

Sony is offering freebies to lure customers back onto PSN. Some customers might fear, though, that given Sony's poor security track record, they would be walking into a trap by subscribing.
Company wasn't even using encryption for its non-CC data

The hits just keep coming for troubled giant Sony Corp. (6758).  The maker of the PlayStation Portable and the PlayStation 3 announced last week that hackers broke into its PlayStation Network (PSN) database and stole the records of its 77 million customers.

Sony waited an entire week while investigating the breach before notifying customers.  In the meantime the PSN was down.

I. New Details -- 10M CC's Lost

This week Sony revealed new details in media comments and posts to its PlayStation blog.  It commented that up to 10 million users' credit card numbers were likely obtained by the intruder.  

Until now it was unknown whether or not the hackers had gained access to the part of the database containing credit card numbers.

Sony stated it was unclear whether the information thief could make use of users' credit cards, as the numbers were encrypted.  Sony indicated that it did not encrypt any of its other user records -- including username, real name, address, email addresses, and birth date.  Those records were stored as plain text and should be easily usable by a malicious party.  

Passwords were not encrypted, but were hashed.  They were reportedly not salted, which means a savvy cyber-criminal could recover many of them simply by hashing candidate passwords and matching the results against the stolen hashes.

Kaz Hirai, Sony's executive deputy president, addressed the public in a streamed press conference [video] late last week, bowing deeply in the traditional Japanese expression of regret.  He stated, "We offer our sincerest apologies."

The timeline of events in the intrusion has now become clearer.  The intruder gained access between April 17 and 19, apparently having free rein of Qriocity servers.  Then on April 19 Sony detected the intrusion and locked out the system.  

The PSN service was shut down on April 20.  Sony hired three independent firms to investigate the breach.  It declined to notify users, though, until April 25.

II.  Sony Offers Freebies to Lure Users

In its bid to regain users' trust and try to lure old and new users back onto PSN, Sony is offering its customers a number of freebies.

Leading the way is a limited offer for a 30-day free subscription to PSN for new users.  For existing users, those who choose to remain will get a temporary 30-day boost to a "premium" membership level, which comes with special perks (free applications, etc.).  

And Sony is offering to pay users' credit card renewal fees should they find themselves victims of identity theft.  But it says it will require users to prove they suffered damage.

Users on Sony's blog seemed to be reacting positively to the company's updates and freebies program.  Writes "mcbuttz78":

Tell all your staff thank you and we all really appricate (sic) every thing you guys are doing to keep the psn network going strong and better than before. It really means alot . We also at the psn legion would like to wish the sony sercurity (sic) team happy hunting and dont forget the old detective saying” to hunt a criminal in the dark is best case, becuase (sic) he never knows hit’ em

But some seemed less enthused.  One user, "Jimmy_Cosmos" writes:

Just leave the PSN off, stop making PS3s and wait a year or two while building a much better & robust PSN network and launch the PS4. You’ve already given up on the PSP and the PSPGo. This gen is a disaster for you Sony. Rushing to build a brand new PSN in a few weeks is just asking for another disaster like you just had. How can you possibly be sure what you’re rushing to do in a couple of weeks will be better than what you’ve had to make secure in the past 5 years?

Some analysts think the damage will last for some time.  States  Jay Defibaugh, director of equities research at MF Global in Tokyo, in an interview with Reuters, "Damage has been done to Sony whatever the scale of the content giveaway at this point, and Sony is facing a prolonged effort to regain customer trust. Anything that undermines consumer willingness to divulge credit card details to Sony is a problem for the network strategy."

The breach has impacted customers worldwide, including the North American and European regions.  Customers in Asia may have been affected as well.

To clarify, Qriocity -- the entity that maintains the PSN and which Sony has been referring to in the third person in its blogs -- is actually part of Sony.  The group offers streaming video and music services, in addition to maintaining Sony's online gaming efforts.  The trade name was put in place in June 2010 and Sony has been referring to it in the third person ever since.  Some have complained that Sony is obfuscating its own role in the breach by sharing the blame with Qriocity in its releases, when in fact Qriocity is a part of Sony.



Did the writer read the playstation blog
By cb900f1982 on 5/2/2011 10:47:36 AM , Rating: -1
I believe the PSN blog stated that it was Unlikely but possible that up to 10 million CC #s were obtained. Also stating there was no evidence that cc #s were taken but they could not rule out the possibility. How does that turn into 10m cc numbers likely obtained? Maybe you should complete your research before you commit anything to cyberspace.




By Gzus666 on 5/2/2011 10:58:24 AM , Rating: 2
They did clearly say that, they are all blowing this out of proportion without supporting evidence. I have seen people saying that because someone had a PSN account and their credit card was misused, clearly it was stolen during the PSN hack. I hate that they don't teach basic logic in schools so we get illogical idiots that don't understand correlation does not equal causation.


RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 11:19:29 AM , Rating: 3
DB access is not proof enough? Not many databases are set up to log every select.

Sony's statement is like saying: they had access to my locker, but there's no evidence they ever peeked.


RE: Did the writer read the playstation blog
By Gzus666 on 5/2/2011 11:55:49 AM , Rating: 3
Considering they said the CC numbers and personal information were stored separately and the CCs were encrypted, no, it isn't proof at all. Apparently you don't understand what proof means, I would recommend you buy a dictionary.


RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 12:10:24 PM , Rating: 2
Encrypted does not mean inaccessible.


RE: Did the writer read the playstation blog
By Gzus666 on 5/2/11, Rating: 0
RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 3:11:45 PM , Rating: 3
Ok, if you wanted to show off your programming skills, you failed.

The passwords were not encrypted, they were hashed. So there's no AES in there. Hash usually means MD5 or SHA. And no salt was used, so there's a very good chance to recover weak password with a dictionary based attack.


By Gzus666 on 5/2/2011 3:41:31 PM , Rating: 2
I'm not a programmer. Last piece of information I read said they were encrypted, not hashed. If you have something stating otherwise, I would be interested to see it but according to Sony, it was in fact encrypted, not hashed.

While I am not a programmer, I am a network engineer who has to deal with encryption and hashing, so I am not completely in the dark when speaking of the two.


RE: Did the writer read the playstation blog
By Gzus666 on 5/2/2011 4:17:43 PM , Rating: 2
It looks like you are confusing the passwords with the CC numbers. The passwords were hashed, the CC numbers were encrypted.


RE: Did the writer read the playstation blog
By Yames on 5/2/2011 5:25:32 PM , Rating: 2
Hashes are not reversible, and in order to use your credit card "on file" without reentering all your information, it would have to be stored encrypted. If the hacker was good enough, they may have been able to get the encryption key.


RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 5:54:43 PM , Rating: 2
quote: "Hashes are not reversible"

They are not, but given the same input, they always yield the same output. So you use "mom" for password, an attacker can just go ahead and hash all words in a dictionary and compare the output.
And while it's not exactly my field, afaik MD5 itself is not exactly secure.


RE: Did the writer read the playstation blog
By adiposity on 5/2/2011 7:32:28 PM , Rating: 2
Since I didn't use "mom" or any other dictionary word, it shouldn't be a problem, right?

Whether or not MD5 is secure is kind of moot; did they use md5 or SHA2?


By DanNeely on 5/3/2011 6:29:39 AM , Rating: 2
No. Calculating a rainbow table with all the passwords in it isn't that hard since they weren't salted. Once they have that, they have everyone's password.

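The article's point about unsalted hashes, and the dictionary and rainbow-table discussion in the comments above, as an added illustration (not Sony's code, and not from any commenter): a constructed three-account table is hashed once without salt and once with a per-user random salt, and the same precomputed wordlist table is tried against both. All usernames, passwords and the wordlist are made up for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo accounts: two users share the weak password "mom",
# one uses a long random passphrase. Not real data.
USERS = {"alice": "mom", "bob": "mom", "carol": "x9!Qw2#vL8mZp4Rt"}
# A tiny stand-in for the dictionary an attacker would hash in advance.
WORDLIST = ["123456", "password", "mom", "letmein", "dragon"]

def unsalted_hash(password):
    # What the article describes: a bare digest of the password, no salt.
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt):
    # Salt prepended to the password. A real deployment would also use a
    # slow KDF (bcrypt, scrypt, PBKDF2); omitted here to keep the demo short.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def leak_unsalted(users):
    # user -> hash, as stored in an unsalted password table.
    return {u: unsalted_hash(p) for u, p in users.items()}

def leak_salted(users):
    # user -> (salt, hash); the 16-byte random salt is stored beside the hash.
    return {u: (lambda s: (s, salted_hash(p, s)))(os.urandom(16))
            for u, p in users.items()}

def precomputed_table(wordlist):
    # One hashing pass over the dictionary, reusable against every user:
    # this is what a rainbow table approximates with less storage.
    return {unsalted_hash(w): w for w in wordlist}

def crack_unsalted(leaked, table):
    # One lookup per user; users sharing a password share a hash and fall together.
    return {u: table[h] for u, h in leaked.items() if h in table}

def crack_salted(leaked, table):
    # The same table against salted hashes: every digest now depends on the
    # salt, so no precomputed entry matches and the work must be redone per user.
    return {u: table[h] for u, (_, h) in leaked.items() if h in table}

def verify_salted(password, record):
    # Legitimate login: rehash with the stored salt, compare in constant time.
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)

def salted_login_works(users):
    records = leak_salted(users)
    return (all(verify_salted(p, records[u]) for u, p in users.items())
            and not verify_salted("wrong", records["alice"]))
```

The unsalted run recovers both "mom" accounts with a single table while the passphrase stays unmatched; the salted run yields nothing from that table even though logins still verify.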

RE: Did the writer read the playstation blog
By B3an on 5/2/11, Rating: -1
RE: Did the writer read the playstation blog
By Pirks on 5/2/2011 12:06:43 PM , Rating: 2
oh man, mick is not even worth an asher's armpit smell, jee I miss asher too :( best tech blogger ever :(


By JakLee on 5/2/2011 12:54:39 PM , Rating: 2
Anyone know what happened to Masher?
I never did hear where he went?

