PlayStation Network credit cards protected by encryption

All credit card information stored on Sony's PlayStation Network was encrypted, the company said one day after warning users their user names, passwords, birth dates and home addresses were stolen in a security breach. “The entire credit card table was encrypted and we have no evidence that credit card data was taken,” Sony …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    Sorry, Sony...

    ...but I still don't believe you.

    1. Gav
      Alien

      the truth will out

      And you're basing that conclusion on.....?

      Clearly this is a big embarrassment for Sony, but I don't believe for a second they're stupid enough to think that lying about events is going to help. There are bound to be a number of investigations following this debacle, so any lie would be discovered and make things a whole lot worse for them.

      That is, unless, you're keen on conspiracy theories and never believe anything you're told. In which case obviously Sony is in league with the legal system, the government , the Illuminati and our alien overlords, and the whole thing will be whitewashed.

      But one important thing to learn from all this; never ever give your proper full name and correct date of birth to a website that has no genuine need, or right, to know them. It's not your job to help them build a detailed marketing database.

      1. Ru

        "never ever give your proper full name"

        A correct name and address are often required for cardholder-not-present credit card sales. Birthday though, no need to help 'em out with that.

        1. Anonymous Coward
          Anonymous Coward

          cardholder-not-present

          "A correct name and address are often required for cardholder-not-present credit card sales. Birthday though, no need to help em out with that."

          Wrong, they need: name on card, card number, exp date, CCV (maybe issue number and valid-from date depending on card type)

          That's all I had registered with them and it worked for me.

          The name and address part is used by vendors to verify that the delivery and billing address are the same so they don't send their goods to a safe house. It won't stop the transaction going through.

          Also with PSN - no product to deliver, no address needed. You can put any old crap in there, I honestly don't know why they ask for it.

          The reason they ask for your date of birth is to make sure that you are not a minor trying to download content intended for more mature audiences such as 18+ rated games. They probably have to do this because of some stupid legislation, however why ask for a date of birth (which I consider to be confidential) in the first place when they can just ask your age and timestamp that - it's idiotic really.

          1. Anonymous Coward
            Anonymous Coward

            @AC

            >Wrong, they need, name on card, card number, exp date, ccv

            Depends on the retailer - I just [reluctantly] bought an iPad 2 on my MC from the Apple Store UK - it's shipping to my work address and no CCV was required, just the card number, billing address and exp date.... It's on a new Apple ID too, so no purchase history or other verification is available to Apple.

            [and pre-empting the naysayers, it's risk-free to try it yourself without confirming the order in the last step]

      2. Inachu
        WTF?

        Here is another charge sent to me I never made!

        inachu,

        Thank you for your recent order. This e-mail serves as your receipt for a purchase, ************** (NAME DELETED)

        Order Number: 1097793074

        STATION CASH PURCHASES

        Station Cash Funding Purchase

        $10.00

        Tax:

        $0.00

        Order Total:

        $10.00

        Sony Online Entertainment LLC

        http://www.station.sony.com

        Nothing has shown up on my credit card yet. I never made these purchases with a credit card and if somehow I am billed for that $5 and $10 that I never made then I will go class action with this.

    2. Anonymous Coward
      FAIL

      Then you are an idiot.

      and nothing they ever tell you will make sense.

      Basically this incident has now been downgraded to a "Gawker" or a "Play.com"....

      1. serviceWithASmile
        Big Brother

        Think you're being a little unfair

        Sony would be mad to tell all, say, if the whole thing was either an inside job (providing they don't know who did it or that person has a dead drop with all the data he stole set up) or perhaps if the whole blunder was 100%, completely and solely their fault.

        "blame it on a hack" has been done before.

        That said, personally I don't doubt there has been a hack, but I'm not certain Sony are saying everything either. I wouldn't.

        Either way, they can't repel a cockup of that magnitude.

    3. Anonymous Coward
      Happy

      Well said!

      I put it to Sony, please define encryption as you see it?

      Simply swapping every character for the next in the ASCII list is technically encryption, it's completely useless and shit encryption, but in the technical sense of the word, it's still encryption!

    4. Inachu
      WTF?

      Look at this and tell me they arent giving fake charges!

      inachu,

      Thank you for your recent order. This e-mail serves as your receipt for a purchase, **************(NAME DELETED)

      Order Number: 1097793142

      STATION CASH PURCHASES

      Station Cash Funding Purchase

      $5.00

      Tax:

      $0.00

      Order Total:

      $5.00

      Sony Online Entertainment LLC

      http://www.station.sony.com

      I NEVER BOUGHT ANYTHING worth $5 and never used any kind of credit card either.

  2. Mark 65

    Passwords

    I'm guessing that Sony informed that passwords were stolen as, even if hashed, a lot of users' passwords will be simple enough to crack via tables. Hence you tell everyone they've been stolen. Hashing is no silver bullet. Hash with salt - maybe.

    1. Anonymous Coward
      Happy

      But...

      Rainbow tables are not trivial to make. It'll take months to make one that has 8 chars or less, years for 9 chars. And rainbow tables only record 1-8 iterations of hashing (they're hard enough to make as it is). So, if Sony hashes passwords say, 32 times, then no current rainbow table will work. But if Sony is being lazy and only hashes once or a few times, then yes some of the passwords will be susceptible to a rainbow table if it's 8 chars or less and especially if it's a dictionary word. That is why I use 12 chars minimum for all my passwords. Short enough to be remembered and typed, long enough to be hard-to-crack, and most likely not yet found in any rainbow table.

      1. Anonymous Coward
        Boffin

        Rainbow Tables

        But more importantly, if Sony uses the same salt when hashing every user's password, then that single Rainbow Table will be of use when attempting to identify the hash collision for the entire dataset.

        However, if, like someone with a brain, Sony have used a random hash per password, then a potential exploiter would need to construct a Rainbow Table for each and every salt/password combination, which even with immense distributed computing power is essentially impractical.

        But let's be fair, we're not dealing with people who know the difference between same-salt and random-salt hashing here, we're dealing with Sony.

        1. Anonymous Coward
          Anonymous Coward

          'Someone with a brain'.

          This is the kind of thing undergraduates are expected to do on their honours projects.

      2. DRendar

        Salt is better.

        An easier, and more user friendly way, is to apply a system salt, user salt, then hash.

        No way any rainbow table will be able to crack that, as you'd need a different table for each user.

        eg (not a real example)

        hash('sha256', $password . 'Sa1tY@5' . md5($userid))

        Your password doesn't need to be so long that way.

        12 chars isn't too long in isolation, but when users need to remember 10-20 different passwords it becomes unwieldy, and in the end just encourages users to write passwords on post-its under keyboards, on monitors etc, or as the story suggests, use the same password for everything.

        In addition, just repeatedly hashing a hash of a hash may seem more secure, but it still allows your entire table to (potentially) be broken with one rainbow table.

        1. Anonymous Coward
          Anonymous Coward

          Writing down passwords is not necessarily a bad thing

          A notebook full of strong passwords locked in your desk drawer is much safer than using the same simple password everywhere because you're afraid of forgetting the password.

          The odds of someone breaking into your house to steal your book of passwords is orders of magnitude lower than the chances of someone hacking your online accounts with simple passwords.

          1. DRendar
            Boffin


            Perhaps.

            But we aren't generally referring to home users here.

            Personally I was referring to people in office buildings who write down passwords and stick them to their monitors and keyboards etc. We had to fire a member of staff not too long ago for habitually writing down passwords, and leaving them in plain sight (in public areas!)

            Also your solution of writing down passwords (and presumably usernames and site names too) doesn't help you when you aren't at home.

            An encrypted password vault, for example on your mobile would be a far better solution.

            If you also install remote shredding software you are protected even if your mobile is nicked too.

            1. Anonymous Coward
              Anonymous Coward

              @DRendar

              "But we aren't generally referring to home users here." - says who? Aren't home users going to be the main users of the Playstation Network?

              "Also your solution of writing down passwords (and presumably usernames and site names too) doesn't help you when you aren't at home."

              Nope, but then you can always carry the passwords around with you. Usernames tend to be a lot easier to remember.

              Of course there is always the risk that evil Chinese h4xx0r will fly all over the world to hunt you down and rob your password so they can use it to get into your gmail account. But I tend to see this as pretty low in the scale of things.

              Businesses often take too harsh a line on writing down passwords. It is a rule that is frequently put in place without any assessment of what it is actually trying to achieve. How much damage did the business suffer as a result of the staff member leaving their password written down? (or was it all theoretical?)

              It's the same problem with password lengths - we have some received wisdom which sounds "right" so it gets repeated out of context and we end up with arcane password rules that become self-conflicting (35 alphanumerics that mustn't be written down and changed every 30 seconds...etc.)

              It's almost as bad as the idea that because a password "looks" insecure it must be insecure. Patterns appear in random data so we even go as far as damaging the randomness protection so the password appears more random.

        2. Anonymous Coward
          Anonymous Coward

          Passwords

          Sort of agree but:

          "and in the end just encourages users to write passwords on post-its under keyboards, on monitors etc,"

          What is wrong with putting your password for a remote internet service on a post it note next to the monitor?

          Unless the hackers who pwn'd Sony can also break into my house and look at my monitor, the 32 character password I have written down is pretty safe. For most internet based services, the risk is from a distant hacker attacking the system and getting the hashfile. The defence here is for a hard to crack password. If you have to write this down is that really a risk?

          If you are a TLA government agency running TS systems with a persistent threat from hostile foreign agencies who can spend the time and effort to hire cleaners etc., then writing down passwords is a bad move.

          If you are a home user, having your internet banking password on a post it under the keyboard is a lot less risky than using an easy-cracked / easy-guessed password.

          1. Anonymous Coward
            Black Helicopters

            32 digits ok, unless...

            They can hack into your webcam and take a look at a reflection of your goggles lenses, provided you use goggles at all. Or any reflective surface facing the PC for that matter. Use dark non-reflective shades too, since your eyes can literally betray you at this moment.

            (...)

            As if I would leave my webcam plugged in at all times, or play PS3 right next to a running PC with the said webcam on the same IP subnet. Now that's some hacking attempt.

      3. Thomas 18
        Thumb Up

        Fortunately you can just use Google Rainbow Tables

        1. Go to http://www.miraclesalad.com/webtools/md5.php and generate a hash

        2. Copy and paste your hash into Google Search

        3. Open the first result.

        Bonus. Was covered by the reg a while back too: http://www.theregister.co.uk/2007/11/21/google_md5_crack/

        More salt pls

      4. Anonymous Coward
        Anonymous Coward

        Rainbow

        "Rainbow tables are not trivial to make. It'll take months to make one that has 8 chars or less"

        Only if you are using a 286. If you have a modern PC the creation times are nothing like this.

        However, if you are trying to generate them with your wrist watch, there are easier solutions such as freerainbowtables.com.

        It took me two weeks to generate rainbow tables for 16 characters using a VMware instance.

        Where I do agree is in the hash and iterations but there is more to it than the simple number of goes through the cycle. Plus, if you have a windows box you probably want to be using 15+ character passwords.

  3. Steve Evans

    Words are cheap.

    “The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

    I would say that events suggest the security system wasn't that sophisticated at all!

    The fact it took Sony several days to work out exactly what was accessed says a lot about the capabilities of their intrusion detection system and auditing, assuming they have either, of course. Unless the few days' delay was due to them hoping the story would just go away on its own.

    1. Anonymous Coward
      Anonymous Coward

      but it is sophisticated

      Their security system is good enough to know that all their servers were accessed, all their data was accessed, but that the attackers forgot to take a copy of the decryption key that the servers must have access to in order to read the encrypted data...

  4. stevo_80
    FAIL

    I'm still glad I cancelled my cards...

    'Encrypted'. Brilliant. Just like Gawker with DES or something equally amazing. Maybe they've gone a step up all the way to ROT13 if we're really lucky...Bastards.

    I take back all my previous statements on this - Sony's response has been utterly appalling.

    1. Anonymous Coward
      Joke

      ROT13 isn't very secure

      That's why I always do it twice on any data I want to encrypt!

    2. Anonymous Coward
      FAIL

      Me too

      I cancelled my card yesterday. I don't think I'll be putting my replacement card details anywhere near my PSFail.

      They have lost me as a customer over this; the PS3 is not that good, if anything the whole platform is lacking. Fuck 'em.

      And another thing... I haven't received any damn email.

      1. Anonymous Coward
        Anonymous Coward

        Email

        None of my friends with PS3s nor myself have received emails either. 77 million emails is a lot, but Sony's new pals in the criminal underworld seem to be able to send that many in a lot less than a week.

    3. Dan 55 Silver badge
      Joke

      You can rest easy

      Sony pushed the boat out with this one, they encrypted the CC info with ROT13 and then to make sure they encrypted it again with ROT13.

  5. stevo_80

    actually,

    I still suspect it was unencrypted and this is a half-arsed attempt to fend off the legal action, class action lawsuits and possible criminal prosecution (is it US jurisdiction?) that would lead from them admitting that they were storing credit card details in plain text.

    Even though it's a bank holiday weekend and I won't see my new one for ages, I'm still glad I cancelled my card.

    1. Anonymous Coward
      Anonymous Coward

      Credit cards encrypted.. YEAH RIGHT!!

      See the following undated chat transcript where some users had sniffed the communications from the PS3 to PSN and found that ALL credit card info was sent in PLAINTEXT (credit card info redacted here for obvious reasons)

      http://bit.ly/gXFNLa

      <user2> for example:

      <user2> creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4xxxxxxxxxxxxxx1&creditCard.expireYear=20nn&creditCard.expireMonth=2&creditCard.securityCode=2nn&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20

      <user2> sent as plaintext

      1. Anonymous Coward
        Anonymous Coward

        Because chat transcripts are always the truth!

        How do you know that is actually what is sent, and not just some geek trying to "get one over Sony" and, oh I don't know, making it all up? Given it's all fake data and all. Also it uses the variable of province, rather than the more standard county or state as used by the payment gateways I've used in the past. I'm very, very suspicious about the authenticity of this "evidence"... but then you do have proof, it's from an internet chat room and everything....

      2. Fuzzysteve
        FAIL

        SSLed

        That chat transcript is a trifle misleading. The entire thing is run through SSL. Yes, it's clear text in the URL. But you can't get at the URL unless you're man-in-the-middling the SSL transaction.

    2. AndrueC Silver badge
      Thumb Down

      Why

      Why bother cancelling it until something untoward has happened? I can understand that if it's a debit card (which is why using debit cards online is a bad idea) but with a credit card it doesn't matter. If/when someone uses your card details it's not your money being stolen. That's the time when you inform your CC issuer. Let them take the fight to Sony - the money they lose will be a juicy incentive.

      1. Anonymous Coward
        Anonymous Coward

        It won't be Sony that pays

        It's the retailer that accepts the stolen credit card that is on the hook for the money.

        1. AndrueC Silver badge
          Thumb Down

          You misunderstood

          I meant that it was the CC issuer who loses the money and will therefore have additional incentive to sort Sony out. But I suppose it could be the retailer - it wouldn't surprise me if the banks pushed it back.

          Still - my point remains that it's not /your/ money so not worth you doing anything about it until it actually happens. I've had it happen once or twice before and it's no big deal. Call issuer, get replacement card in post two days later. I think there was a form to fill in and fax back but there wasn't much to it - basically just confirming the disputed transactions.

      2. adnim

        If that was the case

        I am sure it would be public knowledge.

        There are hackers who buy new products such as the PS3 just to hack them. Now if I was planning to do any reversing of PS3 and its protocols I would sniff packets. If I was a curious security researcher I would sniff packets. I would hazard a guess that hundreds maybe a thousand or more technically competent individuals have captured packets between PS3 and PSN.

        The chances of all of those people keeping quiet about such a security failure are as close to zero as matters.

        Regarding encryption:

        There is no excuse for not salt hashing passwords, regardless of the data those passwords protect.

        I was surprised that a company as large as Sony had to call in third party security analysts, they really should have their own dedicated security team that are fully clued up on the systems involved. Perhaps if they had, this breach may not have happened in the first place.

      3. Random Handle

        @Andrue

        >Why bother cancelling it until something untoward has happened?

        Because you've been informed of the risk by email - subsequent fraud will be at your expense not the CC issuer and certainly not Sony's unless you have definitive proof of the chain.

        1. AndrueC Silver badge
          Thumb Down

          This is Andrue

          http://www.bbc.co.uk/news/technology-13231307

          "That advice was echoed by Visa Europe, the company behind the Visa payment system. It explained that if card data was found to have been stolen and used to make unauthorised payments, users would not have to pick up the bill.

          "Cardholders who are innocent victims of fraud will get their money back, subject to the terms and conditions of their bank," it said in a statement.

          PlayStation Network members were urged not to cancel their cards at this stage.

          A spokesman for Barclaycard said that such action was unnecessary until it was known if card numbers had fallen into the wrong hands."

          So - no need to panic, Mr. Jones! Just wait until it happens (if it does).

  6. Jeremy 2
    Coat

    So then...

    ...Let's just hope that the private key protecting the credit card data table is better protected than the game disk code signing key, huh?

  7. scarshapedstar
    FAIL

    Great...

    I don't even know what my password was. But I can't find out, either.

    1. Random Handle

      @scarshapedstar

      Keep your eye out for the torrent....

  8. XMAN
    Thumb Down

    77 million users

    OH.MY.GOD!

    No one noticed that their DB was being ragged with a huge export?

  9. acbot
    FAIL

    Hmm

    Sony never emailed me. I call bullshit on them emailing the majority of their 77 million users.

    1. stranger
      WTF?

      Re:Hmm

      I have 2 accounts (PSN is region locked) and just like you, I haven't received an email on either of them!

    2. stranger

      @ Re: Hmm

      Update:

      wow, I received the email less than 5 minutes after I made my post!.... should I be worried?

      Quote:

      Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

    3. Anonymous Coward
      Badgers

      Re

      I've not seen any email from them yet, I know they have the right address as I've got the original welcome to PSN email. I never gave them credit card details, although I was foolish enough to give them the correct postal address, which is now out of date. As for the password, I gave them the one I use for random untrusted sites that demand passwords for no good reason, like this one!

    4. DJ 2

      PSN

      I haven't received an email either. Is it restricted to US only?

      1. stranger

        Re: PSN

        not sure if the email is sent by region or not. But so far, I have received the email on my US account, I am still to receive it on my (newer) UK account.

    5. Benny

      PSN Plus account

      and not a word in my inbox. I'd figure paying to use the service would at least bump me up to getting an email when it all goes titsup! (Not that I'm saying non-Plus accounts shouldn't get updates as well!)

  10. Mectron

    Game Over

    Sony needs to go down over this.

    1. Sony is a (court of law) proven criminal company.

    2. Sony has lost all credibility since the rootkit fiasco

    3. Sony has acted illegally by removing feature(s) of the PS3

    4. Sony let millions of users' personal data be exposed to hackers

    Sony needs to go down and those who run it should be put down (ruining the lives of 70+ million people is a crime against humanity)

    1. Kyoraki
      WTF?

      Re: Game Over

      Oh shush. Removing features of an OS that Sony owns is hardly illegal. Sony gave people a choice of Linux, or PSN.

      And as huge of a scandal as this is, not encrypting user passwords and not employing better security is hardly a crime against humanity.

      1. The Fuzzy Wotnot
        Happy

        "hardly a crime against humanity"

        Nope it isn't, it's plain and blatant fucking stupidity by a huge tech company that should know better how to look after their customers info.

        Sorry but this and the other things Sony have done, prove beyond all doubt they don't give a rat's wotnot about their customers so long as the green is rolling in and the shareholders are happy. Although I can imagine the next Sony shareholders meeting should be a bloody good laugh!!!

    2. Captain Thyratron

      What?

      You have a curious definition of what constitutes a ruined life.

  11. Tom 15

    No way

    Hashing IS a silver bullet if done correctly... rainbow tables of just hashed passwords are easy but you should never simply hash the password, you should always salt it first. In most of our systems we take a unique, unchangeable piece of user information, such as a GUID that represents the user, add the password on to that and then hash it. Try building a rainbow table for that!
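    The per-user salting that several posts in this thread describe (DRendar's "system salt, user salt, then hash", the same-salt versus random-salt distinction, and Tom 15's GUID-plus-password), shown as an added Go example that is not code from any poster or from Sony: two users who share a password get identical unsalted digests but unrelated salted ones, and verification recomputes from the stored salt. The pepper value and iteration count are constructed for the illustration; a real deployment would use a standard password hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than the hand-rolled loop.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed parameters for this example. The pepper plays the role of the
// "system salt" in DRendar's post: a secret kept outside the user table (config
// file or HSM), so a dump of the table alone does not contain everything needed
// to recompute digests. The iteration count echoes the "hash 32 times" remark.
const (
	pepper     = "Sa1tY@5" // constructed; never store this beside the digests
	iterations = 32
	saltLen    = 16
)

// StoredCredential is the row the user table holds: a per-user random salt
// and the derived digest.
type StoredCredential struct {
	Salt   []byte
	Digest []byte
}

// unsaltedHash is the scheme the thread warns against: SHA-256(password) alone,
// so every user with the same password gets the same digest and one
// precomputed table covers the whole dump.
func unsaltedHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// derive is the salted, iterated construction: HMAC keyed with the pepper over
// salt||password, then re-hashed `iterations` times with the salt mixed back in
// on every round, so each user's hash chain differs from the first step.
// Production code should use a standard password hash instead of this loop.
func derive(pepper string, salt []byte, password string, iterations int) []byte {
	mac := hmac.New(sha256.New, []byte(pepper))
	mac.Write(salt)
	mac.Write([]byte(password))
	d := mac.Sum(nil)
	for i := 0; i < iterations; i++ {
		h := sha256.New()
		h.Write(d)
		h.Write(salt)
		d = h.Sum(nil)
	}
	return d
}

// NewCredential draws a fresh random salt for this user and derives the digest.
func NewCredential(password string) (StoredCredential, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Salt: salt, Digest: derive(pepper, salt, password, iterations)}, nil
}

// Verify recomputes the digest from the stored salt and compares in constant
// time, so a wrong guess is not distinguishable by response timing.
func Verify(c StoredCredential, password string) bool {
	got := derive(pepper, c.Salt, password, iterations)
	return subtle.ConstantTimeCompare(got, c.Digest) == 1
}

func main() {
	// Two users who chose the same weak password, a common case in a large table.
	const shared = "password1"
	fmt.Println("unsalted, user A:", unsaltedHash(shared))
	fmt.Println("unsalted, user B:", unsaltedHash(shared)) // identical: one lookup breaks both

	a, err := NewCredential(shared)
	if err != nil {
		panic(err)
	}
	b, err := NewCredential(shared)
	if err != nil {
		panic(err)
	}
	fmt.Println("salted,   user A:", hex.EncodeToString(a.Digest))
	fmt.Println("salted,   user B:", hex.EncodeToString(b.Digest)) // differ: no shared table applies
	fmt.Println("verify correct password:", Verify(a, shared))
	fmt.Println("verify wrong password:  ", Verify(a, "password2"))
}
```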

  12. Anonymous Coward
    FAIL

    PCI

    "The personal data table, which is a separate data set, was not encrypted"

    The only reason the credit card details were encrypted was because of PCI compliance - there is no mandatory requirement to encrypt personal information - name / address / date of birth / mother's maiden name etc. - even though this is useful for fraud.

    It's time legislation was tightened up and companies were fined significant amounts of money for breaches.

  13. CreditCards.org

    Email

    Sounds Alarming!

  14. Anonymous Coward
    Grenade

    PCI-DSS

    If Sony had credit card numbers in their databases and they weren't encrypted to the standards laid out by VISA/Mastercard thru PCI-DSS, then I'd suggest they're also going to cop a hefty fine from their bank.

  15. Andy Watt
    Stop

    Is this fake then?

    http://t.co/Xb7uXrb

  16. Craig 8
    Stop

    Encrypted, so what?

    It doesn't matter that it was encrypted, it doesn't even matter much how it was encrypted, what really matters is, where were the encryption keys and how were *they* protected?

    1. Anonymous Coward
      Joke

      table dbkeys, column 1, row 1, characters 0-7

      where did you think they were?

      Of course the keys shouldn't be saved in stored procedures either.

      Also, you should change the combination on your luggage.

  17. MJI Silver badge

    Received emails

    Received on 2 accounts, need to check the other few.

    Most have same password, my old one was stamped into the engine block of a car I used to own years ago. All children's PSN accounts and email accounts.

    Now I have to use a new one.

  18. Joe Montana
    FAIL

    Blah

    Sophisticated security system? And it still got breached... Security is best kept simple, the more complex your system is the greater surface area in which someone could find holes.

    More interesting however, is the way they claim card data was encrypted but don't say how... This is probably down to PCI regulations (and industry "best practices") which basically state the data should be encrypted but don't say how... Because of this loophole in the regulations, you get some very flawed (and extremely common) implementations being marked as compliant:

    Extremely weak encryption (eg ROT13)

    Flawed implementation (look at the ps3, constant values used to derive keys etc)

    Database stored on an encrypted filesystem, however the filesystem is mounted so therefore anyone who compromises the running system will be able to access the data although technically anyone who steals powered down drives won't be able to read it...

    As above, but any kind of symmetric encryption where the system writing the data needs the key therefore anyone who compromises it can read the data - only offers protection against people stealing the physical disks.

    As above, but the key is also stored on the same disk/machine (often done for convenience, otherwise user intervention would be required in order to boot since the key would need to be entered)...

    Even if you use public key crypto, where the system writing the data only has the ability to write and not read, there still needs to be a system capable of reading the data in order to use it... For a secure system, the encrypted data would be transported to another system for processing under the watchful eye of an operator who enters the keys... However in the real world this is too difficult and expensive to implement, so even if public key crypto is being used chances are the private key will be permanently stored on the system that needs to read the data - which means this system is now the primary target for the hackers.

    Many other encryption schemes simply rely on a form of DRM, the key is there but the software won't let you use it... Well the important point is that the key is there, it just takes a little more skill to work out how to bypass the restrictions, either by modifying the software or by extracting the key and decrypting the data yourself... Either way, such an approach is fundamentally flawed and will only ever be a minor nuisance to competent hackers.

    Of course the industry answer to this problem, will be to introduce additional flawed regulations... Regulations written by men in suits with no real understanding of security or encryption. They will most likely follow the government approach where products have to be `approved` under some scheme such as Common Criteria...

    The problems with this approach are MANY...

    The certification is pretty poor, it basically boils down to verifying that a product implements the features it claims to, the review is performed at a high level without even doing source code review and it only checks that features exist, not that they work properly or cannot be circumvented...

    The certification process is also extremely expensive, which effectively excludes open source and ensures that a small cartel of big vendors are the only choices - even when many of their products are simply based on open source code. The high cost and slow turnaround also means that vendors will often not resubmit newer versions, so under such a scheme you may be forced to run an old version which has known unpatched vulnerabilities!

  19. Anonymous Coward
    Anonymous Coward

    So everything's fine

    "behind a very sophisticated security system that was breached"

    I'm not criticising Sony for having been hacked into (heck, I don't have any Sony stuff myself, and since I'm selfish, I don't really care), since indeed hackers can get into pretty much any system given enough effort, but why the need for the pointless defensive banter to subsequently question it in the next few words of the same sentence?

    That's like your bank or pension fund saying "your savings were very safe, but you lost everything". Or a local egg farm saying "we have excellent sanitation but all our eggs have salmonella".

    Q: Doesn't it make you sigh in relief?

    A: Errr, no it doesn't.

  20. Pascal Monett Silver badge
    FAIL

    "a very sophisticated security system"

    Dear Sony,

    There are two issues with the statement that your "security" system was "very sophisticated". The first is obvious: it got breached, so it wasn't sophisticated enough.

    The second is also obvious, albeit probably not to you. It is the fact that you are a company who has considered a number of ridiculous DRM schemes, some of which have actually been damaging to your customer base, all of which you have touted as THE solution to piracy, all of which have failed miserably.

    So, your idea of "sophisticated" is one in which faith of any kind must be used sparingly, if at all.

    On top of that, if you were indeed capable of sophistication, you would not have ANY identifiable customer data in reach of the Internet that was not encrypted with 128-bit secure, hashed and salted, minced and boiled and whatever other neat, top-of-the-line procedures the security geeks gargle with every morning.

    Instead, you stored identifiable customer data in plaintext.

    Sorry, Sony, but that is quite the opposite of "sophisticated".

    It is, on the other hand, exactly what we could expect from the likes of you.

  21. Mad Mike
    FAIL

    Encryption on credit card numbers etc.

    Even if relatively sophisticated encryption is used on the credit card number, it's actually quite easy to break. Credit card numbers have numerous problems which render them quite easy to crack when encrypted. They're a known length, all numbers and can be checked for validity (at least to a point) through a well known modulo test. Cracking encryption isn't that difficult if you know what the result should be and the more well known and tight the definition is, the easier the crack is.............

    1. Neil 7
      FAIL

      Not to mention

      If the hacker has an account on PSN then they can use their own credit card number to assist with the cracking of the encryption algorithm by starting with their own account first...
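    The enumeration Mad Mike describes, and the known-card trick Neil 7 adds, as an added example that is not part of the original thread. It assumes 16-digit PANs, that the attacker already knows the six-digit BIN and the last four digits (both are routinely stored or printed in the clear), and it stands in an unkeyed SHA-256 for whatever deterministic transform was applied; the sample PANs are constructed test numbers. Five of the six middle digits vary freely and the sixth is fixed by the Luhn check, so the whole candidate space is 100,000 values. The caveat a practitioner should keep in mind: this shortcut exists only when the stored value can be recomputed without a secret (an unkeyed hash, or a deterministic cipher the attacker can query with their own card). Against a sound cipher under a key the attacker does not hold, the structure of the plaintext gives no help at all.

```python
import hashlib

# Luhn contribution of a digit that sits in a "doubled" position
DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_sum(pan: str) -> int:
    """Luhn sum: walking from the rightmost digit, double every second digit
    (subtracting 9 when the result exceeds 9) and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 == 1 else d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def candidate_pans(bin6: str, last4: str):
    """Yield every Luhn-valid 16-digit PAN with the given 6-digit BIN and last
    four digits. Of the six middle digits, five vary freely and the sixth is
    solved from the Luhn constraint, so the space is exactly 10**5, not 10**6."""
    solve_pos = 11                        # index from the left of the solved digit
    doubled = (15 - solve_pos) % 2 == 1   # is that position doubled under Luhn?
    for free in range(100_000):
        body = f"{bin6}{free:05d}0{last4}"      # '0' is the placeholder at solve_pos
        need = (-luhn_sum(body)) % 10           # contribution the placeholder must add
        digit = DOUBLED.index(need) if doubled else need
        yield body[:solve_pos] + str(digit) + body[solve_pos + 1:]


def unkeyed_transform(pan: str) -> str:
    """Stand-in (an assumption of this example) for a deterministic, unkeyed
    "protection" of the PAN: anyone can recompute it, so the only thing
    protecting the card is the size of the plaintext space."""
    return hashlib.sha256(pan.encode()).hexdigest()


def scheme_confirmed(own_pan: str, own_stored_value: str) -> bool:
    """Neil 7's point: an attacker with an account compares the stored value for
    their own card with the transform of their known PAN before spending any
    effort on the rest of the table."""
    return unkeyed_transform(own_pan) == own_stored_value


def recover(stored_values: set, bin6: str, last4: str) -> dict:
    """Map each stolen stored value back to its PAN by walking the candidates."""
    found = {}
    for pan in candidate_pans(bin6, last4):
        h = unkeyed_transform(pan)
        if h in stored_values:
            found[h] = pan
    return found


if __name__ == "__main__":
    # Constructed sample: the well-known test PAN and a second one sharing its
    # BIN and last four, as a merchant receipt would reveal.
    victims = ["4111111111111111", "4111111234541111"]
    stolen = {unkeyed_transform(p) for p in victims}
    print(recover(stolen, "411111", "1111"))
```

Run stand-alone it prints both PANs recovered from their stored values after at most 100,000 hash computations, which is a fraction of a second. Replacing `unkeyed_transform` with a keyed construction (an HMAC under a key the attacker does not have, or a proper authenticated cipher with a random IV) is what removes the shortcut; the Luhn structure and the known BIN stay, but the attacker can no longer evaluate the candidates.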

  22. Andy 99

    Is this related to..?

    So has anyone linked this hack attempt with Geohot somehow yet?

    Reckon the guy that said "Hey I know, lets just turn off the other operating system option!" has been strung up by the crotch by Sony...?

    1. Anonymous Coward
      FAIL

      Of course, this whole thing is a direct result of GeoHot

      He hacked OtherOS that resulted in it getting removed

      He released the keys that made Sony sue him

      He enabled the custom firmware that allowed access to dev accounts

      He is the one that drove Anonymous and their splinter groups to DDoS PSN

      He is the one that drove whoever to hack the user-database.

      I wonder where his supporters are now????

      1. asdf
        Flame

        nice stretch

        Nice, paid shill AC. Could you provide proof Geohot has anything to do with this? More than likely this is some idiot Russian/Ukrainian mob-funded hacker looking for a major score. But I guess it's never Sony's fault. I mean it was just a coincidence they will sell 50 million less PS3s than they did PS2s. Customer service is so overrated anyway when your locked-down, DRM-infested hardware is so 1337.

      2. sT0rNG b4R3 duRiD
        FAIL

        Re: I wonder where his supporters are now????

        Right here, mate. Right here.

    2. Sinical

      I'll have a go then ...

      Geo publishes the missing info for cracking the PS3 security, within a few weeks PSN security is broken - could be directly related. However I think the following is more likely ...

      Cracked PS3 used to spoof a dev machine gets Hacker access to normally hidden bits of PSN. Hacker starts sniffing about. Anon start the DDoS which gives perfect cover for Hacker to really go for it as traffic monitoring on Sony's sites, which would normally spot hacking attempt, is now swamped. Hacker gets in, pinches unencrypted data (much of which should have been encrypted). PSN gets pulled and I can't shoot my friends in the face for a couple of weeks.

      Right now I am miffed with everyone, Sony included for not having the sense to encrypt passwords. They have a big database of personal data and credit card numbers, it's always been a target. But it ain't the end of the world and would have been a lot worse if unencrypted CC numbers had been pinched.

      BTW I would love to go buy a console from a company with better practices than Sony but the only real option is Microsoft. They are not exactly famous for their support of open systems and for building secure products either. I wasn't happy with Sony forcing me to choose between OtherOS and PSN/new Games, however I do understand why they did it as I prefer to play my games against as few cheaters as possible and protect the revenues of developers.

      So I'll stick to the one with the games I prefer, which just happens to be the PS3.

      1. Highlander

        Passwords were almost certainly not stored on PSN, only hashes.

        PSN exists across many different legal jurisdictions. Just the UK for example with the data protection act has various laws which lay out the duty of care that a company has to protect data held by it. PSN has to accord to all the various laws and guidelines laid out across all the countries it operates in. That means that it is essentially a best case blend of all of the various regulation.

        Either way, password hashing is so standard and has been for such a long time that it's completely unthinkable that passwords would not be hashed - at least. It is also noteworthy that with PSN if you forget your password, there is no password recovery option. If the passwords were stored on PSN they would be available for recovery by the use of your security question, but they are not. Instead the standard procedure of answering the security question correctly nets you an email to your registered account with a one time random password that you can use to get back into PSN, but you have to change the password when you log in. That procedure is a strong hint, along with all the other evidence, that passwords are not held by PSN, and that in fact they are hashed.

        Now, how strong and salty the hashing is, is anyone's guess. Rainbow tables are easily obtained, and even if Sony really pushed the boat out the very nature of hashing passwords in such a way that they are still useful means that with sufficient time and resource a hacker group could compromise shorter and obvious passwords within a reasonable amount of time.

        But the point is that if the password hashes were obtained ( clearly, they were), it's possible for any given user's password to be compromised. Hence the enforced password change when PSN restarts.

        It's quite depressing how many tech journalists and sites have made total arses of themselves by making lots of wild assumptions and accusations about the security of PSN, the security of CC data, and the security of passwords. Due to the international and national laws that Sony has to obey, and the card processing industry's own guidelines and practices, it's always been the case that there is a near certainty that passwords are not stored on PSN, only the hash values, and that CC data was properly encrypted and held separately from other user information. I mean, good god, even the crappy $150 e-commerce solutions consumers can buy to run their own T-shirt shop online can handle both of those requirements.

        I guess it's just so fashionable to attack Sony that many people who know better simply cannot help taking leave of their senses.

  23. Anonymous Coward
    Stop

    type title here

    http://forums.sarcasticgamer.com/showpost.php?p=645846&postcount=734

    just sayin'

  24. Anonymous Coward
    Joke

    Oh No I've lost Hundreds of Pounds !!!

    Someone has been spending hundreds of pounds of my money since this happened !

    It might just be the wife but I bet its those nasty hackers.

  25. Anonymous Coward
    Anonymous Coward

    Maybe we need to rethink...

    Maybe this attack should make us all, industry and government included, think about whether it is actually possible to have a completely secure, unhackable system.

    I don't believe such a thing is possible.

    If there's a flaw in any system, it's human - it always is. You can secure, encrypt, firewall, obfuscate as much as you like, but that is no defence against a sophisticated spear-phishing attack or a disgruntled employee.

    Perhaps we should look at how much personal information it is really necessary to give out? For example, many people here have stated that when they signed up to PSN they used fake names and addresses. This has had seemingly no issues with their experience of PSN - they can still play games and such. Sony don't seem to have noticed either, or care. So do they really need to have this data in the first place? I don't think so.

    In conjunction we should also look at ways of evidence gathering and being able to track down and suitably punish those who do try (and succeed) to walk off with this information - however they've got hold of it.

  26. Doug Glass
    Go

    Yeah, Right!

    Encrypted with a root kit or something. Maybe like the nuclear defense strategy: "You kill us and we'll just kill you right back".

    Bashtahrds

  27. Anonymous Coward
    Anonymous Coward

    LOL

    "Wednesday's update follows multiple news reports that recounted PSN users who reported credit card fraud that seemed to coincide with the breach."

    They are just lame glory-seeking Xbox fanboys.... and citing an article from Ben Kuchera of Ars Technica, who has single-handedly destroyed Ars Technica's reputation, will also risk putting El Reg in the same boat.

    The bottom line, is that anyone can claim anything on the internet, and with rabid Xbox fanboys, and thousands of Microsoft shill accounts across most gaming sites, is it really any surprise to see people claiming this?

    When I used my Creditcard on Xbox Live, 2 weeks later I had $2bn stolen from my account. Go report that....

    1. asdf
      Flame

      umm what?

      You don't have to be a M$ employee or even fan to loathe Sony's business practices. How sad in fact to feel defensive about the me-too wannabe company that gave us the Zune and the Kin phone? Fact is if Sony put half as much effort into securing their own network as they do trying to control and lock down their own paying customers they might not be looking at the massive shareholder lawsuits that are coming.

  28. greensun
    FAIL

    Sony paying the price for a ridiculous hiring process ?

    Following an initial telephone interview, Sony wanted me to go to Austria for a follow-up.

    But if I did not accept or was not offered the job, I would have to pay for the flight.

    I assume the engineers who they did hire were the ones willing to accept their conditions, not the clever ones.

    And maybe now we see the consequences.

    1. Simon Waddington

      or...

      ...or they were Austrian?

  29. alan buxey
    FAIL

    passwords stored encrypted?

    >Industry practices dictate they should never be stored in clear text

    ...unless you're in France where there's a big fight going on against the Government who want all passwords stored in plaintext on remote servers :-|

  30. Anonymous Coward
    Anonymous Coward

    Encryption - yay!

    Though knowing Sony it was a Caesar Cipher.

  31. Anonymous Coward
    Pirate

    CC details encrypted...

    ...but given the fail shown elsewhere, they probably left the private key on the server.

  32. Anomalous Cowlard

    One time credit card numbers

    ... should r-e-a-l-l-y be a standard feature of any cc offering; NETELLER can do this without any obvious trouble, a regular bank/cc company should be able to offer these as well. The way it works is that you get a new number for every transaction through a web-interface. The number only works for that one charge. Since cc information includes the expiration date (next month) the numbers themselves can even be recycled if need be.

  33. Miek
    Linux

    Email Just came

    Was wondering where this Sony email was, then it appeared in my mailbox:

    Apparently you can have a read online too :

    http://view.ed4.net/v/3O6L5ZE/22H5T9/VTCTMYV/K3ZWUB/MAILACTION=1&FORMAT=H&HOSTED=TRUE

  34. John Burton

    So, erm....

    So.... Let's hope that the "intruder" didn't leave some kind of trojan on their system to capture and send them all the new passwords and new credit card numbers that are now going to be sent to Sony....

    1. Anonymous Coward
      Anonymous Coward

      Given the scale of the hack..

      it's likely that every server/router/firewall/switch etc that was hacked has been taken out of service to be examined.

      New servers will be installed and built from scratch and tested. Before they can open up the network again they have to understand how the original hack occurred and to implement measures to prevent a repeat.

  35. Anonymous Coward
    Stop

    The title is required, and must contain letters and/or digits.

    If the credit card table is encrypted in a way that cannot be cracked, I somehow doubt the breachers would be bothered.

    Personally I think the worst outcome is going to be an increase in spam levels if the hacker(s) sell the mailing list to certain "marketing" firms. Which makes logical sense: basing each email address at say £0.01, then times that by 77 million, and they have quite a return on 2 days' work...

    Also for everyone blaming Sony, data breaches happen and they're getting more frequent, so to be honest it's your job to try and shield yourself as much as possible in case of a third party breach - anyone ever heard of prepaid credit cards?

    1. Mad Mike
      FAIL

      @AC

      You are, of course, assuming the hackers were interested in making money. I would suggest it is no coincidence that Sony were the target given their current profile and that would also suggest it could well be people just embarrassing them rather than seeking to make money.

      Data breaches do happen and they are getting more frequent. Generally, the reason is that companies treat our personal data with contempt and do not take adequate precautions. When their lack of effort shows, they simply blame the customer, some hackers, an individual employee (delete as appropriate) rather than a company that can't be bothered or won't spend the necessary money (delete as appropriate).

  36. Dropper
    FAIL

    Nothing to see.. move along

    "The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

    username: admin.. password: admin?

    Oh and our credit card data was encrypted? no doubt by placing a username and password on the database.. maybe username: admin.. password: admin?

    You could claim the barest possible protection placed on a set of files as encryption if you so chose and stick by that no matter what is discovered later. Certainly Sony, like any other corporate, couldn't care less about you and the losses you will incur.

    I actually applaud that they aren't wasting their breath and our time with something as shite as free credit monitoring. Credit monitoring to those whose identity has been stolen is as useful as offering a drowning man details of how much water he is drinking.

    Until there are serious consequences to board members for allowing personal data, especially financial data, to be stored on networks without sufficient investment in security, nothing will change.

  37. Jason Terando
    FAIL

    PS3 as a Home Entertainment Hub

    I have two devices that pass as entertainment "hubs". One is an LG Blu-ray player. I can stream content from Netflix or Vudu, watch YouTube, listen to music from Pandora, and LG never bugs me about who I am or puts anything else between me and my content other than a few remote clicks.

    Contrast that with Sony. Why in the gods' names should I have to log into their network to stream Netflix? And why would they store answers to security questions as anything other than a non-reversible, salted hash? The TOC's I am supposed to "read, understand and acknowledge" whenever there is an update go beyond ridiculous. For all I know, I could be signing away my right not to be assembled into a human centipiPad...

    I am not going to throw my PS3 in a bin, I do like the casual bout of beating up on Olympians, but the AV center we're assembling in our new house will not use the PS3 at its center. Sony has lost that right.

  38. Highlander
    Boffin

    The sky is not falling, the world is still turning and your credit card is secure...

    The truth here is that large corporate networks get hacked, large government networks get hacked, huge marketing databases get hacked, huge financial networks get hacked. Data is compromised, card numbers are stolen, social security information becomes compromised. All of this happens all the time. Each week there is a new attack revealed. However the important thing for people to know is that the attacks reported represent the tip of the iceberg. Most attacks of this kind are never revealed to the public.

    What marks this hack out and makes it different is not that Sony took too long, or that they used different security than others or anything else. Their security was actually pretty good relative to others. No, the thing that made this different is that Sony came forward almost immediately to tell their customers about it.

    Not only that but Sony took it on the chin by shutting down PSN to end the hack. Lots of networks have been hacked and the system admins haven't shut down, instead they tried to plug the gaps without interrupting service. That is a practice that has allowed attacks to continue longer than they should. Shutting down PSN was an extreme, but very effective way to end the attack.

    Many data breaches we never hear about, and only when card fraud becomes an issue is it even commented on. A lot of the hacks we do hear about, we hear about long after they've happened when the dust has settled. Sony has hidden nothing, they have come forward with information and the straight-out admission that their system was attacked. They took swift action that ended the attack and they engaged a third party to perform the analysis. Not only that but they've involved law enforcement.

    I've read some articles where the use of a third party security specialist has been criticized, saying that meant Sony didn't know what they were doing. On the other hand if Sony hadn't engaged a third party, they'd be accused immediately of a cover-up. However, the truth of this matter is that a third party brings objectivity to the investigation, and provides an independent source of forensic analysis that can be used in criminal proceedings. Sony was extremely smart to take that move.

    What I do not understand is the instantaneous firestorm of Sony hate. I honestly wonder sometimes if it isn't an orchestrated campaign against Sony. As of right now, the severity of the attack is really not that great. The personal information compromised is little more than can be obtained on most people using Google and a few search sites and perhaps a few social networking sites. It's almost all publicly available information. The fact that passwords may have been compromised - because you can attack password hashes to determine the original password - is about the worst of it. Of course no one uses the same password for everything, right? If you do, then shame on you, go change them. No CC information appears to have been taken, Sony says it hasn't and financial organizations say it hasn't. So, apart from the extended down time, the passwords are about the most significant aspect of this, and the danger of that is limited by the prompt action by Sony.

    Personally, I'm impressed by the action Sony has taken. It's expensive for them in so many ways, but it's absolutely the best way to approach this. I just cannot understand why so many people have to rush to judgement and attack Sony immediately, despite Sony being the biggest victim in all of this, and despite Sony handling this about the very best way possible.

    And before someone smarts off about how the best way possible would have been to prevent the attack: you need to understand that if a large enough and persistent enough group of skilled attackers wants to access your system, they will eventually find a way. You can't stop it, but you can handle it well. Sony really isn't going to get the credit they deserve in all of this, but they are doing a very good job in the most difficult circumstances anyone could imagine for a network service like PSN.

    Well, I know that a lot of the more casual readers will have already downvoted this without even reading this far. If you did read this far, thanks. I hope that you can find something in what I am saying that you agree with. Either way, please think about the whole situation, you might find that in the end, the sky has not fallen, and Sony has done pretty well considering everything that has happened.

  39. nickpaton

    Same Old, Same Old

    Sony have been caught out at long last!

    Working in the IT repair industry we get Sony laptops in all the time with unsoldered Nvidia Graphics Chips, as well as the unsoldered chips in PS3's.

    Unlike most other manufacturers Sony has NEVER acknowledged these problems exist nor offered any sort of extended warranty repair scheme.

    Regarding their laptops this compares with "responsible" companies like HP, Dell, Lenovo etc etc who offered / are still offering such warranties for laptops with graphics failures due to the manufacturing issues with Nvidia GPU's, and which Nvidia are picking up the tab for by the way.

    Sony appears to have chosen to ignore the problem and if the laptop is outside their normal warranty period then they will not repair any laptop with this issue.

    Likewise with PS3's, bucketloads are failing with unsoldered chips and surely Sony must realise there is a major issue here. Maybe they're worried about action leading to a class action (as happened with Nvidia) if the true extent of the issue is known. Or maybe they want people to spend more money on a new console - but I'm sure that's not the case!!!

    I guess one could conclude that Sony seems not to care one iota about their customers and to think it's OK to dump them when there are such problems (but again I'm sure that's not really true...).

    Now they've nowhere to hide.

  40. doperative
    Alien

    credit cards protected by encryption

    "According to Stevens, the credit card data is up on illegal forums and holds enough information for anyone wielding it to siphon money off the card holder"

    http://www.techtree.com/India/News/Hackers_put_up_PSN_Credit_Card_Info_for_Sale/551-115147-585.html

    1. Highlander

      Random twitter post is news?

      The twitter twit says that the information includes the card verification number, something that Sony doesn't have, and has never requested from users. So, I'm gonna go out on a limb and suggest that the report you quoted is "full of it".

  41. kapple999

    Do Sony understand Security?

    Firstly we had Sony being not very re-assuring, saying "While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility ... to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained."

    The next day we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."

    So on the one hand, why cause such consternation in the first place? On the other hand, there's no information regarding what strength of encryption was being used.

    Certainly the fact that personal data including passwords appears to have been held in the clear, rather than being subject to a one-way hash, suggests that Sony weren't exactly at the cutting edge of security practices?

    Now we have reports that hackers had a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers, and that the Sony hackers were hoping to sell the credit card list for upwards of $100,000.

  42. Mr Bean
    WTF?

    Wat?

    How come they didn't say this from the VERY START!?

    1. Why did they originally warn that bank account details may have been stolen and not mention that they're encrypted?

    2. Why not encrypt ALL users' info?

    3. Why not state the kind of encryption?

    This is rubbish; don't believe this crap from Sony.

    1. Highlander

      Well...

      To answer your first question, they didn't say this from the start because they didn't know the full extent at the start. It took several days for the security firm engaged to investigate to do the forensic data analysis and determine the scope of the attack.

      To answer some of your other points

      1. The original warning stated that there was no evidence of the credit card numbers being obtained, but out of an abundance of caution they suggested some precautionary measures. That's a very prudent step to take in the circumstances. A pity that so many people took it as a sign of the apocalypse instead of a precautionary warning.

      3. They don't say what kind of encryption because you don't want to give attackers more information than they already have. Besides which, at this point it is rather moot.

      1. Mr Bean
        Unhappy

        @Highlander

        But surely, it would give PSN members peace of mind from the start, knowing that their credit card details were encrypted; but I guess you're sort of right and wrong when you say that we don't want to throw the hackers another bone, because I see it like this:

        If the encryption was strong ("industry standard", as I understand it), then telling the hackers what type of encryption would make no difference; they wouldn't be able to brute force it in any reasonable length of time!

        I think this is an indication that the encryption of users' vital data was not good enough.

  43. John Hughes
    FAIL

    Virtua tennis?

    "The update said that Sony has sent the majority of its 77 million users an email informing them of the breach and the steps they should take to protect themselves in its aftermath. The company also said it is working to track down the perpetrators."

    All I got is some rubbish about "Virtua Tennis 4".

    Or maybe that is some TEPCO like way of saying "your credit card has been nicked".

  44. hjweth
    Happy

    Malicious attack

    I'm certainly comforted to infer that Sony's security is proof against benevolent attacks.

  45. DEAD4EVER
    Thumb Up

    sony breach

    It's ok, I didn't use any credit card details anyway, so I didn't enter any details apart from my name and address and obviously my gamertag and password, but when the PSN is back online I'll be changing the password. All I can say is Sony, take your time and please make sure this doesn't happen again; I couldn't bear another PSN outage.

  46. Tony Pott

    Industry standard not so secure

    <quote>

    Noticeably absent from Sony's update was the status of passwords used to log in to the PlayStation Network. Industry practices dictate they should never be stored in clear text, but rather should be run through a one-way cryptographic hash algorithm, which converts each string in plaintext to a unique set of characters that can never be reversed.

    </quote>

    In practice, a lot of them can be reversed by offline brute force. If one restricted oneself to trying to crack weaker passwords: lower case, 8 characters or less (which is a significant subset of normal users), and assuming a 20 byte hash value (sha1 for instance, expressed as an integer rather than a string). A quick back-of-an-envelope calculation tells me you can build a look up table of hashes of all possible combinations of this on slightly over 6TB of disk space, which can be had easily for ~£250.

    Lower case and digits, 8 chars, needs about 82 GB, which if you're able to access other people's servers, is also attainable, and in a few years can be expected to become financially viable on your local machine.

    From the point of view of users, the conventional wisdom of 'choose a password that even someone who knows you couldn't guess' is superseded by 'choose a long password that you can remember, because the threat comes from people who don't know you'. Your friends might guess that your password is mrmugginsthecat, but a lower case look up table for up to 15 characters would require 6.28E22 bytes, which will not be viable for the foreseeable future.
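The two things this thread keeps circling, Highlander's remark that how "strong and salty" the hashing is decides whether a bought rainbow table helps, and Tony Pott's back-of-an-envelope table sizing, as one added example that is not part of the original thread. `table_bytes` reproduces the arithmetic assuming 28 bytes per row (an 8-byte plaintext beside a 20-byte SHA-1 digest, which is the assumption that yields the "slightly over 6TB" figure; run it for a 36-character alphabet and the answer comes out in the tens of terabytes). The rest shows why the table only works against an unsalted, fast hash: a tiny table over three-letter lowercase strings recovers a SHA-1-stored password instantly, while the same table returns nothing for a PBKDF2 record with a per-user salt. The storage format string and the three-letter sample passwords are constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Optional


def table_bytes(alphabet_size: int, max_len: int, entry_bytes: int) -> int:
    """Bytes needed for a plain lookup table of every password of length
    1..max_len over the alphabet, at entry_bytes per (password, digest) row."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1)) * entry_bytes


def weak_store(password: str) -> str:
    """Unsalted, fast hash: the stored value depends on the password alone, so a
    table built once recovers every user whose password lies inside it."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_table(alphabet: str, max_len: int) -> Dict[str, str]:
    """Precompute digest -> password for every string of length 1..max_len
    (a full table, not a compressed rainbow table, but the same principle)."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            pw = "".join(combo)
            table[weak_store(pw)] = pw
    return table


def crack_with_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per stolen record; None if the table cannot help."""
    return table.get(stored)


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes a shared table useless; the iteration count makes each
    guess cost the attacker about what it costs the legitimate login.
    The 'algo$iters$salt$dk' record layout is this example's own convention."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count, then compare in
    constant time so the check itself leaks nothing about how close a guess was."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(f"lowercase, <=8 chars, 28-byte rows: {table_bytes(26, 8, 28) / 1e12:.2f} TB")
    print(f"lowercase+digits, <=8 chars:        {table_bytes(36, 8, 28) / 1e12:.1f} TB")
    table = build_table(string.ascii_lowercase, 3)      # toy table, same idea
    print(crack_with_table(weak_store("cat"), table))     # recovered: 'cat'
    print(crack_with_table(strong_store("cat"), table))   # None: salt defeats the table
```

The practical reading is the one both commenters arrive at from different directions: salting forces the attacker back to per-user guessing, a slow KDF makes each of those guesses expensive, and only password length then decides whether the guessing finishes. None of that helps a user who reused the password elsewhere, which is why the forced change on PSN's return is the right call.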
