Post: Hardening Any PlayStation Account — Mitigating Social Engineering and Vulnerabilities
10-09-2018, 06:37 PM #1
Hydrogen
Super Mod
Introduction

Hello everyone,

It's been a while since I wrote an article here on NextGenUpdate. I hope everyone has been doing great these months that have passed. Previously, I shed light on this beginner tutorial on how you can secure your account on PlayStation. I wanted to dive in-depth into this topic from my previous one, which you can find [link]. In this lesson, I'll be conveying multiple vulnerability holes I've learned from others or found. This will help you mitigate information leakage, protect you from adversaries, and hopefully build confidence when it comes to security.

*WARNING* This thread is for learning purposes only. I'm not responsible for what you do after reading this. I'm only adding the "Attacker's Role" so you can have a basic understanding of how people do these types of things. I'm not promoting any of this, and just want to make sure you know what to look out for when protecting your information. For thread removal, contact me via Twitter: (at)hydrogenNGU

For a quick second, let's jump into the attacker's shoes. We will be acting out as an adversary to have a mindset like one. After, we will bring all the information we learned to prevent the actual user from getting attacked. This will let us be more aware of our surroundings, what's possible, and how we can mitigate these attacks. If you would like to skip the attacker's role, scroll down until you find the Victim's Role. I'm not done with this thread, but it shall be reviewed and finished by tomorrow.




Brainstorming


  • What are we trying to accomplish?
  • Is it possible to do it?
  • What resources will I be needing?
  • Is the time worth it?


There are many questions to ask before planning a strategy. Always be sure of what you're aiming for. If this isn't the case, you'll always find yourself in a bad spot. If you think like an adversary, you're the adversary. First things first, let's gather information on a PlayStation Account named AttackMeThree.




Database Harvesting

With an easy search of Google or DuckDuckGo, pasting that name and searching for it will give us opportunities to see if this name has been used on previous websites. For example, say AttackMeThree was found using MySpace. There was a MySpace database hack that grew like a wildfire and exposed over 427 million accounts' information. Developers not only used SHA1 encryption, but they didn't salt each password, which is basically a second layer of protection if an adversary did breach their servers; they would not be able to just automatically read the passwords.

If the adversary plans to use that against you, he/she can harvest personal information from you, which is the first step to compromising an account. Now, remember, this isn't only just MySpace. There are thousands of databases that contain any data breach ever released onto the internet. Facebook, MySpace, Chilis, Twitter, SnapChat, etc. The first time you ever create an account on the Internet, you're agreeing to your own terms and services that you will forever be stuck in. This isn't anything bad though, but it's definitely something you should be aware of.

Pulling information from databases, which I will not post here, is simple. You can get anyone's:


  • Date of Birth
  • Full Name
  • Email
  • Passwords
  • Security Questions
  • Address
  • IP Address


Scary, isn't it? Yes, but this is the reason why I tell everyone. If you're not paranoid about the Internet, start now. Having your awareness high is a successful tip to staying cyber safe. Always question yourself before signing up on a website, clicking links, or agreeing to terms and services. For the most part, if the email isn't a Yahoo, AOL, or Hotmail, you should be somewhat... safe. The reason I say this is because these three email providers are extremely vulnerable and I don't suggest owning one. If your email has been inactive for a certain amount of years, they wipe it off their system. This literally lets anyone re-create your email and send a password reset to the account associated with it. Not only that, the amount of data breaches they've received is unbelievable.

I highly suggest creating a [link]. They do offer different choices if you'd like to receive end-to-end encryption. If that's not the case, and if you're serious about privacy and anonymity, look into [link].




Harvesting API and VPN

Many of us have seen it! Resolvers. If you're a skilled programmer, this is your field if you're attacking a victim. Creating a website or a tool to type in a username to retrieve information is widely popular these days. If someone makes it public, the entire world can have at it. Sad to say, if you're not running a VPN, you'll be vulnerable. While online on any device, it is recommended to run a VPN to make sure your location is scrambled. If you're not the type of person to do bad things on the net, you should be okay. Just remember, VPNs can be unscrambled, especially by nation states. We'll talk about VPNs in another lesson.

If the programmer can make a functional resolver, he can retrieve information such as IP Address and Internet Providers. This is the reason why I say VPNs are okay in this situation. You might bump into a normal adversary or a guy that just uses tools from other programmers, but if you're not affiliating yourself with the bad guys, they'll most likely not know how to decrypt anything from your VPN or correlate data. Key pointer: if you're a cybercriminal, VPNs can always bite you back in the ass. The FBI made a world-popular VPN provider, HideMyAss, give them information on a person, which automatically highlighted him as a LulzSec member. You can find and read the article [link].

Running VPNs?


  • They are useless if you're going against nation states.
  • They can be unscrambled and decrypted.
  • Question yourself before trusting a VPN Provider.
  • OpenVPN and AES256 is a fine set to run for normal people.





Phishing The Maltese Ray



Many of us have heard about phishing links. They're common, but can be tricky to spot if you're dealing with an experienced programmer. Phishing links are used to trick the end user into clicking on a vulnerable link that can be used in many ways. For example, we want to make a Twitter login link and website that looks similar to the original one. We can create a domain named "www.twitler.login.com". Not only does it look legit, but it can be used in two different ways against the victim.


  1. Similar to a resolver, you can pull more than just location. It's used for computer OS, history, and hostnames.
  2. Redirects the end user to a fake page. If the user enters his credentials on the website, it drops a 404 Error and sends the information back to the attacker's computer.


If you're not sure if the link is legit, you can always hover over it. At the bottom left, the website pop-up will show up and give you the real URL. Many high-end jobs give you training on phishing, which I believe is amazing. The job I recently got hired at gave me phishing training, which was always cool to refresh my memory. Just remember, if you receive one in your e-mail, it will most likely be sent to your spam folder. If the email is written with poor vocabulary, grammar, or fake postmarks, it's a good idea to report it and delete it.

Key pointer: emails can be spoofed! If I wanted to use the president's email domain to send it to Hillary, it is possible! Don't let anyone fool you. You're the front line of defense. I'll make an exclusive lesson on this topic in the near future. Think before you click! Oh, and if you're wondering how I came up with the title "Phishing The Maltese Ray", it's because that fish is an endangered species. Killing the last fish means it will never be alive anymore. If I phish another victim, using his information means his identity will be breached and will no longer be private.

Cross Contamination

Cross-contamination is a cybersecurity term used when you're trying to have a structured strategy for anonymity or pseudonymity: separating your IRL data from your alias data. This is a serious act everyone should think about. Recently, the alleged hacker blamed for WannaCry, Sony Pictures, and the Bangladeshi hack became wanted by the FBI after they correlated data and found out he cross-contaminated information throughout his operational accounts. This is why things become a chain. Every little crumb you leave will be followed by the magical magnifying glass.



Say the attacker can search your username on a database, and you used your personal email on a website that you also used for an alias account. If that website's database has been dumped there, he/she can harvest new information that can be trailed back to your actual information. Confidentiality at this point has been broken and is now available to the attacker. Always remember to question yourself before signing up on a website, especially if it is HTTP. Joke's on me, I'm on an HTTP site. I chose to do it, and I accept the problems it could cause me. For PSN, this has happened before with a guy I met a long time ago. Cross-contaminating isn't something you should ignore... protect yourself. Use your personal information on separate accounts you believe will not be used for fake identities and can't be connected with each other.




Social Engineering PlayStation

Ah, the art of manipulating others for information. This may be the most stressful technique you can ever learn if you become a professional pentester, but sometimes letting the wrong person learn how to do it becomes a serious issue for criminal activity. If you believe programming isn't for you, having this under your belt can be powerful. When you work for a company, they teach you to be robotic. Ever called PlayStation before and they say the same lines over and over? Act really nice so they can make you feel welcomed? Yeah, it's their duty, and they also are trained against social engineering. Most of the time, they receive new reps since they terminate a lot of employees for not following the correct rules. If you can make them feel your emotions, they'll be able to get out of their comfort zone to help you out.

Here's a solid example of what I mean. A mother, stressing over her baby since she's in a hurry, trying to reset the email on an account. In reality, she's targeting a guy's account. Watch this video to find out more.



This exact method has been used on a PlayStation Representative before with a slight twist. As the attacker, you will act like a dad who's about to be late to drop off his daughter. Having a backup person like a younger sister or a smaller sibling can work. She's having a party and all her friends will be there. You have to let emotions out so it sounds legit. The key is to make the rep feel emotional. This will let them get out of their comfort zone and try to help you out without thinking correctly. This won't work all the time, but social engineering is all about time and patience. Don't rush it, be yourself. It's simple to get information out this way, and it's the reason why security breaks with all these layers. At the end of the day, you can have all the protection you need. Manipulating the person behind the computer is the last resort; if they let their guard down, you're technically screwed.




UK Support Spiral

A method I'd like to share is called the Support Spiral. If you follow the UK PlayStation on Twitter, ask them for an e-mail reset through a tweet. They'll end up sending you a support chat through Direct Messages. Once you're in here, social engineering isn't the main thing an attacker would do. There used to be an old method where you would give the rep the account name, which had to be from a UK region. Once the rep didn't give you absolutely any information and closed the chat line, the next URL would literally give out the user's email. Yes, that simple. That's how easy it was to take an email from a UK account. This has now been reported and patched.

A method I had found was to skip through queue time and be sent directly to a rep, which would save thousands of hours for attackers, but I politely sent this to Sony, which they patched within a week. Once you were in a support chat with the UK and the rep ended the chat, all you had to do was press CTRL+Z+F5 simultaneously. This would directly send you to the same/new rep.

Pros for an attacker:


  • Faster way to compromise accounts.
  • Skip the queue
  • New reps for easier chances for accounts.


Cons for PlayStation:


  • Spam/Troll
  • Users would have to wait longer in queues.
  • Could potentially overload servers if a programmer found a way to make bots.


Mitigating Against The Attacker

We've covered multiple ways attackers think. There are more sophisticated methods people use, but if you're just a normal person looking to be on the safe side, you should be fine. This time, what can we do to prevent all these new methods they're releasing to fight against us? There is one possible answer I can't say enough, but it's true. There is absolutely nothing you can do... No, I'm not scaring you. If you're not going against a nation state, government, or another programmer that knows what he's doing, you'll be fine. Don't worry, let's attempt to mitigate these issues.

Friends With Security Benefits?


I'm not too sure if PlayStation still does this, but before they blacklisted my number a few years ago, you could personally call a rep and ask them to send you to a higher staff employee, mainly a manager or ASM. From here, talk to them personally and speak about wanting your account locked or "pinned". This means once you lock it, the only way an attacker can compromise your account is by stealing the serial number behind your console.

The Four Major Hierarchies


Security

I suggest everyone on a PlayStation Console do this. Breaking this section down consists of four major hierarchies.

  • Password
  • Question/Answer
  • PIN
  • 2-Step Verification


Password

Passwords are important when it comes to security. If you're the type of person to have your social media accounts with the same password, an adversary can control your entire social media. NEVER have the same password for all of your accounts. Make sure your PSN Account password is unique and lengthy. Most individuals who crack accounts use word lists/email lists with bots to guess your password. So if you have weak passwords of 4-15 characters, the easier it is for them to crack your account. Make sure you have a 20+ character password with Lower Case + Caps + Symbols to make it harder to crack. A good password would be: JWj8ofF#f8w(2#&@(2497SK%S(@#R^h2

Security Question/Answer

Choose your Security Question, or make your own; I would prefer making your own. Don't put anything basic either, I have seen some people getting their account compromised because of this. "Where were you born?" is a weak security question which can cost you your account. If I was spear phishing you, all I would need is a simple one-on-one conversation through PlayStation. Hey man, how's it going? Nothing, it's just pretty cold here in North Carolina, where are you from? Never trust anyone on the Internet. The Zero Trust Model is a strategy used in Cyber Security. You may talk to people, sure, but they will never be your friends. Choose something hard that they won't ever try to ask you. Even if they ask you, it's pretty much common sense what they are trying to do. "Your mother's maiden name?" - this wouldn't come up at all in a conversation.

PIN

This is a tiny step, but I still suggest you do this! Having a backup PIN can secure your account if you ever forget things. It might be a useless thing to use, but you never want to have second thoughts whenever someone is on your account. Want a tank-secured account? Use this to the best of your ability. Don't use simple PINs or your date of birth either; using a random PIN generator is a good idea. 11111, 12345, 00000 are more guessable, so don't use them.

2-Step Verification

This is the most important step overall when it comes to security on your account. If hackers can get through most of these things that you have on right now, this can give them the most difficult time of their lives to get into your account. If the hacker manages to get into your account, you will receive a text on your phone telling you that this is your 2-Step Verification Code to enter to log in.

Now, before I do get into this. If Sony still offers 2 Step Authentication for only phone numbers, it's sad to say this, but don't do it! Never give your phone number for security. The formula is how it goes...

SMS != 2FA

Giving out your phone number is a direct call from your adversary. People aren't that slow nowadays. Reversing phone numbers is simple. If the attacker gets a hold of your number, they can perform an attack named "SIM Swapping". I've seen fellow people get arrested for doing this, and it's not cool at all. The attacker purchases a new SIM card and goes to a physical store of your own mobile provider. With a little Social Engineering, the attacker now controls your entire life. It sucks to say, but if you're an investor in cryptocurrency or hold sensitive data, SMS Verification is deadly to you.

If PlayStation doesn't offer any type of other services such as Google Voice or Dual Authy, don't use 2FA for PlayStation. If you still want to add it in, you can find that here:

To find 2-Step Verification, it's on the Security Tab at the bottom:


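The "hover over the link and read the real URL" advice from the phishing section, written out as a defender-side check. This is an added example, not code from the original post: it extracts the domain the browser would actually connect to, flags the post's "www.twitler.login.com" as a lookalike of twitter.com, and catches link text that does not match its target. The list of legitimate domains is an assumption you would maintain yourself.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the brand domains worth protecting.
LEGIT_DOMAINS = {"twitter.com", "playstation.com"}


def _host(url: str) -> str:
    """Lower-cased hostname; a bare 'www.x.com' is treated as http://www.x.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host: 'www.twitler.login.com' -> 'login.com'.
    Good enough for .com-style names; a public-suffix list would cover co.uk."""
    labels = _host(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """'legit', 'suspicious: ...' or 'unknown' for the domain behind a link."""
    if registrable_domain(url) in LEGIT_DOMAINS:
        return "legit"
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        for label in _host(url).split("."):
            if label == brand:
                # twitter.com.evil.example: real brand used as a subdomain
                return "suspicious: brand used as a subdomain of " + registrable_domain(url)
            if len(brand) > 4 and edit_distance(label, brand) == 1:
                return "suspicious: lookalike of " + brand
    return "unknown"


def link_text_mismatch(display_text: str, href: str) -> bool:
    """True when the visible text looks like a URL but the link goes elsewhere,
    which is exactly what hovering the link reveals."""
    if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", display_text, re.I):
        return False
    return registrable_domain(display_text) != registrable_domain(href)
```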
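The Password and PIN rules from the "Four Major Hierarchies" section, turned into a checker you can run over your own choices. This is an added example, not code from the original post: it applies the post's thresholds (20+ characters with lower case, caps and symbols; short 4-15 character passwords are weak), estimates brute-force entropy, and rejects PINs such as 11111, 12345, 00000 or anything taken from your date of birth. The common-PIN list and the date format are assumptions.

```python
import math
import string

# Constructed list (assumption) of PINs the post calls "more guessable".
COMMON_PINS = {"0000", "1111", "1234", "00000", "11111", "12345", "000000", "123456"}


def password_report(pw: str) -> dict:
    """Character classes, a brute-force entropy estimate, and whether the
    password meets the post's rule (20+ chars, lower + upper + symbols)."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    pool = (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + len(string.punctuation) * classes["symbol"])
    bits = round(len(pw) * math.log2(pool), 1) if pool else 0.0
    meets = (len(pw) >= 20 and classes["lower"] and classes["upper"]
             and classes["symbol"])
    return {"length": len(pw), "entropy_bits": bits, "meets_post_rule": meets, **classes}


def pin_is_weak(pin: str, birth_date: str = "") -> bool:
    """True for non-numeric, common, repeated, sequential, or DOB-derived PINs.
    birth_date is assumed to be ISO style, e.g. '1995-07-04'."""
    if not pin.isdigit() or pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:            # 11111, 00000
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):          # 12345, 54321
        return True
    dob = "".join(c for c in birth_date if c.isdigit())
    if dob and (pin in dob or pin[::-1] in dob):   # 0704, 1995, 4070 from 1995-07-04
        return True
    return False
```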
10-09-2018, 07:28 PM #2
aeneax
Nothing To See Here
For the section on data breaches, it might be worth adding that the great majority (or maybe it's safer to say the majority, since I can only rely on my own experience) go undisclosed, so as much as people tend to freak out whenever the public learns about a new one, they're actually underreported.

In many jurisdictions (including US) the law requires public companies to disclose breaches of customers' protected information only if the company's shareholders (not the customers, but the shareholders) would find that breach to be relevant. Meaning, if a reasonable investor would think it would affect the company's fair stock price. "Activist shareholders", as any shareholder with a conscience has come to be called, while becoming more and more common and even putting their own choices on the boards of many major multinational corporations, are not considered "reasonable" under the law, meaning what people think in general about data privacy doesn't count. Just the cold hard market.

There's usually a preliminary assessment made when there's a data breach that looks at how many were affected, the sorts of pieces of information that may have been compromised, what sort of business the company is in (it's more relevant for a cybersecurity firm to suffer a data breach than it is for a hardware store, for instance) and, if any companies in the same industry have had breaches of similar scale and decided to disclose it, whether there was an effect on the stock price. Then the lawyers recommend whether or not to disclose and management makes the ultimate decision. It's been one of the hottest areas in the law for a decade, and yet most of it is never discussed because the answer reached is usually "no material effect, hence no disclosure." Oh, and if the company is private instead of public, there are some general guidelines but not much real law to follow there.

For attacker mindset, I understand what you're attempting to do, but it makes me a bit uncomfortable. It reads very much like a playbook or training manual. Isn't it enough to make people aware of how real and prevalent the danger is, and how the attacker is skilled, sophisticated, and trained to manipulate Sony employees, maybe the video to emphasize the point? Without actually giving a roadmap for anyone unscrupulous enough to take advantage of your quite well done, very thorough and helpful article?

Thanks again. Great expansion on previous article.
