So after our report on Monday – Sony Rebuilding PlayStation Network (PSN) – Down 4 Days So Far – news had been spilling out about this whole thing pretty much non-stop. It appears the network is still down and there was some serious data loss including user data for millions of users being stolen.
All kinds of personal data was leaked including birth dates, names, e-mail address and it was originally though the hackers had also got hold of user credit card details.
A funny tweet I saw on the matter was “Hello my name is SONY. I like long walks on the beach, DRM, rootkits and losing your cc info.” from @rodolfor.
Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts.
The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony’s related Qriocity network.
Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.
Sony had already come under fire for a copyright lawsuit targeting customers who published instructions for unlocking the game console so it could run games and applications not officially sanctioned by the company. The criticism only grew after Sony lawyers sought detailed records belonging to hacker George Hotz, including the IP addresses of everyone who visited his jailbreaking website over a span of 26 months
What worries me is how much of their data was stored in plain text, I guess they assumed their system and network was so secure it would not be breached. But still, the important stuff should have been behind some kind of encryption layer and things like passwords should be hashed.
There was an official update from them too on the PlayStation blog here:
Update on PlayStation Network and Qriocity
They did warn users to remain vigilant and provided ways on how to be prepared for credit card. There were some rumours going around that PSN users were seeing $10 debits from the credit cards they had linked to their PlayStation accounts.
Hackers howled with displeasure saying they should have a right to modify the hardware they legally own. Sony recently settled that case, but Hotz, whose hacker moniker is GeoHot, has remained highly critical of the company. Many have also objected to the removal of the so-called OtherOS, which allowed PlayStation 3 consoles to run Linux.
Sony’s advisory on Tuesday means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unhashed and unencrypted on its servers. Sony didn’t say if its website complied with data-security standards established by the Payment Card Industry.
Sony reminded users located in the US that they’re entitled to receive one credit report per year from each of the three major credit bureaus. The company didn’t offer to pay for any sort of credit monitoring service to help ensure the information it lost isn’t used in identity-theft ruses against its users.
“When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password,” advises a letter that Sony is sending to its users.
The latest news is however that the credit card details are actually encrypted, so they should be safe. The details came from an updated in Q&A format from the PlayStation blog:
Q&A #1 for PlayStation Network and Qriocity Services
Their statement is as follows:
The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
So the user data is out there but the credit card data should be safe, even if the table was stolen it’s encrypted – let’s hope the hacker didn’t swipe the keys too.
The case has also triggered a lawsuit with a user of the network suing Sony over the data loss, more from Information Week here:
Sony Sued Over PlayStation Network Hack
Source: The Register
David Shepherd says
So the credit card info was encrypted but I have to believe majority of folks use the same passwords for PSN as they would for other services, email, banking and so on. The unencrypted data is far more criminally valuable! You have to use strong passwords that are unique to each system and service. How is the difficult part. I use LastPass
PS3 faggots says
HAHAH THE PS3 SUCKS HAHA
DeborahS says
“if the table was stolen it’s encrypted – let’s hope the hacker didn’t swipe the keys too.”
This could be why it’s taking Sony so long to scope out the extent of the breach. If the hacker swiped the keys, it might be very difficult to verify that to a reasonable degree of certainty.
Bogwitch says
Delays, delays, delays. I am quite suprised at the time it is taking for the PSN to become active. Granted, it is a service provided free of charge but I believe it is included in the price of a PS3 and the purchasers of PS3s fully expect to have access to it.
So, the question for me is WHY it is taking so long (9 days so far) for the PSN to return to functionality. I see a few possibilities.
1. Their site code is proprietary, the hacker(s) found a way through it and obtained the site code. The network operators were aware of more security issues in their code but had been relying on ‘security through obscurity’, (a false premise) and that obscurity, being removed, would take considerable time to replace.
2. Their site code is COTS but is unmaintained (for whatever reason) I suspect this is less likely but with a network as large as PSN, it is possible. If they had no mirror reference system to test patching, there would be a huge reluctance to patch the live system. As I said, I think this is unlikely.
3. Given the litigious nature of Sony and it’s affiliates, they will measure this downtime in cold, hard cash. If they have information leading to who had penetrated the network, they have less incentive to bring the network back in a timely manner, instead, they can sue the perpetrator for the sums lost. I appreciate there will be no payout from the hacker(s) involved although the penalties inflicted by a compliant judiciary will increase with reported losses and the losses, I assume, will be transferred to insurance to cover.
4. The operators of PSN are _COMPLETELY_ hopeless. Difficult one to believe, since they kept a network serving 77 million people running with a reasonable uptime (I don’t know this for a fact, as I’m not a PS3 owner)
5. PSN are using this time to implement several significant changes.
Of course, it is possible to combine some of these theories to come up with what may be the truth, I doubt we’ll ever know for sure.
On a related note, I was astonished to see Sony release their competition to the iPad 2 during the week, a product launch that would be greatly overshadowed by the PSN shiftstorm (i appreciate that PSN is not directly operated by Sony but there is an association there)
Anyone want to buy the Sony tablet offering? It’ll probably come with a rootkit fitted prior to shipping :P
Bogwitch says
….and now, Sony believe the credit card information may have been stolen. Only 10 million though, as not all of the 77 million users had registered a card but it seems that 10 million credit card details is all they had.
http://venturebeat.com/2011/04/30/sony-says-10m-credit-card-numbers-may-have-been-exposed-fbi-investigating/
It is also mentioned in the above article that they were using software with a known vulnerability, that stuffs up my ‘bespoke’ theory.
I get the feeling that a large amount of information is being withheld and is being slowly released, is this a damage limitation exercise? I am truly at a loss as to what Sony are thinking, I guess only time will tell….
Darknet says
Oh dear, it’s really not looking good for them is it?
Bogwitch says
Not really. Another 25million accounts now? The slow drip continues…
Darknet says
Yah SOE hacked as well, was just writing about that. What do you think about the theory that PSN is powered by Steam?
Bogwitch says
Not something I’ve heard, to be honest but then, I’m not heavily into the gaming scene.
Or did you mean their technology seems so out-dated that it is powered by boiled water?
Hacking Tricks says
My question is… how the hell were they caught off guard…because This is seriously an expensive mistake. And they are claiming the credit card and other vital information of their customers were encrypted. Who the hell is gonna believe that.
DeborahS says
@Hacking Tricks
The simple answer is that they weren’t “caught off guard”, because they didn’t have any guard posted to begin with. From the reports I’ve read, they may have encrypted their credit card database, but that’s about all they did in the way of security. They didn’t even firewall their servers! Looks like they’re putting some better security in place now, but it’s a bit too late to avoid a major breach.