Yeah, I'm not sure what release candidate would mean in this context.
*ren* PSN Down, Customer Info Compromised
- Thread starter Cheezdoodles
- Start date
Yeah, I'm not sure what release candidate would mean in this context.
PSN will be back this week I think. PSS by the end of the month. Nothing new here, that's what they said in press release (PSN was delayed since then).
PSN by way of online gaming, maybe. Looks like it'll possibly be June when I get a chance to play Under Siege. By which time DnD
aggerdale will be on the cards too. Might miss one altogether because of this.
aggerdale will be on the cards too. Might miss one altogether because of this.
Well, I'm pretty skeptical to be honest. I think the SOE breach rattled them, so I wouldn't be surprised if it did include online gaming and/or the store. Ouch, if true, as they'd get very close to E3 with the restoration. If they're still down during E3 that's going to hurt, but being back up just before also means its still fresh on everyone's mind during the E3 presentation. If we didn't all know better right now, it would be pretty awesome though if they did some kind of ruse with this and give PSN all sorts of new features when it gets back up, but as I was saying, we definitely do all know better at this point. Sony isn't at the forefront of technology here at the moment, and it will be a while before they've caught up. It is more likely that if they did have plans to, say, announce full Steam support for all multi-platform titles that also release on Steam at E3, such announcements would in fact be postponed considerably.
That'd be the best outcome for Sony, to release PSN as a next-gen upgrade and give something valuable as a result of all this. Say, for example, cross-game chat, saying they took this opportunity to roll out features they were intending for later, they could get some positive PR as a result. Be we all know that's not going to happen.
All SSL certificates became a little suspect after Comodo was compromised. After they held or do hold many of the master keys for the X.509 public key infrastructure on the internet.
It looks like Sony may have been the victim of a number of failures by security teams on the internet, not withstanding their own, that created a perfect storm, both virtual and physical, that has resulted in the mess we have now.
I think that the rc stands for Release Candidate as well. It was just the RC for that branch of Apache, possibly compiled in house.
It looks like Sony may have been the victim of a number of failures by security teams on the internet, not withstanding their own, that created a perfect storm, both virtual and physical, that has resulted in the mess we have now.
I think that the rc stands for Release Candidate as well. It was just the RC for that branch of Apache, possibly compiled in house.
If you have the ability to run arbitrary code on the front end, you have two opportunities to steal credit card numbers via compromise of SSL:
1) Decrypt the incoming stream from users and grab any CC numbers if you can identify them
2) Set up a proxy to decrypt the outgoing traffic and steal CC numbers as they're being sent to the bank auth servers for validation.
Obviously #2 is going to yield the most fruit. It also has the advantage of being easier to do both in technical terms (setting up an outbound proxy is easy) and in terms of finding valid CC numbers (you can whitelist hosts based on where CC auths are commonly done and the pattern of the request is going to be fairly easy to determine).
This is all of course assuming the CC numbers are sent in a way that's sniffable assuming you decrypt the outgoing SSL.
Apparently there were articles describing how onboarding / signups of new PSN accounts via. PS3 resulted in CC data being secured via. HTTPS on transmit to the PSN servers.
So, if someone were to have captured the traffic streams with access to the SSL certificate keystore, then any PSN subscription setups with CC data would be captured. Presumably, one would need a long duration of capture to collect enough CC numbers, and they would presumably be new PSN accounts being associated with a CC or CC renewals/updates.
This may have been the original article:
http://www.geek.com/articles/games/...nsmits-credit-card-info-unencrypted-20110217/
I've seen an update of the Dutch Playstation twitter account (PlaystationNL) clarifying that indeed the 31st of May is the date that all services will be restored, but that the phased restoration of services stands, and that online play and Home will come back first, though no date for this is known at this time.
Isn't that true of any SSL connection though? I mean, if someone has the certificate for my online bank, they can get my details, or any online transaction such as with ShopTo or Play or Amazon (if you haven't left a card). Why is Sony in a worse place here than anyone else?
So they weren't using HTTPS to send data? I can't remember if this statement from an unknown hacker was verified or disproven.
deathindustrial
Regular
That article is just taking snippets from the original IRC chat log. The person in question was sniffing their own local PS3 traffic and Sony were definitely using HTTPS (at least for anything related to customer information, credit card data, authentication, etc.).
Here's the original IRC log:
http://www.thehackernews.com/2011/04/complete-irc-chat-of-playstation.html
Cheers
The ssl session usually terminates in the application, not in os or in ip stack. But due to security reasons it's pretty common to terminate the ssl in the loadbalancer so that idp/ids (this might be a part of pci/dss) can check the traffic before it hits the server (or the idp/ids can be a part of the webserver ex. mod_security for apache or similar). So i don't think they (the hackers) decrypted ssl.
deathindustrial
Regular
Which hackers are you referring to? The ones in the IRC logs were messing with their own PS3 and local network, nothing to do with the server side network(s).
They are in a worse place because others with a mind for security would at the very least encrypt the payload (using at least message security) in addition to transport security. In the Microsoft WCF .NET realm this is as simple as a configuration change to your endpoint bindings in the app.config or web.config. That is the minimal security configuration we do at the financial institution I work for.
deathindustrial
Regular
That sounds like you are talking about the server side internal network. If I buy something from:
https://www.microsoftstore.com/store/
The order form uses standard form variables:
<input name="cardNumber" value="" autocomplete="off" maxlength="38" id="ccNum" type="text"/>
You hit submit and you will be sending:
cardNumber=4111111111111111
in "plain text" though of course, over an encrypted SSL connection. No message level security there and that is essentially identical functionality wise to what was shown in those IRC logs. It is also what ever single e-commerce store on the planet is doing.
The PS3 = web browser in this scenario.
Cheers
Hey!!! Deathindustrial you're now "The Internet PSN Security Expert" !!
http://www.joystiq.com/2011/05/09/report-sonys-psn-servers-were-up-to-date/
http://www.joystiq.com/2011/05/09/report-sonys-psn-servers-were-up-to-date/
Hey!!! Deathindustrial you're now "The Internet PSN Security Expert" !!
http://www.joystiq.com/2011/05/09/report-sonys-psn-servers-were-up-to-date/
Yeah, the story I posted on Bitmob really exploded across the internet. I thought it was gonna get buried over Mother's Day but it was the number 1 story all day Sunday on N4G and showed up on a ton of big sites. Even got linked on Penny Arcade. On bitmob alone the story has already been seen over 37,000 times. I can't account for all the times it's been cut and pasted on to various forums or slightly rewritten without attribution on shady blogs.
Similar threads
