Sony: 'PSN attacker exploited known vulnerability'

Sony is getting ready to return to service some PlayStation Network offerings, amid ongoing analysis to try and identify the source of the April attack on its San Diego data centre hosted in an AT&T network facility. While maintaining that it has not yet seen any evidence that credit card data was compromised in the attack, …

COMMENTS

This topic is closed for new posts.
  1. janedoe 5.21.2011
    Heart

    In my opinion...

    I don't know why everyone is making a big deal over this... how many times have y'all given your name, social and credit card info to a representative over the phone or in person to fill out applications??? Don't you think that people steal your info the same way? Dishonest people are EVERYWHERE. Why is everyone surprised at this. Duuuhhhhhh its no surprise that hackers can break encryptions and firewalls..... These things are man made. They aren't ironclad!! Get over it.

    1. Anonymous Coward
      WTF?

      Yes but...

      This is a network that comprises seventy million users.

      Basic security precautions, like, you know, salting and hashing passwords, should have been in place.

      Christ, I had a test network, heavily isolated from everyone but the users, and even there I hashed the passwords.

      There. Is. No. Excuse. For. Lax. Security. When. Dealing. With. Even. Remotely. Personal. Details.

      Ever.

      Steven R

      1. Thomas 4
        IT Angle

        I work in a hospital

        So by the OP's logic, it's ok if critical patient information and medical details go missing because, hey, we're only human?

        No. What happens when a hospital loses patient details is we get our bollocks nailed to the wall. When a multinational conglomerate does it, there's no accountability.

      2. DrXym

        The clues are in the Sony disclosures

        Go read up on the press conference and the Q&As. They did hash the passwords, they did encrypt the credit card information, they didn't store the CVV2 data. The manner of hashing has not been disclosed, e.g. whether it was salted, but it was hashed.

        They also state they had security at the perimeter as might be expected when dealing with inbound traffic. It is likely therefore that in broad terms their security was following industry practice.

        I suspect the failure was something else and compounded by lack of due diligence that allowed it to happen. The manner of failure has not been disclosed but given that they're talking of moving the data center to a more secure location suggests to me it was likely an inside job, or someone simply walked in and nabbed the info, or someone sat outside in the carpark and broke in through a wifi point. i.e. nothing to do with the network facing service, but a weakness within their intranet configuration, e.g. production servers were not firewalled from people coming in from the intranet.

      3. Anonymous Coward
        FAIL

        Only hashes were at risk of exposure

        Sony have already confirmed that it was hashes that MAY have been obtained; they don't store passwords, only the hash.

        You might want to use only official news sources with factual information, rather than relying on the irresponsible sensational reporting of this that's been occurring recently.

      4. Highlander

        Well both right and wrong...

        Janedoe is right in that the information isn't really much more than we give to many other sites online with far less reliable security. It's also true to say that hundreds of millions of people offer up far more information about themselves for free in environments like Facebook that are about as secure as a wet paper bag.

        On the other hand, PSN is a closed network, so you do expect that the information remains secure.

        In the real world of course, every system is vulnerable to attack in some way or another, it's all about how attractive the target is and how determined the attacker is. In the case of Sony and PSN it appears that a fairly large sense of entitlement and faux righteousness fueled some of the attack, plus PSN represents a fairly juicy target with some 10 million PSN users having card information on their account.

        It should also be noted by Mr Anonymous Coward that PSN passwords were not stored in plain text, they were hashed - Sony stated this clearly at their big press conference with Kaz Hirai. So, let's please put the stupidity to bed. CC data was encrypted and there's no indication it was stolen. PSN passwords were not stored on PSN, certainly not in plain text, and in fact only the hashes were kept. No word on how robust the hashing/salting was, but if a password hashing algorithm allows a password system to function properly, it's hackable - given enough resources. That is, sadly, one of the fundamental truths of password hashing: it has to be consistently repeatable to work, so it's attackable.

        The least excusable element of the entire situation is that known vulnerabilities were allowed to remain on their systems for sufficient time to be exploited in an attack. Of course, that's not particularly unusual in the world today, but it's most definitely not excusable. Network service operators have to take care to patch known vulnerabilities or at least mitigate if there is no patch. It would seem that their internal security procedures need tightening up.

        However if there is something I have learned over the last two weeks, it is that there is a crap-load of baseless and irrational hatred for Sony present among a large segment of US/UK techies, gamers and other associated groups. So much so that for two weeks people have wildly claimed that the systems were wide open - they were not. That passwords were stored as plain text - they were not and that cc data was unprotected - it was encrypted, secured and apparently not taken.

        Could Sony have done better - sure. But then I could point to about 99 out of 100 organizations with an online presence and say that they could do better without any fear of contradiction.

        Sorry, I'm just struggling to see why it is that we should all be so angry or outraged with Sony. Their systems were secure, they employed a variety of measures including firewalls, password hashing and data encryption and other precautions. It's not like they made no effort to protect the systems. None of the wild accusations about plaintext passwords or unencrypted card data are/were true. So, why are people still pushing the outrage and anger button?

        1. Steven Raith
          Thumb Up

          Press release

          Ah, fair point - I assumed that El Reg would update that in this report, etc.

          So I retract my previous, rather acerbic and booze fuelled comment - partially.

          From the

          http://www.sony.net/SonyInfo/News/Press/201105/11-0503E/index.html

          release:

          -------------------

          The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

          name

          address

          e-mail address

          birthdate

          gender

          phone number

          login name

          hashed password.

          In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

          bank account number

          customer name

          account name

          customer address.

          -----------------

          That's still enough to cause pretty severe data protection problems though - and is still unforgivable given the scale of the operation and the responsibility that should come with it IMHO. The above is just for Sony Online Entertainment though, not sure how deeply that is entwined with the PSN - the numbers are a bit lower. The PS blog suggests the same issue though - passwords and CC details encrypted, personal details less so.

          Not sure why my last comment was AC, either - especially as I put my name on the bottom of it....

          Steven R

    2. JaitcH
      Happy

      YOU might not care but identification information should be guarded like your bank account

      I have never given my Social Insurance Number (Canada) or Social Security Number (USA) to anyone for years.

      Canadian uses of the SIN are well defined in law and no one can use them as identifiers be it police or credit bureaus.

      In the US almost everything is linked to it but I refuse to give it as it is lawfully used only for the payment of taxes/pensions and the collection of retirement benefits.

      Once an inquirer knows you know the law they usually back down.

      They might steal your information but no one has ever stolen mine, easy since I never hand it out.

    3. Doug Glass
      Go

      So, because it CAN happen ...

      ... we should all be OK with it when it DOES happen? No way, Sony is not to be trusted and if you doubt that remember a bit of their corporate "responsibility" with regards to a certain root kit on a music CD.

  2. Anonymous Coward
    FAIL

    Poor

    Got my lovely automated email from Sony. There's absolutely no mention of reimbursing customers for costs incurred due to reissuing of cards etc. I assume this is a nice soundbite and the offer is there, just don't tell the people who need to know (and can they help me change my name, date of birth and first dog's name? I've been working pretty hard to keep these things off the net).

    As for the "Welcome back package", don't want, couldn't care less about, feel insulted by the offer really.

    All I can hope for is that Sony are seriously slapped down for this debacle. They've been getting away with treating customers like sh1t for far too long.

    1. Anonymous Coward
      FAIL

      it was your choice to replace cards.

      Sony have been saying that no CC details were obtained, and that CC details were on a separate set DT and encrypted. Banks have also been advising NOT to replace cards, and to just notify them and keep an eye out for unusual activity.

    2. Doug Glass
      Go

      "They've been getting away with treating customers like sh1t for far too long."

      So maybe stop buying their products?

      1. Thomas 4

        Oh those poor fools....

        If only their customer data centres were as well secured as their PS3s......

    3. A handle is required
      Stop

      Guess you didn't bother to read their post...

      "While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs."

      - http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/

      That sounds like compensation to me.

      Additionally, for the handful of people who've complained about their credit card being swiped: You are few compared to the other MILLIONS who haven't complained. Seriously, it is expected that out of a few dozen million people (assuming that 70 mil. don't all have cards registered, of course), some of them will have had their credit card numbers swiped in another unrelated and coincidental exposure. That you just so happened to realize it now is the result of being more alert after hearing the news of the PSN network breach.

      The credit card data was hashed. Unless Sony failed to properly salt their hashes, then the criminals behind this will have a hell of a time generating millions of rainbow tables for each card hash.
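The thread keeps returning to salting and hashing: the early "salting and hashing passwords should have been in place" comment, Highlander's point that a password hash has to be repeatable and is therefore always attackable given enough resources, and the claim above that salting would force an attacker to build a table per hash. The following is an added example written for this page, not code from Sony, The Register or any commenter, and the accounts, passwords and wordlist in it are constructed. It puts an unsalted fast hash next to a per-user salt plus a deliberately slow KDF, then runs the attacker's side against both so the difference in cost is visible. PBKDF2-HMAC-SHA256 stands in for a slow KDF only because it ships with the Python standard library; the page does not say what scheme Sony actually used.

```python
import hashlib
import hmac
import os

# Constructed "user databases" for the demonstration (assumed data, nothing
# from the incident): one stores unsalted fast hashes, one stores salted
# PBKDF2 output.  PBKDF2 is used because it ships with the standard library;
# bcrypt, scrypt or Argon2 would be the usual production choice.
WEAK_USERS = {}    # username -> hex SHA-256 of the password, no salt
STRONG_USERS = {}  # username -> (salt, iterations, PBKDF2-HMAC-SHA256 digest)
ITERATIONS = 100_000


def store_unsalted(username, password):
    """Weak scheme: a single fast hash, identical for identical passwords."""
    WEAK_USERS[username] = hashlib.sha256(password.encode()).hexdigest()


def store_salted(username, password, iterations=ITERATIONS):
    """Better scheme: 16 random salt bytes per user plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    STRONG_USERS[username] = (salt, iterations, digest)


def verify_salted(username, password):
    """Recompute with the stored salt and compare in constant time."""
    record = STRONG_USERS.get(username)
    if record is None:
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_table(wordlist):
    """Attacker side: precompute unsalted hashes once; the same table works
    against every dump that uses the same unsalted hash (the rainbow-table idea)."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(table, users):
    """One dictionary lookup per user, no hashing at attack time."""
    return {u: table[h] for u, h in users.items() if h in table}


def crack_salted(wordlist, users):
    """With per-user salts nothing can be precomputed or shared between users:
    the attacker must run the full KDF for every (user, guess) pair.  Returns
    what was recovered and how many KDF invocations it cost."""
    recovered, kdf_calls = {}, 0
    for user, (salt, iterations, digest) in users.items():
        for guess in wordlist:
            kdf_calls += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                recovered[user] = guess
                break
    return recovered, kdf_calls


def demo(wordlist=("password", "letmein", "hunter2", "qwerty")):
    """Populate both databases with constructed accounts and attack each."""
    accounts = [("alice", "letmein"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]
    for user, pw in accounts:
        store_unsalted(user, pw)
        store_salted(user, pw)
    weak = crack_unsalted(build_table(wordlist), WEAK_USERS)
    strong, kdf_calls = crack_salted(wordlist, STRONG_USERS)
    return {
        "weak_cracked": weak,
        "strong_cracked": strong,
        "kdf_calls": kdf_calls,
        # identical passwords are visible as identical hashes only when unsalted
        "weak_reuse_visible": WEAK_USERS["alice"] == WEAK_USERS["bob"],
        "strong_reuse_visible": STRONG_USERS["alice"][2] == STRONG_USERS["bob"][2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the two weak passwords in the end, which is Highlander's point: a repeatable hash can always be guessed against. What changes is the price and the reuse. The unsalted dump falls to a table built once and reused against any site with the same hash, and it shows at a glance that alice and bob share a password; the salted dump costs one full KDF run per guess per user, the table is useless, and the shared password is not visible. Nothing here says which of these Sony had; the disclosures quoted in the thread only say the passwords were hashed.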

      1. Anonymous Coward
        Thumb Down

        Guess you didn't bother to read my post

        Unless you have swiped my details and logged in to my email account and read my mail, how can you know what was said in the email?

        It was a stock response, and there was no mention of reimbursement. Press releases may contain what you have said above, but direct communication with those affected does not.

  3. diazamet
    FAIL

    Bad security strategy

    " However, he declined to stipulate what platform/s were used or what vulnerability was exploited, on the basis that disclosure might expose other users to attack. "

    This doesn't fill me with confidence if part of their security strategy is "security through obscurity"

    1. MarkOne
      Stop

      They mean

      Other companies that have this same platform and are still vulnerable...

      They don't mean THEIR systems....

  4. Anonymous Coward
    Flame

    Pathetic compensation...

    They're just giving something in an attempt to try and get people to subscribe more.

    Furthermore, any free game you download from the PSN+ will be rendered useless after 30 days; unless you continue the subscription just to play them.

    It's just a ploy to get you to spend more on the PSN+ discounted stuff.

    So it's only beneficial to Sony rather than the customers who've been violated.

    Sony just prove that they're only interested in money rather than the seriousness of the situation or the customers who've been screwed.

    1. Anonymous Coward
      FAIL

      erm no...

      A Full PSN title AND 30 days free access to PS+ and the music service. The PS+ items will expire after 30 days (unless you subscribe) but the PSN title won't.

    2. Anonymous Coward
      Anonymous Coward

      "They're just giving something in an attempt try and get people to subscribe more."

      Duh. That's how every subscription service works.

  5. DavidD
    FAIL

    Seriously?!?!

    "and automated detection mechanisms designed to identify unusual network traffic."

    So a company as big as Sony was not already using IDS/IPS? Hahahahahahhahahahaha!!!!

    Fail, because it is.

    1. Anonymous Coward
      FAIL

      Title required

      Especially when a reasonable IDS/IPS is built into pretty much every decent enterprise firewall.

  6. mafoo
    Pint

    new executive-level security position

    "in response to this that the company has established a new executive-level security position, that of chief information security officer"

    ie: someone to blame when it happens again.

    1. matt 83

      don't worry

      the BOFH will decapitate him with PS3 specially modified with shurikens

    2. Doug Glass
      Go

      "chief information security officer"

      Standard corporate appeasement strategy that looks good to investors. Pay someone big bucks to have low level flunkies they can fire the next time it happens.

  7. Fuh Quit
    Joke

    I love it

    "It's alright, some people have duplicate accounts so it's not really 78 million people affected"

    I'll remember that for my next security incident.....oh hang on, joke alert icon. So do these people really believe the crap coming from their mouths?

    It would be much more credible if they were simply contrite and admitted that this should never have happened. Don't they do VM and web app scanning?

  8. KroSha
    FAIL

    What's missing?

    How about an apology? I don't think I've actually seen the word "sorry".

    And the "Welcome Back" program is shite. "Selected entertainment" = some baaad Sony Pictures film that no one wanted to watch when it was out in the cinema. And the PS+ is a con as well, unless you are such a rabid gamer that you'll play *anything* and have no selectivity in choosing your games.

    Sony, you want to make amends? Try an actual apology and then let *us* choose our freebies.

  9. JaitcH
    FAIL

    If the attack was based on a “known vulnerability” why didn't SONY fix it up front?

    Sony is responsible for this successful attack if, as they now claim, attack was based on a “known vulnerability”.

    Things are supposed to be updated when weaknesses become known, not after clients' data has been stolen.

  10. This post has been deleted by its author

    1. JHS

      A suitable quote

      "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked." - Richard Clarke

  11. Anonymous Coward
    Anonymous Coward

    Sony only held credit card information for around 10 million customers.

    Since when is ten million credit card numbers and associated information ONLY 10 million?

  12. Anonymous Coward
    Anonymous Coward

    known vulnerability

    That wasn't patched or mitigated? As a novice security analyst I see an issue here, one that appears to have been overlooked by professionals.

  13. Confuciousmobil

    CISO

    Has young Mr Hotz applied for the post of CISO?

  14. Anon the mouse

    So they installed SNORT then

    All I can read from this is that they didn't have many security measures in place and didn't have a basic IDS.

  15. Drefsab

    lol

    well seeing as all SOE services are offline as well (http://maintenance.station.sony.com/) which means any SOE MMO for example is offline, things like EverQuest 1 and 2, DC Universe, Star Wars etc, loads of them, seems to be a lot more than just PSN.

  16. sisk
    FAIL

    FAIL

    So they're refusing to reveal the known exploit that was used in order to prevent another attack. So...they're not going to fix the vulnerability? Given that there's at least one cracker out there who knows what exploit was used that strikes me as....well, stupid.

    Giving free movie and music downloads seems like a pretty decent olive branch to the users affected by this, but it's really just an attempt to buy back some angry customers. It'll work for some. As for me, I've bought my last Sony product. Between this example of security incompetence and their insistence on treating their customers like criminals, I've had it with them.

  17. Anonymous Coward
    Flame

    Hmmm

    Well I've already had some e-mail from PayPal (apparently), alleging that they tried to reverse charge to my credit card but failed.

    Option A: Someone has my credit card details and was trying to set up a PayPal account using my name&details

    Option B: it's a spear phishing attack, with the usual "click this link to verify your card number and CVN" option.

    Whichever it is, I'm thankful that the particular credit card that was on PSN expired some months back.

  18. joe.user

    Audit your network dummy

    www.qualys.com

  19. Gilgamesh

    this is why

    I use a prepaid credit card on the internet.

    Good luck cleaning me out on a card with £3.50 on it and no overdraft facility.

  20. Anonymous Coward
    Flame

    Sony: 'PSN attacker exploited known vulnerability'

    And that makes the entire situation entirely inexcusable on Sony's part.

    Do I really want to deal with such an incompetent company?

    naw, the be DONE.

  21. Tidosho
    WTF?

    Not even an apology from Sony!

    In the email detailing the breach they sent out, they simply said:

    "We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience."

    Not even an apology from them, like, "We are deeply sorry!" so Sony obviously don't care. Good job the PS3 I registered my PSN account on was an eBay repair job and did the YLoD once too many times, and went straight under my sledgehammer. I'm sick of crap quality PS hardware with crappy lasers & ball bearing disc spindles (PS1), chips that get too hot and need reballing, add to that the features that keep disappearing. Hell, games don't even run at 1080p when the box says they should! The shit quality has been there since the PS1, I'm a console repairer and done it many times at work, and home before I got sick of their crap consoles. I used to be a PS guy until Xbox saved my headaches.

    My Xbox 1 NEVER needed any replaced parts, and still goes strong with my Elite cool running 360, and new S. Add to that the 360 and Xbox 1 never had features gradually taken away over the years. THAT was another nail in the Sony coffin for me (the FAT PS3 LOOKS like a coffin lid!), it's like giving a child loads of presents one year for Xmas, and slowly taking one away every year after that, downright cruel.

    After the way Sony have treated me as an ex customer, I'm loyal to Microsoft, at least they own up to mistakes and don't take stuff away from me that I paid hard earned cash for! They repaired and replaced RRoD consoles for me in great time and customer focused fashion, for both me personally and my customers at work. THAT is SERVICE.

    Mine's the one with the Microsoft logo on!

    1. Andy Jones

      Where do I start?

      "I'm loyal to Microsoft, at least they own up to mistakes and don't take stuff away from me that I paid hard earned cash for!"

      Do what? You are talking about Microsoft owning up to their mistakes? The RRoD that they denied for up to 2 years before finally caving in and admitting what everybody knew - their hardware was shit so they extended the warranty! Most Microsoft loving idiots think this was a good thing and appreciate Microsoft for doing this, but they were just painting over cracks in their poor hardware and marketing services! The hardware was shit, cheaply built shit, and they extended the warranty to cover their butts but STILL CONTINUED TO SELL DEFECTIVE HARDWARE!! But the fanboys were appeased - all hail Microsoft.

      Amazing that despite you have consoles that needed fixing you still praise Microsoft. You are an idiot. They sell you broken hardware yet you are still loyal!

      And yes, Sony took away the right to run another operating system on their machine - which if you had tried you would have found out it ran poorly. But what did they give in return? Well for a start they turned your PS3 into not just a standard Blu-Ray player but into a 3D CAPABLE BLU-RAY PLAYER! Not only that but it is now a 3D CAPABLE GAMES MACHINE! You may not have gone 3D and will probably find excuses not to but for those of us who have we have saved a few £100 as we don't need to buy extra hardware on top of the TV.

      As you are an obvious MS fanboy trying a pathetic troll let me make this clear - The PS3 way surpasses the XBox 360 in gaming/video, has a better optical drive in Blu-Ray and is now 3D capable. What does the XBox 360 have?

  22. Stevie

    Bah!

    Interesting. All those promises and still no mention of encrypting the data on disc.

  23. Tidosho
    FAIL

    @Andy Jones

    @Andy Jones: Well, it's obvious to me you're a PS3 fanboy.

    1. Where's your card reader?

    2. Where's your Other OS?

    3. Where did all your 4 USB ports go?

    4. Why have Sony released firmware that breaks stuff like stopping the Blu-Ray drive working?

    5. Why do the lasers and drives keep failing?

    6. Why can you STILL not FULLY install games to your PS3 HDD without jailbreaking it? Even then all games don't work, I've done it, I have a Slim as an unwanted present.

    7. Why do 99% of games that say 1080p on the box only do 720p? On a Sony TV as well as others?

    8. Where's your PS1/PS2 Backwards compatibility gone with physical discs? They charge a fortune for ANCIENT PS1/2 games on PSN to screw yet more money out of you!

    9. The build quality of the Slim is utter shit. The cooling fan itself is a tiny cheap plastic one as opposed to the massive metal one of the FAT, but then you wouldn't know that, you're a user fanboy and not a technician.

    I can go on, I repair these things on an intimate board level. The 3D is a load of shit. The firmware that was released to make the PS3 magically 3D when the FAT was still in production is bollocks. It was jittery and didn't have the proper hardware 3D support until the Slim. And the Slims are still failing today due to heat and dodgy blu-ray lasers and control boards, whereas Microsoft learned their lesson. Installing the FULL game to my 360 HDD so the drive doesn't need to be used, and full 1080p res in dash and game was enough of a selling point to upgrade from Premium to S for me when they added it in with bigger HDD and Wireless N. The console got better and better over the years once MS realised, I can't say the same for PS3. Sony just shrunk the case, whereas Microsoft shrunk chip die sizes, combined CPU & GPU, add to that improved the cooling.

    The PS3 is also difficult to program for, and I quote Gabe Newell of Valve, "The PS3 is a total disaster on so many levels, I think it's really clear that Sony lost track of what customers and what developers wanted". He continued "I'd say, even at this late date, they should just cancel it and do a do over. Just say, 'This was a horrible disaster and we're sorry and we're going to stop selling this and stop trying to convince people to develop for it'"

    Blu Ray is OK. It's slow for games, they take AGES loading because of the too-high density so the PS3 IS NOT good for gaming unless you have a sleeping bag handy waiting for loading. But then if you'd actually USED a PS3 and 360 side by side rather than being a forum know-it-all you'd know, wouldn't you? Blu-Ray is good for movies and backups, that's it. I'd rather use DVD and have quick loading times. Microsoft did make mistakes, I never said they didn't, but they learnt their lesson in the end, we are HUMAN, the console has never been fully hacked unlike the PS3 so it goes to show security.

    And finally. The 360 still has ALL ITS ORIGINAL FEATURES! What does your PS3 still have after all these years? The only reason Blu-Ray won the format war was because Sony backhanded everyone with money and threatened court action to jump ship from HD-DVD!

    Case Closed.

  24. Tidosho
    Happy

    Some more Fact for Andy

    PSN is also crap and laggy, but then it's free and currently hacked to pieces and unavailable, so you get what you pay for. Microsoft have XNA for amateur programmers, the subscription costs a lot less than the development stuff for the PS3, that's why nobody likes programming for Sony anymore.

    Something else. Do you ACTUALLY KNOW what caused the RRoD and YLoD? It isn't "crap hardware", it's called RoHS, lead free solder and BGA solder technology. Before RoHS (Reduction of Hazardous Substances) we used LEAD in solder, which made joints strong enough to withstand high chip operating techniques. Ever since RoHS legislation, us engineers have had to use lead free solder balls in BGA (Ball Grid Array), which is softer, and gradually fractures due to cooling and heating of chips because the solder reaches melting point under normal use. The solder balls fracture past an acceptable amount (the chips include sets of redundant stress resisting balls) thus causing intermittent contact, and the YLoD/RRoD happens.

    It happens in laptops too, and is partly the reason the nVidia defect is so severe.

    There's the facts from a software and computer/console hardware engineer. Beats a bedroom expert fanboy opinion anyday, Andy. You might wanna do your research and use the hardware rather than spouting nonsense how Microsoft are crap. And actually get a job.

  25. Tidosho
    Flame

    I have 3D too, Andy!

    And as another note Andy, yes I do have 3D, I have a 60" Samsung 3D TV that my Japanese girlfriend imported from her hometown of Tokyo.

    I'm not a pathetic troll either but a time served electronics and computer professional so I tell it as it is. And I have a job and a gorgeous girlfriend. Nor am I an idiot, and because I know more facts than you, turns out you're the idiot instead because you're a blind Sony fanboy still blissfully ignorant of the faults that the crap your Holy Grail Sony call revolutionary has and always will have.

    Sony couldn't organise a piss up in a brewery, that's why 15 years later their shitty laser diodes are still failing.

  26. DJGM
    Thumb Up

    That told 'im!

    Good solid arguments there from Tidosho, someone I know personally, and who knows EXACTLY what he is talking about, versus someone who most likely has virtually no real world technical knowledge and/or experience and is obviously blinded by his own pathetic fanboi ignorance.
