Sony/Anonymous Nonsense & the PSN Outage ... also GeoHotz

DrakeClawfang

The Wanderer of Time
I'm grateful I never put funds on my PSN account using my bank card, all I ever used was a PSN card for 20$, and it's half-gone on Prologus and other Dissidia DLC. Go ahead, hack my account, you'll only get seven bucks and some change, suckers! Not like there's anything else in there for you to swipe.
 

Sprites

Waiting for something
AKA
Gems
I decided to cancel my card just to be on the safe side after all :monster: I should get my new one and pin by the end of next week :) I still have funds on my PSN account, I think I'll use them up first and then just not bother with it. I'm gonna have to go back onto my account to retrieve all my downloaded games anyway.
 

X-SOLDIER

Harbinger O Great Justice
AKA
X
http://blog.us.playstation.com/2011/04/28/qa-2-for-playstation-network-and-qriocity-services/

I love the second question. Nice to know people are concerned about the important issues.

Well, it IS their second Q&A. One figures that, since they covered the legal whatnots with the first one, that they would cover the gaming questions with the second one. You know, since it's largely a gaming service outage.

:awesomonster:


Related:

These services are coming back this week:

• Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems
-This includes titles requiring online verification and downloaded games
• Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
• Access to account management and password reset
• Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
• PlayStation®Home
• Friends List
• Chat Functionality

Kaz Hirai also gave a speech, and talked about what they're going to be offering to the users due to the downtime (30 free days of PS+). It's well worth the read, so I'll quote the section from the Joystiq article.

Sony "Executive Deputy President" Kaz Hirai has yet to take the stage, so there may be more details forthcoming, like the exact date of PSN reactivation. Follow along after the break for pseudo-liveblog coverage.

Sony guesses that hackers got into the network through an "application server," through which they were then able to get into the database servers and grab data.

Hirai estimates about 10 million PSN users with active credit cards tied to PSN. Security measures will include moving to a new physical data center, more firewalls, and a new "Chief Security Officer." And, of course, a PS3 firmware update. Passwords will only be changeable through the same PS3 that the account was started on, or through a verified email address. Hirai asks you to "be vigilant" and check your credit card statements. Good advice!

Sony will not contact you under any circumstances asking for your credit card number or other personal info. So if someone claiming to be Tom Sony asks for your credit card verification code, you're getting scammed!

Sony is "considering" covering the costs of credit card replacement for affected users. The company is instituting a "welcome back" program including free downloads of selected content, 30 days of free PlayStation Plus for new and existing users, and -- for Qriocity members -- 30 days of free services.

Hirai just called out Anonymous as having attacked Sony by releasing personal info about executives and family members. Sony will cooperate with law enforcement and other organizations to secure data and ensure safety. The fact that this note came right after the Anonymous thing suggests that they'll work with law enforcement to track those kids down too.

Nikkei just asked if all 10 million credit cards got out. Hirai said "we can't rule out the possibility" that credit card info was compromised, but Sony hasn't received any reports of illicit card info usage. Another exec on stage said that all Sony knew on April 20 was that there may have been an intrusion.

Hirai just reminded us that it's not really 78 million people whose info got stolen, because some of those 78 million accounts are duplicate accounts for the same person. He refrained from providing details of the investigation, because the case has just started. But he did say that "not to his knowledge" has Sony been working with law enforcement agencies out of the US, but they have brought "inquiries" to Sony.

The vulnerability in the web server was a vulnerability known about that particular type of server, one of the execs on stage said.

Hirai defended the long response time by saying that Sony took the PSN down as soon as something was shown to be wrong, but analysis took time. "Once we became aware of the situation, we moved promptly to warn customers."

A reporter asked what the purpose of the "intrusion" was. Hirai: "For the past month and a half, we've experienced attacks on various Sony systems. We have yet to identify a direct relationship with a group." Speculation about the objective: "We are not in a position to say one way or the other." That same reporter asked if passwords were encrypted. I believe (translation not being perfect) that Hirai said they were not.

If customers wish to cancel their services, Sony will cooperate in good faith.

Sony has to "keep the integrity" of its system to continue to encourage content creators to create products for PlayStation, Hirai says. Protection of customer information has always been part of the plan since the PS2 network. But now Sony has to "review" its system.

Another exec says Anonymous has attacked "repeatedly," but Sony doesn't know who is behind the recent attacks.

A reporter just asked why Sony Japan was slower to disclose the news than SCEA. Backhanded pat on the back, PlayStation Blog US. Hirai said SCEJ is looking into deploying a PS Blog for Japan.

Because the freebie content will be different by region, Sony was hesitant to put a price on it, but Hirai estimated "a few thousand yen" worth of free downloads. So like $20-25 or so?

In response to a question about install base, Hirai said 37 million PS3 systems are connected to PSN, and 16 million PSP units, but the total install base is larger. Sony isn't disclosing the userbase for Qriocity yet.

Why not hold a press conference on April 27, when the announcement was made? That's the question we all want answered ... according to Hirai, Sony wanted to have an estimate about resumption of services before holding a conference.

In response to concerns about future security, Hirai pledged that Sony will "do its best" to ensure secure data. If that helps.

"If there are, in the days ahead, damages suffered by customers, they will be dealt with on a case-to-case basis," Hirai says.

The evening's final question: what is Hirai's view about the relationship of this case to Anonymous? Hirai says there's "no certainty" of a connection. "It's not intended that they were implicated in any way" regarding this intrusion.




X :neo:
 

Tetsujin

he/they
AKA
Tets
Free month of PS+ would be great if it wasn't for the fact that you can't keep the good stuff once the 30 days are over. :P

Also, PS+ here is crap.

But at least we're getting something, which I didn't even expect.
 

ForceStealer

Double Growth
Well there's that stuff that is free with PS+, I guess you could gorge yourself on those before the month is up. Could wind up being worth it.
 

Alex Strife

Ex-SOLDIER
Now I'm going to ask a silly silly question. Since I do not use a credit card with my PSN, what can people do with the other information, such as my address, birth date, etc.? Is there anything important they can do to harm me, with that? Because, as far as I'm aware, if I change my password, which I'll do as soon as possible, there should be nothing they can do with that information? Or I'm wrong and I should actually be worried?
 
Now I'm going to ask a silly silly question. Since I do not use a credit card with my PSN, what can people do with the other information, such as my address, birth date, etc.? Is there anything important they can do to harm me, with that? Because, as far as I'm aware, if I change my password, which I'll do as soon as possible, there should be nothing they can do with that information? Or I'm wrong and I should actually be worried?

As long as your bank password isn't your birthday I think you're okay. :awesome:
 

Tetsujin

he/they
AKA
Tets
I guess the hacker(s) shouldn't feel too safe since even the world champion at hide and seek himself has been found. :awesome:
 

ForceStealer

Double Growth
Oh man, dropping a bunch of SEALs on top of the hackers (not killing them of course, just scaring the living shit out of them) would make my year.
 

Tetsujin

he/they
AKA
Tets
Create a second NA account?

Or a Japanese account since they seem to have all the best stuff?

I do have a second NA account actually. Guess I could see if there's anything worth getting from that store...:P

I do wish other stores would get content with equal quality though...=/
 

X-SOLDIER

Harbinger O Great Justice
AKA
X
Looks like there's a good amount of stuff going on today, so I'll drop as much as I can. I only found one thing worth quoting, and I've provided links to the rest.

Kotaku has an article about who Sony's hiring to catch the folks responsible.

To catch those responsible for the attacks on the PlayStation Network, which has brought the service down for over a week and exposed the private details of millions, Sony has hired not one but two teams of private investigators. And a third team of consultants, just for good measure.

The first team is from Data Forté, and according to Reuters it's led by "a former special agent with the U.S. Naval Criminal Investigative Service". The company specialises in the "preservation and collection of electronic evidence", and has experience with similar cases, having helped prosecute hackers responsible for data theft from a "major motion picture studio".

The second team is from Guidance Software, a data security firm. While specialising in the training of staff and the selling of corporate data protection software, Guidance has dispatched a number of "cyber-security detectives" from its ranks to help in the investigation.

The third company, Protiviti, is not involved in trying to catch those responsible. Instead, as a company specialising in things like audits, it is providing consultants to help Sony "clean up" the mess left by the attack and the fact the PSN has been down for over a week.

While restoring the functionality of the PSN and ensuring that its customers' personal details and credit card details are safe is of course Sony's top priority, it'll still be nice to see somebody caught at the end of all this. After all, as culpable as Sony was for its online defences, it is (and we all are by extension) still the victims of an invasive crime here.


Some Canadian broad is attempting to sue multiple branches of Sony for 1 billion dollars.
Someone released a custom firmware that brings back OtherOS, but you need to be running an old firmware to install it.
The House Subcommittee on Commerce, Manufacturing, and Trade just started their hearing (planned before the PSN Outage) to discuss the threat of data theft.
- It can be watched here for any interested.
Kotaku has an article speaking with Bruce Schneier about network security in general.


X :neo:
 

X-SOLDIER

Harbinger O Great Justice
AKA
X
Here's the big news

The cyber attack that knocked the Playstation Network and Sony Online Entertainment offline for more than a week was a "very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information," according to a letter from Sony to members of Congress obtained by Kotaku today from government sources.

While Sony declined to testify at today's congressional hearings on the threat of data theft to American consumers they did provide Congress with some answers to their pointed questions.

In an 8-page letter dated May 3, Kazuo Hirai, chairman of the board of directors for Sony Computer Entertainment of America, explains the lead up to the attack, how it was first detected and the deep impact it is having on the multi-national company. Sony also separately informed the subcommittee that they discovered that the intruders had planted a file on one of their Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."

On April 19, at 4:15 p.m. Pacific, members of the Sony Network Entertainment America network team detected unauthorized activity in the network system, according to the letter.

"The network service team immediately began to evaluate this activity by reviewing running logs and analyzing information in order to determine if there was a problem with the system," Hirai writes.

On April 20, in the early afternoon, the team discovered evidence that the unauthorized intrusion had occurred and that data of some kind had been taken from the Playstation Network servers. The team didn't know what the data was, so they shut the system down.

That shut down kicked off what Hirai calls an "exhaustive and highly sophisticated process of identifying the means of access and the nature and scope of the theft."

Later that afternoon, Sony Network Entertainment of America brought on a "recognized security and forensic consulting firm" to copy the servers and begin a deeper investigation into the break-in. As the investigation continued, Hirai writes, the scope and complexity grew.

On April 21, Sony brought in a second computer security and forensic consulting firm to help. By the evening of April 23, the experts confirmed that intruders had used "very sophisticated and aggressive techniques" to break into the network undetected.

On Easter Sunday, now realizing how serious the breach was, Sony brought on a third team that specialized in these sorts of intrusions. By April 25, the teams confirmed that personal data had been stolen from the network, but still could not determine whether credit card info was stolen.

On April 26 Sony notified users that personal information had been taken and that they could not rule out credit card theft.

Sony says they were reluctant to provide partial information to the public about the breach and what was stolen because they worried it could cause confusion among consumers and "lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence."

Sony still hasn't determined whether credit card information was stolen, but they did say that of the 77 million Playstation Network and Qriocity service accounts, about 12.3 million of them had credit card information on file. Of that, 5.6 million were from the U.S. and the rest abroad.

Hirai assured Congress in his letter that the company has figured out how the breach happened, something they declined to share because of the nature of the on-going investigation by the FBI. They haven't yet, Hirai said, identified who was behind the breach.

Hirai added that the company has taken a number of steps to try and prevent future breaches including adding automated software monitoring to their networks, enhanced levels of data protection and encryption, new firewalls, moving the data center to a different location and hiring a new Chief Information Security Officer.

The attack, the subsequent investigation and the fall out are described by Hirai as "unprecedented", "extraordinary circumstances and challenges" that employees of Sony Network Entertainment America and Sony Computer Entertainment America have "endured."

"They were faced with very difficult decisions and often-times conflicting concerns and objectives," he wrote. "Throughout this challenging period, they acted carefully and cautiously and strove to provide correct and accurate information while balancing concerns for our consumers' privacy and need for information."

Hirai wrapped up his 8-page letter with a request to the congressional committee:

"We ask the Committee to consider as well the connection between data security and the cybercrimes and cyber terrorism that threaten to make the Internet unsafe for consumers and commerce."

Looks like Anon's gonna have a pretty fucking rough time denying this one, even if they stated that they didn't claim responsibility. It's especially interesting, since there's a legitimate reason for some fairly tough security groups to go after them. Kaz's whole letter is uploaded to flickr for those interested.


X :neo:
 