Sometimes, in the rush to be the first to publish an idea or design, people overlook security in the planning phase. Redspin would like to propose something different.
There is lots of buzz based on the congressional testimony about how lax security was on the Sony PlayStation Network. Since no sources were cited in the testimony, we wondered whether publicly available information corroborates that viewpoint. A bit of digging in some public forums turned up some interesting information. It turns out users have periodically reported errors when trying to access the PlayStation Network. While the fact that they were unable to access the network isn’t all that interesting, the detailed error messages they posted reveal information about the servers used on PSN. For examples of the error messages, see the thread on one of PSN’s own forums here: Sony Forum, and a third-party site: SupraForums.
In these two cases, rather than PSN returning a “generic” please-try-again error, it returns a 500 server error with a large amount of verbose debugging information. Here is an excerpt from an error message a user received when trying to sign into the PlayStation Network on 3/11/2011, just a few weeks before they were hacked. Note this is only a small portion of the error, since the original is too long for this post.
HTTP Status 500 –
type Exception report
description The server encountered an internal error () that prevented it from fulfilling this request.
javax.servlet.ServletException: Unable to find resource ‘/pc//external/index.vm’
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.
We don’t know where this system sits on the PSN network, or whether it was part of the breach, but we can glean a few things:
- The obvious: something is broken and the server is generating an error
- The error message is very detailed. If basic security hardening of the box had been performed, verbose error messages would have been turned off. This error message leaks all kinds of information about the server. Verbose/debugging error messages should never be enabled in a production environment.
- Most concerning is the software version. At the end of the message it identifies the web server as Apache Tomcat 5.5.23. This version was released in 2007 and is over four years old (an eternity in the software industry). Many security problems have been identified and patched in Tomcat since then. Without updating their version or applying the patches, they are vulnerable to many known security flaws.
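As an added check (example code written for this post, not Redspin’s, Sony’s or Tomcat’s own), the following Python audit scans an error-page body captured from your own server for the two findings above: verbose exception details and a disclosed Tomcat version, compared against a baseline version the caller supplies. The sample body is constructed to mirror the excerpt quoted above, and the baseline is an assumption, not a value from this post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample shaped like the excerpt quoted in this post
# (not a real captured response).
SAMPLE_VERBOSE = """HTTP Status 500 -
type Exception report
description The server encountered an internal error () that prevented it from fulfilling this request.
javax.servlet.ServletException: Unable to find resource '/pc//external/index.vm'
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.
"""

# Constructed sample of what a hardened server should return instead.
SAMPLE_GENERIC = "Something went wrong. Please try again later."

VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
# Strings that only appear when the container's default error report is enabled.
VERBOSE_MARKERS = ("Exception report", "javax.servlet.", "stack trace", "java.lang.")


def tomcat_version(body: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if the body discloses a Tomcat version, else None."""
    m = VERSION_RE.search(body)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_error_page(body: str, min_version: Tuple[int, int, int]) -> List[str]:
    """Return findings for one error-page body.

    min_version is the oldest release you consider acceptable; it is an
    assumption supplied by the caller, not something this post states.
    """
    findings = []
    if any(marker in body for marker in VERBOSE_MARKERS):
        findings.append("verbose error page: servlet exception / stack trace details exposed")
    ver = tomcat_version(body)
    if ver is not None:
        findings.append("server version disclosed: Apache Tomcat/%d.%d.%d" % ver)
        if ver < min_version:
            findings.append("server version below baseline %d.%d.%d" % min_version)
    return findings


if __name__ == "__main__":
    # Placeholder baseline: substitute the current patched release for your deployment.
    baseline = (5, 5, 23)
    for name, body in (("verbose", SAMPLE_VERBOSE), ("generic", SAMPLE_GENERIC)):
        print(name, audit_error_page(body, baseline) or ["no findings"])
```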
If this system is indicative of the state of the PSN, and these types of flaws existed elsewhere, it is likely that the hackers had a very easy time gaining access.
What lessons can we learn? Make sure you are doing the security basics: harden your servers before deployment, and religiously apply security patches so you are not vulnerable to known attacks.