[PSN] Data of 2.2 million credit cards stolen!

Joined 16/12/2009
27 posts
Mimyke, topic opened on 29/04/2011 at 05:23
The title speaks for itself... It's here:
http://www.factornew...a_pas_de_p.html

Details:
  • 2.2 million, including 150,000 German ones
  • Quote from the article: "the attorneys general of 22 US states, the FBI's cybercrime section and the Federal Trade Commission have opened an investigation".

In short, things are going to heat up.
10 replies
Joined 19/10/2009
6492 posts
Hihihi...

Are they going to investigate Sony's 'failings', or rubber-stamp this nice mush that is being served to its customers?

Will the hunt for 'pirates' be the calf's head served up in the media?

They're going to have a hard time; they'll even be forced to make fraudulent purchases to validate their 'theory'. It remains to be seen when these 'purchases' will date from, where and to whom they will be addressed. In short, we haven't finished laughing at this story...

Their community is losing it, and all they find to do is try to divert the eyes fixed on their incompetence towards the 'pirates'...

Can someone confirm for us that each country has 'its own' PSN?
Otherwise their investigations, whether initiated by 'regional' politicians, the Federal Bureau of Investigation or the F.T.C., if the 'server' and the activity are located outside their jurisdictions, they can go fiddle with themselves in their corner...

Has anyone read anywhere a testimony, one that isn't a hoax, of fraudulent use of this 'stolen' data...? (something like a copy of a filed complaint)
Joined 27/05/2010
11 posts
Gnommy, 29/04/2011 - 08:42

Hihihi...

Can someone confirm for us that each country has 'its own' PSN?

No, it's not the case that each country has 'its own' PSN, given that we can log in with the same logins on the English, Japanese or even Russian site... So I strongly doubt that each one has 'its own' PSN...
Joined 17/08/2009
345 posts
This is huge, I love this news.
GeoHot couldn't have been more right.
I think Sony is making far too many enemies. Already when they had hidden a backdoor on their CDs it had caused talk, but the GeoHot affair is costing them dearly.
Joined 07/12/2003
2993 posts
That's called a "black hat full disclosure", I believe...

Well yes... When you have alienated the whole community of white hats and grey hats, only the black hats are left to exploit the flaws...
Except that they won't be doing it just for fun

It's going to be a festival in the coming weeks... How much do you bet that this is only the first of a very long series of scandals involving gaping security holes that Sony is going to take in the face?...
Joined 21/04/2009
995 posts
I hope SONY takes it right in the teeth, with their miserly system (DRM, payments...)

Citizens, to your lawyers...
Joined 20/08/2008
449 posts
Phase 1:

Post:

One interesting point I found is a not secured access log of a PSN environment.
You will quickly notice the IP 214.1.211.251, which sends requests like a vulnerability scanner.
The IP points to the DoD Network Information Center, based in Ohio USA.

The first log entry of this IP is [03/Mar/2011:07:10:38 -0800]. As the DoD is known as being easy to hack


Phase 2:

Post(s):

214.1.211.251 - - [15/Apr/2011:09:40:11 -0700] "GET /officescan/cgi/cgiChkMasterPwd.exe HTTP/1.1" 404 336 "-" "-"

178.202.110.92 - - [22/Apr/2011:19:05:00 -0700] "GET /admin/cdr/counter.txt HTTP/1.1" 404 343 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"

214.1.211.251 - - [15/Apr/2011:09:40:09 -0700] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0" 404 325 "-" "-"

214.1.211.251 - - [15/Apr/2011:09:39:51 -0700] "GET /scripts/foxweb.exe/ HTTP/1.0" 404 324 "-" "-"

214.1.211.251 - - [15/Apr/2011:09:39:48 -0700] "GET /phpwebfilemgr/index.php?f=../../../etc/services HTTP/1.0" 404 328 "-" "-"

214.1.211.251 - - [15/Apr/2011:09:39:49 -0700] "GET /board.php?FID=alert(document.cookie) HTTP/1.0" 404 314 "-" "-"

214.1.211.251 - - [15/Apr/2011:09:39:38 -0700] "GET /servlet/webacc?User.id=">alert('eeye2004' HTTP/1.0" 404 319 "-" "-"

214.1.211.251 - - [15/Apr/2011:09:39:30 -0700] "GET /modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script> HTTP/1.0" 404 316 "-" "-"


And the party's on:

Logs:

xxx: I don't think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
talk about network stuff?
nice
i just finished decrypting 100% of all psn functions

you can forget all the history wiper and log remove apps
theres a independant check
which transfers all games and their playtime
every time you login
you can modify it like the firmware version tho
it looks like:

aswell they can detect backups this way
hash is eboot.bin to check for version?
if you use a backup it will look like this:
32'' TFT-TVOEMreleasecex
i cannot find my PS3 connect to host with 'updptl' in the name
returns tv, fw version, fw type, console model
also i found data it collects when i had usb device attached etc etc
so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
user2, at what time does it connect to that host?
during the PSN logon?
sec i check
user2 how can you modify that data?
user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now?
no DNS request for a host with 'updptl' in the name in my packet captures :-\
@user5: it sents directly after user profile load and sometimes; - it seams random, just when u play a game or anything
ohh
@xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
oh so its not on the ps3 hdd itself?
user2: aha, so this information is actually encrypted?
ya
the list is stored online
and updated when u login psn and random
damn
but where is it stored before that? I have never been online with my ps3...
so it must be somewhere
was hoping it would be on the ps3 hdd
then lock it or so
the only avoidance is block all *.playstation.net
MAYBE - i rly dont know - it doesnt save it at all on hdd
so only transfers the games and stuff in one ps3 session when you go online
so if u have ps3 offline and play a game, then shutdown and turn on again
it MAY not transfer update
cuz i didnt find any info for that list on hdd
it could be that its used for online playtime or psn logged in playtime
aswell you should never ever install a CFW from someone unknown
cuz its way too easy todo scamming at this point
for example:
creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
sent as plaintext
uh
did you censor that card?
ya its fake
good
wow, plaintext :s
plaintext wow
im never putting in my details like that
ya is all fake lol
i never used cc on ps3
normally you ATLEAST encrypt the security code, even if its ssl
id hope sony would do such in a safe manner
psn cards probably plain text to then
fake certs are known since years as vuln so companies encrypt such data twice normally
but hey its sony --< its a feature
lol
lol
yeah if you go public with your info they either remove the store or psn all together
as an update
I doubt it
from all the actions they've taken the past years, we can only deduce that Sony don't care about their customers
impossible

they wont update their whole psn lol
but this should really get out there, but I guess it's on psx-scene.com in a matter of minutes already
3.60 removal of psn
i know a few guys who worked @ sony's psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was "we thought it was adressed." - lol
sony qa --< trainees
that fits nicely into the "#define rand() 4" mentality.
yep
or more of
ECDSA_PRIVATE_KEY privateKey;
lol
and PrivateKey is in a header file
and it's static
xD
and ECDSA_RANDOM in a header file
and so on
another funny function i found is regarding psn downloads
its when a pkg game is requested from the store
in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
..
is like

my god
drmff
lol
lol
:facepalm:
well, that's one way to offload the server.
still wondering when the big ban wave arrives
if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
ask ur friends
prolly they take it like it is now, unstoppable anyways
new firmware to ban all further actions and done
an open psn would be nice
even if it was just a player matching service
ya
a PSN host by the community
that actually could be perhaps possible
if you can get auth working
and all
a new np environment
the friend list management is easiest
simple jabber server
don't some games use their own servers?
some use p2p
which check from the official psn servers whether you're logged in and who you are
imagine the traffic load
whod pay this xD
yes, but even p2p games do use publisher or sony provided servers for matchmaking
NpCommerce2
I am getting behind everything on doing my security analysis
started a couple months ago monitoring SSL stuff, and then got distracted with blackops and havent pursued it, seems a lot of people are starting to take interest in it now
and regarding matchmaking and lobby systems
the functions built in firmware and/or game
how would you answer them
the server side code we dont know of
some stuff appears to be in lv2 and not in sprx for network stuff
so we can not create proper answers
you can try to analyze the protocol and say "if X then Y" type responses the problems come up when you get something you havent seen before
that was done with counterstrike for example so that people could cheat
so its not entirely impossible although it is time consuming
sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version - for x-i-5 tickets for example
wasn't cs/hl server software available for anyone to download even back then?
anyone found a way to change DVD region on ps3 yet, btw?
for psn you can't even get binaries for the server side
user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
xxx: wasn't syscall 0x363 0x19004 3rd byte useful for that?
@xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
xxxx: no but you can monitor traffic, even send some "bad" things and watch the responses... I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
i mean why would someone want to chat with a someone on ps3
while any1 anyway have msn/icq/aol
know this, sony in realtime, monitors all messages over psn
I verified that, its part of my privacy threats thing I am doing
ok too bad id like the psn messenger on pc
the realtime monitoring is a bit bothersome to me
user1: such information is quite useless to me, as I'm not that into the technical stuff was more hoping someone had an easy way to do it.. like a DVD region changer or something.
@user12: the realtime jabber monitoring as most likely for realtime censor of messages
they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but ...
well they have some odd things in there
yeah they have that dumb automatic word filter
the censor word-list is ridiculous
psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd ... why monitor that code?
which makes it much more difficult to have a sensible conversation in languages other than english
why change its state on sending it?
the censor words in home is on your system, it downloads a dict list of words
an empty file resolves that
tryin to find my jabber logs... >.<
so it only censors on receipt not on transmission
dunno how the other stuff does it
mostly because I have yet to look
now you have me curious I am gonna go redo my network a little bit to start monitoring again
btw aswell a reason AGAINST pc to ps3 messenger is spam
cuz there actually is an easy way to get userlists
would fuck psn pretty hard if some skiddy releases a spam app
the highscore and matchmaking lobbies you can request per game id and get user mails for psn
ugh, yeah
huge list + spam app == sux
argghhhh
why do my trophies never sync to np
anyway sony just would have to open a port on the jabber server, so you could login with icq
lol
and we all know what happens if cool homebrew arrives, remember open remote play
sony just releases an official tool lol
thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future
psn is a core feature of ps3
making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away
they would be sued like with otheros
yeah but they also blocked open remote play
user12: that already went away, didn't it
if you are not running current firmware you do not have a right to psn
user12: even for debug users
not really, not yet anyway
3.56 did not break it but the next release might
especially because it stops people running backups and other stuff on psn
well i mean 3.41
ya would be all possible for them
not sure what, if anything, changed with 3.41
you used to be able to sign in on debug 3.41 until someone released that psn enabler hack
one way more difficult than the other so i think they first will go on with backup ban on psn
even though 3.42 and 3.50 had already been released
via playlists and stuff i mentioned before
a secure way to fix it would require firmware and server update tho
wondering what prevents em of this way
I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work
I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though
banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version
because my work is specialized and very limited in scope
the psn has 45 environments all working independant
prolly that is the reason
we could just change to another environment
and they also need to have an eye to the official developers which use environments too
and the qa
which needs to work with older firmware sometimes
so they cant update all environments and block all
probably so much ITIL process management so they can't fart without a work request
hehe
the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware
they can even without the xi
as the firmware version is in a lot more requests than the auth
version is sent to the getprof servers also
ppl change only the xi one atm
and ena.
but its in netstart, xi, game starts
I understand that part of it, I was just talking about x-i-5 auth stuff
many many functions send the real fw version
but only xi5 is checked
I realize that many functions send the fw version, anything that uses libhttp.sprx does
ya
remember I have been doing this for a couple months
even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server
what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
openssl libs
not the app itself
and I do it for *ALL* ssl connections in realtime
so even if you use the webbrowser it will generate certs for that too
nice tool you made
it is similar in function to "sslsniff" but mine works with the ps3 and logs correctly
for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
user12 which certs u use?
only 05 i guess ?
CA i mean sorry
user2: I use them all
there is a place that the firmware version is in lv2 that is not a "string"
its 'decimal' "035500" not sure if its 32 or 64 bit in size though,
btw u know the login url for auth is like:
but that is not the ascii 3 its the decimal value
&serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
I have complete logs for the auth stuff
did u already change the "first" param?
i wonder what it does
first=true is only there if you had not previously logged into psn
ah ok
its missing if you were previously logged in but you need a new ticet
ticket
hi
please not connect
to external dns ip
with your ps3
your passwords and email and other data is revealed on the external side
which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
spam people can use this info
most likely if they are mapping that host
if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
so it depends on what hosts they are looking at
to start a spamming attack
hm didnt check that ticket stuff yet
as when i used a ticket
for a test POST
i worked with 1 only
and always worked
prolly many to identify the service
the ticket is sent to say a game, netflix, etc. anything that uses psn. That way you do not send credentials to anyone but sony
if its like u say then this is another vuln lol
cuz as i tested if always first ticket works
you could hijack a session
the ticket and session i used didnt timeout
and if it always creates a new ticket as u say
there would be many sessions
I also have yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
for one user open
it may invalidate old ones on issuance of a new, I never looked
I just know that I saw it getting one at app launch
hm wierd with the tickets
i know the ticket is build outta few params
the serial
the userid
issueddare
service id
online id
many many
I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
its not old version, they just didnt update the banner
I consider apache 2.2.15 old
which server
it also has known vulnerabilities
auth.np.ac.playstation.net
ya the displayed version u see via banner is not the real version
unless they updated it in the last couple weeks
I doubt that since its not trivial to change that
its a bit more invasive than just setting it to Prod like they do on their other servers
you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
its just backported security patches
i did remove all my info after downloading the games though
that is just psn not the store
they are running linux 2.6.9-2.6.24 on that box too
that too is old
lol @ buying on store
yes, but their general attitude towards security just seems...ugh
sony wont misuse the info i bet xD
but just prevent using cfw's of unknown ppl
even better from ALL ppl
make ur own lol
so I doubt that they are spoofing the network stack on that box as well
my guess is that it really is undermaintained "it works why change anything"
could be
sony really should update that stuff to something more current
ya
but imagine
psn == 45 environments
and for example
every env has 50 subdomains
to external machines
its rly rly huge
who wants to do this xD
ppl r lazy
wont change
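The access-log excerpt quoted in the post above ("sends requests like a vulnerability scanner"), run through a small detection script. This is an added example, not part of the original thread: the signature list, thresholds and function names are assumptions chosen for illustration, and the sample input is the eight lines from the post with typographic quotes normalised to ASCII.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# The eight access-log lines quoted in the post, with typographic quotes and
# dashes normalised to plain ASCII; request payloads are kept as posted.
SAMPLE_LOG = r'''
214.1.211.251 - - [15/Apr/2011:09:40:11 -0700] "GET /officescan/cgi/cgiChkMasterPwd.exe HTTP/1.1" 404 336 "-" "-"
178.202.110.92 - - [22/Apr/2011:19:05:00 -0700] "GET /admin/cdr/counter.txt HTTP/1.1" 404 343 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
214.1.211.251 - - [15/Apr/2011:09:40:09 -0700] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0" 404 325 "-" "-"
214.1.211.251 - - [15/Apr/2011:09:39:51 -0700] "GET /scripts/foxweb.exe/ HTTP/1.0" 404 324 "-" "-"
214.1.211.251 - - [15/Apr/2011:09:39:48 -0700] "GET /phpwebfilemgr/index.php?f=../../../etc/services HTTP/1.0" 404 328 "-" "-"
214.1.211.251 - - [15/Apr/2011:09:39:49 -0700] "GET /board.php?FID=alert(document.cookie) HTTP/1.0" 404 314 "-" "-"
214.1.211.251 - - [15/Apr/2011:09:39:38 -0700] "GET /servlet/webacc?User.id=">alert('eeye2004' HTTP/1.0" 404 319 "-" "-"
214.1.211.251 - - [15/Apr/2011:09:39:30 -0700] "GET /modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script> HTTP/1.0" 404 316 "-" "-"
'''

# The request field is matched greedily and anchored on the status code, so a
# stray double quote inside the request (the webacc line) does not break parsing.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Assumed, illustrative signatures and thresholds (not from the thread).
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "script_injection": re.compile(r"<script|alert\s*\(", re.I),
    "legacy_cgi_binary": re.compile(r"\.exe(?:[/?]|$)", re.I),
}
MIN_HITS = 3                      # probe requests needed to flag a source
WINDOW = timedelta(minutes=5)     # ...all falling inside this time span

def fully_decode(target, max_passes=3):
    """Percent-decode until stable; return (decoded, number of passes used)."""
    passes = 0
    while passes < max_passes and unquote(target) != target:
        target, passes = unquote(target), passes + 1
    return target, passes

def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, _, rest = m["request"].partition(" ")
    target = rest.rpartition(" ")[0]          # drop the trailing HTTP/x.y
    return {"ip": m["ip"], "method": method, "target": target,
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]), "agent": m["agent"]}

def classify(target):
    """Return the set of probe categories a request target falls into."""
    decoded, passes = fully_decode(target)
    labels = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    if passes > 1:                 # e.g. %253c -> %3c -> <
        labels.add("double_encoding")
    return labels

def is_burst(times):
    """True if any MIN_HITS probe requests fall within WINDOW of each other."""
    times = sorted(times)
    return any(times[i + MIN_HITS - 1] - times[i] <= WINDOW
               for i in range(len(times) - MIN_HITS + 1))

def analyse(log_text):
    """Summarise probing per source IP; returns (report, unparsed_line_count)."""
    report = defaultdict(lambda: {"requests": 0, "probe_hits": 0, "not_found": 0,
                                  "blank_agent": 0, "categories": set(), "times": []})
    unparsed = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        row = report[rec["ip"]]
        labels = classify(rec["target"])
        row["requests"] += 1
        row["not_found"] += rec["status"] == 404
        row["blank_agent"] += rec["agent"] in ("", "-")
        if labels:
            row["probe_hits"] += 1
            row["categories"] |= labels
            row["times"].append(rec["time"])
    for row in report.values():
        row["scanner_like"] = is_burst(row.pop("times"))
    return dict(report), unparsed

if __name__ == "__main__":
    for ip, row in analyse(SAMPLE_LOG)[0].items():
        print(ip, row)
```

On these lines the first source is flagged on seven probe requests inside 41 seconds with no user agent, while the single browser request from the second source is not.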
Joined 20/08/2008
449 posts
/*... I am not the professional translator, so this is my personal translation only...,
...since I got 2 credit cards registered in PSN system, gotta understand this well....
.. I got the report that one of CreditCard was having international transaction bill..
...so maybe I will need this data later for legal matter....the bracket parts is my comment...
..wrote this in rush too, for mistyping.. sorry...*/

/* Additional.. just got the notification to delete this.. please copy it to somewhere..
...if this document link will not be up again terribly sorry..*/

//(Announcer words)...Hirai-san apologized to the public.. bows...
//(Announcer words)...As an apologising present the game and music will be freely downloadable in PSN!

BELOW IS THE Q & A BETWEEN REPORTER AND SONY:

Q. The accuracy of approximately 10 million credit flow
A. There is no firm evidence of leakage. Cannot say whether a leak or not.
There is no report so far.

Q. prospect of resuming services.
A. We want to restart the service country/region base. Basically approx within a week schedule.
(a week from today?.. previously we heard about same "a week matter..)

Q. How was it the effect to the business so far?
A. Cannot tell it yet, many things to handle one at the time.

Q. What was the condition when you firstly sense the trouble?
A. Hacking with the high skill technique was undergoing, was confirmed.
But we still don't know data was stolen / taken

Q. Why did you announce privacy data was stolen then?
A. The possibility existed, what/when/how was it still under investigation.
account numbers is between 7700000 to 7800000 accounts plus there are double accounts.

Q. What was your damage report and what is the legal action you took?
A. Basically SNE is business foundation in US, reported to FBI and asked for investigation.
It's still under investigation so cannot make more comment on this.
(.. this part is the right thing to do..)

Q. Was there any security vulnerability was used as the attack vector?
A. There was a well-known vulnerability which we(SNE) did not even know it exists in the system
(this could be a web base kinda vulns...)

Q. The attacked server was what kind of server?
A. If we answer it you will question us more deeply, so the answer is no comment.
(.. politics... politics..)

Q. You guaranteed the credit card reissue procedures for each account?
A. Privacy Protection Law is differed in each region, so it depends on area.

Q. Information Disclosure for this incident was very slow, do you recognize it?
A. we did the internal hacking announce, shutdown the system, requesting investigation,
shutdown was also done in steps,..in order to disclose, firstly the current data needs to be analyzed, was huge,
the time was taken more than expected.
(... looks like they don't know where to start..)

Q. Any relation with the previous hacking incident with the current one.
A. Currently we are not in the condition to decide it yet..

Q. Do you know what is the target of the current intrusion incident?
A. We have no idea why they attack our network, and what is the purpose/target of it.

Q. Are the passwords encrypted?
A. We made the intrusion prevention system as security therefore the password was not encrypted.

Q. How about the current damage in network strategy?
A. As a long-term response to this matter,
we will fix strategy both short-and-long-term security vision of the network service.
NGP and roadmap at the moment is unchanged.

Q. The currently registered account which needed to be deleted by users, how will you follow?
A. We will follow it right. One by one.

Q. How about the users which will not/dont/cant change the password for later,
you will provide the action from the PSN system?
A. We will announce the request to reset the password for all PSN users.
Whether system will perform some action or not we will confirm it.

Q. How about the future hacking and cracking things?
A. We will provide PSN with much better platform which including the 3rd party collaboration for the future.
We won't forgive the customization/modification in our product.

(UPDATE)(interrupt) Sony: "The password was not encrypted, BUT protected by HASH"
(...hashes... my password only protected by hashes.....good lord..)

Q. Do you know the risk of the current incident will be happened,
but WHY you keep continuing service? What will be your plan?
A. We will keep on continuing protecting the user's privacy.
So we took this hard lesson and supporting it accordingly.

Q. Why there is the different time lag regarding to the official blog announce between the
international to Japan one?
A. Between area/country the announce/communication way is different, that was why.

Q. About the PS3 Root Key Cracking
A. For the security purpose we cannot comment much now, but, basically we will deal with it in business (or can be assumed as legal) basis.

Q. For the compensation you said you will consider to launch free download contents campaign,
But what about the FINANCIAL GUARANTEE for the compensation?
A. We guarantee the privacy of the credit card users,
we also guarantee for the loss related to the service shutdown,
if there is loss related to the card being used then we will guarantee and support it case by case.

Q. What about your Risk Management responsibility?
A. First thing that has to be done is to bring back the market trust to the SONY product/service.
(...which that'll be the hard part to do I guess....)

Q. You explained before that you protecting systems with the best,
but in the end why you can get hacked?
A. We did the best we think for the security system.
You may say that we were weak, but we WILL improve it.

Q. SONY is Japan office too, why you did not even call to Japanese Police due to this incident??
A. There is no prejudice matter in it, the request for investigation was conducted to many countries authorities, not only to Japan.

Q. Until 20th there is no such announce from your side! Why? In the future what will you do about this miss?
A. Due to the after-intrusion we were busy focusing the monitoring.
The vulnerability was discovered at the same time too..
Can not support efforts to accelerate the cycle for everything at the same time,
as soon as we are sure then we announce.
(...in a very diplomatic way to say.. this part needs my energy to make english correct nuance ..)

Q. Currently, how many PS2 and PS3 market share? How many users is actually exist now?
A. We don't have the latest data yet, we will reconfirm and inform later.

/* (UPDATE) there was the announce of the numbers of users and product sales.. but it was so mumbling.. cannot hear it well */

Q. While you released the information about the privacy stolen on 27th,
why you DID NOT make the press conference at that time??
A. The privacy leak possibility existence was clarified on 27th we made the announce of it in -
the same day by blogs, we are doing the press release today as per scheduled in the internal roadmap.

Q. You have FW and IPS yet the attack bypassed it, how? and why?
A. Firewall couldn't detect it as intrusion, it looks as the normal data-transaction,
looks like it was the regular commands process between clients-servers.

Q. How about the disclosure of the logs?
A. It is currently under investigation, we have nothing to inform at the time being.
regarding to the result it will bring possibilities which will effect the time line.
So ..No comment for now.

Q. Until now was there any kind of similar intrusion before?
A. There was not anything like this. for this kind of "intrusion" this is the first time.

Q. How about the PS3 firmware's current security condition related to this incident?
A. We will improve it.

Q. Back to the incident compensation matter, how much do you plan to pay to every users?
A. No such hard evidence for the privacy leak even until now, so we cannot response to your
question, however if there is any financial damage occurred we will handle it case by case.

Q. It was detected that the user agreement rules has be changed in 28th, specially regarding to
the cancellation of registration terms by users or system due to incident,why was it?
A. The PSN system itself is not user's base registration system like software does,
so basically there's no such of user's agreement scheme that you assume. But we are-
considering the procedure for cancelling the user registration for the current special case only.

Q. You always said about credit card matters. It is not the matter of the Credit Card got stolen only,
above it, what do you plan for your PRIVACY LEAK incident?? (angry voice of a reporter)
A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it,
deeply sorry about the privacy matter, but -
so far there is no report no claim come to us about this leaking matter (from japan at least it's what he meant)

Q. How soon the PSN will be up?
A. Cannot online or up soon. Approximately in a max a week. The security assessment still ongoing.
The security system will be fixed to be better, now there's so many things that has to be done.

Q. How about Anonymous group who said responsible to the attack?
A. It is only the mass media communication matters and irrelevant to the current incident,
could not find the connection of it.

Press conference was over, they bowed and went away...

(end)

-----
Translated by @unixfreaxjp/twitter
Please do not misuse this information and this is my private log only
http://0day.jp