from the article: “Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” said Mathew Solnik, a security consultant with iSEC Partners
Btw, the 'moving to a better secured location' sounds to me like someone just walked into the building and sat down behind a terminal with possibly less security than you'd hope there to be. Or an inside job.
they held a press conference this morning the short of it is
* Still no evidence that PSN credit card data was obtained but cannot be ruled out
* Sony to provide free selected software downloads in “Welcome Back” program. 30 days of free PlayStation Plus access to new and existing members, and 30 days of free Qriocity service
* Sony will appoint Chief Information Security Officer
* PSN back up “this week”, PS3 to have forced system update that requires password change before login
So we get 30 days of PS+, something that, if we don't have anything we get from it, is gone at the end of that 30 days?
Don't say it's not worth it, when you can sleep with no fear, that kind of time is worth anything. - FFX
They suggested there will be free downloads in addition to the free Plus service.
Because the freebie content will be different by region, Sony was hesitant to put a price on it, but Hirai estimated "a few thousand yen" worth of free downloads. So like $20-25 or so?
Though I'd rather have cash (or even credit) than free avatars and backgrounds, or add-ons to specific games I don't own.
Other stuff I found interesting:
Sony guesses that hackers got into the network through an "application server," through which they were then able to get into the database servers and grab data.
The vulnerability in the web server was a vulnerability known about that particular type of server, one of the execs on stage said.
A reporter asked what the purpose of the "intrusion" was. Hirai: "For the past month and a half, we've experienced attacks on various Sony systems. We have yet to identify a direct relationship with a group." Speculation about the objective: "We are not in a position to say one way or the other." That same reporter asked if passwords were encrypted. I believe (translation not being perfect) that Hirai said they were not.
Quite dumb. Hopefully a ripple effect is everyone else getting scared and increasing their security before they're hit themselves.
Originally posted by El Nastio: It gets better. Click Here (joystiq.com) Sony Online Entertainment shuts down their service temporarily after finding "an issue". For those who don't know, this is what they use for DCU Online.
The hubris of Sony is amazing. After the debacle listed above, SOE goes up and says "oh, we're totally fine and weren't affected."
SCEA PR director Patrick Seybold states in the FAQ that the company is "moving our network infrastructure and data center to a new, more secure location, which is already underway."
The implication was that it was physical security that caused the PSN hacks. So unless SOE and PSN share the same location, they lied. Again.
Unless they're repealing that and going with the Application Server and poor encryption schemes.
The follow-up word is that Sony's been hit again through these servers and EVEN MORE credit card numbers have been stolen!
Following up on this morning's news that Sony Online Entertainment servers were offline across the board, Japanese newspaper Nikkei reports (via BGR) that the company has lost 12,700 customer credit card numbers as the result of an attack. The company apparently took SOE servers offline after learning of the attack last evening, but has yet to issue a statement confirming that customer information has been lost.
Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder's origins are unknown. The report also notes that most of the numbers are said to be from expired cards, which Engadget posits could mean this was simply stolen data from an old backup.
Expired cards or not, this is still a pretty big deal. The FBI needs to move faster, because a lot of people stand to get their lives wrecked if their credit card numbers get sold to the highest bidder.
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
That somewhat explains the sequence of events: someone notices that file on the server -> sirens go off, someone hits a big red button to turn off the servers -> logs are analyzed for days -> uh oh.
Though, I could've sworn both Sony and Anonymous said they weren't responsible prior.
Edit: the actual letter is worth reading. They clarify that the Anonymous file was actually found on one of the SOE servers - the more recent breach. The actual triggering event was computers rebooting on their own, which led them to look at logs and find out data was being transferred out.
The letter makes it very clear that Sony believes Anonymous is responsible. Their denial of service attacks were a diversion from the data theft; Sony's not sure if Anonymous was part or aware of the theft, but emphasizes them as part of the problem and pushes for stronger laws against these sorts of groups (above and beyond their own data protection.)
Thanks for the link - it was worth reading. It says in one part:
Originally posted by the letter: Sony Network Entertainment America is committed to helping its customers protect their personal data and will offer its U.S. account holders complimentary identity theft protection services.
WTF does this mean? You're gonna compensate me if someone has stolen my card number and cleaned out my account? You're gonna offer enhanced security measures to make sure no one steals my info going forward? If they're anything like your previous security measures, I'll pass, thanks.
I'd settle for just knowing if I've stored my card number with PSN or not because I can't recall if I've used it on there before, but all of my various e-mails have gone without a response. Maybe I'll just log on to PSN and see if my info is....OH WAIT!
Originally posted by the letter: Central components of the "Welcome Back" program will include:
- All consumers coming back to the PlayStation Network will be provided with 30 days of free membership in the PlayStation Plus premium subscription service.
Wow! 30 days! They must be really apologetic about this. /sarcasm
Not to divert any of the deserved criticism about Sony's incompetence, but I'd like to see this level of vitriol and cynicism focused on the hackers and pirates who are the ones who committed the crime and now hold many people's financial information hostage.
Michigan against the SEC: 20-6-1 (7-4 in bowl games)
Originally posted by BoromirMark: Not to divert any of the deserved criticism about Sony's incompetence, but I'd like to see this level of vitriol and cynicism focused on the hackers and pirates who are the ones who committed the crime and now hold many people's financial information hostage.
Sure I blame the hackers, but right now I've got no clue who they were. All I do know is that Sony SHOULD have had security in place to prevent this from ever happening. Not to mention the fact that they still haven't been able to figure out what was taken or correct the problem and get the systems back up. That tells me there are some seriously incompetent people I've been trusting my info with in the first place. No way in the world they should still be so confused about what took place or how to fix it.
Originally posted by wmatistic: All I do know is that Sony SHOULD have had security in place to prevent this from ever happening.
Yeah - given that the security hole was something already known about, it's akin to driving into a bad neighborhood and leaving your car parked with the keys in the ignition. It's kind of amazing this didn't happen sooner.
Originally posted by wmatistic: Not to mention the fact that they still haven't been able to figure out what was taken or correct the problem and get the systems back up.
I don't think this is the case. If they're moving their entire facility and rebuilding everything from scratch (or a close proximity thereto), I think it's safe to say they're not taking any chances with regards to security and thoroughly testing all of their systems.
You know... doing everything they should've done BEFORE taking and storing credit card numbers.
"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."
People in the US will be offered one free year of Allclear ID Plus identity monitoring. Codes are being sent out (hope your PSN email is correct) and you'll have until June 18th to sign up. That probably means they're not expecting the codes to be all out for another couple weeks. They're still working on it for elsewhere.
I know some believe we should have notified our customers earlier than we did. It’s a fair question. As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken.
In the last few months, Sony has faced a terrible earthquake and tsunami in Japan. But now we are facing a very man-made event – a criminal attack on us — and on you — and we are working with the FBI and other law enforcement agencies around the world to apprehend those responsible.
Progress? 3.61 is up for mandatory update. All it appears to be is the promised forced password change.
The network is not up, but this is a smart move: even with all the trouble and wariness of using the service, the first day the PSN is back on will blow away any bandwidth record they have. People will be grabbing weeks of delayed game updates, DLC, and whatever else all at once. Best to stagger what they can.
Is it bad that I'm hoping they'll make limited edition lego figures for this... I want to carry Lego Bowie around in my pocket and claim I'm talking to him when I get caught muttering to myself. Ok, yes it is bad...