My brother, an avid PSN user, reports getting a strange phone call regarding his bank / credit card. He said it was an obvious phishing attempt; he says the email account linked to his PSN account has been bombarded with new phishing attempts and scams.
Not related to Anonymous, although they did bring up that they were being attacked by them for the past few months (repeatedly stated it was limited to DDoS).
This intrusion was very skillful and passed their firewall and other security measures because it looked like a normal transaction. It then made a tunnel and had a command attached as a trigger, at which point it was able to be manipulated remotely.
The attack used a known vulnerability. However, this vulnerability was not known to the management (really hope I understood that part correctly since it's a biggie). Since then, security measures have been improved against that mechanism of attack.
Because it was an advanced attack and left "no traces", they didn't learn of it until the 19th/20th of April. They still aren't aware of the scope of the data compromised, but say that CC info was a low possibility, since it was stored in a different part of the database and not likely read.
It took them until the 27th of April to confirm that data was compromised. They had been working with 3 different analysis entities starting from the 20th.
Information from up to 78 million accounts was taken, but some were likely duplicate/backup accounts. They were later asked about sales data and said that 37 million PS3s and 16 million PSPs had connected to PSN (install base of 50/69mil). There were 10 million credit cards connected to PSN at some point.
From what I understood, it seems that Sony will be doing more testing/inspection of its security measures to prevent future incidents like this. At the time though, SNEI believed their security to be good enough.
Compromised Information
Hirai said that no improper CC usage has been reported and they have no evidence of CC info being compromised. They said that Sony will pay for CC reissuing and assist with monitoring/insurance programs for customers. If there are any improper charges, they will be handled on a case-by-case basis.
CC info was encrypted and stored in a different part of the database from user personal information. Because of this, user information and CC information are being categorized separately.
User passwords were not encrypted, but were hashed.
They are still analyzing data from the attack, so they weren't saying a whole lot about what had been taken.
Investigation
Entities from outside of Japan have contacted Sony and requested that they cooperate with their investigation process. FBI HQ seems to be the most involved currently. A list of questions from the US House of Representatives has been received.
Didn't give any more information, just said that investigations had been started globally.
They weren't aware of the extent of the attack until the 27th of April, the conference was delayed because there was much more that they wanted to work out (in terms of compensation and other considerations).
Resumption of Services and Compensation
PSN compensation and CC-type compensation are being considered separately. Sony says they will cover credit card reissuing fees and will assist with credit monitoring/insurance programs.
Again saying that PSN will be online "within a week." Going to be incrementally bringing services back online. Different regions may see services at different times.
All PSN users will get one free month of PSN+ (current PSN+ subscribers will also get 30 free days), Qriocity subscribers will get a free month, and there will be some titles available for free download. This will differ based on region, and their plans are not finalized as of yet.
All services to be back online within a month.
As far as cost to Sony, they weren't sure and it'd vary by region, but $15-$20 for PSN+ and a few thousand yen for the titles.
Immediate Actions Being Taken
Moving the data center from San Diego to a more secure location and adding new detection measures, firewalls, and encryption to make data more secure. Creating a new job position to monitor security. These things have already been done to an extent, but they wouldn't comment specifically out of security considerations.
Sony is going to have a way for users to look at purchase history online (I think before PSN is actually up) to check for any abnormalities.
Sony will allow users to leave PSN. They are looking into ways to refund any balances on PSN or PSN+ fees if those exist for the user. There was one conflicting answer about this, but I'm pretty sure they're working on a system to allow users to leave and erase their info if they desire.
Firmware will need to be updated as soon as PSN is back up, and users will need to change their password. Passwords can only be changed on the PS3 system on which the account was created or via a verified email address. That seemed like a super important point, but it was only mentioned once. However, that means people don't have to worry about a mad dash to change their password before a hacker does. As far as users changing a password from "A" to "B" and then back to "A," they'll alert users if they're doing something like that, or if it's close to their username or something.
Apparently the updates in Japan were even slower than the ones in the US/EU, so in Japan they're probably going to set up a blog similar to the NA/EU.
Tablet/NGP launch dates will not be affected.
They'll possibly be taking measures against the root key thing, although this part wasn't clear and there was a lot of rambling.
Want to re-earn user trust as well as developer trust on the PSN ecosystem.
They actually apologized for the incident!!
Edit: Concerning the datacenter being moved, "[Sony] also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months." (from the us playstation blog post)
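The password rules summarized above (changes checked against recent passwords so "A" to "B" and back to "A" is caught, rejection of passwords close to the username, and storage as salted hashes rather than encrypted values) can be demonstrated with a small validator. This is an added illustration written for this thread, not Sony's code; the account name, passwords, PBKDF2 round count and the 0.8 similarity threshold are constructed assumptions.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Constructed parameters (assumptions, not PSN's real values).
PBKDF2_ROUNDS = 100_000   # work factor for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5         # how many previous passwords are refused on reuse
SIMILARITY_LIMIT = 0.8    # difflib ratio above which a password is "close to" the username


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt is drawn per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate's digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def too_similar(password, username):
    """True when the username is contained in, or nearly equal to, the password."""
    p, u = password.lower(), username.lower()
    return u in p or SequenceMatcher(None, p, u).ratio() >= SIMILARITY_LIMIT


class Account:
    def __init__(self, username, password):
        self.username = username
        self.history = [hash_password(password)]  # (salt, digest) tuples, newest last

    def change_password(self, current, new):
        """Return 'ok' or the reason the change was refused (the caller alerts the user)."""
        salt, digest = self.history[-1]
        if not verify_password(current, salt, digest):
            return "wrong current password"
        if too_similar(new, self.username):
            return "too similar to username"
        # Refuse reuse of any recent password; this catches the A -> B -> A pattern.
        for old_salt, old_digest in self.history[-HISTORY_DEPTH:]:
            if verify_password(new, old_salt, old_digest):
                return "password was used recently"
        self.history.append(hash_password(new))
        return "ok"
```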
I hate to be that guy... but does anyone else feel like this is the kind of thing a company should expect when they sue someone for tweaking hardware that they legally purchased? I mean... if you're going to piss off the hacker community, you should really make sure you have your shit on lockdown. Not that I agree with what is being done.
You buy a car, and you trim the hell out of it, making it go way faster than it was manufactured for. Do you go on a rampage when you get caught for it?
Except that geohot wasn't doing anything illegal. Better analogy, you buy a car and replace the engine with a more efficient one that gets you better gas mileage and faster acceleration. Toyota then sues you for modifying your car and telling other people how they could do the same. How is that in any way right?
Well... that's really the question here. Obviously Sony WANTS it to be illegal.... but at the same time, there really isn't any legal precedent for them to stand on. I mean, just logically speaking, why should it be illegal to modify something that you bought and legally own?
Right... but if you're modding without bypassing or affecting the copy protection then that wouldn't apply. For instance, restoring the ability to install another OS doesn't do anything to the copy protection.
Dunno if you guys have seen this but Sony are pointing the finger at anon.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."
Well, I'm not saying anon did or didn't do it (though they claim the anon ops channel or w/e was not involved), but anyone can plant a file misdirecting attention etc.
Regardless of whether it was an act of propriety for Sony to sue Geohot or not, they, as a company, were exercising their right to protect their product and name. I don't blame them for taking action.
I am, however, utterly furious with Sony right now. This situation has been handled in a rather sloppy manner, and the sheer fact that so much personal information has been compromised is mind blowing. People will be talking about this for decades to come.
I'm not bright enough to follow the hacker trail, but I can tell you this is a disaster of epic proportions for Sony and its PR machine.
I'm in the process of rebuilding my home theater. Right now, I have to strike Sony from the list of potential technology vendors. If I can't trust them with my personal info, how am I going to trust them on other aspects of their customer service and quality? I'm sure there are a few other guys that feel the same way. I guarantee this bad PR will have a far-reaching negative effect; like Toyota last year with the safety issues, Sony is going to suffer the same kind of losses across all of their core businesses. It won't just be isolated to gaming consoles.
Comments
Ve beleef in nussing, Lebowski!
Coincidental? Perhaps not?
It's an interesting read.
These were the major points that I caught, let me know if I missed any or misinterpreted them. X-posted from r/ps3, hopefully no one minds. A lot of this seems to be summed up in the latest blog post as well: http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/
Sauce
See also Page 2, Point 4, Paragraph 4 of the letter to the U.S. House of Representatives.
FTFY