Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: Tracy Reed <treed () ultraviolet org>
Date: Mon, 9 May 2011 23:23:52 -0700
On Tue, May 10, 2011 at 02:49:05AM +0000, Thor (Hammer of God) spake thusly:
> I agree - You can chalk that one up to the auditors. There was mention of that in the article, and I too would be interested in what auditing firm signed off on that one.
Things can change after the audit so don't be too fast to crucify the auditors. What was running during the audit may not be what was running when the intrusion happened. PCI Compliance is very much a point-in-time sort of thing. Not only that, but there may have never been an audit. Sony is probably comprised of a number of Level 2 merchants, not one giant Sony Corporation Level 1 which would invoke an audit. It might even be smart for them to try to arrange it that way as audits can be very expensive for an infrastructure as large as theirs. We're talking hundreds of thousands of dollars. If they are not a Level 1 merchant their system administrators and maybe internal Sony auditors probably self-assessed and filled out SAQ-C or D on their own. That works on the honor system. Although I hear the economic consequences can be severe if you lie on the SAQ and it is found out after a compromise. So there is no guarantee that there was ever an outside PCI audit.

Each payment card brand generally requires more than 6 million transactions of their brand annually to be considered Level 1 and require on-site audits with that brand. Visa has around 44%, MasterCard 31%, Amex 20%, and Discover 5% of the payment card market. So if Sony's payment card market share follows the industry average they would have to do at least 6M Visa, 4.2M MasterCard, 2.7M Amex, and 0.7M Discover, for a grand total of 13.6M transactions annually, to be likely to have hit Level 1 status with Visa.

Sony says 77M user accounts have been compromised. It is hard to extrapolate how many credit card transactions that might be though. PSN has been operating for 4.5 years. 77M records over 4.5 years is 17M records per year. And that is if everyone does one transaction per year and buys the 1-year subscription for $4/month. A lot of people probably buy the 3 month or maybe there is a month to month option in which case the number of transactions would be a lot higher. And I have no data on subscribers who drop off and don't renew which would make it less. So... it seems plausible that they could have been a Level 1 merchant, especially by the fourth year when presumably their user base is at its peak so far. We'll just have to wait for more details to know for sure.

--
Tracy Reed
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/