
Sony is offering freebies to lure customers back onto PSN. Some customers might fear, though, that given Sony's poor security track record, they might be walking into a trap by subscribing.
Company wasn't even using encryption for its non-CC data

The hits just keep coming for troubled giant Sony Corp. (6758). The maker of the PlayStation Portable and the PlayStation 3 announced last week that hackers broke into its PlayStation Network (PSN) database and stole the records of its 77 million customers.

Sony waited an entire week while investigating the breach before notifying customers.  In the meantime the PSN was down.

I. New Details -- 10M CC's Lost

This week Sony revealed new details in media comments and posts to its PlayStation blog.  It commented that up to 10 million users' credit card numbers were likely obtained by the intruder.  

Until now it was unknown whether or not the hackers had gained access to the part of the database containing credit card numbers.

Sony stated that it was unclear whether the information thief could gain access to users' credit cards, as the numbers were encrypted. Sony indicated that it did not encrypt any of its other user records -- including username, real name, address, email addresses, and birth date. Those records were stored as plain text and should be easily usable by a malicious party.

Passwords were not encrypted, but were hashed.  They were reportedly not salted, which means reversing the hash should be feasible for a savvy cyber-criminal.
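An added example, not part of the original article, showing why the missing salt matters: with a bare digest, identical passwords produce identical stored values across accounts, while a per-user salt with a slow key-derivation function does not. The article does not say which hash function Sony used; SHA-256, the PBKDF2 parameters and the sample accounts below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not breach data); two users share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#vq!pLx2"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def unsalted_hash(password):
    """Weak scheme: a bare digest, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_hash_groups(records):
    """Return groups of users whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo():
    """Compare how many accounts share a stored value under each scheme."""
    weak = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_hash(p)[1] for u, p in ACCOUNTS.items()}
    return shared_hash_groups(weak), shared_hash_groups(strong)


if __name__ == "__main__":
    print(demo())
```

Under the unsalted scheme the two accounts with the same password are indistinguishable in the database, so a single precomputed lookup covers every user at once; with per-user salts each record has to be attacked separately.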

Kaz Hirai, Sony's executive deputy president, addressed the public in a streamed press conference late last week, bowing deeply in the traditional Japanese expression of regret. He stated, "We offer our sincerest apologies."

The timeline of events in the intrusion has now become clearer. The intruder gained access between April 17 and 19, apparently having free rein of Qriocity servers. Then on April 19 Sony detected the intrusion and locked out the system.

The PSN service was shut down on April 20. Sony hired three independent firms to investigate the breach. It declined to notify users, though, until April 25.

II.  Sony Offers Freebies to Lure Users

In its bid to regain users' trust and try to lure old and new users back onto PSN, Sony is offering its customers a number of freebies.

Leading the way is a limited offer for a 30 day free subscription to PSN for new users.  For existing users, those who choose to remain will get a temporary 30 day boost to a "premium" membership level, which comes with special perks (free applications, etc.).  

And Sony is offering to pay users' credit card renewal fees should they find themselves victims of identity theft.  But it says it will require users to prove they suffered damage.

Users on Sony's blog seemed to be reacting positively to the company's updates and freebies program.  Writes "mcbuttz78":

Tell all your staff thank you and we all really appricate (sic) every thing you guys are doing to keep the psn network going strong and better than before. It really means alot . We also at the psn legion would like to wish the sony sercurity (sic) team happy hunting and dont forget the old detective saying” to hunt a criminal in the dark is best case, becuase (sic) he never knows hit’ em

But some seemed less enthused.  One user, "Jimmy_Cosmos" writes:

Just leave the PSN off, stop making PS3s and wait a year or two while building a much better & robust PSN network and launch the PS4. You’ve already given up on the PSP and the PSPGo. This gen is a disaster for you Sony. Rushing to build a brand new PSN in a few weeks is just asking for another disaster like you just had. How can you possibly be sure what you’re rushing to do in a couple of weeks will be better than what you’ve had to make secure in the past 5 years?

Some analysts think the damage will last for some time. Jay Defibaugh, director of equities research at MF Global in Tokyo, stated in an interview with Reuters, "Damage has been done to Sony whatever the scale of the content giveaway at this point, and Sony is facing a prolonged effort to regain customer trust. Anything that undermines consumer willingness to divulge credit card details to Sony is a problem for the network strategy."

The breach has impacted customers worldwide in the North American and European regions. Customers in Asia may have been affected as well.

To clarify, Qriocity -- the entity that maintains the PSN and that Sony has been referring to in the third person in its blogs -- is actually part of Sony. The group offers streaming video and music services, in addition to maintaining Sony's online gaming efforts. The trade name was put in place in June 2010 and Sony has been referring to it in the third person ever since. Some have complained that Sony is obfuscating its own role in the breach by sharing the blame with Qriocity in its releases, when in fact Qriocity is a part of Sony.


RE: Did the writer read the playstation blog
By bug77 on 5/2/2011 5:54:43 PM , Rating: 2
Hashes are not reversible

They are not, but given the same input, they always yield the same output. So you use "mom" for password, an attacker can just go ahead and hash all words in a dictionary and compare the output.
And while it's not exactly my field, afaik MD5 itself is not exactly secure.

RE: Did the writer read the playstation blog
By adiposity on 5/2/2011 7:32:28 PM , Rating: 2
Since I didn't use "mom" or any other dictionary word, it shouldn't be a problem, right?

Whether or not MD5 is secure is kind of moot; did they use md5 or SHA2?

By DanNeely on 5/3/2011 6:29:39 AM , Rating: 2
No. Calculating a rainbow table with all the passwords in it isn't that hard since they weren't salted. Once they have that, they have everyone's password.

