...relying on security by obscurity then? Bad, bad Sony...
Sony has begrudgingly abandoned its fight to contest a £250,000 fine handed down by the Information Commissioner’s Office after its massive 2011 PlayStation Network data breach. The Japanese electronics giant was slapped with the fine back in January for breaching the Data Protection Act after the personal info of millions of …
Don't know when large corporations will learn. Sony were found to have been woefully inadequate in their security provisions. We're not talking about clever hackers getting around decent security here. Sony's security stank big style with very, very basic errors and omissions. How they've got the audacity to even consider fighting this fine, as paltry and inadequate as it is, I really don't know.
All this goes to show is that another leak is inevitable. Sony's attitude means it will happen. If they were truly contrite and had learnt from their mistakes, they wouldn't have argued and would just have paid.
One downvote!! Looks like someone from Sony monitoring the comments!!
Not sure how anyone can claim Sony had decent security. The ICO report itself explains just how bad it was!! Because Sony don't seem to accept they were in the wrong, they're just likely to do the same again. Hence, another leak is inevitable. Perhaps rather than just downvote, someone could explain the flaw in the logic?
How do you know the details? What you read on the internet? Please....
Most of the things you THINK you know about this are certain to be wrong.
There were stories that they were using an old version of Apache. This turned out to be untrue.
There were stories that credit card details were taken, this also turned out to be untrue
There were stories that passwords were stored in plain text, again this turned out to be untrue.
Guess what American corp were responsible for spreading all this FUD.....
So tell us Mr Expert, what did they do wrong exactly, and what could they have done differently....
Dear Sony PR droid/unpaid intern
No one gives a flying fuck how bad other providers are or the security or other issues they have.
The grim reality is that Sony are the ones that lost a vast amount of personal information and failed dismally to secure its data or protect its customers.
£250,000 was a cheap price to pay for lamentable performance of this magnitude.
Enjoy your decaf soya latte!
"There were stories that credit card details were taken, this also turned out to be untrue"
Why did Sony admit to it then? http://www.newscientist.com/blogs/onepercent/2011/05/sony-admits-12700-credit-card.html
"There were stories that passwords were stored in plain text, again this turned out to be untrue."
Nope - it was true: http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
@AC 17th July 2013 10:42 GMT
Quite clearly you have learning disabilities, and I am sorry for that. Please ask your carer to explain this to you.
Your first link is SOE, which isn't PSN, and it related to 12k old cards, all of which had passed expiry, and none of the security codes were taken. The link on the page you link to explains this in words that even a child could understand.
The second link isn't even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were using jargon that most didn't understand.
"The entire credit card table was encrypted and we have no evidence that credit card data was taken,"
As mentioned by someone else, much of the vagueness is because the logging wasn't up to scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.
However we now know, they actually got bugger-all. Nothing has ever turned up on line, no fraudulent activity detected nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years.
"As mentioned by someone else, much of the vagueness is because the logging wasn't up to scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.
However we now know, they actually got bugger-all. Nothing has ever turned up on line, no fraudulent activity detected nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years."
So, in one breath you say the logging wasn't up to scratch and therefore they don't know what was taken. Then, you say we "now know, they actually got bugger all". If you don't have logs, how do you know they didn't get anything? The fact that nothing has turned up online is no indicator of whether the data was taken or not. It depends, amongst other things, on the motive for performing the attack. Maybe it wasn't fraud, but simply highlighting how bad the security was, with the data taken then being deleted. Who knows? Certainly not Sony.
If, on the other hand, nothing actually was taken (and there is no evidence to substantiate this), then Sony should be rather red cheeked at having fallen for such a scam that cost it so much money on the basis of something that never even happened!! Tens of millions lost on the back of something that never was!!
I'm not really sure which is the most embarrassing for Sony. It's a close call.
"The second link it's even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were being using jargon that most didn't understand."
As opposed to a language masquerading as English, but actually isn't because the sentences don't make any sense!!
I read the ICO judgement and also happen to know someone who worked for Sony in security. Also, when you say a lot of things stated at the time in various media are 'untrue', this isn't exactly correct. Sony claim 'there is no evidence any credit card information was taken'. This doesn't mean it wasn't. The reality was that Sony monitoring was so poor, they don't really know what happened!! So, you can't really say what was and what was not compromised. You can prove some was, the rest is conjecture.
So, none of my comments were based on unsubstantiated claims on the internet (or elsewhere), but on judgements from the relevant authorities (i.e. ICO) and some personal connections.
I also have personal information on some of their quality security processes during issues with my PS3 account. One of these was a request to send an image of my passport (as in the important page with photo) to them to prove who I was. Now, many people may have just done this. However, I refused as this didn't prove anything other than I was in possession of somebody's passport. In the end, they agreed I could redact everything bar the name and DOB and accepted that as evidence of my identity!! Absolute rubbish.
And, by the way, this was AFTER they were breached!!
What's beyond words is how Sony have been treated as the bad guys, despite doing the right thing and coming clean.
Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money...
It's been going on for 2 years now, with no end in sight, and the problem is pushed under the carpet and trodden down...
So tell me, who is REALLY the irresponsible one???
"Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money..."
Xbox Live has never been hacked. The only known issues around Xbox Live are for users who were conned via social engineering and similar techniques into giving up their ID, personal details and password. That's not a Microsoft issue...
The fact that Microsoft have been getting away with something doesn't mean everyone else should get away with it as well. They should both be brought to book. Microsoft should suffer the full force of the law the same as Sony.
Sony didn't 'come clean' at all. They admitted to the problem only after everyone already knew it had happened. That's completely different to admitting to something when people don't already know. Yes, it's one stage better than trying to hide it after everyone knows, but it still isn't exactly a sign of a morally righteous company.
Basically they're paying up so they're not forced to reveal how shockingly bad their system was during this time.
I suspect it was all down to a schoolboy error, which if revealed through a legal process would be far too damaging to Sony, so they'd rather cough up than face the consequences.
£250,000 is probably a right bargain to keep the details under wraps.
Sony have a long long way to go before they can make me forget the shocking injustice and disregard for their customers they showed during this whole sorry episode. By that I of course mean subjecting me to "Don't Mess with the Zohan" as part of the PSN Welcome Back compensation package.
UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.
Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.
In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].
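The pattern Hatton describes, an order-tracking endpoint that trusts an object id supplied by the client, is shown below as an added example. This is illustrative code written for this page, not Halfords' code and not a reconstruction of what Hatton found; the order records, customer names, id range and the `SECRET_KEY` are all constructed. The vulnerable lookup sits beside two hardened variants: an ownership check for authenticated sessions, and a keyed, unguessable token for the unauthenticated links that go out in confirmation emails.

```python
"""Insecure direct object reference (IDOR) on an order-tracking lookup,
with two hardened alternatives. Added example with constructed data;
not the code of any real retailer."""
import hashlib
import hmac
import secrets

# Constructed sample orders. Sequential ids are trivially guessable, which is
# what makes an unchecked lookup enumerable.
ORDERS = {
    1001: {"customer": "alice", "vehicle_reg": "AB12 CDE", "postcode": "SW1A 1AA"},
    1002: {"customer": "bob", "vehicle_reg": "XY98 ZZZ", "postcode": "M1 1AE"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested order."""


def track_order_vulnerable(order_id, session_user):
    """IDOR: the id from the URL is used directly; any logged-in user can
    read any order just by changing the number."""
    return ORDERS[order_id]


def track_order_hardened(order_id, session_user):
    """Authorise the object, not just the request: the record must belong
    to the authenticated caller."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        # Same response for 'no such order' and 'not your order', so the
        # id space cannot be probed to learn which ids exist.
        raise Forbidden("order not found")
    return order


def enumerate_orders(lookup, session_user, start, count):
    """What an attacker does against an IDOR: walk the id space with one
    account and collect whatever the endpoint returns."""
    found = {}
    for oid in range(start, start + count):
        try:
            found[oid] = lookup(oid, session_user)
        except (KeyError, Forbidden):
            pass
    return found


# Unauthenticated tracking links (the kind sent in a confirmation email) need
# an unguessable capability, not a raw id. A keyed HMAC over the id works:
# the server can verify it without storing anything per order.
SECRET_KEY = secrets.token_bytes(32)  # constructed per-deployment secret


def tracking_token(order_id):
    """Token embedded in the tracking link for this order."""
    return hmac.new(SECRET_KEY, str(order_id).encode(), hashlib.sha256).hexdigest()


def track_order_by_token(order_id, token):
    """Accept the lookup only if the presented token matches the keyed
    token for that id. compare_digest avoids a timing side channel."""
    order = ORDERS.get(order_id)
    if order is None or not hmac.compare_digest(tracking_token(order_id), token):
        raise Forbidden("order not found")
    return order


def token_accepted(order_id, token):
    """Boolean wrapper so the outcome can be checked without exceptions."""
    try:
        track_order_by_token(order_id, token)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # alice enumerates a small id range through each endpoint
    print("vulnerable:", sorted(enumerate_orders(track_order_vulnerable, "alice", 1000, 5)))
    print("hardened:  ", sorted(enumerate_orders(track_order_hardened, "alice", 1000, 5)))
    print("bob's link works:", token_accepted(1002, tracking_token(1002)))
    print("swapped id fails:", token_accepted(1002, tracking_token(1001)))
```

The ownership check is the fix for authenticated endpoints; the HMAC token covers the email-link case where there is no session to check against. Either way the test a pentester runs is the same as `enumerate_orders`: log in as one customer, step the id, and see whether other customers' records come back.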
What's old is new again with reboots of classic devices for gaming and music coming out all the time. But that kitsch value comes at a cost, even if the tech is from the current era.
Audiophiles want digital music players that leave out cellular components in favor of sound-quality-maximizing gadgets – or at least that's what Sony appears to be betting on with the introduction of a $3,700 so-called Walkman this week.
Before you ask, no it can't play actual tapes, which means it's not really a Walkman at all but rather an Android 11 media player that can stream and play downloaded music via apps, much like your smartphone can probably do. But we won't talk about that because gold plating.
If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.
RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.
This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.
California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.
Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.
"First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."
Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.
In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.
"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.
In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.
Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said.
Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.
Sony on Friday launched a subsidiary dedicated to optical communications – in space.
The new company, Sony Space Communications Corporation (SSCC) plans to develop small optical communication devices that connect satellites in low Earth orbit using a laser beam, and provide the resulting connection as a service.
These small devices can provide high speed communication more effectively than radio, because they do not need a large antenna, high power output or complicated licenses, said Sony in a canned statement.
Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.
Safety Detectives' report states it found a StoreHub server that stored unencrypted data and was not password protected. The security company's researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.
StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.
The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.
Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.
According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.
Biting the hand that feeds IT © 1998–2022