Message-ID: <20110510062352.GL22495@tracyreed.org>
Date: Mon, 9 May 2011 23:23:52 -0700
From: Tracy Reed <treed@...raviolet.org>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony: No firewall and no patches

On Tue, May 10, 2011 at 02:49:05AM +0000, Thor (Hammer of God) spake thusly:
> I agree - You can chalk that one up to the auditors.  There was mention of
> that in the article, and I too would be interested in what auditing firm
> signed off on that one.   

Things can change after the audit so don't be too fast to crucify the auditors.
What was running during the audit may not be what was running when the
intrusion happened. PCI Compliance is very much a point-in-time sort of thing.

Not only that, but there may have never been an audit. Sony is probably
comprised of a number of level 2 merchants. Not one giant Sony Corporation
Level 1 which would invoke an audit. It might even be smart for them to try to
arrange it that way as audits can be very expensive for an infrastructure as
large as theirs. We're talking hundreds of thousands of dollars.

If they are not a Level 1 merchant their system administrators and maybe
internal Sony auditors probably self-assessed and filled out SAQ-C or D on
their own. That works on the honor system. Although I hear the economic
consequences can be severe if you lie on the SAQ and it is found out after a
compromise. So there is no guarantee that there was ever an outside PCI audit.

Each payment card brand generally requires more than 6 million transactions of
their brand annually to be considered Level 1 and require on-site audits with
that brand. Visa has around 44%, MasterCard 31%, Amex 20%, and Discover 5% of
the payment card market. 

So if Sony's payment card market share follows the industry average they would
have to do at least 6M Visa, 4.2M MasterCard, 2.7M Amex, and 0.7M Discover. For
a grand total of 13.6M transactions annually to be likely to have hit Level 1
status with Visa. Sony says 77M user accounts have been compromised. It is hard
to extrapolate how many credit card transactions that might be though.

PSN has been operating for 4.5 years. 77M records over 4.5 years is 17M records
per year. And that is if everyone does one transaction per year and buys the
1-year subscription for $4/month. A lot of people probably buy the 3-month or
maybe there is a month-to-month option, in which case the number of transactions
would be a lot higher. And I have no data on subscribers who drop off and don't
renew, which would make it less. So... it seems plausible that they could have
been a Level 1 merchant, especially by the fourth year when presumably their
user base is at its peak so far. We'll just have to wait for more details to
know for sure.

-- 
Tracy Reed


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/