PlayStation Network customers have had their personal information and possibly credit cards stolen. Sony just now decided to tell them after six days of service outage for undisclosed reasons.
PlayStation Network and its billing system have been down for six days; the company has only now decided to let users know the worst

Sony Computer Entertainment America LLC has just announced some very bad news for PlayStation Network (PSN) users (accessible via the PlayStation 3 and PSP) who have made purchases -- they have had their personal info and possibly credit card numbers stolen.

Writes Sony:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Sony contracted a cloud services provider, Qriocity, to manage its customers' data. Sound familiar? That's not surprising. In recent months email relationship firms Epsilon and SilverPop suffered similar data breaches, losing personal information of customers of Krogers, Walgreens, Best Buy, Chase Bank, and more.

But this recent breach is arguably the worst yet, given just how much data is said to have been stolen and the possibility that credit card data was stolen.

Sony states:
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.
But it writes that customers are now responsible for monitoring their credit card statements and credit scores to watch for any damage. In short, the message reads something like, "Sorry guys, but you're on your own now!"

According to outraged commenters the PSN has been down for six days now, but Sony is just now owning up to the fact that there was a massive security breach.  Secondary sources point to the network being down since at least April 21.

One must wonder how many more companies will see their customers violated before tech firms start to get the idea that handing valuable data to small third-party providers might not be the best idea.  It may be cheap, but as these recent incidents show, the utter lack of security and accountability can lead to many a nightmare.


Comments

RE: Hashed Passwords
By lightfoot on 4/26/2011 5:23:38 PM , Rating: 1
If credit card data was compromised, then all bets are off. Industry standards or not.

Credit card data typically must be stored at least as securely as password data.

Even if a hash is stored and not the password it is fairly trivial to reverse the hash if you know the hashing algorithm (which we should assume was also compromised.)


RE: Hashed Passwords
By Murst on 4/26/2011 5:40:10 PM , Rating: 3
quote:
Even if a hash is stored and not the password it is fairly trivial to reverse the hash if you know the hashing algorithm (which we should assume was also compromised.)

I don't know why you would assume that. There is a significant difference between data being compromised and the hashing algorithm being compromised. Cracking the passwords from the hashes should also be pretty much impossible, since it is likely that some form of time sensitive salt was added to the password hash.

If the hashing algorithm was compromised, that would pretty much mean that the hacker not only got access to the database, but also got access to the source code of the PSN servers/software.


RE: Hashed Passwords
By lightfoot on 4/26/2011 7:52:52 PM , Rating: 1
quote:
I don't know why you would assume that. There is a significant difference between data being compromised and the hashing algorithm being compromised. Cracking the passwords from the hashes should also be pretty much impossible, since it is likely that some form of time sensitive salt was added to the password hash.

Why on earth would you assume anything wasn't compromised? They have already admitted to a MASSIVE data breach and their network is still down. They also don't appear to have audit trails of exactly what was breached. Assuming that they handled password security correctly is a huge assumption when it is clear that they weren't even handling credit card security correctly.

If you added a salt to the hashing algorithm it too would need to be stored (you must be able to duplicate the hash to validate that the password is correct.) This makes it more difficult to generate a lookup table of hashed passwords, but not impossible.

To unhash all of the passwords may be cost prohibitive, but only a single password needs to be compromised to be considered a breach.

We can continue making assumptions about how good their security should have been, but it's kind of moot given the fact that they have already been breached.


RE: Hashed Passwords
By donjuancarlos on 4/27/2011 9:12:59 AM , Rating: 2
Nah to all this password cracking stuff. My money is on social engineering. Some admin likely gave up his password or downloaded and ran an email attachment...


RE: Hashed Passwords
By lightfoot on 4/27/2011 12:18:54 PM , Rating: 2
Actually we are discussing how difficult it would be to extract all the user passwords from the database after the database was compromised.

We know that the system was compromised - Sony admitted as much.

The question is now that the system has been compromised what security did Sony have in place to protect sensitive user data?

Clearly the username and most customer details were stored as clear text in the system and have been compromised.

The credit card account numbers should have been stored using no less than 128-bit 3DES encryption according to the Payment Card Industry Data Storage Standard (PCI DSS).

The discussion here is if the 3DES encryption was breached why some people assume that a more basic hashing algorithm was not. And if Sony was not using 128-bit 3DES for the credit card account numbers why would they assume that they were using a more secure system for the account passwords?


RE: Hashed Passwords
By lightfoot on 4/27/2011 12:28:04 PM , Rating: 2
quote:
If the hashing algorithm was compromised, that would pretty much mean that the hacker not only got access to the database, but also got access to the source code of the PSN servers/software.

Or they could have gotten their hands on the executable code and had a halfway decent decompiler... No original source code required. If the database server was compromised it's a fair bet that the app server was also compromised given the fact that the two servers would likely need to communicate with one another.

In any case it is unlikely that it (the application) was also compromised, but we can't assume that it wasn't.


RE: Hashed Passwords
By MozeeToby on 4/26/2011 5:40:00 PM , Rating: 3
quote:
Even if a hash is stored and not the password it is fairly trivial to reverse the hash if you know the hashing algorithm (which we should assume was also compromised.)
Not if they add a randomized salt, which isn't industry practice yet, but probably should be. And even if you know the hashing algorithm, it can still be too computationally complex to reverse it. For example, ask a computer to calculate 3969 * 7351 * 2539 and you'll get an answer back in milliseconds. On the other hand, ask a computer to calculate the prime roots of 74,078,166,141 and you'll be waiting for a much longer time.


RE: Hashed Passwords
By JasonMick (blog) on 4/26/2011 5:43:22 PM , Rating: 3
quote:
On the other hand, ask a computer to calculate the prime roots of 74,078,166,141 and you'll be waiting for a much longer time.


Let's hope they don't have quantum computers!

(for the record, quantum computers can't currently calculate huge primes, but that's one of the purposes they're expected to eventually fulfill...)


RE: Hashed Passwords
By MrTeal on 4/26/2011 6:12:04 PM , Rating: 5
quote:
Let's hope they don't have quantum computers!


If they did, I think they would be too busy making billions legally to bother with stealing some gamers' CC numbers. :)


RE: Hashed Passwords
By someguy123 on 4/26/2011 6:56:10 PM , Rating: 1
Maybe they were testing it expecting it to fail, then were suddenly flooded with credit card numbers?


RE: Hashed Passwords
By BigDH01 on 4/26/2011 11:16:54 PM , Rating: 2
Define fairly trivial. SHA1 has yet to be reversed. If the passwords were hashed with SHA1 then the attacker is basically stuck looking for collisions with brute force or dictionary attacks. I think the one thing to take away from this is to require users to make strong passwords.


RE: Hashed Passwords
By Flunk on 4/27/2011 9:35:27 AM , Rating: 2
Your comment is only valid for two-way encryption. The passwords were stored with one way encryption. The hashes are not reversible. What you'd have to do is create rainbow tables of all the valid hashes and compare them to the actual hashes.

This means that if you have an obvious dictionary-based password it's fairly easy to derive, but more complex things would need a lot of compute time to discover.


RE: Hashed Passwords
By lightfoot on 4/27/2011 12:05:44 PM , Rating: 2
If even a single account is compromised using a lookup table of the 100 most common passwords then user account passwords have been compromised. Period. You don't need to break every password in the system for it to be considered a breach.

And hashes by definition don't need to be reversible, just repeatable and computationally easy to compute. This makes creating a lookup table a trivial task. Using a salt will obviously increase the difficulty, but does not make the cracking process any more complex, just more time consuming.
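The salted-versus-unsalted argument running through the thread above (lightfoot's lookup table of common passwords, MozeeToby's randomized salt, Flunk's dictionary passwords falling first), as an added example that is not part of the original article or its comments. The common-password list and the "leaked" records are constructed stand-ins, and per-user random salt with PBKDF2 stretching is the storage scheme assumed here, not anything known about Sony's systems.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for "the 100 most common passwords" mentioned in the thread.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "abc123"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the weak scheme the thread argues about."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """One-time table digest -> word. Built once, it matches the record of
    every user of an unsalted store who chose one of these words."""
    return {unsalted_sha1(w): w for w in words}


def exposure_audit(unsalted_records, table):
    """Defender's check: accounts in a leaked unsalted store that fall to a
    single dictionary lookup with no per-user work at all."""
    return {user: table[h] for user, h in unsalted_records.items() if h in table}


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Per-user random salt plus PBKDF2 stretching. The salt is stored beside the
    hash (it must be, to recompute at login); what it buys is that no table built
    in advance matches, and each guess costs `iterations` HMAC calls per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def table_hits_salted(salted_records, table) -> int:
    """Salted records matched by a precomputed unsalted table: always 0."""
    return sum(1 for r in salted_records.values() if r["hash"] in table)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    leaked = {"alice": unsalted_sha1("123456"), "bob": unsalted_sha1("Tr0ub4dor&3")}  # constructed
    print("exposed by one lookup:", exposure_audit(leaked, table))
    salted = {u: store_salted("123456") for u in ("alice", "carol")}
    print("same password, different hashes:", salted["alice"]["hash"] != salted["carol"]["hash"])
    print("table hits against salted store:", table_hits_salted(salted, table))
```

The salt does not stop an attacker who recomputes guesses per record; the iteration count is what makes each of those guesses expensive.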


Copyright 2014 DailyTech LLC.