
Sony's new security chief appears to be orchestrating a more proactive response

Sony Corp.'s (TYO:6758) new SVP & Chief Information Security Officer, Philip Reitinger, certainly has his work cut out for him. While beloved by many gamers, Sony is also loathed by many hackers for such tactics as trying to sue modders of legally purchased consoles into oblivion and trying to get PSN users to sign away their rights to sue Sony for negligence.

That vehemence led to it getting mauled in a series of intrusions [1][2][3][4][5][6][7] this spring, which struck a massive blow both financially and in terms of reputation for the electronics giant.

Reitinger announced on Monday that his staff had detected a major, concerted effort to attack Sony's online services: the Sony Entertainment Network (SEN), the PlayStation Network (PSN) and Sony Online Entertainment (SOE). The new security chief writes:

We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.

The attacks appeared to use a large database of usernames and passwords, which Sony believes came from a third party. Sony backs this hypothesis by pointing to the fact that only 0.1 percent of accounts appeared to have been compromised out of those where login was attempted.

While that's relatively good news for Sony, it still means that "93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000)" were compromised.  As a precaution, Sony has locked down all of these accounts.  The company will be issuing affected users an email, allowing them to reset their password.

Sony warns users that they should exercise common sense when making their passwords.  Mr. Reitinger writes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

The incident appears to be the first major test of the new chief's mettle. He certainly has an impressive resume, having recently departed from a cybersecurity role in the Obama administration. Previously he served as head of the Department of Defense's Cybercrime Center and at the Department of Justice as the deputy chief of the Computer Crime and Intellectual Property division. Reitinger also served as an advisor to the Federal Emergency Management Agency (FEMA) on cybersecurity emergency management as a member of the FEMA Advisory Council while employed as a strategist for Microsoft, Corp. (MSFT).

Meet Philip Reitinger, Sony's new security chief. [Source: Sony Rumors]

Thus far Sony appears to be responding much more quickly and much more definitively to this incident, compared to the confusion that swept it during the April and May attacks.

While it's hard not to find fault with Sony's management, if reports of layoffs worsening the late spring attacks are true, on the other hand it's equally hard to begrudge Sony for getting attacked this time around.

The fact of the matter is that if enough people don't like you online, there are always some large databases of leaked usernames/passwords floating around, and these databases can be used for a direct attack, as appears to be the case here. About the best a company can do to stop such an attack is to block the attacking IPs and lock down the affected accounts. And that appears to be exactly what Sony did.
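
The triage described above, as an added example (not Sony's code): given a batch of login events, flag source IPs that try many distinct sign-in IDs with an almost total failure rate, then list the accounts that did authenticate from those IPs so they can be locked and reset. The event format, the thresholds and the function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, sign_in_id, success). Not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(40)]
    + [("203.0.113.7", "alice@example.com", True)]   # a reused password matched
    + [("198.51.100.4", "bob@example.com", False),   # ordinary typo, then success
       ("198.51.100.4", "bob@example.com", True)]
)


def triage(events, min_ids=20, min_fail_ratio=0.9):
    """Return (ips_to_block, accounts_to_lock) for a batch of login events.

    An IP is flagged when it tries many distinct sign-in IDs and nearly all
    attempts fail, the pattern of a list obtained elsewhere being replayed.
    The thresholds are illustrative assumptions, not values from Sony.
    """
    ids_by_ip = defaultdict(set)
    hits_by_ip = defaultdict(set)
    fails_by_ip = defaultdict(int)
    total_by_ip = defaultdict(int)
    for ip, sign_in_id, success in events:
        ids_by_ip[ip].add(sign_in_id)
        total_by_ip[ip] += 1
        if success:
            hits_by_ip[ip].add(sign_in_id)
        else:
            fails_by_ip[ip] += 1

    ips_to_block = {
        ip for ip in total_by_ip
        if len(ids_by_ip[ip]) >= min_ids
        and fails_by_ip[ip] / total_by_ip[ip] >= min_fail_ratio
    }
    # Accounts that authenticated from a flagged IP are the ones whose
    # password was on the replayed list: lock them and force a reset.
    accounts_to_lock = set()
    for ip in ips_to_block:
        accounts_to_lock |= hits_by_ip[ip]
    return ips_to_block, accounts_to_lock


if __name__ == "__main__":
    blocked, locked = triage(SAMPLE_EVENTS)
    print("block:", sorted(blocked))
    print("lock and reset:", sorted(locked))
```

The user who mistyped a password once from 198.51.100.4 is left alone, because one sign-in ID from one address does not match the replay pattern.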

Source: PlayStation Blog

Comments


RE: I guess....
By VTHokie on 10/12/2011 2:15:38 PM , Rating: 2
Another option to consider is using "Disposable Credit Card Numbers". You can get them online through certain banks. I have not tried this myself but my brother has been doing this for many years through Citibank. You log in to the bank, generate a one-time-use credit card number and make your online purchase. NO worries about Sony or any other site being hacked to get your credit card number because the number is no longer any good after the one time purchase.

Here is an article that lists a few other banks that support this.

RE: I guess....
By Murst on 10/12/2011 4:45:24 PM , Rating: 2
I've had this option for one of my cards, but it just seems like a hassle.

All of my credit cards have fraud protection. Sure, if there is a problem, it would require about 30 minutes of my time to fix (I would need to request a new card, and mail back a signed form stating that I did not make the purchase). However, that 30 minutes is nothing compared to if I had to create a new virtual number for each of my purchases.

Creating a new number would probably waste 30 minutes every 2 weeks or so with my online purchase frequency. I have had to deal with one case of fraud on my credit cards in 14 years.

I'd rather waste 30 minutes once every 14 years than 30 minutes every 2 weeks....

RE: I guess....
By rttrek on 10/12/2011 5:53:22 PM , Rating: 2
That article points to Discover Card, but the link takes you to a page that explains why they discontinued those numbers a month ago.


Copyright 2016 DailyTech LLC.