



Customers who registered with the PlayStation Network have had their names, addresses, usernames, passwords, and possibly credit cards stolen. Sony waited a week before telling the public.
Customer addresses, passwords, usernames, and emails -- and possibly credit cards -- were all taken

Sony Computer Entertainment America LLC is facing a firestorm of criticism following its admission that it handed the management of its PlayStation Network (PSN) to a smaller services provider, Qriocity, which apparently had appallingly bad security, allowing a massive loss of customer data.

In total, users' names, usernames, and addresses were all lost.  They also lost users' passwords, indicating that the passwords may not have been hashed -- or at the very least weren't salted (salting mixes a random per-user value into each hash, so that a third party cannot reverse many hashes at once with a single precomputed table of common passwords).
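To make the hashing-versus-salting distinction concrete, here is an added example (not code from the article or from Sony) contrasting the two storage schemes the paragraph describes. The unsalted scheme is a bare SHA-256 over the password; the salted scheme uses a random 16-byte salt per user and PBKDF2-HMAC-SHA256 with an assumed work factor of 600,000 iterations. The sample passwords and the `ITERATIONS` value are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; pick per your hardware budget.
ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """The weak scheme: a single SHA-256 over the password.

    Every account with the same password yields the same digest, so one
    precomputed table of common passwords reverses all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """The stronger scheme: per-user random salt plus a slow KDF.

    The stored record carries the salt and iteration count alongside the
    derived key, so verification can recompute the same derivation later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each new record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "dk": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["dk"]))


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    alice, bob = "password123", "password123"
    print("unsalted, alice:", unsalted_digest(alice))
    print("unsalted, bob:  ", unsalted_digest(bob))  # identical -> table lookup hits both
    ra, rb = salted_record(alice), salted_record(bob)
    print("salted, alice:  ", ra["dk"])
    print("salted, bob:    ", rb["dk"])  # different -> no shared table
    print("verify correct: ", verify_password("password123", ra))
    print("verify wrong:   ", verify_password("Password123", ra))
```

The point the output makes is that the two unsalted digests are identical while the two salted records differ, even though both users chose the same password; a leaked table of salted records therefore has to be attacked one account at a time, at the cost of the full iteration count per guess.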

Sony also says that credit card info may have been lost, though it says it isn't sure.

In an update the company admits that it waited an entire week before telling customers that it had lost their info.  The company writes:

There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.

Some in the U.S. government have taken notice and they're not happy.  Senator Richard Blumenthal (D-Connecticut) is "demanding answers" from Sony.  He writes [press release], "When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach."

The loss of credit card info is particularly disturbing.  If the information is used to commit fraud, there's a strong likelihood that at least some customers' scores with the three major U.S. credit bureaus -- Equifax, Experian and TransUnion -- will be damaged. In cases of identity theft, the bureaus are supposed to work with individuals to fix their file and cleanse their record, but that process can take years and much grief.

Some suspect that members of the loosely organized 4Chan affiliated hacker group "Anonymous" may be behind the data theft.  Anonymous members had been organizing over IRC impromptu distributed denial of service raids on Sony's online properties in the wake of the company's recent lawsuit against George "GeoHot" Hotz.

Stealing customers' data seems out of character for most members of Anonymous, but it's important to remember that the group is very loosely organized and that its members have a wide range of philosophies when it comes to security and computer crime, so anything is possible.

Sony even writes:

4. Is the attack by “Anonymous” or another party?

We are currently conducting a thorough investigation of the situation. Since this is an overall security related issue, we cannot comment further at this time.

The company has a FAQ page that outlines many questions people might have and answers.  For example, it writes:

3. Why was Sony not prepared for a compromise of its network?

We are currently conducting a thorough investigation of the situation. Since this is an overall security related issue, we cannot comment further at this time.

It appears that international users, including those in the European Union, may also be affected.  Sony Computer Entertainment Europe's blog carried a press release announcing the breach, similar to the one in the U.S.



Comments

Top Democrat?
By Murst on 4/27/2011 9:46:50 AM , Rating: 5
I'm wondering what makes this guy a top democrat.

Richard Blumenthal has been a senator for just over 4 months. Prior to that, he was the AG of Conn.

This dude is pretty much a complete newbie in the Senate. And anyways, I thought that Obama was the top democrat.




RE: Top Democrat?
By Sebec on 4/27/2011 9:50:20 AM , Rating: 5
It's all part of the next reality show, "America's Next Top Democrat."


RE: Top Democrat?
By BladeVenom on 4/27/2011 9:52:18 AM , Rating: 2
He prefers to be on top. :)


RE: Top Democrat?
By quiksilvr on 4/27/2011 11:31:31 AM , Rating: 2
Why? Being on the bottom is much more pleasurable...I've said too much...


RE: Top Democrat?
By gamerk2 on 4/27/2011 12:11:26 PM , Rating: 2
To be fair, he IS an ex-Attorney General, so at least he has experience in this type of thing...


RE: Top Democrat?
By Dr of crap on 4/27/2011 10:41:36 AM , Rating: 2
And why should our "top democrat" be involved in this?

And why do we want the govt involved in this?

Maybe Sony is still trying to figure out WHAT info was leaked out from which customers??


RE: Top Democrat?
By Mr772 on 4/28/2011 8:54:07 AM , Rating: 2
Maybe Sony is still trying to figure out WHAT info was leaked out from which customers??

Epic fail by Sony. Any security engineer worth his salt could have identified and killed the threat in less than 12-24 hours. A week is a catastrophic failure on their part.


RE: Top Democrat?
By Strunf on 4/28/2011 12:51:35 PM , Rating: 2
hmm maybe you should supply your CV to SONY then...

There are many companies and government agencies who had their systems compromised, so either most security engineers are a piece of crap or the hackers are just exploiting weaknesses that weren't easily identifiable from the start.

Anyways I think today no system is completely safe unless disconnected from the internet and without any way for the user to copy/save data.


RE: Top Democrat?
By kattanna on 4/27/2011 1:18:53 PM , Rating: 2
quote:
And anyways, I thought that Obama was the top democrat


While technically true, since it appears the Senate brought it up, the top Senate Democrat would be the VP at this time.


RE: Top Democrat?
By rcc on 4/27/2011 2:40:32 PM , Rating: 3
Either way, I wish Congress would stick to their jobs and quit trying to win brownie points on issues like this. At this point this is a law enforcement issue, a legal issue, and or a consumer rights issue. It's not a flippin' Congressional issue, and it certainly isn't their business to get involved at this level.


RE: Top Democrat?
By MrTeal on 4/27/2011 2:51:12 PM , Rating: 2
I wouldn't say that. If senate and congress didn't have things like this or convening grand juries to look into the possibility that people might have cheated at sports, they might actually start to function as a part of the government. Then you'd really be screwed.


RE: Top Democrat?
By morphologia on 4/27/2011 5:34:24 PM , Rating: 2
He's on some consumer rights committee or other. He's not chairing it, though, so it still doesn't make sense.

He's not top anything, and mentioning his party affiliation serves no purpose (other than giving Republicans a reason to complain about this article).


RE: Top Democrat?
By thomp237 on 4/27/2011 7:41:35 PM , Rating: 3
Actually Obama is the Bottom Democrat. He can only F*** up!


RE: Top Democrat?
By thurston on 4/30/2011 12:15:14 AM , Rating: 2
It's part of what Jason learned researching his sensationalism in journalism editorial series. "Top Democrat" makes it much more sensationalist and has a tendency to immediately politicize.


Thank god we have political internet experts
By MrTeal on 4/27/2011 10:21:04 AM , Rating: 2
quote:
"When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach."


I agree with this top senator; as soon as Sony knew there was a breach, they should have run a sudo ls -stolen_data to get a complete list of all the information that was taken, and then notified their customers. That whole thing about having to bring in investigators to actually determine what was breached, how severely, and what information might have been compromised is just a bunch of corporate hooey to distract people from them just being too lazy to let people know.

I heard Kim Jong Il is an internet expert too, maybe Senator Blumenthal could team up with him to get to the bottom of this.




RE: Thank god we have political internet experts
By Lanister on 4/27/2011 11:16:26 AM , Rating: 2
I am not being sarcastic and am really asking. I thought you could tell what users access what servers and if a DB or file was accessed and or copied? Hell my wife can tell if I looked at porn the last week I would think they could tell if the server was accessed right?

I am sure it's not as simple as entering in a command, but it should be possible to know if hackers got into the DB or server that stores the customer CC info fairly easily, right?

The company I work for accepts CC's and we spend a lot of time and money reviewing all our systems to make sure we are PCI compliant, I would have to assume that Sony did also which would mean that the info is encrypted as one of the requirements is that all data at rest needs to be encrypted.


RE: Thank god we have political internet experts
By Taft12 on 4/27/2011 1:13:26 PM , Rating: 2
quote:
The company I work for accepts CC's and we spend a lot of time and money reviewing all our systems to make sure we are PCI compliant, I would have to assume that Sony did also which would mean that the info is encrypted as one of the requirements is that all data at rest needs to be encrypted.


Why would you assume this? Everything we've heard so far points to Sony NOT having done things "the right way"


RE: Thank god we have political internet experts
By Lanister on 4/27/2011 1:53:31 PM , Rating: 2
Good point, I had thought that being PCI compliant was a requirement; a quick Google search shows that it is voluntary.

Sony will not be trusted with my personal info anymore. Think I may get a prepaid CC I can just load funds onto to use for my online shopping from now on.

Now that I think about it, are the passwords stored for this site encrypted??


By Kurz on 4/28/2011 10:26:36 AM , Rating: 2
On the password question: I use a very simple password for my account here. Then I use more complicated passwords for my bank accounts, online shopping, anything dealing with money.


By Solandri on 4/27/2011 4:03:21 PM , Rating: 2
quote:
I am not being sarcastic and am really asking. I thought you could tell what users access what servers and if a DB or file was accessed and or copied? Hell my wife can tell if I looked at porn the last week I would think they could tell if the server was accessed right?

SOP in any sophisticated break-in is to modify the logfiles to remove any trace of the break-in. Like editing the surveillance video of the liquor store you just robbed to remove any trace of the robbery.

The work-around for this is to have duplicate logfiles created on another machine over the network (a secret VCR in the back room which generates a second duplicate surveillance video). But I would say that's the exception rather than the norm.
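The "second VCR in the back room" arrangement described above, as an added example that is not part of the original post: a logger writes every event both to a local file and to a UDP syslog collector standing in for a separate machine. After the on-box log is wiped, the collector's copy still holds the events. The listener, the logger name `psn-demo`, and the two log messages are all constructed for this demonstration; in production the collector would be a real remote syslog host rather than a thread on localhost.

```python
import logging
import logging.handlers
import os
import socket
import tempfile
import threading
import time


def start_collector():
    """Stand-in for the remote log host: a UDP syslog listener on 127.0.0.1.

    Returns (port, received_list, shutdown_callable). Every datagram received
    is appended to received_list, which plays the role of the off-box copy.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # ephemeral port
    sock.settimeout(0.2)
    received = []
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            received.append(data.decode("utf-8", "replace"))

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()

    def shutdown():
        stop.set()
        thread.join()
        sock.close()

    return sock.getsockname()[1], received, shutdown


def build_logger(local_path, collector_port):
    """Logger with two sinks: the local file and the remote syslog collector."""
    log = logging.getLogger("psn-demo")  # constructed logger name
    log.setLevel(logging.INFO)
    log.handlers.clear()  # idempotent across repeated calls in one process
    fmt = logging.Formatter("%(asctime)s %(levelname)s %(message)s")
    file_handler = logging.FileHandler(local_path)
    file_handler.setFormatter(fmt)
    remote_handler = logging.handlers.SysLogHandler(address=("127.0.0.1", collector_port))
    remote_handler.setFormatter(fmt)
    log.addHandler(file_handler)
    log.addHandler(remote_handler)
    return log


def wait_for(received, count, timeout=2.0):
    """Poll until the collector has seen `count` datagrams or the timeout passes."""
    deadline = time.time() + timeout
    while len(received) < count and time.time() < deadline:
        time.sleep(0.02)
    return len(received) >= count


def run_scenario():
    """Log two events, wipe the local file, and report what each copy still holds."""
    port, remote, shutdown = start_collector()
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "auth.log")
            log = build_logger(path, port)
            log.info("admin login from 203.0.113.7")   # constructed sample event
            log.info("bulk export of customer table")  # constructed sample event
            wait_for(remote, 2)
            for handler in list(log.handlers):
                handler.flush()
                log.removeHandler(handler)
                handler.close()
            # Simulate an intruder with local root truncating the on-box log.
            with open(path, "w"):
                pass
            with open(path) as fh:
                local_after = fh.read().splitlines()
    finally:
        shutdown()
    return local_after, list(remote)


if __name__ == "__main__":
    local_copy, remote_copy = run_scenario()
    print("local log after wipe:", local_copy)
    print("remote copy:", remote_copy)
```

The design point is that the remote handler sends each record at the moment it is logged, so later edits to the local file cannot reach the copy already held elsewhere; the collector should of course accept writes only, and its own host should not share credentials with the machines it monitors.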


By bobsmith1492 on 4/27/2011 12:04:48 PM , Rating: 2
Protecting the American people is the government's primary role - police, military, and the court system.

Identity theft and monetary theft are both crimes that the government should prosecute; if they prosecute, they should also help defend.

Here's my analogy: steal cash from your house -> police catch criminal -> courts prosecute -> police patrol to help reduce initial rates of cash theft

steal identity and credit card money -> government catches criminal -> courts prosecute -> "cyber" police patrol to help reduce initial rates of identity/credit card theft


By Nfarce on 4/27/2011 12:38:58 PM , Rating: 1
quote:
Here's my analogy: steal cash from your house -> police catch criminal -> courts prosecute -> police patrol to help reduce initial rates of cash theft


And here's how that would go down in my house:

Break in and attempt to steal while I'm there -> get your head blown off while I claim self defense -> scumbag gets stored in a cold dark place until being moved to push up daisies.


By morphologia on 4/27/2011 5:36:15 PM , Rating: 3
Lots of bravado, short on logic, assuming the government is less capable than the average couch commando...you have all the symptoms of Reactionary Syndrome. :P


By rcc on 4/27/2011 2:46:01 PM , Rating: 2
I understand what you're trying to say, and I agree.

However, a Congressman getting involved in this is like using a bulldozer on your flower beds. It won't do the job, it'll tear up the flower beds (and house), but by God the neighbors will know you were serious about your flowers!!


It's Sony
By Cheesew1z69 on 4/27/2011 9:40:25 AM , Rating: 2
They think they can do no wrong....




RE: It's Sony
By morphologia on 4/27/2011 5:39:38 PM , Rating: 2
While companies like Apple get away with murder?

Lots of the anti-Sony sentiment, prior to this incident anyway, was due to the public's fanboy-ish support of hackers like GeoHot, so anything negative people say about Sony is only 75% due to the actual problem, and 25% fad hype. This is a real problem, but I have no doubt that anti-Sony bias is responsible for the level of outrage on this.


A silver lining
By Taft12 on 4/27/2011 1:16:30 PM , Rating: 3
I expect a lot of gov't slamming in this thread, but a high-profile incident like this that gets political attention may be the straw that leads to much-needed privacy legislation in this country.

It's right that Sony is getting nailed to the wall over this and charges are absolutely appropriate in cases where negligence leads to catastrophe.




Why ask questions?
By Kurz on 4/27/2011 9:39:53 AM , Rating: 2
Just file a class action lawsuit and Sony will push for higher security on all their products.




Please Dems and Reps
By Uncle on 4/27/2011 12:39:39 PM , Rating: 1
Please Dems and Reps, quit piggybacking on people's misfortunes caused by your lack of innovative laws to protect the consumers. Sony took six days to bring this issue up; what I haven't heard is how long it took Qriocity to know they were hacked before reporting to Sony.

Also: Qriocity.com. Sony also owns the domain qriocity.com and registered it somewhat recently.

So, about this statement: "that it handed the management of its PlayStation Network (PSN) to a smaller services provider, Qriocity, who apparently had appallingly bad security, allowing a massive loss of customer data." This company is owned by Sony. I like how the big boys create smaller subsidiaries so they can offload the blame for their stupidity.


















Copyright 2014 DailyTech LLC.