*ren* PSN Down, Customer Info Compromised

If you know anything about network security and IT management, all this stuff is encrypted and even Sony doesn't know what the question and password is. They don't want to know; all they can do when you forget a password, or they think it might have been compromised, is reset your password to some randomly generated thing sent to your email. Which will be the likely course of action: when PSN comes up, everybody will start getting emails to change their password because it has been reset.

That's pretty interesting because they warned people that their passwords were stolen and recommended people start changing their passwords elsewhere. They also said security questions and answers may have been stolen. According to Sony that info is not safe.
 
If you know anything about network security and IT management, all this stuff is encrypted and even Sony doesn't know what the question and password is. They don't want to know; all they can do when you forget a password, or they think it might have been compromised, is reset your password to some randomly generated thing sent to your email. Which will be the likely course of action: when PSN comes up, everybody will start getting emails to change their password because it has been reset.

Somewhat true, but not quite...

Most enterprise systems store user accounts and passwords in either an LDAP type server (Active Directory (MS), Open Directory (Mac), OpenLDAP, Oracle DSEE, et al.) or an RDBMS system (Oracle, IBM DB2, MySQL, Postgres, et al.). There are probably a few cases of bespoke systems -- which also leads to the argument that an RDBMS implementation is essentially a bespoke implementation of an authN/authZ system.

Anyway, a standard method of storing user passwords would be to use a one-way hash algorithm. Most LDAP systems, for example, use a SHA variant. RDBMS systems generally encrypt fields with a two-way encryption, but can also store hashed values in a field.

Depending on how Sony implemented their identity system for authN, generally speaking, once you get the password file, you can run dictionary attacks on it to figure out the cleartext version of the hashed values. This is a brute force method that works because you don't need to go through the front-end systems which log and may indicate an attack to the service provider.

For symmetrically encrypted data, if you have access to their database files, you may also have access to their code. Once you have access to their code, you can get the symmetric key by examining the code (even in compiled format).

As for challenge questions and answers, you generally need to store that in a manner you can present to the end-user. That means typically you store it plain-text, or even if you encrypt it, it's usually a symmetric encryption so that you can retrieve it. Even if it isn't, and it's hashed, again... a brute force attack on challenge answers would be very simple, because they are mostly based on real words... I typically treat even my challenge questions as passwords and use mixed numbers, letters, cases, and symbols -- with long lengths. I also never use the same questions/answers on any sites, and make up answers for questions. I'm paranoid, but I work in identity management these days.

Simply put... if your security is based mostly upon the concept of securing your servers from unauthorized login access, when you lose that security, you've lost the whole house.
 
Encrypted info is not safe if they have it. All encryption does is make it more difficult to access it. Also Sony does not know if you used the same password elsewhere, so it's better to be safe than sorry. Also not all info is encrypted. I kinda doubt they encrypted things like PSN account name, name attached, location and contact info, as that's stuff they want to be easy to pull up. Encryption of that type of data is deemed unnecessary beyond a minor hashing etc., as it would slow down their customer service reps if any heavy encryption was done there.

Yes, brute force any encryption and it is usually one way. But dictionary attacks on 75-80 million accounts are going to take quite a while, assuming any non-basic encryption was used. In short nothing is safe, so it's best to assume it all is compromised, but it doesn't mean it's feasible to get at either.
 
Well, shit. I don't even own a PS3 currently, and my PSN account has been unused for some time. Should have had the better sense of removing information from the account long ago.

My chances of buying a NGP just went down to zero.
 
I'm thinking of deleting my PSN account altogether and using it as an offline box until I decide the time is right to part ways. Uncharted 3 is definitely a game I want to play.
 
If we assume for a second that cc info has not been compromised - should i care about some person knowing my birthdate, address and legal name, psn passwords??

Further, does anybody know if Sony passwords are a letter+number combo (also how many symbols are needed)? Trying to figure out if my iTunes password is the same - I know that one is 6 letters only but I don't remember what my PSN password is.
 
If we assume for a second that cc info has not been compromised - should i care about some person knowing my birthdate, address and legal name, psn passwords??

I'm a bit concerned with someone using social engineering to use that information to obtain even more information, but on its own I'm not too worried about that stuff specifically. I'm more worried about the challenge question, actually, since I'm not sure what I used for that.
 
mrcorbo said:
I'm a bit concerned with someone using social engineering to use that information to obtain even more information, but on its own I'm not too worried about that stuff specifically. I'm more worried about the challenge question, actually, since I'm not sure what I used for that.

I mean after all - my name, address, etc. is all public anyway; you could obtain this through a phonebook. Hell, in Norway you can even obtain my last year's income figures (crazy).

The challenge question I agree. I'm gonna change my Steam and iTunes questions tomorrow. I don't care about forum passwords etc.
 
Somewhat true, but not quite...

Most enterprise systems store user accounts and passwords in either an LDAP type server (Active Directory (MS), Open Directory (Mac), OpenLDAP, Oracle DSEE, et al.) or an RDBMS system (Oracle, IBM DB2, MySQL, Postgres, et al.). There are probably a few cases of bespoke systems -- which also leads to the argument that an RDBMS implementation is essentially a bespoke implementation of an authN/authZ system.

Anyway, a standard method of storing user passwords would be to use a one-way hash algorithm. Most LDAP systems, for example, use a SHA variant. RDBMS systems generally encrypt fields with a two-way encryption, but can also store hashed values in a field.

Depending on how Sony implemented their identity system for authN, generally speaking, once you get the password file, you can run dictionary attacks on it to figure out the cleartext version of the hashed values. This is a brute force method that works because you don't need to go through the front-end systems which log and may indicate an attack to the service provider.
You should store the hashed password with a random salt value. That prevents dictionary attacks with a rainbow table.

random .... oh my god.:devilish:
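An added example, not code from the thread, illustrating the two posts above: the identity-management post's point that a leaked file of bare hashes can be attacked offline with a precomputed dictionary, and the reply's point that a random per-record salt defeats such precomputed tables. The word list, user records and the `pbkdf2_sha256$rounds$salt$hash` record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a precomputed dictionary (not real data).
COMMON_WORDS = ["password", "letmein", "uncharted", "playstation"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one bare SHA-1 per password, identical for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(words):
    """Lookup table hash -> word; computed once, reusable against any unsalted store."""
    return {unsalted_sha1(w): w for w in words}


def table_recovers(stored_value: str, table):
    """Return the recovered word if the stored value is in the table, else None."""
    return table.get(stored_value)


def store_salted(password: str, salt: bytes = None, rounds: int = 100_000) -> str:
    """Store 'pbkdf2_sha256$rounds$salt$hash' with a fresh random 16-byte salt per record.

    The salt is not secret; it is kept next to the hash so the record can be verified later.
    A precomputed table would have to be rebuilt per salt, i.e. per record, which defeats it.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precomputed_table(COMMON_WORDS)
    # Unsalted store: one table lookup recovers the password of every user who chose it.
    print(table_recovers(unsalted_sha1("letmein"), table))
    # Salted store: same password, two different records, and the table finds nothing.
    a, b = store_salted("letmein"), store_salted("letmein")
    print(a != b, table_recovers(a, table))
    print(verify_salted("letmein", a), verify_salted("wrong", a))
```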
 
Damn, did Sony do anything right in this situation? :oops:

Seen on arstechnica:

"PlayStation: It only gives away all your information."

**** YOU SONY.

You should have given this information on day 1. Not a week after the fact. WORST CUSTOMER SERVICE EVER.


Oh well, gonna call the tech guys at the bank tomorrow and see if I need to change the credit card that was used or not. They say that the security code was not compromised; however, if they aren't sure whether or not they obtained our credit card information, how the hell do they know if they got the security code or not? (They probably are 100% sure, they just don't want to make things even worse.)

Let's do a CLASS ACTION LAWSUIT!!!
Millions of PSN users vs Sony

I am reading all of this and noticing how no one seems to mention any of the threats by hacker/pirate groups days and weeks earlier. It's like these forum posters are making it seem like Sony intentionally did this and not someone else.

I wonder if someone steals your wallet, how long does it take you to notice its gone or that some stuff in there is missing?
 
I am reading all of this and noticing how no one seems to mention any of the threats by hacker/pirate groups days and weeks earlier. It's like these forum posters are making it seem like Sony intentionally did this and not someone else.

I wonder if someone steals your wallet, how long does it take you to notice its gone or that some stuff in there is missing?
It depends. If after stealing my wallet they lock my pants in the closet where I can't get at them for a week it makes it hard to notice. :???:

And any hacker who had any part in this deserves everything bad they get, this is the evil/bad kind of hacking that even I disapprove of.
 
I am reading all of this and noticing how no one seems to mention any of the threats by hacker/pirate groups days and weeks earlier. It's like these forum posters are making it seem like Sony intentionally did this and not someone else.

I wonder if someone steals your wallet, how long does it take you to notice its gone or that some stuff in there is missing?

No, I don't think Sony intentionally did anything. I just think they absolutely messed up their handling of this situation. If they had some suspicion my information was compromised last week, I should have known last week.

Also, the people who steal information like this are pieces of shit that deserve to be in prison. Doesn't excuse the fact that Sony let their customers down.
 
In this digital age, when you're dealing with 50-75 million user accounts with personal and financial information, it's their job to protect the data. As consumers, there is a certain amount of accountability we expect out of the companies that control our information. Much like bkilian talked about Amazon, there are many different ways legitimate companies protect their consumers' information. This is going to go down as most likely the biggest breach of personal information in the digital age we've had so far.

I accept a certain amount of responsibility every time I purchase something digitally. Waiting a full week to inform us of this data breach is inexcusable. Period.
 
Thanks Sony. Now I'm going through and changing all my passwords since stupid me assumed PSN would be secure and I could use the same common password I use on other trusted sites.

I wonder how many people will be canned over this. Sony should also get a nice fat fine for setting a new standard in poor communication and security.
 
Thanks Sony. Now I'm going through and changing all my passwords since stupid me assumed PSN would be secure and I could use the same common password I use on other trusted sites.

Now, not to take any blame away, but if any user is using the same password info on all sites they use, I blame this solely on the user.
 