Righteous Wrath Online Community

Title: PSN down, account details stolen
Post by: Mr. Analog on April 26, 2011, 02:50:50 PM
"External Intrusion" blamed for PSN outage:
http://blog.us.playstation.com/2011/04/22/update-on-playstation-network-qriocity-services/

Update + theft detail:
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
Title: Re: PSN down, account details stolen
Post by: Thorin on April 26, 2011, 03:06:13 PM
Quote from: Mr. Analog on April 26, 2011, 02:50:50 PM
Update + theft detail:
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

Post 33 struck a chord with me:

(http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/#comment-547936)
Quote
when you say that our password data may have been accessed, I hope you mean that our hashed, non-reversible password data may have been accessed.. right? You didn't have our passwords in plaintext on your servers, did you?

It's so easy to mess up security...
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on April 26, 2011, 03:53:07 PM
That's for sure...
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on April 27, 2011, 09:09:44 AM
77 million accounts stolen from PSN:

http://yro.slashdot.org/story/11/04/27/142238/77-Million-Accounts-Stolen-From-Playstation-Network

Apparently even the passwords were unencrypted...

http://cyberinsecure.com/sony-playstation-network-breached-77-million-users-private-data-stolen/

Sony: Being incompetent so you don't have to...
Title: Re: PSN down, account details stolen
Post by: Lazybones on April 27, 2011, 09:56:59 AM
The article doesn't really indicate that they know the state of the passwords... Even hashed password leaks are bad now if they are md4 or sha1 and not salted.
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on April 27, 2011, 10:03:35 AM
Right in the first paragraph:

Quote
Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an "external intrusion".

If the passwords were encrypted and "safe" Sony wouldn't have mentioned it.

Either way, if you have a credit card bound to your PSN account I'd cancel it.
Title: Re: PSN down, account details stolen
Post by: Thorin on April 27, 2011, 11:41:10 AM
I dunno, once data gets taken, whether encrypted or not, you have to mention that it's been taken.  From the security articles I've read over the years, I've come to understand that if someone has stolen the data you have to assume they'll find a way to decrypt and access the data.

For instance, rainbow tables are useful to brute-force guess hashed passwords, and with the amazing computing speeds capable on desktops these days, you can actually create rainbow tables that include salt values.  Especially if you stole the salt value(s) while you were in there plunderin' the databases (yarr!)

Still, it's not _that_ far-fetched to think that Sony might have employed less-than-perfect programmers who don't know to salt and hash passwords...
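
Added example (not part of any post in this thread): a small Python sketch of the salting point discussed above, contrasting an unsalted fast hash with a per-account salt and a slow KDF. The account names, passwords and the PBKDF2 iteration count are constructed or assumed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them share a password.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "tr0ub4dor")]
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example


def unsalted_sha1(password):
    """Legacy scheme: fast hash, no salt. Equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password):
    """Hardened scheme: fresh 16-byte random salt per account plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password, salt, stored):
    """Recompute with the account's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def exposed_by_table(digests, table):
    """Audit helper: accounts whose stored digest appears in a precomputed
    digest -> password table built without knowledge of any account."""
    return {user: table[d] for user, d in digests.items() if d in table}


def hash_work(accounts, guesses, salted):
    """Hash computations needed to test every guess against every account.
    Unsalted: one hash per guess covers the whole dump. Salted: the hash must
    be redone under each account's salt."""
    return accounts * guesses if salted else guesses


def demo():
    legacy = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS}
    # Table computed once from a constructed list of common passwords.
    table = {unsalted_sha1(pw): pw for pw in ("123456", "password", "hunter2")}
    hardened = {user: store_salted(pw) for user, pw in SAMPLE_USERS}
    return {
        "legacy_exposed": exposed_by_table(legacy, table),
        "legacy_shared_digest": legacy["alice"] == legacy["bob"],
        "salted_shared_digest": hardened["alice"][1] == hardened["bob"][1],
        "alice_login_ok": verify_salted("hunter2", *hardened["alice"]),
        "alice_wrong_pw": verify_salted("hunter3", *hardened["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("hashes, 1000 guesses vs 77M unsalted:", hash_work(77_000_000, 1000, False))
    print("hashes, 1000 guesses vs 77M salted:  ", hash_work(77_000_000, 1000, True))
```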
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on April 27, 2011, 12:10:16 PM
I dunno brute forcing 77 million records would still take a significantly long time if they were properly hashed using a client generated salt.

Like I say, reading between the lines a bit I feel like if they weren't in clear text Sony would have worded their release differently. The affected details seem rather specific:

Quote
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID.  It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.  If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility.  If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.

source: http://uk.playstation.com/psn/news/articles/detail/item369506/PSN-Qriocity-Service-Update/

Either way this is a big time "oopsie"...

Well, also it may be that they were using clear text passwords for a reason like this user was suggesting, not great but makes sense...

http://yro.slashdot.org/comments.pl?sid=2108370&cid=35953242
Title: Re: PSN down, account details stolen
Post by: Stewie521 on April 27, 2011, 06:33:30 PM
Apparently they managed to hack PSN through the PS3 itself
Title: Re: PSN down, account details stolen
Post by: Thorin on April 29, 2011, 07:33:07 PM
Aaannnddd they've been summoned by US Congress:

http://latimesblogs.latimes.com/technology/2011/04/sony-playstation-hack.html
Title: Re: PSN down, account details stolen
Post by: Lazybones on April 29, 2011, 08:38:59 PM
PlayStation Network Attack Now Has the Attention of U.S. Homeland Security
http://m.kotaku.com//5797288/playstation-network-attack-now-has-the-attention-of-us-homeland-security
Title: Re: PSN down, account details stolen
Post by: Melbosa on May 02, 2011, 01:44:57 PM
Now SOE is taken down because of another Intrusion: http://ve3d.ign.com/articles/news/60080/SOE-Takes-Down-PC-MMO-Services-As-A-Result-Of-Intrusion
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on May 02, 2011, 01:45:56 PM
Quote from: Melbosa on May 02, 2011, 01:44:57 PM
Now SOE is taken down because of another Intrusion: http://ve3d.ign.com/articles/news/60080/SOE-Takes-Down-PC-MMO-Services-As-A-Result-Of-Intrusion

Yup, my buddy in Japan hit this last night (early this morning).

He's bummed because he can't play any of his MMOs or any games that require PSN connectivity.
Title: Re: PSN down, account details stolen
Post by: Thorin on May 03, 2011, 11:14:42 AM
Remember back when Sony put rootkits on computers of people who thought they were putting a music CD in their computer?  Remember a whole bunch of those people decided not to buy Sony anymore?  Well, if they're gamers they're not suffering this latest problem...
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on May 03, 2011, 11:22:52 AM
Aye there's the rub.

Pirated games and hacked consoles bypass PSN and PSO, so those gamers can keep playing on private networks.

Irony thy name is Sony

Another interesting aspect is that Sony may have put themselves in this position by angering they who tinker by removing key features from the PS3, well okay, that connection is tenuous at best, but I'll take a page from Earl Hickey on this one... (karma man! It's karma trying to get you)
Title: Re: PSN down, account details stolen
Post by: Lazybones on May 05, 2011, 08:16:18 PM
Found my SOE breach notice in my Junkmail folder.... Even though most of my personal data would be very out of date on there, some of that stuff doesn't change and can be used to forge your identity to a degree.
Title: Re: PSN down, account details stolen
Post by: Lazybones on May 05, 2011, 08:21:39 PM
"It only does offline"
http://www.youtube.com/watch?v=sOKOEAOa8lc
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on May 06, 2011, 12:17:40 AM
Haha :D
Title: Re: PSN down, account details stolen
Post by: Melbosa on May 16, 2011, 04:52:25 PM
Well looks like we get some stuffs for free once it all works: http://blog.us.playstation.com/2011/05/16/details-for-playstation-network-and-qriocity-customer-appreciation-program-in-north-america/

Quote
Details for PlayStation Network and Qriocity Customer Appreciation Program in North America

Posted by Patrick Seybold // Sr. Director, Corporate Communications & Social Media

Now that some PlayStation Network and Qriocity services have been restored and you're once again enjoying online gaming and entertainment, we're happy to provide details about the "Welcome Back" appreciation program for customers in North America. We developed the program as an expression of our gratitude for your patience, support and continued loyalty during the service outage. From all of us at PlayStation, thank you and welcome back!

This package will be made available to all existing registered PlayStation Network and Qriocity users in North America (US and Canada), and will be made available shortly after we have fully restored the service. More specific details about these offers and eligibility requirements will be posted as the services go live.

All PlayStation Network customers can select two PS3 games from the following list. The games will be available for 30 days shortly after PlayStation Store is restored and can be kept forever.

    Dead Nation
    inFAMOUS
    LittleBigPlanet
    Super Stardust HD
    Wipeout HD + Fury

For PSP owners, you will be eligible to download two PSP games from the following list. The games will be available for 30 days shortly after PlayStation Store is restored and can be kept forever.

    LittleBigPlanet (PSP)
    ModNation Racers
    Pursuit Force
    Killzone Liberation

    A selection of "On Us" rental movie titles will be available to PlayStation Network customers over one weekend, where Video Service is available. Those titles will be announced soon.
    30 days free PlayStation Plus membership for non PlayStation Plus subscribers.
    Existing PlayStation Plus subscribers will receive an additional 60 days of free subscription.
    Existing Music Unlimited Premium Trial subscription members will receive an additional 30 days of free premium subscription.
    Additional 30 days + time lost for existing members of Music Unlimited Premium/Basic subscription free of charge for existing Premium/Basic members.
    To welcome users Home, PlayStation Home will be offering 100 free virtual items. Additional free content will be released soon, including the next addition to the Home Mansion personal space, and Ooblag's Alien Casino, an exclusive game.

We'd like to thank all of our publishing and development partners who've contributed to the Welcome Back program, including Bigbig Studios, Codeglue, Digital Leisure, Guerilla Games, Heavy Water, Housemarque, Lockwood, Loot, Mass Media, Media Molecule, SCE Cambridge Studios, SCE Studio Liverpool, SCE San Diego Studios, and Sucker Punch Productions. We couldn't have created such a compelling package without them!

As a reminder, you will be able to access the above content shortly after services are fully restored. We are doing everything we can to make that happen as soon as possible. Please visit the following sites for more information about the Welcome Back program in Europe and Latin America.

Thank you again for your support!
Title: Re: PSN down, account details stolen
Post by: Lazybones on May 16, 2011, 04:54:57 PM
Well those in Japan apparently have to wait until Sony proves to the Government that they have fixed the problem.
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on May 16, 2011, 08:07:50 PM
Quote from: Lazybones on May 16, 2011, 04:54:57 PM
Well those in Japan apparently have to wait until Sony proves to the Government that they have fixed the problem.

I saw that today and I think it should give PSN users a moment for pause...
Title: Re: PSN down, account details stolen
Post by: Melbosa on May 18, 2011, 10:46:17 AM
LOL down again: http://www.zdnet.com/blog/gadgetreviews/playstation-network-sign-in-is-down-again-due-to-new-security-loophole/24844

Quote
After restarting the PlayStation Network around the world this past weekend and promising tougher security for customers' data, the PSN Sign-in is once again offline as Sony is working to patch a new security hole.

According to Nyleveia.com, the new loophole can reset passwords using just the user's date of birth and email address - information that was stolen in the first attack. This means even if the user has logged in after the restart to create a new login, that login may already be useless due to this new vulnerability.

Nyleveia's unnamed source demoed this breach to the staff to prove that it is a real threat, and Eurogamer has also seen video evidence that corroborates with Nyleveia's claims. Nyleveia has also passed what it discovered to Sony Computer Entertainment Europe. Since then, a number of sites have become inaccessible for login including:


  • PlayStation.com
  • PlayStation forums
  • all PlayStation game titles
  • PlayStation Blog
  • Qriocity.com
  • Music Unlimited via the web client
  • site where users are directed to to reset their passwords

In a brief statement confirming that the PSN has been taken offline, Sony said, "Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take."

Sony also reiterated that only the login site is down and not the entire PSN in a tweet, "Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."

That said, "[users] will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information," according to Sony.

Is there anything a PSN customer can do to better protect their own data? Nyleveia is recommending that all users create a dedicated email account to link only to their PSN account so if any personal information is ever stolen, it would only affect their ability to log into the PSN. You can refer to the FAQ for further details
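
Added example, not from the quoted article or from Sony: a simplified Python model of the reset weakness the article describes (email plus date of birth accepted as proof of identity) next to a reset that depends on a random, expiring, single-use token mailed to the account. The `ResetService` class, its field names, the sample account and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the example


class ResetService:
    def __init__(self, accounts, now=time.time):
        # accounts: email -> {"dob": ..., "password_record": opaque salted hash}
        self.accounts = accounts
        self.pending = {}   # email -> (sha256 of token, expiry time)
        self.outbox = []    # stands in for mail delivery: (email, token)
        self.now = now

    def reset_with_profile_facts(self, email, dob, new_record):
        """Weak flow: anyone who knows email + date of birth can reset.
        Both values were part of the data taken in the first breach."""
        account = self.accounts.get(email)
        if account and account["dob"] == dob:
            account["password_record"] = new_record
            return True
        return False

    def request_reset(self, email):
        """Hardened flow, step 1: mail a random token; store only its hash."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).digest()
            self.pending[email] = (digest, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Caller shows the same message whether or not the account exists.

    def complete_reset(self, email, token, new_record):
        """Hardened flow, step 2: token must match, be unexpired and unused."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[email]
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # single use
        self.accounts[email]["password_record"] = new_record
        return True


def constructed_accounts():
    # Constructed sample record, not real data.
    return {"user@example.com": {"dob": "1980-01-01", "password_record": "old"}}


if __name__ == "__main__":
    svc = ResetService(constructed_accounts())
    print("profile-fact reset accepted:",
          svc.reset_with_profile_facts("user@example.com", "1980-01-01", "x"))
    svc.request_reset("user@example.com")
    print("guessed token accepted:",
          svc.complete_reset("user@example.com", "guess", "y"))
```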
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on May 18, 2011, 10:53:06 AM
I think everyone should have followed the Japanese Government's stance.

Enjoy the freebies you can't access! LOL
Title: Re: PSN down, account details stolen
Post by: Melbosa on May 31, 2011, 08:01:32 AM
Looks like all back by end of the week: http://blog.us.playstation.com/2011/05/30/full-psn-services-including-playstation-store-return-this-week/

Quote
SONY AND SONY COMPUTER ENTERTAINMENT ANNOUNCE FULL RESTORATION OF PLAYSTATION NETWORK SERVICES

Tokyo, May 31, 2011 - Sony Corporation and Sony Computer Entertainment (SCE) announced today that Sony Network Entertainment International (SNEI, the company) will fully restore all PlayStation Network services in the Americas, Europe/PAL territories and Asia, excluding Japan, Hong Kong, and South Korea by the end of this week. The company will also resume Music Unlimited powered by Qriocity for PlayStation 3 (PS3), PSP (PlayStation Portable), VAIO and other PCs. Details for Japan, Hong Kong, and South Korea as well as the remaining services on Qriocity will be announced as they become available.

The company implemented considerable security enhancements to the network infrastructure, as well as conducted testing of the payment process and commerce functions. The first phase of PlayStation Network and Qriocity restoration began on May 15 in the Americas and Europe/PAL territories, followed by Japan and Asian countries and regions on May 28, when the company brought partial services back online. With this partial restoration users were able to access to some of the services such as online game play, account management, friend lists and chat functionality were restored. The full restoration of PlayStation Network as well as part of services to become available on Qriocity will include:

  • Full functionality on PlayStation Store
  • In-game commerce
  • Ability to redeem vouchers and codes
  • Full functionality on Music Unlimited powered by Qriocity for PS3, PSP, VAIO and other PCs
  • Full functionality on Media Go

Customers will be able to purchase and download games and video content from the PlayStation Store on PS3 or PSP. In addition, consumers will have full access to Music Unlimited powered by Qriocity through PS3, PSP, VAIO and other PC's. Service restoration of Video on Demand powered by Qriocity and Music Unlimited powered by Qriocity for a variety of network-enabled Sony devices will be announced later.

"We have been conducting additional testing and further security verification of our commerce functions in order to bring the PlayStation Network completely back online so that our fans can again enjoy the first class entertainment experience they have come to love," said Kazuo Hirai, Executive Deputy President, Sony Corporation. "We appreciate the patience and support shown during this time."

The company will be offering customers a "Welcome Back" package of services and premium content to all registered PlayStation Network* and Qriocity account services. The details of this program will continue to be detailed regionally.

* Only available for those countries with access to PlayStation Store.
Title: Re: PSN down, account details stolen
Post by: Mags on June 01, 2011, 07:48:13 PM
Of the games we can get, what 2 would you guys suggest? (except Little Big Planet, got that already)
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on June 01, 2011, 09:59:04 PM
Quote from: Mags on June 01, 2011, 07:48:13 PM
Of the games we can get, what 2 would you guys suggest? (except Little Big Planet, got that already)

Let's see the options are:
So, out of the given options, I'd say inFamous. And not just because it's endorsed by "Yahtzee"...
Title: Re: PSN down, account details stolen
Post by: Darren Dirt on June 02, 2011, 09:37:36 AM
Quote from: Mr. Analog on June 01, 2011, 09:59:04 PM
  • inFamous: Big sandbox game, apparently very much fun, but nearly identical to Prototype

http://en.wikipedia.org/wiki/Infamous_(video_game)
http://en.wikipedia.org/wiki/Prototype_(video_game)

interesting.
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on June 02, 2011, 10:16:14 AM
Quote from: Darren Dirt on June 02, 2011, 09:37:36 AM
Quote from: Mr. Analog on June 01, 2011, 09:59:04 PM
  • inFamous: Big sandbox game, apparently very much fun, but nearly identical to Prototype

http://en.wikipedia.org/wiki/Infamous_(video_game)
http://en.wikipedia.org/wiki/Prototype_(video_game)

interesting.


If you follow "Zero Punctuation" at all you'll know the hilarity that surrounded the review tie-breaker (or rather non-tie-breaker LOL)
Title: Re: PSN down, account details stolen
Post by: Melbosa on June 02, 2011, 03:06:51 PM
I own both Prototype and inFamous, and I say inFamous is twice the game, and story of Prototype.

I'm going with Wipeout and Ratchet, as I own the other three.

Dead Nation while ok, really isn't all that great. And yes the controls can be very frustrating.
Title: Re: PSN down, account details stolen
Post by: Darren Dirt on June 03, 2011, 01:11:09 AM
a new hack/leak?

http://www.telegraph.co.uk/technology/news/8553979/Sony-hack-private-details-of-million-people-posted-online.html

Quote
By Andy Bloxham

7:51AM BST 03 Jun 2011

Sony hack: private details of million people posted online
Hackers have attacked Sony and stolen the private details of more than a million people in the latest security breach to hit the electronics giant.


The names, birth dates, addresses, emails, phone numbers and passwords of people who had entered contests promoted by Sony were all published on the internet.

LulzSec, a hacker group, said it had infiltrated the firm's systems to prove how vulnerable they were to "simple attacks".

The group has previously launched hacking attacks on the US broadcasters PBS television and Fox.com.

In a message on Twitter, the group said: "1,000,000+ unencrypted users, unencrypted admin accounts, government and military passwords saved in plaintext. #PSN compromised. @Sony."
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on June 03, 2011, 06:37:16 AM
While I certainly have no love for Sony, exposing users' private information is not the best way to fight them. If anything it will lead to more retarded lawmaking.
Title: Re: PSN down, account details stolen
Post by: Darren Dirt on June 03, 2011, 08:04:36 AM
Quote from: Mr. Analog on June 03, 2011, 06:37:16 AM
While I certainly have no love for Sony, exposing users' private information is not the best way to fight them. If anything it will lead to more retarded lawmaking.

blackhat disinfo agent-run black ops maybe?
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on June 03, 2011, 10:09:13 AM
Quote from: Darren Dirt on June 03, 2011, 08:04:36 AM
Quote from: Mr. Analog on June 03, 2011, 06:37:16 AM
While I certainly have no love for Sony, exposing users' private information is not the best way to fight them. If anything it will lead to more retarded lawmaking.

blackhat disinfo agent-run black ops maybe?


The tin foil is strong with this one LOL
Title: Re: PSN down, account details stolen
Post by: Thorin on June 03, 2011, 12:20:26 PM
More likely it means that some developers will get paid way too much to write code that will still have vulnerabilities:

http://www.telegraph.co.uk/news/newstopics/onthefrontline/8546921/Cyber-weapons-now-integral-part-of-Britains-armoury.html

Bring on the ICE!  <-- Only makes sense if you've played Shadowrun...
Title: Re: PSN down, account details stolen
Post by: Mr. Analog on June 03, 2011, 12:26:31 PM
I don't know about all these cyber-warrior programs, I mean all you have to do is shoot them with gold (at least, that's how it used to work on Dr. Who)
Title: Re: PSN down, account details stolen
Post by: Darren Dirt on July 02, 2011, 11:11:32 AM
have you guys checked http://Shouldichangemypassword.com ?

http://blogs.forbes.com/parmyolson/2011/06/30/entrepreneur-answers-hackers-with-1-3m-e-mail-vault/
Quote
Grzelak doesn't track how many visitors get bad news, and to prevent the data being misused, he only compiles one-way hashes of emails containing no personally-identifiable data.

LulzSec's 50-day leaking spree marked a turning point for hackers as they increasingly sought to make a point instead of money: instead of selling their stolen user data for thousands of dollars on underground carding forums like the now defunct DarkMarket, or through shady e-merchants, they posted them online in a bid to attract media attention and embarrass their targets.

This meant people's data was, for once, relatively easy to find. LulzSec would sometimes post their stolen data as text on web tool Pastebin, or upload it as a torrent on file-sharing sites like The Pirate Bay. For Grzelak, it was just a matter of collecting it all in one place.