
SANS ISC: SonyPictures Site Compromised - SANS Internet Storm Center SANS ISC InfoSec Forums


SonyPictures Site Compromised

We have written diaries on Sony's security woes over the past few months: the first was a DDoS against its infrastructure [1], followed by the hacking of the Sony PlayStation Network, which took the network offline for several weeks and affected all of its PlayStation customers [2]. This week, SonyPictures was compromised by a group of individuals calling themselves LulzSec, who took over 1,000,000 customer passwords that had been stored unencrypted, in plaintext. Last week, another attack took place, this time against the Sony Music Entertainment Greece website [3], from which usernames, passwords, email addresses and phone numbers were taken.

One question comes to mind. With all of this data lost, if a PCI-compliant corporation can be targeted and compromised this easily, is PCI a good standard by which to measure security posture?

[1] http://isc.sans.org/diary.html?storyid=10654
[2] http://isc.sans.org/diary.html?storyid=10768
[3] http://mashable.com/2011/05/24/sony-hacker-attack

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

418 Posts
ISC Handler
Back in the days of the Sony BMG CD rootkit, we learned that Sony had a fundamental problem with the concepts of information security and privacy. It looks like they didn't improve much.

My take is if they were found to be PCI-compliant at one time, it was only for the components reviewed, and only at that time. Who knows what they might have done the day after.

As long as organizations use compliance to try to achieve security we will have this problem. They need to have security achieve compliance. It doesn't seem to work any other way.
Shane

7 Posts
While I am not very knowledgeable about PCI, I do believe I read somewhere that this standard demanded everything stored encrypted, even databases. How could Sony be compliant if they were storing passwords as unhashed plaintext?

Seems Shane is right that they are worried more about meeting the compliance inspection than actually following the standard thoroughly.
BGC

23 Posts
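BGC's question above is about the storage format itself. As an added example (not code from the ISC diary, the commenters, or any Sony system), the Python below puts a plaintext password column beside a salted PBKDF2-HMAC-SHA256 record with constant-time verification, and shows what a dump of each column gives an attacker. The sample user row, the record format and the iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample row: the kind of record the diary describes, with the
# password usable as-is by anyone who dumps the table.
PLAINTEXT_ROW = {"email": "user@example.com", "password": "hunter2"}

# Assumption: a work factor in the range recommended for PBKDF2-HMAC-SHA256 in 2023;
# tune it to your hardware so a verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def legacy_check(password: str, row: dict) -> bool:
    """The comparison a plaintext column invites: the stored value *is* the secret."""
    return password == row["password"]


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a dump does not even reveal which accounts share one.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.

    Unknown algorithms and malformed records are rejected rather than guessed at.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def migrate_row(row: dict) -> dict:
    """Replace the plaintext column with a hash record; the plaintext is not kept."""
    return {"email": row["email"], "password_hash": hash_password(row["password"])}


def dump_is_directly_usable(row: dict) -> bool:
    """What a breach hands over: True if the dumped value logs the attacker straight in."""
    if "password" in row:
        return legacy_check(row["password"], row)
    # With a hash record the dumped value is not a password; the attacker is
    # left guessing candidates at the stored work factor.
    return verify_password(row["password_hash"], row["password_hash"])


if __name__ == "__main__":
    migrated = migrate_row(PLAINTEXT_ROW)
    print("plaintext row usable from a dump:", dump_is_directly_usable(PLAINTEXT_ROW))
    print("hashed row usable from a dump:   ", dump_is_directly_usable(migrated))
    print("login with real password:        ", verify_password("hunter2", migrated["password_hash"]))
```

The record format carries its own parameters, so the iteration count can be raised later and old records re-hashed at next login without a schema change; `hmac.compare_digest` keeps the comparison from leaking how many leading bytes matched.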
Check-the-box security a.k.a "rubber-stamp security", and so it goes...
e.b.

16 Posts
And there's the rub... were they PCI compliant?
James

32 Posts
compliance != security
Anonymous
PCI is also only concerned with the security of the scope of payment-handling systems and processes. Most of their breaches aren't mentioned as exposing card data, so the user names and passwords may simply not fall under PCI controls because they're out of scope.
Tim

5 Posts
Good point, the user data may have been out of scope for PCI compliance. That only reinforces the comments of several others: PCI compliance does not mean you have any real security...
BGC

23 Posts
I don't believe that's necessarily true. PCI compliance means that you have a specific set of security controls on your Card Holder Environment, and if that was an honest self-assessment or competent external audit, then I would think that you *do* have some real security. Whether or not it's adequate against any particular attack will depend on that attack, but it's a good baseline anyway and probably more than what a lot of companies are doing. Like other people have mentioned, this is only the CHE, and if this system was outside that scope, it would not have been audited via PCI (it does appear that this fell through the cracks of Best Practices though.)
Shawn

29 Posts
From what I've read, the Sony PlayStation network was not PCI compliant at the time of the breach. PCI rules require firewalls to be in place and security updates to be maintained on devices where credit card information is stored *and* on the company's other devices that have network access to devices where credit card information is stored. Several articles have indicated that firewalls were not in place and that security patches were not up-to-date on the servers involved in the breach. Sony may have had a rubber stamp from a corrupt or incompetent PCI auditor to indicate that they were compliant, but the credit card companies can still try to hold them responsible for lack of compliance.
James

12 Posts
"and that security patches were not up-to-date"

There is an important caveat to that comment. From the PCI FAQs:
---------------------
Would older operating systems that are no longer supported by the vendor be deemed non-compliant with the PCI DSS?

Systems that use operating systems that are no longer supported with new security patches by the vendor, OEM, or developer are not necessarily out of compliance. Compensating controls could address risks posed by using older operating systems. Exploit of legacy code is the main risk posed by an older operating system. Since well-known exploits are typically included as signatures to anti-virus, IDS/IPS and firewall filtering, a compensating control to consider is performing an exhaustive search to ensure that all known exploits for that operating system are identified, and that anti-virus, IDS/IPS and firewall rules are all updated to address those exploits. Other compensating controls could include monitoring IDS/IPS and firewall logs more frequently than required (for example, the requirement is for daily log reviews, so more frequently may be continuously and automated), or isolating and segmenting their POS systems via firewalls from the Internet and other systems in the cardholder data environment. The eventual solution is to upgrade to a new and supported operating system, and the entity should have an active plan for doing so. For more help with compensating controls, and for questions about whether a specific implementation is consistent with the standard or is 'compliant', please contact a Qualified Security Assessor.
-----------------------------
So as long as you're running end-of-life systems but have applied all of their patches, you could be found compliant. There is a caveat in the external vulnerability scan that says an out of date operating system is an automatic fail, but I've never seen that diagnosis made reliably by an automated tool from the Internet.
Anonymous
re: PCI

Everyone repeat after me "Compliance is NOT Security!!!!!"
Anonymous
It's been said a few times, but here's another way to see it

While PCI is a compliance standard that includes many (if not the most) technical controls, it is not meant for securing a corporation.

The only reason PCI exists is to handle risk; those of the credit card houses, not the corporation being made compliant.

If your corporation is adequately secure, it will be compliant. Not the other way around...
Anonymous
The basic premise of PCI compliance is that credit card numbers should never be stored. There is no reason to keep them. Yet Sony, Microsoft and countless other organizations store credit card numbers. It's time that the credit card companies started laying out some heavy fines to these guys, and maybe they will begin to think seriously about security.
RobM

14 Posts
