
Sony is offering freebies to lure customers back onto PSN. Some customers might fear, though, that given Sony's poor security track record, they might be walking into a trap by subscribing.
Company wasn't even using encryption for its non-CC data

The hits just keep coming for troubled giant Sony Corp. (6758).  The maker of the PlayStation Portable and the PlayStation 3 announced last week that hackers broke into its PlayStation Network (PSN) database and stole the records of its 77 million customers.

Sony waited an entire week while investigating the breach before notifying customers.  In the meantime the PSN was down.

I. New Details -- 10M CC's Lost

This week Sony revealed new details in media comments and posts to its PlayStation blog.  It commented that up to 10 million users' credit card numbers were likely obtained by the intruder.  

Until now it was unknown whether or not the hackers had gained access to the part of the database containing credit card numbers.

Sony states it is unclear whether the information thief could make use of users' credit cards, as the card numbers were encrypted.  Sony indicated that it did not encrypt any of its other user records -- including username, real name, address, email address, and birth date.  Those records were stored as plain text and should be easily usable by a malicious party.  

Passwords were not encrypted, but were hashed.  They were reportedly not salted, which means recovering the original passwords from the hashes (by comparing them against hashes of common passwords) should be feasible for a savvy cyber-criminal.

Kaz Hirai, Sony's executive deputy president, addressed the public in a streamed press conference [video] late last week, bowing deeply in the traditional Japanese expression of regret.  He stated, "We offer our sincerest apologies."

The timeline of events in the intrusion has now become clearer.  The intruder gained access between April 17 and 19, apparently having free rein of Qriocity servers.  Then on April 19 Sony detected the intrusion and locked down the system.  

The PSN service was shut down on April 20.  Sony hired three independent firms to investigate the breach.  It declined to notify users, though, until April 25.

II.  Sony Offers Freebies to Lure Users

In its bid to regain users' trust and lure old and new users back onto PSN, Sony is offering its customers a number of freebies.

Leading the way is a limited offer of a 30-day free subscription to PSN for new users.  For existing users, those who choose to remain will get a temporary 30-day boost to a "premium" membership level, which comes with special perks (free applications, etc.).  

And Sony is offering to pay users' credit card renewal fees should they find themselves victims of identity theft.  But it says it will require users to prove they suffered damage.

Users on Sony's blog seemed to be reacting positively to the company's updates and freebies program.  Writes "mcbuttz78":

Tell all your staff thank you and we all really appricate (sic) every thing you guys are doing to keep the psn network going strong and better than before. It really means alot . We also at the psn legion would like to wish the sony sercurity (sic) team happy hunting and dont forget the old detective saying” to hunt a criminal in the dark is best case, becuase (sic) he never knows hit’ em

But some seemed less enthused.  One user, "Jimmy_Cosmos" writes:

Just leave the PSN off, stop making PS3s and wait a year or two while building a much better & robust PSN network and launch the PS4. You’ve already given up on the PSP and the PSPGo. This gen is a disaster for you Sony. Rushing to build a brand new PSN in a few weeks is just asking for another disaster like you just had. How can you possibly be sure what you’re rushing to do in a couple of weeks will be better than what you’ve had to make secure in the past 5 years?

Some analysts think the damage will last for some time.  States  Jay Defibaugh, director of equities research at MF Global in Tokyo, in an interview with Reuters, "Damage has been done to Sony whatever the scale of the content giveaway at this point, and Sony is facing a prolonged effort to regain customer trust. Anything that undermines consumer willingness to divulge credit card details to Sony is a problem for the network strategy."

The breach has affected customers in the North America and European regions.  Customers in Asia may have been affected as well.

To clarify, Qriocity -- the entity that maintains the PSN and that Sony has been referring to in the third person in its blogs -- is actually part of Sony.  The group offers streaming video and music services, in addition to maintaining Sony's online gaming efforts.  The trade name was put in place in June 2010 and Sony has been referring to it in the third person ever since.  Some have complained that Sony is obfuscating its own role in the breach by sharing the blame with Qriocity in its releases, when in fact Qriocity is a part of Sony.


30 day trial?
By cochy on 5/2/2011 10:28:30 AM , Rating: 4
Wow what a slap in the face.

We're so so sorry. To make up for it here's a 30 day TRIAL?????? Are you freaking kidding me? Wow did Sony ever lose me big time as a customer.

I bet the free download will be Tetris or something.

I expected better from the Japanese.

RE: 30 day trial?
By tekzor on 5/2/2011 10:41:58 AM , Rating: 1
This happened right before I got my pspgo.
Great paper weight.

RE: 30 day trial?
By stalepie on 5/2/2011 11:46:59 AM , Rating: 1
They're not really Japanese. The head of Sony is Howard Stringer.

RE: 30 day trial?
By cochy on 5/2/2011 1:46:25 PM , Rating: 4
He wasn't even present at the press conference. When he's gone the new CEO will be Japanese.

RE: 30 day trial?
By kattanna on 5/2/2011 1:54:46 PM , Rating: 3
hey.. imagine how the existing premium customers feel.. they dont get anything

RE: 30 day trial?
By someguy123 on 5/2/2011 4:11:57 PM , Rating: 2
Indeed. I really don't understand Sony's thought process here. They seem to believe their brand image is strong enough to maintain their egotistical attitude towards their customers.

You're not apple, sony. People used to buy your products because they were of decent quality, not necessarily insane brand loyalty, but it seems like they're just asking for customers to leave.

RE: 30 day trial?
By cmdrdredd on 5/2/2011 4:27:50 PM , Rating: 2
PSN is free unless you sign up for premium so what are they giving you 30 days trial of? It's free so...I don't get it.

RE: 30 day trial?
By dananski on 5/7/2011 9:40:52 PM , Rating: 2
Yeah, I didn't even know a premium PSN existed - I thought XBox Live was the only console network that charged. Besides, PSN isn't up and running in any shape or form yet is it? I couldn't sign on yesterday at any rate.

RE: 30 day trial?
By SCOTTxSEMPERxFI on 5/3/2011 12:19:31 PM , Rating: 2
This is why we have xbox and pay for it so none of this BS would happen im not sorry but playstation SUCKS

RE: 30 day trial?
By abhaxus on 5/6/2011 9:56:50 PM , Rating: 2
Comments like this make me hope that xbox live gets hacked as well. Not because I'm loyal to Sony, but because morons think this has anything to do with the console "wars."

RE: 30 day trial?
By JW.C on 5/7/2011 10:12:25 PM , Rating: 2
And yet, the hackers have been after the xbox network since the day it went online. They have yet to make an impact on more than themselves. Sony doesnt even have their system completely up yet and they have already been hacked in a major way.

Now I am not a big fan of either, but if I had to pay for a service I would have to go with xbox live simply due to security.

By zlandar on 5/2/2011 11:32:22 AM , Rating: 5
Just finished calling my CC company for a replacement card.

Sony has totally lost any credibility in my eyes when it comes to securing my personal account info.

Their "compensation" is a complete joke. You coughed up my address/email and +/- my CC and you offer a garbage 30 day trial? Sony can take that trial and shove it up their other end.

RE: Incompetent
By Uncle on 5/2/2011 1:52:01 PM , Rating: 3
Sony is low-balling to see how many (suckers) take the offer. Sony is a product manufacturing company. They are not into gaming. The online PS3 gaming was an afterthought because some bean counter figured it would help sell the PS3, nothing else. This whole fiasco proves that out. Has Valve been hacked? They're not even close to the size of Sony, but they are into gaming and know what it takes because that is Valve's business. Sony should stick to selling their products. This is what happens when companies get so big that they can have a major fu*kup like this because it really doesn't hit their bottom line. If it did, Sony would show more respect to their customers and help them out more than they have. To Sony you're just a cash cow.

RE: Incompetent
By chick0n on 5/2/2011 5:26:47 PM , Rating: 2
You do know that Sony has been having Online gaming for a long time in Japan?

not to mention, you ever heard of a game called "Everquest", right?

jesus stop saying shit that u know nothing about, makes u look like an idiot if you are not already one. Thanks.

RE: Incompetent
By Uncle on 5/3/11, Rating: -1

Requirement: Pay 1 year of ID theft protection
By Goss4444 on 5/2/2011 11:01:49 AM , Rating: 2
Is Sony going to pay for 1 year of ID theft protection everyone that was compromised? Let's see... 10 million users times $150 is $1,500,000,000. Wow, how are they going to get around this?

By DanNeely on 5/2/2011 11:20:36 AM , Rating: 2
Simple, the IDtheft protection companies might charge you $12/mo for their service, but that's almost all gravy. The amount they'd charge a company going to buy coverage for 10M IDs in a single package is far less. Even if they're only making $1/person/year out of the package it's still a big wad of almost free money for them, and if company X isn't willing to offer a massive discount, company Y will in order to get the contract.

By Netscorer on 5/2/2011 3:27:42 PM , Rating: 3
Not so easy. Knowing that those 10 mln accounts were actually compromised, the insurance risk becomes much larger and even with super duper volume discount you may look at some pretty big premium. It's like agreeing to take over 10 mln health policies knowing that each and every person in the group was exposed to high dosage of radiation and therefore runs risk of developing all sorts of illness.

Some hackers need to go to prison
By Beenthere on 5/2/2011 11:21:48 AM , Rating: 2
20 years in the slammer would be appropriate for whomever hacked Sony's network. If your cc details were stolen you can expect nightmares for a long time.

By slyck on 5/3/2011 5:18:13 AM , Rating: 2
Sony is the one most responsible here. Sony executives are the ones deserving of jail time. Take all their money and give them forced hard labor.

By Visual on 5/3/2011 10:13:42 AM , Rating: 2
That's your point of view. I would say 20 years for the people that designed their security, and a reward for the hacker.

Well, that was before they sold it to some spammers, anyway :p

Now fire away on the downrate button, though I've had that plenty for my views about hacking in other articles, and will still not change my mind.

Sony is Lame
By LetsGoCheifs on 5/2/2011 11:06:54 AM , Rating: 2
Sony really doesn't care too much, is what it seems like. I mean the company is worth over 70 billion dollars, and they give us trials... it's crazy. At least they could spend some of that money on keeping their money safe, and their company name strong. The day after all this junk happened I bought an Xbox 360 Slim. It's crappy, but at least they won't get taken down by some teenager at his mom's house.......

RE: Sony is Lame
By StevoLincolnite on 5/2/2011 11:10:42 AM , Rating: 2
How is the Xbox any worse than the PS3?
From my perspective, both machines have their Pro's and Con's and graphically they aren't leagues apart.
Not like comparing Console against PC for instance.

By LetsGoCheifs on 5/2/2011 11:10:10 AM , Rating: 1
Hey dummy, cyber crimes are hard to stop and hard to trace..... why would Sony say that it's a 100% fact that the cards were stolen and take an even harder hit.... if it wasn't serious? Read the legal reports, dummy.

RE: Dummy
By HrilL on 5/2/2011 12:38:12 PM , Rating: 2
New York Times had an article that said the Hackers were selling the numbers so I'm pretty sure they were stolen.
Tried to post the link but the spam filter is set to level Nazi.

By frobizzle on 5/2/2011 11:21:01 AM , Rating: 3
Sony should be fined, oh... let's say, $100,000 for each credit card number that was stolen. That would add up to a tidy little sum of $1,000,000,000,000. Do you think a trillion dollar fine would get their attention? Do you think Sony and other companies might take security a little more seriously with that type of possible fine?

I can happily say that I have avoided all Sony products ever since their root kit fiasco a few years ago!

changing credit card
By stalepie on 5/2/2011 11:52:39 AM , Rating: 2
It's not very hard to get a new credit card reissued, at least with VISA. My mom got it done after about 15 minutes on the phone. Although this was shortly after it happened, days ago, so maybe their lines are busier now. Good to call earlier in the day, if you can, like late morning hours. I think?

RE: changing credit card
By cmdrdredd on 5/2/2011 4:24:22 PM , Rating: 1
15 minutes? I do it through my bank in about 5.

me: Hey I notice something fishy, I didn't buy this thing.

Lady: Ok thank you sir one moment, ok you will have that removed from your account and all funds returned within 24hours here is the confirmation number. In addition your new card is on the way and the old one will be permanently cancelled. Is there any reason that you might need to use this card before you receive your new one? If not I can cancel it immediately.

Me: Nope just cancel it and I'll wait for the new one thank you.


Seriously it's no hassle at all, unless you live off your CC in which case you're an idiot to begin with.

By stalepie on 5/2/2011 11:45:40 AM , Rating: 2
Maybe there was an employee at Sony who helped the hackers.

By wallijonn on 5/2/2011 12:12:26 PM , Rating: 2
Was the theft isolated only to PSN members? Or did it include everyone who has a Sony CC? Capital One has taken over the Sony CC business (Chase Card). And none too soon, it seems.

By An12376 on 5/2/2011 12:29:27 PM , Rating: 2
Where did you dig up all this crap from?

Qriocity is Sony's Music/Video service , like Apple's is iTunes.

It has nothing to do with Maintaining the PSN.

By Strunf on 5/3/2011 8:19:52 AM , Rating: 2
I have a PS3 but never bought anything on PSN, so whatever they got from is pretty much useless for them... I just hope I'll be lucky enough to get something free out of it.

Anyways, I find this whole thing rather funny, to see people astonished with this when pretty much every month a big company is reporting that they lost "private" info from their users; heck, even government agencies are losing data to hackers.
Even funnier is when the news is twisted enough that you don't even blame the hackers but SONY. It reminds me of what some religious freaks say: "when you dress like a whore you're literally begging to be raped"...

Did the writer read the playstation blog
By cb900f1982 on 5/2/11, Rating: -1

By Gzus666 on 5/2/2011 10:58:24 AM , Rating: 2
They did clearly say that, they are all blowing this out of proportion without supporting evidence. I have seen people saying that because someone had a PSN account and their credit card was misused, clearly it was stolen during the PSN hack. I hate that they don't teach basic logic in schools so we get illogical idiots that don't understand correlation does not equal causation.

RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 11:19:29 AM , Rating: 3
DB access is not proof enough? Not many databases are set up to log every select.

Sony's statement is like saying: they had access to my locker, but there's no evidence they ever peeked.

RE: Did the writer read the playstation blog
By Gzus666 on 5/2/2011 11:55:49 AM , Rating: 3
Considering they said the CC numbers and personal information were stored separately and the CCs were encrypted, no, it isn't proof at all. Apparently you don't understand what proof means, I would recommend you buy a dictionary.

RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 12:10:24 PM , Rating: 2
Encrypted does not mean inaccessible.

RE: Did the writer read the playstation blog
By Gzus666 on 5/2/11, Rating: 0

RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 3:11:45 PM , Rating: 3
Ok, if you wanted to show off your programming skills, you failed.

The passwords were not encrypted, they were hashed. So there's no AES in there. Hash usually means MD5 or SHA. And no salt was used, so there's a very good chance to recover weak passwords with a dictionary-based attack.

By Gzus666 on 5/2/2011 3:41:31 PM , Rating: 2
I'm not a programmer. Last piece of information I read said they were encrypted, not hashed. If you have something stating otherwise, I would be interested to see it but according to Sony, it was in fact encrypted, not hashed.

While I am not a programmer, I am a network engineer who has to deal with encryption and hashing, so I am not completely in the dark when speaking of the two.

RE: Did the writer read the playstation blog
By Gzus666 on 5/2/2011 4:17:43 PM , Rating: 2
It looks like you are confusing the passwords with the CC numbers. The passwords were hashed, the CC numbers were encrypted.

RE: Did the writer read the playstation blog
By Yames on 5/2/2011 5:25:32 PM , Rating: 2
Hashes are not reversible, and in order to use your credit card "on file" without reentering all your information, it would have to be stored encrypted. If the hacker was good enough, they may have been able to get the encryption key.

RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 5:54:43 PM , Rating: 2
Hashes are not reversible

They are not, but given the same input, they always yield the same output. So you use "mom" for password, an attacker can just go ahead and hash all words in a dictionary and compare the output.
And while it's not exactly my field, afaik MD5 itself is not exactly secure.

RE: Did the writer read the playstation blog
By adiposity on 5/2/2011 7:32:28 PM , Rating: 2
Since I didn't use "mom" or any other dictionary word, it shouldn't be a problem, right?

Whether or not MD5 is secure is kind of moot; did they use md5 or SHA2?

By DanNeely on 5/3/2011 6:29:39 AM , Rating: 2
no. Calculating a rainbow table with all the passwords in it isn't that hard since they weren't salted. Once they have that, they have everyone's password.
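The dictionary and precomputed-table attacks described in the thread above (bug77's "hash all words in a dictionary and compare" and DanNeely's rainbow-table point) come down to one property: an unsalted fast hash maps the same password to the same value for every user and every site. The following is an added example, not code from the article or from Sony, using a constructed five-user table and a constructed five-word dictionary; the unsalted-MD5 scheme is assumed for illustration. It shows the lookup, a defender-side check that spots an unsalted store (identical hash values across accounts), and the per-user salt plus slow KDF (PBKDF2-HMAC-SHA256) that defeats a precomputed table.

```python
import hashlib
import hmac
import os

# Constructed sample records (not real data): five users, two of whom chose
# the same weak password. The unsalted-MD5 scheme is an assumption made to
# illustrate the weakness the comments describe.
USERS = {
    "alice": "mom",
    "bob": "correct horse battery",
    "carol": "mom",
    "dave": "letmein",
    "erin": "Tr0ub4dor&3",
}

# A tiny constructed word list standing in for a real dictionary.
DICTIONARY = ["password", "mom", "letmein", "qwerty", "dragon"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: a bare, fast hash with no per-user salt."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words):
    """Reverse lookup (hash -> word). Built once, it works against ANY
    unsalted database, which is exactly why salting matters."""
    return {unsalted_md5(w): w for w in words}


def recover_unsalted(stored, table):
    """Given {user: md5hex}, return the users whose hash is in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def duplicate_hash_groups(stored):
    """Defender check: identical hash values across accounts mean no per-user
    salt is in use (and also leak which users share a password)."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """The hardened scheme: random per-user salt plus a deliberately slow KDF.
    A precomputed table would have to be rebuilt per salt, and each guess
    costs `iterations` HMAC evaluations instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str):
    """Create a record (salt, derived key) for a new password."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so verification timing does not leak."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), expected)


def demo():
    # 1. Unsalted store: one table lookup recovers every weak password.
    stored = {u: unsalted_md5(p) for u, p in USERS.items()}
    recovered = recover_unsalted(stored, precomputed_table(DICTIONARY))

    # 2. Defender check: alice and carol share a hash, so there is no salt.
    dupes = duplicate_hash_groups(stored)

    # 3. Salted store: the same weak password yields different records, and
    #    the MD5 table is useless against either of them.
    salt_a, rec_a = store_salted("mom")
    salt_c, rec_c = store_salted("mom")
    salted_differ = rec_a != rec_c
    still_verifies = verify_salted("mom", salt_a, rec_a) and not verify_salted("dad", salt_a, rec_a)
    return recovered, dupes, salted_differ, still_verifies


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers alice, carol and dave from the unsalted table and flags alice/carol as a duplicate-hash group, while the two salted records for the identical password "mom" differ and still verify correctly. The duplicate-hash check is the quick audit a defender can run on any exported credential table without knowing a single password.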

RE: Did the writer read the playstation blog
By B3an on 5/2/11, Rating: -1

RE: Did the writer read the playstation blog
By Pirks on 5/2/2011 12:06:43 PM , Rating: 2
oh man, mick is not even worth an asher's armpit smell, jee I miss asher too :( best tech blogger ever :(

By JakLee on 5/2/2011 12:54:39 PM , Rating: 2
Anyone know what happened to Masher?
I never did hear where he went?

By Lord 666 on 5/2/11, Rating: -1

hmm... feeling gullible now..
By stalepie on 5/2/11, Rating: -1

By stalepie on 5/2/11, Rating: -1

By skipinVegas on 5/2/11, Rating: -1

By StevoLincolnite on 5/2/2011 11:07:38 AM , Rating: 2
I might be missing something... As I can't work out the connection to your post and the Article.
Now... What the hell does all that have to do with the price of beans in China?

By RedemptionAD on 5/4/2011 9:36:07 AM , Rating: 2
I needed a place to put it and the article had to do with money (credit cards). I had a positive ulterior motive when I posted it. Try it, it works. I left out a few details for security's sake, but it does work.


Copyright 2016 DailyTech LLC.