Is PSN under attack? - PSN now back up 15/05

Are there any concrete dates as to when it's going to go back online? Also heard that they might be bringing in XMB chat and some other features. True/false anyone?
 
No, it isn't legal, not even worth mentioning really, don't know why they put that nonsense in there.



They've said the hackers have got people's passwords. Passwords shouldn't be stored on the server, full stop; any competent system stores hashes of the password instead. A hash of the password is not the same thing as the password encrypted.

It isn't really that clear cut (although yes they screwed up); banks don't store hashed passwords, for example. When you log in to your bank by giving 3 characters of your password or whatever rather than the full thing, that only works because the bank's database doesn't store a hashed version of your password. If a hacker got to the bank's database, your passwords would be out with minimal cracking time, simple as that. They get away with it because their databases have major security around them.

Sony probably did it for a couple of attractive (but not excusable) reasons to them:

- It makes changing authentication schemes very easy if you need to for some reason.
- It makes password recovery very easy.
- If you 'think' your database is secure and you use SSL then you can use a nice secure authentication protocol based on shared secrets such as challenge/response or zero knowledge proofs.

They may even have used hashed passwords but built the PSN protocol using such a scheme where the hash essentially becomes the password. If you do this when using SSL and treat your database as secure then it's not too bad (until something like this happens). This may well be what they are now re-engineering :p

The credit card numbers were probably encrypted due to industry compliance requirements, if they weren't then they are gonna get ******.
 
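The two storage models argued over above, as an added example that is not code from this thread or from Sony: scheme A stores a salted PBKDF2 hash and verifies a login by recomputing it; scheme B is the challenge/response arrangement the post describes, where the server keeps H(password) and that stored value is the shared secret. The round count, the sample password and the nonce size are assumptions for the example. Running it shows a stolen scheme-B row answering a fresh challenge with no cracking at all, while a stolen scheme-A row is not accepted as a credential.

```python
import hashlib
import hmac
import os

# --- Scheme A: salted, stretched hash; verify by recomputing. ---
# A leaked row yields only the hash, which must be cracked offline,
# one guess at a time, at PBKDF2 cost.
PBKDF2_ROUNDS = 200_000  # assumption for the example; tune for real hardware

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])

# --- Scheme B: challenge/response with the stored hash as the shared secret. ---
# Server stores H(password); client proves knowledge with HMAC(H(password), nonce).
# Whoever holds the database row can answer without ever learning the password.
def derive_secret(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def server_challenge() -> bytes:
    return os.urandom(16)

def client_response(shared_secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_secret, nonce, "sha256").digest()

def server_verify(stored_secret: bytes, nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(stored_secret, nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "correct horse battery"  # constructed sample password
    # Scheme A: real user, wrong guess, and an attacker replaying the leaked hash
    rec = make_record(password)
    a_ok = verify_password(rec, password)
    a_bad = verify_password(rec, "wrong")
    a_pth = verify_password(rec, rec["hash"].hex())
    # Scheme B: real user
    stored = derive_secret(password)
    nonce = server_challenge()
    b_ok = server_verify(stored, nonce, client_response(stored, nonce))
    # Scheme B: attacker holding only the leaked row, fresh challenge
    leaked_row = stored
    nonce2 = server_challenge()
    b_pth = server_verify(stored, nonce2, client_response(leaked_row, nonce2))
    return {
        "scheme_a_login": a_ok,
        "scheme_a_wrong": a_bad,
        "scheme_a_pass_the_hash": a_pth,
        "scheme_b_login": b_ok,
        "scheme_b_pass_the_hash": b_pth,
    }

if __name__ == "__main__":
    print(demo())
```

SSL on the wire does not change the scheme-B result: the protocol is sound against an eavesdropper, and the post's point stands that it is only sound while the database itself is secret.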
Not sure if it's been mentioned but rumour has it that the same group of people threatened Microsoft and as a result MS have unbanned all banned consoles.
http://www.legitreviews.com/news/10576/

I believe they have also all been banned again :). http://uk.kotaku.com/5796081/has-microsoft-un+banned-outlawed-xbox-360-consoles (In the updated section of the post).


Also as an update, the PlayStation Blog has a Q&A post: http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/
One I think answers some people's questions:

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
 
Hmm. Clearly the hackers got into PSN but how the **** did they download all 77 million users' worth of info? Must be terabytes worth of info?

It seems infeasible to me that they managed to get the whole database, it would be impossible unless they were downloading it for days and days.
 
Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognised technology security firm and local law enforcement to conduct a complete investigation. This criminal attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your statements.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “[email protected]” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first four digits and last four digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit uk.playstation.com/psnoutage and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognised technology security firm in order to find those responsible for this criminal act, no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

Don't know if you've seen this yet, apparently the credit card information was encrypted after all.

Playstation Blog
 
It's even worse than I could ever have imagined, not even encrypting the database! :eek:

Hmm. Clearly the hackers got into PSN but how the **** did they download all 77 million users' worth of info? Must be terabytes worth of info?

For a few text fields? Would have been less than 100GB probably.
 
It's even worse than I could ever have imagined, not even encrypting the database! :eek:

 
It isn't really that clear cut (although yes they screwed up); banks don't store hashed passwords, for example. When you log in to your bank by giving 3 characters of your password or whatever rather than the full thing, that only works because the bank's database doesn't store a hashed version of your password. If a hacker got to the bank's database, your passwords would be out with minimal cracking time, simple as that. They get away with it because their databases have major security around them.
Is this an uneducated guess or have you worked on internet banking security?

On all of my accounts I have security questions AND a password.

As for not hashing the answers to your security questions, imagine this. The user enters a password when signing up; the password is split into its individual characters, each hashed and saved into the database separately. Then as you enter them individually to authenticate, they are all rehashed and the hashed values compared. Simple.

You know you have to worry when you request your password from a system and they give it to you without having to reset it.

I'd be very shocked if the PSN passwords weren't hashed, but I've seen some shocking developers in charge of some serious information.
 
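The per-character scheme in the post above, implemented as an added example (not the poster's code, and not any bank's), with a constructed sample password and a 94-symbol printable alphabet assumed. Each position is salted and hashed separately, exactly as described, and `check_positions` does the partial-character login the scheme is meant to support. `recover` then plays the attacker who has the stolen rows: because each row commits to a single character, the salt only stops precomputation and the attacker needs at most 94 guesses per position, versus 94^n guesses against one salted hash of the whole password.

```python
import hashlib
import os
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols assumed

def enrol(password: str) -> list:
    """Store one salted SHA-256 per character, as the post describes."""
    rows = []
    for ch in password:
        salt = os.urandom(16)
        rows.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return rows

def check_positions(rows: list, positions: list, chars: list) -> bool:
    """Server side: verify only the character positions asked for at this login."""
    for pos, ch in zip(positions, chars):
        salt, digest = rows[pos]
        if hashlib.sha256(salt + ch.encode()).digest() != digest:
            return False
    return True

def recover(rows: list) -> tuple:
    """Attacker with the stolen rows: brute-force each position independently."""
    recovered = []
    guesses = 0
    for salt, digest in rows:
        for ch in ALPHABET:
            guesses += 1
            if hashlib.sha256(salt + ch.encode()).digest() == digest:
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # character outside the assumed alphabet
    return "".join(recovered), guesses

def demo() -> dict:
    pw = "Tr0ub4dor&3"  # constructed sample password, 11 characters
    rows = enrol(pw)
    login_ok = check_positions(rows, [0, 4, 9], ["T", "b", "&"])
    login_bad = check_positions(rows, [0, 4, 9], ["T", "b", "!"])
    cracked, guesses = recover(rows)
    return {
        "login_ok": login_ok,
        "login_bad": login_bad,
        "cracked": cracked,
        "guesses": guesses,
        "per_char_worst_case": len(ALPHABET) * len(pw),
        "whole_password_space": len(ALPHABET) ** len(pw),
    }

if __name__ == "__main__":
    print(demo())
```

The scheme does avoid storing the plaintext, which is what the post is after, but against a database leak it is only marginally better than plaintext: the work to recover every account is linear in password length, not exponential.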
Anyone else NOT receive an email from them? Not important I know, as I've already read enough to know what's going on, but still a little concerning that they never sent one out.
 