STE WILLIAMS

NEW Sony Playstation Hack Affects User Accounts

Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.

The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user’s account, Daniel Pilkington, the site’s founder, told The Register. He said he observed internet chat relay discussions that showed a small number of people exploiting the flaw “to take control of an unknown number of accounts.”

“It had the potential to be used maliciously, but we think Sony acted soon enough,” Pilkington said.

Once Sony disabled the login pages, the attacks were no longer possible, he explained.

After this article went live, the company published a blog post that said:

“We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”

Pilkington said he stood by his account. Sony didn’t elaborate on the URL exploit or say when the web-based pages would be restored. Password reset features that use the PlayStation console continue to work normally.

The blunder raises new doubts about Sony’s ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can’t rule out the possibility that credit card data was also taken.

Pilkington said he was initially skeptical of the vulnerability claims until one of the participants in the IRC chat demonstrated the attack on a test account Nyleveia had set up.

“The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to,” the website reported. “It was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.”

Pilkington said he emailed the details to a Sony public relations official, and the login pages were disabled about 15 minutes after a representative sent a response.

Pilkington described the exploit process this way:

The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony’s reset procedure, which required only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony’s servers, complete an image verification on the page. The attacker would then proceed to a scree allowing him to change the victim’s password.

“The page https://store.playstation.com/accounts/reset/resetPassword.action?token, acts as though you had clicked the unique link sent to you via Sony for completing the second page’s password reset,” Pilkington said during a discussion over instant message. He said it’s “highly unlikely” the exploit technique was discovered until Tuesday evening.

Sony has yet to issue any confirmation of the flaw, which Pilkington said has affected PSN users since Monday, when it was reopened following 24 days of continuous outage. On the company’s European blog it said only that PSN sign-in services were down for PlayStation.com, PlayStation forums, the PlayStation blog, and complementary services including Qriocity.com, Music Unlimited via web browsers, and all PlayStation game title websites.

“Unfortunately this also means that those who are still trying to change their password password via Playstation.com or Qriocity.com will be unable to do so for the time being,” the Sony blog said. “This is due to essential maintenance and at present it is unclear how long this will take.”

Sony is requiring all PSN users to change their password before they can use the reopened service. The removal of the reset webpages means users for the time being can reset their pass phrases only through their PlayStation consoles, which remain unaffected by the outage.

The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country’s government had about its security.

 

Source

Sony tweets ‘secret’ key at heart of PS3 jailbreak case

An official Sony Twitter account has leaked the PlayStation 3 master signing key at the heart of the company’s legal offensive against a group of hackers being sued for showing how to jailbreak the popular game console.

Kevin Butler, a fictional PS3 vice president, retweeted the metldr key in what can only be assumed was a colossal mistake.

“Lemme guess… you sank my battleship?” he wrote in a post to the micro-blogging website that has been preserved for all the world to see. It goes on to include the key and the ironic words “Come at me.” The message was later removed from Butler’s tweet stream with no explanation why the key was leaked and then removed.

In a lawsuit filed in federal court in San Francisco last month, Sony accused well-known jailbreaker George Hotz, aka geohot, and more than 100 other hackers of violating US copyright law by disclosing the key, which is used to sign games and software that run on the PS3. Last week, Sony expanded its legal dragnet when it filed a series of motions seeking the identity of YouTube and Twitter users who did nothing more than discuss the issuance of the key or view videos showing how the latest hack worked.

Sony contends that videos and web postings disclosing the key violate provisions of the Digital Millennium Copyright Act that prohibit the circumvention of technology designed to prevent access to copyrighted material. Two weeks ago, the judge presiding over the case tentatively ruled Sony was likely to prevail on those claims and issued a temporary restraining order to prevent what she said would be “irreparable harm” if Hotz wasn’t required to surrender all his computer gear and remove all references to the hack that he posted online.

Sony’s gaffe shows just how futile Sony’s attempts are to prosecute people who discussed the key, said Stewart Kellar, the San Francisco attorney representing Hotz.

“It just demonstrates that the restraining order here will not prevent imminent irreparable harm to Sony because if there is harm it’s already occurred,” he told The Register. “The key is already out there. Restraining George will not stop the key from being distributed.”

A court hearing is scheduled for Thursday in the case so the judge can hear arguments that the temporary restraining order is overbroad and should be rescinded.

Sony, which says it’s sold about 44 million PS3s, has said its suit is necessary to prevent pirated games from running on the console. Hotz and members of the fail0verflow hacking collective, which in December published a PS3 jailbreak technique independent of Hotz, insist the hacks expand the functionality of the console so it can run custom, “homebrewed” applications that aren’t covered by copyright.

Last year, the US Copyright Office exempted iPhone jailbreaking from the DMCA so the handsets can run apps not officially sanctioned by Apple. Game consoles are unaffected by that act.

A email sent to Butler and a phone call left to Sony’s PR department weren’t returned?

No court order against PlayStation hackers for now

A San Francisco federal judge declined to order New Jersey-based hacker Geohot to turn over the technology he used to root the PlayStation 3, saying she doubted Geohot was subject to her court’s authority.

The move by US District Judge Susan Illston on Friday was a blow to Sony, which argued that the 21-year-old hacker, whose real name is George Hotz, should be forced to surrender his computer gear and the code he used to circumvent digital rights management features in the gaming console. Illston rejected arguments that Hotz’s use of Twitter, PayPal, and YouTube, all located in the Northern District of California, were sufficient contacts with the region to establish personal jurisdiction.

“If having a PayPal account were enough, then there would be personal jurisdiction in this court over everybody, and that just can’t be right,” Illston told James G. Gilliland Jr., an attorney representing Sony. “That would mean the entire universe is subject to my jurisdiction, and that’s a really hard concept for me to accept.” (more…)

PlayStation 3 code signing cracked

Hardware hackers claim to have uncovered the private key used by Sony to authorise code to run on PlayStation 3 systems.

The hackers uncovered the hack in order to run Linux or PS3 consoles, irrespective of the version of firmware the games console was running. By knowing the private key used by Sony the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on a games console were firmware specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Conference hacker congress in Berlin. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack, as explained in a video on enthusiast site PSGroove here.

More discussion on the console jailbreaking hack can be found on a PlayStation forum here