
PS3 Network down for a few days

Started by Depressed Beyond Tables, April 22, 2011, 07:25:52 PM


VegaLA

Engadget have some deets here:

http://www.engadget.com/2011/04/26/sony-provides-psn-update-confirms-a-compromise-of-personal-inf/

This is why I... oh.
Don't upset the Nerds I guess is the moral of this story. It is seriously bad and I hope MS have reviewed their security.
Jack Tretton is getting a serious arsekicking right about now.

EDIT to add: Just got an email from a friend in the UK, said his brother was contacted by HSBC stating his CC details had been passed onto them as compromised so.... take action.

Consignia

Quote from: VegaLA on April 27, 2011, 04:24:56 PM

Don't upset the Nerds I guess is the moral of this story.

No, the moral of the story is: have a robust security model for your network applications, and don't ever get complacent about it. From the sounds of it, there have been some pretty fundamental flaws in the design. Who takes advantage of it is irrelevant. Incidentally, it won't be the script kiddies pissed off with their piracy attempts being blocked firing off their DDoS applications en masse that caused this breach, it'd be some knowledgeable person(s) targeting the information. More likely an organised crime unit taking it.

jutl

Quote
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

...

Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
from http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/

That sounds to me like the passwords were stored in plaintext.

Consignia

Well, you wouldn't expect a password to be encrypted anyway. Just hashed, and hopefully salted. Losing hashed passwords is not good news though. Even though you can't reverse the hashing algorithm, you can recover a plaintext password by using techniques such as rainbow tables. It's not a quick process though, so you do have some breathing time, if they are hashed, which I really would expect they are.

There are bigger issues of security concern here though, that such an intrusion was possible at all.

spanky

I've changed my password on the sites I know use the same email/pw combo I used for PSN (Amazon, Play, Paypal, GMail) and although I'm not entirely sure I've used my current card, I'm withdrawing cash and then getting the card replaced to play safe.

Don't ever advertise your DLC to me again, Sony.

MojoJojo

Quote from: Consignia on April 28, 2011, 09:58:23 AM
Well, you wouldn't expect a password to be encrypted anyway. Just hashed, and hopefully salted. Losing hashed passwords is not good news though. Even though you can't reverse the hashing algorithm, you can recover a plaintext password by using techniques such as rainbow tables.

If the hashing is properly implemented rainbow tables aren't effective. If you have a "strong password" they don't work either.

I'd rather my password was salted and hashed than encrypted, for sure.

Consignia

Quote from: MojoJojo on April 28, 2011, 12:49:27 PM
If the hashing is properly implemented rainbow tables aren't effective. If you have a "strong password" they don't work either.

Yup, but you can't expect many people will have strong passwords. You are kinda hoping that Sony implement hashing well enough to stop rainbow tables, but that is a real unknown. I feel there's a lot of "this is good enough" complacency behind the scenes here.

Salting implemented properly should render a rainbow table completely ineffective, even if your password is password.

I wouldn't be surprised if Sony are just covering their asses by telling people that their passwords might be compromised. If they didn't say that and it later turned out that passwords were revealed it would be a bigger problem than just adding "and change your passwords too" to this current mess.
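The salting point made in the posts above, as an added Python example that is not part of the original thread: the same weak password stored for two users, first as an unsalted SHA-256 digest and then with a random per-user salt and PBKDF2. The function names, the constructed wordlist, the iteration count and the choice of PBKDF2 are assumptions for illustration; nothing here reflects how Sony actually stored passwords.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor (assumption); tune for your hardware

# Constructed sample wordlist standing in for a large precomputed table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_sha256(password):
    """Weak scheme: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


# Built once, then reusable against every account stored with the weak scheme.
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def hash_password(password, salt=None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(password="password"):
    """Store the same weak password for two users under both schemes."""
    weak_a, weak_b = unsalted_sha256(password), unsalted_sha256(password)
    salt_a, strong_a = hash_password(password)
    salt_b, strong_b = hash_password(password)
    return {
        "unsalted_identical": weak_a == weak_b,
        "unsalted_in_table": PRECOMPUTED.get(weak_a) == password,
        "salted_identical": strong_a == strong_b,
        "salted_in_table": strong_a.hex() in PRECOMPUTED,
        "login_ok": verify_password(password, salt_a, strong_a),
        "wrong_password_ok": verify_password("hunter2", salt_b, strong_b),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The salt removes the value of any table built in advance and hides which accounts share a password; it does not stop someone guessing a weak password one account at a time, which is the cost the slow key-derivation function is there to raise.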

spanky

Sony are saying card details are ok now:

Quote
All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Depressed Beyond Tables

Anyone any idea when this will be back, if ever?

Edit:

Quote
...we expect to have some services up and running within a week from yesterday.

http://www.telegraph.co.uk/technology/news/8480441/PlayStation-hack-Sony-network-down-until-next-week.html

chocky909

Come on! How hard is it to add some fucking security? They can always change it later. I hate you Sony, I hate you!

So how come Black Ops' multiplayer combat training with bots requires PSN sign-in to work? This is the only time I have ever needed that mode. What were they thinking?



Slaaaaabs

Yeah I got a second e-mail this morning. Luckily the details are from 2007 so most cards should have been replaced by now.

Depressed Beyond Tables

Anyone else see an Xbox-like charge coming in 'to strengthen security and prevent your privacy being compromised'?

I'd say they might try generously giving users 1 month free usership and then crank in the charge.

You know how corporations work...

chand

Quote from: Depressed Beyond Tables on May 03, 2011, 05:09:05 PM
Anyone else see an Xbox-like charge coming in 'to strengthen security and prevent your privacy being compromised'?

I'd say they might try generously giving users 1 month free usership and then crank in the charge.

You know how corporations work...

I doubt it, free PSN was always held up as a big benefit, and no-one will want to pay for basic security which should be standard. I'd be surprised if they went any further down the road of charging for online beyond the premium Playstation Plus.

Zero Gravitas

Or rather hiding the costs from consumers by passing them on to publishers.

There's talk it might be down until May 31st.

I'm not getting excited over this mooted 'compensation package' of a couple of PS3 or PSP games and a free month of PlaystationPlus either. The games on offer are likely to be ancient first party titles they were selling for buttons on there anyway. Fuck off Sony.

chocky909

The shithouses. I wanna play Portal 2 Co-op! My chosen co-op buddy is getting very restless as they have the PC version and other people willing to play it with them. I won't have anyone else to play with though if they can't wait.

Remember when Live was down for a while a couple of years ago? Did they add any time to people's memberships or was it just that shitty free game?

Still Not George

Quote from: chocky909 on May 10, 2011, 09:35:45 PM
Remember when Live was down for a while a couple of years ago? Did they add any time to people's memberships or was it just that shitty free game?
Nope, it was just generic twinstick shooter Undertow. A game which apparently uses the Unreal Engine, although I've no clue what for.

VegaLA

Got a free shitty game but with an added month's sub.

momatt

Quote from: VegaLA on May 10, 2011, 10:13:26 PM
Got a free shitty game but with an added month's sub.

Where did you hear this?  Is this just for existing PSN Plus customers or everyone?

I think he was talking about Xbox.

Utter Shit

Quote from: thehungerartist on May 10, 2011, 07:52:26 PM
There's talk it might be down until May 31st.

I'm not getting excited over this mooted 'compensation package' of a couple of PS3 or PSP games and a free month of PlaystationPlus either. The games on offer are likely to be ancient first party titles they were selling for buttons on there anyway. Fuck off Sony.
It's better than nothing. Only an absolute dickhead would think they deserve any kind of compensation for this anyway.

Subtle Mocking

In fairness, it is a free system, so any compensation at all is generous. I would've thought that they'd compensate PS Plus users and users whose cards got used as a result of their details being taken.

If Live was down for this long, they'd have to compensate a lot more.

Viero_Berlotti

It may be a free system, but PS3 owners have paid for the console, they've paid for the games, and funds from both of these must indirectly go towards paying for and maintaining the PSN?

Regardless of this I think Sony's rep has taken enough of a hit that they'd be stupid not to offer some kind of sweetener to PS3 owners.

Subtle Mocking

Yeah, true. It would be a bit of a fuck you to just say 'well your credit card details may have been taken and you can't play online for a month. Don't hassle us though.'

momatt

Quote from: Utter Shit on May 11, 2011, 01:17:28 PM
It's better than nothing. Only an absolute dickhead would think they deserve any kind of compensation for this anyway.

Well, that's true.  I wasn't expecting anything, but it'd be jolly nice.  As others have said, I think they should offer some sort of freebie to help maintain their reputation.  But if they didn't I wouldn't give it a second thought.
I'm very happy with the PSN normally.

I do think it's funny how it always seems to break down over Easter holidays though (remember that silly Leap Year glitch last time?) - when so many people want to do nothing but play computer games for a week.  My mate bought three CoD games in April and was fairly gutted by all this.