PSN down, account details stolen

[Mr. Analog]

"External Intrusion" blamed for PSN outage:
http://blog.us.playstation.com/2011/04/22/update-on-playstation-network-qriocity-services/

Update + theft detail:
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

[Thorin]

Update + theft detail:
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

Post 33 struck a chord with me:

when you say that our password data may have been accessed, I hope you mean that our hashed, non-reversible password data may have been accessed.. right? You didn’t have our passwords in plaintext on your servers, did you?

It's so easy to mess up security...

[Mr. Analog]

That's for sure...

[Mr. Analog]

77 million accounts stolen from PSN:

http://yro.slashdot.org/story/11/04/27/142238/77-Million-Accounts-Stolen-From-Playstation-Network

Apparently even the passwords were unencrypted...

http://cyberinsecure.com/sony-playstation-network-breached-77-million-users-private-data-stolen/

Sony: Being incompetent so you don't have to...

[Lazybones]

The article doesn't really indicate that they know the state of the passwords... Even hashed password leaks are bad now if they are md4 or sha1 and not salted.

[Mr. Analog]

Right in the first paragraph:

Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.

If the passwords were encrypted and "safe" Sony wouldn't have mentioned it.

Either way, if you have a credit card bound to your PSN account I'd cancel it.

[Thorin]

I dunno, once data gets taken, whether encrypted or not, you have to mention that it's been taken.  From the security articles I've read over the years, I've come to understand that if someone has stolen the data you have to assume they'll find a way to decrypt and access the data.

For instance, rainbow tables are useful to brute-force guess hashed passwords, and with the amazing computing speeds capable on desktops these days, you can actually create rainbow tables that include salt values.  Especially if you stole the salt value(s) while you were in there plunderin' the databases (yarr!)

Still, it's not _that_ far-fetched to think that Sony might have employed less-than-perfect programmers who don't know to salt and hash passwords...

[Mr. Analog]

I dunno brute forcing 77 million records would still take a significantly long time if they were properly hashed using a client generated salt.

Like I say, reading between the lines a bit I feel like if they weren't in clear text Sony would have worded their release differently. The affected details seem rather specific:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID.  It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.  If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility.  If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.

source: http://uk.playstation.com/psn/news/articles/detail/item369506/PSN-Qriocity-Service-Update/

Either way this is a big time "oopsie"...

Well, also it may be that they were using clear text passwords for a reason like this user was suggesting, not great but makes sense...

http://yro.slashdot.org/comments.pl?sid=2108370&cid=35953242

[Stewie521]

Apparently they managed to hack PSN through the PS3 itself

[Thorin]

Aaannnddd they've been summoned by US Congress:

http://latimesblogs.latimes.com/technology/2011/04/sony-playstation-hack.html

[Lazybones]

PlayStation Network Attack Now Has the Attention of U.S. Homeland Security
http://m.kotaku.com//5797288/playstation-network-attack-now-has-the-attention-of-us-homeland-security

[Melbosa]

Now SOE is taken down because of another Intrusion: http://ve3d.ign.com/articles/news/60080/SOE-Takes-Down-PC-MMO-Services-As-A-Result-Of-Intrusion

[Mr. Analog]

Now SOE is taken down because of another Intrusion: http://ve3d.ign.com/articles/news/60080/SOE-Takes-Down-PC-MMO-Services-As-A-Result-Of-Intrusion

Yup, my buddy in Japan hit this last night (early this morning).

He's bummed because he can't play any of his MMOs or any games that require PSN connectivity.

[Thorin]

Remember back when Sony put rootkits on computers of people who thought they were putting a music CD in their computer?  Remember a whole bunch of those people decided not to buy Sony anymore?  Well, if they're gamers they're not suffering this latest problem...

[Mr. Analog]

Aye there's the rub.

Pirated games and hacked consoles bypass PSN and PSO, so those gamers can keep playing on private networks.

Irony thy name is Sony

Another interesting aspect is that Sony may have put themselves in this position by angering they who tinker by removing key features from the PS3, well okay, that connection is tenuous at best, but I'll take a page from Earl Hickey on this one... (karma man! It's karma trying to get you)