Sony calls in data Sherlocks to unpick megahack disaster

Sony has drafted in security experts to figure out who hacked into its systems - and how they did it - before stealing personal data on 100 million consumers of the company's services. Both the firm's PlayStation Network and Online Entertainment service remain suspended in the aftermath of high-profile hack attacks that have …

COMMENTS

This topic is closed for new posts.
  1. Z 1

    Incompetence

    Thy name is sony.

    Request a new sony icon to represent crap security.

  2. Anonymous Coward
    FAIL

    Another day,

    Another load of scaremongering....

    Funny, I must have missed the bit where you pointed out that only 900 valid credit cards were actually exposed in all of this.... (yes REALLY!)

    But then that would ruin a really sexy story....

    1. BRYN

      hmmm

      Even 1 exposed credit card, is one too many.

      Stop being blinkered. The fact that personal info which could allow the setting up of fraudulent identities has been stolen is what is worth worrying about. I assume you're a PSN/SOE user who feels comfortable in your bubble.

      Imagine going to a bank and applying for a loan, to be asked when you plan on repaying the 4 other loans that have been taken out with your details that have been stolen. That, my friend, is a very real possibility.

    2. TheRobster
      Thumb Up

      Wow, REALLY?

      Where did you hear that? I'd not heard that. Link please?

      </gentle_sarcasm>

    3. irish donkey
      WTF?

      only 900 valid credit cards

      Are you serious?

      I would like to see you say only if yours was one of the credit cards...

      or are you saying that it didn't matter that these 900 customers' data didn't qualify for the full data protection? Did they not spend enough money for the mega corp to be bothered with?

      Bet you work for Sony with an attitude to data security like that.

      1. Goat Jam
        Headmaster

        "bet you work for Sony"

        You clearly are not familiar with your average rabid Sony fanboy.

        http://www.destructoid.com/fact-ps3-fanboys-are-the-worst-149259.phtml

    4. foo_bar_baz
      FAIL

      Another day

      Another astroturfing sockpuppet.

  3. Anonymous Coward
    Pint

    Question is, was this the first hack or the first one to be noticed!

    As with most public hacking cases you have to remember that it is only the ones that are noticed that come to light initially. Now that they are doing full forensics on it they may indeed find that whoever hacked them was not the first to do so.

    I was personally involved in doing forensics on a major website hack many years ago and what I found was:

    (1) The aforementioned server had been hacked at least 4 times in the past year prior to the defacement.

    (2) What is publicly announced is a lighter side of the story as to what actually happened, i.e. no customer data involved officially where in fact customer data was found.

    (3) The server was procured and put in place by an internal department using external suppliers and not the formal internal approved ones.

    So it is very much possible that there was credit card information unencrypted, indirectly stored in other cache areas or from online petitions for ID verification or indeed in the verification system's buffer. Remember that they have admitted that email and favourite pet name and address and DOB information has already passed away, so with that it wouldn't be hard to control that email address without its password, assuming it's not one of the types that have a one-password-fits-all approach.

    Sony may very well have had an internal security division more than able to prevent this but internal politics prevented them from being involved! Indeed the fact it was at a data center not located near their main offices would be some indication; indeed some of the best ways to hack somebody is to get a box in the same datacenter/colo and route via their central backup servers, which remarkably enough seem to almost always allow such silliness.

    For what it's worth Sony are doing all that they can now, and for most users that will be enough, but for others it was one straw too many. I'm also surprised the USA etc. don't appear to have the same level of data protection laws afforded us UK/EU people, given how long ago the original Data Protection Act was put in place. So at least that's one area that will help others when the USA changes/adds laws to accommodate this oversight.

    I just hope Sony are honest and in a timely manner as to what went where it shouldn't have gone and fairly protect users accordingly from the fallout where applicable.

    Sadly a global biometric ID card system would be useful but everybody is paranoid about being tracked so much they ignore the fact they use credit cards and store loyalty cards without even thinking.

    BEER ICON because that's all Joe Public can do about this currently.

    1. Anonymous Coward
      Anonymous Coward

      exactly!

      Exactly how many databases out there with personal details on them actually log every query run against them?

    2. DrXym

      Datacenters

      The fact that Sony have said they're moving data centers suggests that may very well be how someone broke in. Either they plugged into the same network, trojaned their way in, or sat in the car park and broke in through the wifi network. It may well be that the public interfaces to the service were extremely well protected, but if someone can gain access to the intranet you need more than that to protect yourself, e.g. closing all non-essential ports to the data servers, using 2-way SSL, logging everything, limiting physical access to the servers, encrypting backups, not handing the keys to the kingdom to just a single person and so forth.

  4. Muckminded
    Thumb Up

    Oh, here's your problem...

    Corporate negligence.

    I'm guessing it got in by the front door.

    1. amanfromMars 1 Silver badge

      SMARTer IT Warriors do not Suffer Fools in Systems

      "Corporate negligence...... I'm guessing it got in by the front door." ....... Muckminded Posted Wednesday 4th May 2011 17:59 GMT

      Quite so, Muckminded, not every crook wears a mask and sneaks in through a backdoor. Some of them are conspicuously wealthy and play systems for the fools they think IT is, ..... as this short tale tells ......... http://www.project-syndicate.org/commentary/sachs177/English

      But it is their folly to think that they are free to do it for free.

  5. Anonymous Coward
    Alien

    encrypted with cryptographic hash function?

    "unidentified intruders may have made off with credit cards details of PlayStation Network gamers but is seeking to reassure its customers that the card data was encrypted"

    "The method used instead was called a cryptographic hash function and Sony has provided a link to help PSN users understand the difference"

    http://www.electronista.com/articles/11/05/02/psn.passwords.were.crypto.hashed.not.encrypted/#ixzz1LOxdkmdt

    http://www.sony.net/Products/cryptography/aurora/download/AURORA-updated.pdf

    1. DrXym

      Hash for the password, encryption for the credit card data

      The password only requires a 1-way hash (with salting preferably) since it never needs to be decrypted. The credit card data does need to be decrypted so presumably there was a key sitting around somewhere which provided access to the data.
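The distinction DrXym draws above, as an added example that is not part of the thread: a password is stored only as a salted one-way hash and is checked by re-deriving it, while a card number must be recoverable, so it is encrypted under a key that then has to exist and be protected somewhere. The code uses only the Python standard library; the card encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only to keep the example dependency-free (a production system would use AES-GCM or similar from a vetted library). The iteration count, the key, and the sample card number are constructed values for illustration.

```python
"""Added example: salted one-way password hashing versus reversible card encryption.

Standard library only. The card cipher below (HMAC-SHA256 keystream in counter
mode, encrypt-then-MAC) is a demonstration construction, not a recommendation.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter; tune to the hardware


# --- Passwords: one-way and salted. Nothing stored allows recovery of the password.

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A random per-user salt means identical passwords
    yield different digests and precomputed tables do not apply."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# --- Card numbers: must be decryptable, so a key exists and must itself be guarded.

def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (demonstration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_card(master_key: bytes, card_number: str) -> bytes:
    """Return nonce || ciphertext || tag. Fresh nonce per record; the tag lets the
    decryptor detect tampering or a wrong key before returning any plaintext."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    plaintext = card_number.encode("ascii")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_card(master_key: bytes, blob: bytes) -> str:
    """Verify the tag first, then strip the keystream to recover the card number."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("ascii")


def demo() -> dict:
    """Round-trip both mechanisms on constructed sample data."""
    salt, digest = hash_password("correct horse battery staple")  # constructed password
    master_key = secrets.token_bytes(32)                            # constructed key
    blob = encrypt_card(master_key, "4111111111111111")             # constructed test number
    return {
        "password_ok": verify_password("correct horse battery staple", salt, digest),
        "password_wrong": verify_password("Tr0ub4dor&3", salt, digest),
        "card_roundtrip": decrypt_card(master_key, blob),
        "card_blob_len": len(blob),
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the point: a stolen password table yields only salts and digests, so an attacker is left guessing at PBKDF2 cost per guess, whereas a stolen card table is readable by anyone who also obtains the master key, which is why where that key lives and who can read it matters as much as the cipher.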

  6. Disco-Legend-Zeke
    Joke

    Sony Needs...

    ...the Pink Panther.

  7. TonyHoyle

    Scaremongering?

    Far from 'only 900' Sony have thus far admitted 12,700 credit card details have been stolen. They haven't ruled out the others (http://blog.eu.playstation.com/).

    Have those 12,700 been personally notified? Not that I've heard.

    Given that it took them 2 weeks of forensic analysis to even realize SoE had been hacked too, they clearly have little or no auditing so it's far from scaremongering to assume the rest could be compromised.

    1. Highlander

      Facts may help you understand

      SOE lost a 12,700 record database of CC details that was around 4 years old. Only 900 (approximately) of those card numbers remained active.

      Sony and their investigators have to date found no evidence to suggest that the PSN card database was accessed or taken. They have been able to confirm that the personal information such as names, addresses and usernames were accessed and taken. Considering that they are able to determine that the personal information was transferred off their servers by the hackers, the same logging, audit capability and tracing would allow them to see whether the CC data had also been accessed and taken. Obviously, it's essentially impossible to be 100% certain it was not. However in the absence of evidence from the investigation and auditing being done and with card issuers indicating they have seen no indication of fraud as a result of the hack either, it seems that Sony's statement that the card data was not taken holds a decent amount of water. They took so long to find the SOE hack because they were concentrating on PSN and only switched attention to SOE once their primary work had been completed and they were sweeping the rest of Sony's network in preparation to turn portions of PSN back on.

  8. NoneSuch Silver badge
    FAIL

    Wait...

    100 million potential credit cards violated and they are just calling the FBI now??????? Plus (and even worse) the FBI has to gather evidence that has been visited by not one, but two or more forensic examiners plus internal staff mucking around.

    This is ineptitude of huge proportions. If you have a house break-in you don't sweep the floor, vacuum and repair the back window before calling the cops.

    Epic Fail...

    1. Highlander

      100 million? Not so much...

      Of the 77 million PSN accounts, a little under 13 million actually had card information. So, your potential number has dropped rather dramatically with the introduction of a fact or two.

  9. Naughtyhorse

    Wouldn't it be ironic

    if it was found that a rootkit was involved in all this suspiciously overblown tomfoolery

    1. foo_bar_baz

      No, it would be

      poetic justice

  10. Ronny Cook

    SOE hack

    I had an account with SOE 4 years ago and while my card had expired in that interval, it had been reissued with a new expiry date. That card was probably one of the 12,700 cards they had listed as not being of interest because they were no longer "active".

    I did receive a personal notification concerning the SOE hack, although it didn't say my card WAS compromised, just that it MAY have been.

    The PSN hack didn't worry me much because the numbers were allegedly hashed, but I have found no mention anywhere that the SOE card numbers were hashed.

    I've cancelled my old card and gotten a new one, as the bank in question was setting card expiries on an anniversary basis (i.e. they would always expire in April, every 3 years or so) - a stupid tactic that they have thankfully now forgone.

    I read somewhere that PSN was hacked through a buggy old Apache release.
