site were restored last weekend.
Chris Lytle, security researcher at Veracode, said he thinks there were actually multiple concurrent breaches, not necessarily by the same person or group. "Sony just happened to be a low-hanging fruit because of what was publicly known at the time, and they got attacked from every direction at once," he said in an interview this week.
Lytle discusses several theories in a recent blog post and notes that information from Sony would indicate that a SQL injection was used to exploit a hole in the database layer of an application or that the database server was publicly accessible and exploitable.
In chat logs dating back to February that were circulating around the Internet after the PSN attack, some PlayStation 3 modders (hackers interested in modifying their consoles so as to give them additional functionality) were claiming that PSN Web servers were running outdated versions of Apache and Linux.
"If sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server," a user with the handle "Trixter" wrote in the Internet Relay Chat discussion.
Last week Trixter, whose real name is Bret McDanel, wrote in a blog post that he doesn't have any first-hand knowledge of the attacks and doesn't know who is responsible but was basing his comments on public Sony statements and Web server logs he has seen.
"According to web logs that Sony had been leaking for months prior to the attack someone from a US Department of Defense IP from the 220.127.116.11/8 netblock had probed Sony's systems for two weeks prior to the intruders gaining access," he writes. A program called Whisker, which only checks for known vulnerabilities, apparently was used to perform the scans, he added.
"Had Sony used an intrusion detection system prior to the attack they would have been alerted that someone was probing their network for 6 weeks prior to the successful intrusions. They could have responded by upgrading their systems to mitigate against such an attack," McDanel writes. "I find it suspicious that the probes from the US DoD IP halted 2 days before Sony acknowledged the attack."
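The pattern McDanel describes, a single source probing for known vulnerabilities over a span of days without hiding its tracks, is one that Web server access logs can surface. The Python sketch below is an added example, not code from the article, McDanel or Sony; the log lines are constructed, and the `find_probers` name and its thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (documentation IP ranges), not real Sony data.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2011:10:00:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
203.0.113.7 - - [01/Apr/2011:10:00:02 +0000] "GET /admin/ HTTP/1.0" 403 199
203.0.113.7 - - [02/Apr/2011:03:14:09 +0000] "GET /server-status HTTP/1.0" 404 210
203.0.113.7 - - [02/Apr/2011:03:14:10 +0000] "GET /phpinfo.php HTTP/1.0" 404 210
203.0.113.7 - - [03/Apr/2011:22:40:31 +0000] "GET /backup.zip HTTP/1.0" 404 210
203.0.113.7 - - [03/Apr/2011:22:40:32 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.20 - - [01/Apr/2011:12:00:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [01/Apr/2011:12:00:05 +0000] "GET /store HTTP/1.1" 200 8300
198.51.100.20 - - [02/Apr/2011:09:30:00 +0000] "GET /store/item?id=5 HTTP/1.1" 200 4100
198.51.100.20 - - [02/Apr/2011:09:30:01 +0000] "GET /favicon.ico HTTP/1.1" 404 210
198.51.100.99 - - [02/Apr/2011:15:00:00 +0000] "GET /old/a.html HTTP/1.1" 404 210
198.51.100.99 - - [02/Apr/2011:15:00:03 +0000] "GET /old/b.html HTTP/1.1" 404 210
198.51.100.99 - - [02/Apr/2011:15:00:07 +0000] "GET /old/c.html HTTP/1.1" 404 210
198.51.100.99 - - [02/Apr/2011:15:00:09 +0000] "GET /old/d.html HTTP/1.1" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_probers(log_text, min_paths=4, min_days=2, min_miss_ratio=0.8):
    """Flag sources that request many distinct paths, mostly 403/404, on several days."""
    paths, days = defaultdict(set), defaultdict(set)
    total, misses = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected log format
        ip = m["ip"]
        total[ip] += 1
        paths[ip].add(m["path"])
        days[ip].add(m["day"])
        if m["status"] in ("403", "404"):
            misses[ip] += 1
    flagged = {}
    for ip, n in total.items():
        ratio = misses[ip] / n
        if (len(paths[ip]) >= min_paths and len(days[ip]) >= min_days
                and ratio >= min_miss_ratio):
            flagged[ip] = {"paths": len(paths[ip]), "days": len(days[ip]),
                           "miss_ratio": round(ratio, 2)}
    return flagged
```

Requiring activity on more than one day separates a persistent prober from a visitor following a batch of dead links in one session, which is why `198.51.100.99` is not flagged at the default thresholds.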
Script kiddie to blame? Anonymous? Rebug hole?
McDanel also dismisses the notion that Anonymous was involved, as Sony has hinted, because only one IP was used for the scanning and it predated the Anonymous distributed denial-of-service attacks on Sony's sites in early April. (Anonymous was trying to cripple Sony's sites to protest the company's legal squabbles with PS3 hacker George Hotz.)
McDanel also speculates that the scanning was done by a so-called "script kiddie"--or someone with limited hacking skills--because the hacker did not appear to try to hide his or her tracks. "They just got lucky that Sony was so incompetent in security matters that they were not noticed," he wrote.
There is another theory floating around--that someone had been able to get into Sony's network by using a PS3 to connect to a PSN server that either had a hole or was misconfigured. Rebug, a firmware tool that lets PS3 users access features only found in developer kits, was released in late March. Someone figured out how to use Rebug to get access to PSN via developer networks and from there how to get free content using fake credit card information. People were exploiting that hole, according to Lytle.
"It is possible that one of the PSN instances [set of servers connected to the Internet] meant for internal use only had certain flaws or was configured in such a way that a rogue PS3 could have leveraged it against the rest of Sony's network," he writes in his blog post.
"It looks like a vulnerability in an application was the initial point of entry for this breach," Lytle writes. "Whether or not this was done using a modified PS3 is up for debate, and there isn't any solid proof one way or another."
Imagine if a script kiddie tested some doors to the Sony network to see which would open and/or PS3 modders raided the fridge, but it was financially motivated criminals following behind that actually looted the cash drawer.
"If you were an attacker and you just happened to stumble into this modder forum it would be as simple as grabbing the tools and going after Sony," Lytle said.
"That's why Sony's response seems so scattered," Lytle said, citing the company's moves to pull the PSN and Sony Online Entertainment networks and the Facebook games offline and to move PSN servers into a single secure location. "It looks like they were responding to a lot of different threats."
A Sony spokesman did not respond to e-mails or phone calls seeking comment for this story.
Depending on what actions Sony took or didn't take to secure its systems and how old any potential vulnerabilities were, the question of negligence could be raised, said Eugene Spafford, a computer science professor at Purdue and executive director of CERIAS (Center for Education and Research in Information Assurance and Security) at the university.
"It would seem, from what we've heard, that it is possible they didn't exercise due care," he said in an interview with CNET. "If you park your car in a high-crime area and leave the doors unlocked and the keys in the ignition, you are being careless when you should know better. That makes you somewhat culpable for the losses."