According to Philip Reitinger, Sony’s Chief Information Security Officer, PSN accounts have been compromised once again. 93,000 accounts globally were compromised and quickly locked by Sony. The credential data for these accounts was stolen from an external source, not from Sony. An overwhelming number of attempts made against Sony’s authentication servers failed; the accounts that were successfully authenticated against Sony’s database amounted to only .1% of all PSN accounts.
Reitinger added, “Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”
This is the result of a list that may have been passed around to hacker sites after the original security breach earlier last summer. Some PSN users may have already received emails from Sony detailing the issue and asking for them to reset their password. If we’ve learned anything from this, creating a new password after PSN was restored was a necessity. It seems like the data being used for the current breach is old.
Source: [PSBLOG]
only on sony lol
I had 0 amount today on my psn account. Checked my history log and it should have been several bucks available. Need to send an email to sony tomorrow to find out what that is all about.
Journalism fail.
should’ve had a 360
Once a prolific company or any company with the status Sony holds gets hacked you can bet your bottom dollar more attempts will follow. The fact that they were hacked is what it is, the fact that once again personal information was accessible is terrible. Telling us credit card information was safe doesn’t grant you a public pat on the back, you’re supposed to protect that data as well as our personal info.
Okay, so let us know what your solution is to protect users who reuse the same password everywhere? What’s your solution to protect users who can’t be bothered to change their password periodically – even if they haven’t accessed the service in say – oh I don’t know – a year? How do all the other web sites on the Internet protect their users against these things? As far as I know, Xbox Live hasn’t pestered me to change my password in the last 72 days, 6 months or a year – even though Hotmail has such a “remind me in 72 days” option – I am not forced to use it. I bet most of you “XBots” don’t either. Don’t throw stones in glass houses.
Why ask a rhetorical question? My angst has zero, nil, zilch to do with user awareness or user security. Here’s what I believe to be unacceptable: “Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them.” — Philip Reitinger SVP & Chief Information Security Officer, Sony. It sounds like an inept explanation considering all things. You locked the account but some continued on with unauthorized access? Hmmm, well sir what the hell else did you try? How about not only locking accounts but revoking permissions to perform any harmful functions, such as the ability to use funds and other requests? I can’t say undeniably that they haven’t taken those steps but it wasn’t written and in this business I give no one the benefit of the doubt. As for your rhetorical question, reverse social engineering is not new and any company, service and consumer can lay claim to that.
It is not a rhetorical question at all. It seems you don’t understand how authentication systems work. I do because I’ve actually written authentication systems for Corporations. The 93,000 compromised accounts that Sony are reporting is precisely as I have said. The compromised accounts were legitimately authenticated using accurate e-mail & password credentials. Where did the 3rd party obtain those e-mail addresses & passwords from? That’s the question. The answer – who knows? They could have been syphoned using key logging software for all we know.
“It is not a rhetorical question at all. It seems you don’t understand how authentication systems work nor do you understand the statement made by Sony’s CISO. I understand it all because I’ve actually written authentication systems for Corporations.” – It IS a rhetorical question if you’re talking to someone about security and who knows security. If you didn’t assume, well now you know. What you asked was rubbish, actually silliness in its fullest. You have no control over someone using Sarah1 as their password for every service that allows such, thus being rhetorical in nature OR you’re simply looking for a pigeonholed response. Whichever preference, the question was silly from that pov. Again re-read my second paragraph, after I quoted Philip. It was an inept response from Sony, actually no, it was very telling. I’ll give Sony credit for actually releasing their statement in a timely manner but the faults are glaring. I’ll note that the “prior” in his statement slipped by me so on that front I am incorrect, but again I ask what else have they done? Better yet how this could have been prevented. 1) Accounts for PlayStation Network, Sony Entertainment Network and Sony Online Entertainment were compromised from another source, a third party. Now back when Sony was recovering from its wounds they “required” that everyone “reset” their password. Resetting your password usually means you had to change it to something else, unless in very rare occasions. Any database of passwords collected and distributed with that old information should have by all means become null and void. So that possibility is almost unlikely. 2) This database in which the account material was gathered, should have had proper hashing implementation with salts per individual account/log-in. It’s clear the vulnerability was actually the third-party database where the storage of the accounts were and not the password strength at all.
Sony controls these networks and they have full authority on the security and the placement of this sensitive data. 3) Philip stated that there was 93,000 compromised accounts. Here’s a question that’s not rhetorical for you: if they can tell that an account was compromised as opposed to a legitimate log-in then something had to have tipped them off, possibly something unique and/or similar amongst all. Why again are we focusing on passwords? I myself have looked at logs and seeing repeat log-in failures on multiple accounts (especially .1%) can in no way, shape or form constitute a database compromise and hack attempt. 4) Again, I asked what have they done? If suddenly 93,000 of your accounts started logging in from a common source such as a browser (user-agent identified) that’s a blatant attack. With a proper security team/group in place it should NOT take you 3 days to notice this odd behavior. My last point was a scenario and I understand it’s not exactly what happened but the level of incompetence still stands. With 60,000 of the accounts on PSN and Sony Entertainment Network and about 33,000 on SOE it’s clear this wasn’t a basic social engineered attack where accounts are compromised from other sites such as Facebook and used against other services. So no, 93,000 accounts aren’t just siphoned using keylogging software and simultaneously attempt to log-in. That is how this is Sony’s fault.
I disagree… QFT. Source: http://www.guardian.co.uk/technology/2011/oct/12/sony-suspends-93000-accounts “Reitinger was quick to shift responsibility for the break-in to third-party sites or servers. “These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources,” he said. “In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our networks. We have taken steps to mitigate the activity.”
The headline here seems to be misleading… Service accounts being compromised is most definitely not the same thing as a service being hacked. If I write my http://www.thebitbag.com username and password down on a piece of paper and leave it laying about for the local cleaners to find – whose security is at fault? Mine or http://www.thebitbag.com's? Can someone honestly and legitimately claim that http://www.thebitbag.com has been hacked because someone viewed / used my account? Can someone even legitimately say that my account has been hacked? I would have left my username and password laying around in plain view – should it be illegal to read that document? Should it be illegal to use the username / password information that was made publicly available? If my twitter.com account is compromised, my username / password is “stolen” or rather “obtained” and all of a sudden you see random malicious spam posts being made using my Twitter account on http://www.thebitbag.com, whose fault is that? I guess if you’re to believe this news story above – it’s http://www.thebitbag.com's fault for supporting posts using Disqus and Twitter and not adopting its own, more intelligent security procedures… Perhaps http://www.thebitbag.com really ought to forcibly reset my password every time I want to log in…? Or are we actually happy with how http://www.thebitbag.com works – in that it works similarly to the rest of the Internet websites that are out there – just like PSN does?
People don’t understand that an isolated incident, i.e., me being hacked because of negligence, is different than hackers having access to multiple accounts because of a lack of security on Sony’s behalf. It’s still hacking. My theory is this: Sony was hacked last summer and the information was shared. Hackers are just now using it to try and gain access to the accounts that were acquired. Yes, Sony is still to blame. I don’t think 93,000 people just happened to get a keylogger virus or gave out their password due to a phishing attempt. This is a massive hacking of PSN due to Sony’s negligence.
Since I couldn’t reply to your last post I’ll reply here. My source for the account breakdown can be found here: http://www.networkworld.com/news/2011/101211-sony-suspends-93000-online-accounts-251874.html 1) I never said Philip lied, that’s flat-out a falsified claim. 2) As for the “common source” why would you assume (being a security chap yourself) the source meant someone sitting at a desk? In a case where 93K accounts were compromised that’s asinine. At best I figured no explanation would be needed for that. The “Common Source” in my example was as stated a user agent. If suddenly 93,000 accounts started seeing logins from a unique and distinguishable user-agent, there’s obvious concerns and grounds to take preventive measures and assume an attack is/has happened. Log files that have been properly normalized and prioritized can soundly alert you to an attack that has happened or is in progress especially if you are used to mining logs. Log mining isn’t as archaic as you make it out to be; there are plenty of tools and scripts to help cut man hours… 3) Bots serve their purpose but again there’s more to be learned from logs than seeing a variety of user agent strings and protocols. Time stamps, IP address, etc. all throw hints at you. You joke about blocking the whole internet, no need to, if you see 15K logins all from a couple of class B IPs in one region of the world, that when compared to normalized traffic (time stamps and so forth) stand out… Need I say more? It’s not nearly as improbable as you make it seem. Logs along with other software help identify things us mere humans may miss when mining. Your condescending tone tickles me, I don’t need nor require your approval to be well versed in any matter let alone one that I practice for a living. You can disagree, you can offer opinion, what you can not do is alter fact. I have listed facts and based off of them I have my opinion, my thoughts on why Sony was and still is incompetent with security.
You offer keyloggers and other rather improbable notions to counter, all of which are refuted in my previous comment. This “third party” source as they state: “These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources.” This is a blanket statement; they a) have no idea and/or b) wish not to tell all there is to tell at this time. All that statement is, all it does is remove Sony from the brunt of the blame and place it on someone else, actually no one at all. Again I listed facts, Sony required you to change passwords after the April fiasco so that list (if any) can be thrown out. Twitter, Disqus or whatever other social network you want to include can be thrown into the improbable pile as well. Those databases weren’t compromised and resulted in ONLY Sony PSN, SOE and Sony Entertainment Network targets; surely other more lucrative choices would have been made. This was a targeted attack aimed at Sony, think about that before you presume such general assumptions as those you laid out.
1.) You are the one saying… (a) The statement referring to “compromised lists from other companies, sites or other sources” is a “blanket statement”. (b) Sony doesn’t know / doesn’t want to say, so therefore you are saying Sony’s CISO is lying. (c) Sony’s statement is intended to “remove Sony from the brunt of the blame and place it on no-one at all”. I don’t agree with any of that. You state you are only stating facts, well – nothing there is a fact, it is all your opinion. What’s more, clearly, it is nonsense. 2.) Ref http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/ It is clear the data must come from other sources. Okay so 60k of compromised accounts were against PSN and 33K were against SOE… That’s against MILLIONS OF ATTEMPTS. If all the account data came exclusively from the April 2011 PSN hack data – they wouldn’t have matched up to all those PSN / SOE accounts unless users used the same usernames and passwords across both systems and did not change their passwords. SOE has a completely different authentication system with alternate credentials – not PSN IDs. Users would have had to duplicate usernames and passwords across both systems. As you obviously don’t recall, at the time of the hack, Sony forced PSN and SOE users – separately – to login via their PS3 / PC earlier this year to change their password. Accounts remained locked until passwords were changed. I went through both procedures and I remember it well. The success ratio for compromising accounts was not 1:1, so clearly the data was not stolen and did not come from either SOE / PSN’s current user database (it would have matched), nor their old database (wouldn’t match anyway). You say the data used to get the 93,000 accounts didn’t come from other sources – so tell us where it did come from then? 3.) I don’t assume those attacks come from someone sitting at a desk but by stating “common user agent” – you implied it!
As I stated before, it’s easy to write an app to do this, even in C# using XMPP. The user agent string can be forged, modified and randomized – per attempt – to appear to be from any browser, a variety of browsers, something else or nothing, so you can’t realistically use that to block traffic. Where is your evidence showing there was a common, unique user agent string from the attack sources? 4.) Again, botnets are not limited to regions of the world. Anyone’s computer / hardware can be infected. You can’t block all traffic from everywhere, nor can you block ISPs or you’ll soon have legitimate customers phoning up saying they can’t access the service. Sony is a global company with customers across the globe. It’s not the same as your day job where you’re trying to understand why people in Pakistan are trying to access your corporate servers. Besides, manual log analysis and pattern recognition takes time – and that’s assuming there is a viable pattern to establish from all the noise. A hacker could quite easily write code to queue authentication requests with different credentials to make an attack appear legitimate. 5.) The attack was against Sony – sure – why do you think that is though, because the data owners thought they had a data set that was relevant to Sony explicitly, or just because they thought Sony’s security sucked? Sony is a target right now – sure, but that doesn’t mean they’ve not radically improved their security since April. If anything 93,000 accounts from well over 60 million – across 2 services – is a pretty small success rate. That Sony caught that it was happening and did something about it – that’s a good thing and doesn’t imply incompetence at all.
1) Saying someone’s statement is a blanket one and is to divert the blame does not imply lying. I simply believe that they know where the source came from or have an idea and simply wish not to reveal it at this time. How does any of that constitute me calling Philip or Sony liars? Those aren’t the facts I laid out, those are conclusions I came to based off of the facts presented. 2) As for the “third party” / other source(s) discrepancy, never did I say it was from Sony; the closest I’ve ever placed Sony in regards to the list of compromised attacks was: “This database in which the account material was gathered, should have had proper hashing implementation with salts per individual account/log-in. It’s clear the vulnerability was actually the third-party database where the storage of the accounts were and not the password strength at all. Sony controls these networks and they have full authority on the security and the placement of this sensitive data.” Again I doubt very much this came from another source such as a database controlled by Twitter, Facebook, EA, Activision, Steam, etc. Let me make this part clear, this is my belief, my opinion. Fact is if the data from any of the aforementioned were compromised Sony would not be the only company attacked. They could be the main target but not the only target; saying otherwise is naive. With that said I believe this third party source could be a company not owned by Sony but does business with them and was targeted because of direct links to Sony’s various networks. 3) As stated when I first mentioned the “user agent” string, that was an example not a fact. I stated that in regards to them taking 3 days to be alerted of this attack (Oct. 7th – 10) I find it surprising due simply to the amount of accounts that was affected.
Yes only .1% were affected but it was clearly an attempt on more than that, meaning there was an undisclosed number of attempts that took place and only 93,000 accounts were successfully compromised. Lots of flags go up on that over a three-day period and along with that other common traits (region, source request, protocol, etc.) mapped against network and log normality this would have been noticed (albeit it was) quicker. 4) Currently the most known and worrisome botnet is TDL-4; Microsoft along with the FBI and other world authorities have cut botnet effectiveness across the globe by more than a third with the recent takedowns of three major botnet hives. Aside from TDL-4 the less ethical computer users of society are trending away from using them. With all that said pattern, trend, normalization analysis and so forth all aren’t as dastardly as you make it out to be. If done, over time when compared to baselines events like this stand out. Again this is 2011, it’s not that bad especially with tools like the oldie but goodie Swatch and for enterprise businesses Tripwire and Zabbix (depends on your company, assets and infrastructure); these are hardly a chore as they were say back in the late 90s early half of the last decade. 5) I agree with you on that, they have a big bullseye on them currently. They’ve had it since the first attack earlier this year. It’s not inconceivable to believe that proper normalization of logs and use of other HIPS/IDS/IPS and enterprise equipment/software were not yet in place or that planning and implementation (which in an enterprise due to politics takes forever) isn’t complete. Philip was hired to do what wasn’t done prior to his arrival and in that regard I can cut him some slack. The fact that they realized what was happening (3 days or not) is noted. BUT I still expected more given that between the original fiasco and now 3 days of this sort of activity seemed like an inadequate timeframe to react.
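The log-mining check the commenter above describes (many distinct accounts tried from a couple of class B ranges with a shared user agent and mostly failed sign-ins, measured against ordinary traffic), as an added Python example over constructed log lines; this is not Sony's tooling or the commenter's own, the log format and the thresholds are assumptions.

```python
"""Spotting a credential-stuffing burst in an authentication log.

Added example on constructed data, not any real service's logs. Each
line carries: timestamp, source IP, account ID, result (OK/FAIL), User-Agent.
"""
from collections import defaultdict
import ipaddress


def build_sample_log():
    """Constructed sample: 30 attempts against 30 distinct accounts from two
    /16 ranges sharing one User-Agent, plus a handful of ordinary logins."""
    lines = []
    for i in range(30):
        net = "198.51.100." if i % 2 == 0 else "203.0.113."
        result = "OK" if i % 10 == 0 else "FAIL"   # a few ID/password pairs still match
        lines.append(f"2011-10-07T03:12:{i:02d}Z {net}{10 + i} acct{i:04d} {result} StuffBot/1.0")
    normal = [("10.1.4.7", "alice", "OK", "PS3/4.0"), ("10.2.9.3", "bob", "OK", "Firefox/7.0"),
              ("10.3.1.1", "carol", "FAIL", "Chrome/14"), ("10.3.1.1", "carol", "OK", "Chrome/14"),
              ("10.4.2.2", "dave", "OK", "PS3/4.0"), ("10.5.6.6", "erin", "OK", "Safari/5")]
    for ip, acct, res, ua in normal:
        lines.append(f"2011-10-07T03:20:00Z {ip} {acct} {res} {ua}")
    return lines


def parse_line(line):
    ts, ip, acct, result, ua = line.split(" ", 4)
    return {"ts": ts, "ip": ip, "acct": acct, "ok": result == "OK", "ua": ua}


def class_b(ip):
    """Return the /16 ("class B") network containing ip."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize_by_source(lines):
    """Per-/16 counters: attempts, failures, distinct accounts, user agents."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "accts": set(), "uas": set()})
    for rec in map(parse_line, lines):
        s = stats[class_b(rec["ip"])]
        s["attempts"] += 1
        s["fails"] += 0 if rec["ok"] else 1
        s["accts"].add(rec["acct"])
        s["uas"].add(rec["ua"])
    return stats


def flag_stuffing_sources(lines, min_accounts=10, min_fail_rate=0.5):
    """A /16 that tries many distinct accounts with mostly failed sign-ins has
    the credential-stuffing shape; a real user fails on one or two accounts."""
    flagged = []
    for net, s in summarize_by_source(lines).items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["accts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged.append(net)
    return sorted(flagged)


def shared_user_agents(lines, min_accounts=10):
    """User-Agent strings seen across unusually many distinct accounts."""
    accts_per_ua = defaultdict(set)
    for rec in map(parse_line, lines):
        accts_per_ua[rec["ua"]].add(rec["acct"])
    return {ua for ua, accts in accts_per_ua.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    log = build_sample_log()
    print("suspicious /16s:", flag_stuffing_sources(log))
    print("shared User-Agents:", shared_user_agents(log))
```

The per-source baseline is what makes this usable: the same thresholds applied to the six ordinary logins flag nothing, while the two burst ranges stand out even though a few of their attempts succeeded.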
This is what happens when you are playing on the worst console out there , seriously get a PC nothing better.
You’re saying the PC has “no real worries about people hacking in games and better security than a console?” Erm………………. No Matthew, I’m afraid that isn’t the case.