*ren* PSN Down, Customer Info Compromised

What happens when the PSN goes back up and they encourage everyone to go in and change their password? At this point, that data has already been obtained through the hack. What's to prevent them from going in and changing the information before you have a chance to?
 
I betcha MS are laughing their socks off (whilst checking that their own security is up to the task no doubt).

I seriously doubt MS are laughing about this at all... in fact, I am fairly certain they have an internal auditing department or someone else raising all sorts of flags, asking for documentation on existing systems, starting up audit processes to review code and practices, etc...

When something like this happens to a peer, it generally results in all the other peers scrambling to sort out their vulnerability and try to fix any issues found.
 
What happens when the PSN goes back up and they encourage everyone to go in and change their password? At this point, that data has already been obtained through the hack. What's to prevent them from going in and changing the information before you have a chance to?

Therein lies the primary challenge to identity management: identity vetting.
 
Sure, the RROD situation is more-or-less in the past (although I'm not 100% certain that even current-generation Xbox 360 units yet are up to par w/ the other two consoles in terms of reliability and failure rates)...

Slim seems good. Not sure what this has to do with the topic at hand, exactly, other than random speculation.

If there's anything that you can fault Sony for in this situation, it's that they took a few days to investigate the security breach, and some speculate that they may have unnecessarily delayed for a few days before informing the public that their data might have been compromised. Only Sony knows whether this is true or not. Either way, I don't find it to be that big of a deal, and in the past couple of days, Sony seems to have been relatively forthcoming and frequent in communicating details to their customers and addressing some of the bigger questions that people have.

Let me explain it this way. They shut down PSN six days before their statement, correct? So at some time before shutting down PSN and the release of their statement, they had a suspicion that the hacker was after personal data. If that suspicion arose early in the six days, they should have said something right away. If that suspicion arose late in the six days, why the fuck did it take them that long to even consider the person(s) may have been after customer data?! Either way, they failed miserably, but I'm guessing they had a suspicion early and wrongly felt that it would be better to wait and see the actual damage before releasing a statement.
 
I seriously doubt MS are laughing about this at all... in fact, I am fairly certain they have an internal auditing department or someone else raising all sorts of flags, asking for documentation on existing systems, starting up audit processes to review code and practices, etc...

When something like this happens to a peer, it generally results in all the other peers scrambling to sort out their vulnerability and try to fix any issues found.

I hope this is one of those situations where competitors come together and share information. If Sony can help others by giving them details of the attack and how it worked, it's a good thing for all of us.
 
What happens when the PSN goes back up and they encourage everyone to go in and change their password? At this point, that data has already been obtained through the hack. What's to prevent them from going in and changing the information before you have a chance to?

Activation e-mails?
 
Slim seems good. Not sure what this has to do with the topic at hand, exactly, other than random speculation.

Like I said before, it wasn't me who brought up the issue of failure rates or other company failures. And even if it is a slight tangent, it's at least slightly related to what I and Carl B were discussing. You guys really need to read up a little bit and realize that there's a discussion going on.

Activation e-mails?

Exactly. Seemed pretty obvious to me. All the emails associated with each PSN are authentic and preserved in their original state, so activation email--a unique link to change your password via email--would be the answer.
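
The "unique link to change your password via email" mechanism described above, as an added example that is not part of the original thread and not Sony's own code: a single-use, expiring reset token whose plaintext goes only into the e-mailed link while the server keeps just its hash. The in-memory store, the 15-minute lifetime and the `reset_link` URL shape are assumptions for illustration; a real deployment would back this with a database.

```python
# Added example for this thread: password-reset tokens delivered by e-mail.
# Assumptions: in-memory store, 15-minute token lifetime (both illustrative).
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes


class ResetTokenStore:
    """Issue and verify password-reset tokens.

    Only a SHA-256 digest of each token is stored, so a copy of this store
    (as in a database dump) does not by itself let anyone reset a password.
    A token is consumed on first use, and issuing a new one for an account
    revokes any earlier one, so at most one live link exists per account.
    """

    def __init__(self, now=time.time):
        self._now = now               # injectable clock, for testing expiry
        self._by_hash = {}            # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id: str) -> str:
        # Revoke any earlier token for this account before issuing a new one.
        for h, (acct, _) in list(self._by_hash.items()):
            if acct == account_id:
                del self._by_hash[h]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = (account_id, self._now() + TOKEN_TTL_SECONDS)
        return token  # returned to be placed in the e-mail; never logged or stored in clear

    def redeem(self, token: str):
        """Return the account id if the token is valid, otherwise None.

        The token is removed on first presentation whether or not it has
        expired, so a guessed or leaked token cannot be retried.
        """
        entry = self._by_hash.pop(self._digest(token), None)
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return account_id


def reset_link(base_url: str, token: str) -> str:
    """Build the link that goes into the activation e-mail (URL shape assumed)."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("account-123")
    print(reset_link("https://example.invalid", t))
    print(store.redeem(t))   # account-123
    print(store.redeem(t))   # None: single use
```

Note what this does and does not prove: redeeming the link shows control of the mailbox the link was sent to, nothing more, which is exactly the gap raised later in the thread about whether the address on file is still under the original user's control.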
 
You say that they've moved on, and that they've improved their hardware QA and support for the consumer, moving past the RROD situation. That's fantastic, of course... but who's to say that Sony won't move on from its current situation, and accordingly improve their network infrastructure? All the official statements from Sony about the matter seem to indicate that they are making massive efforts toward enhancing and restructuring the infrastructure and security systems of PSN for posterity. You seem to be implying that Sony is incapable of moving on, improving themselves, and learning from their mistakes.

Well, I would certainly be very impressed if they can make wholesale architectural changes to an existing system with such large dependencies in a short time window (of a few weeks).

Their PR seems to indicate datacenter moves, software architectural changes, etc..

Most changes of this magnitude, when done on a non-emergency basis, take months to prepare -- or even more than a year for some -- and usually weeks to implement.

Now, I have no idea what the scope of those changes are... it could simply be a move of a couple servers from one DC to another... or it could be dozens of servers. What's the software? The OS, database, some bespoke software, etc... I would assume some upgrades are required. Bespoke software updated/modified. Usually this requires some form of testing, first to validate that the vulnerability is eliminated, second to ensure you don't have a regression that causes more bad PR.

If they can do all this in a week or two... color me super impressed. Our organization's (and many others') disaster recovery teams could learn from them. I hope they'll publish an after-action report on this.
 
Activation e-mails?

Not sufficient, in my opinion... someone above just posted an incident they noted with their own personal email account having been the source of a SPAM attack.

How do you ensure those email addresses Sony has are in fact under the correct ownership of the original user?

Sadly, one of the best identity vetting methods may be to go through financial institutions... If you are indeed "Mr Hobbit" of "Shire, Eridore", then a credit authorization check on your credit card with those bits of information should authenticate you as who you are... assuming that information wasn't altered or compromised -- which seems to be a somewhat safer assumption than assuming your email account is secure.
 
Not sufficient, in my opinion... someone above just posted an incident they noted with their own personal email account having been the source of a SPAM attack.

How do you ensure those email addresses Sony has are in fact under the correct ownership of the original user?

Sadly, one of the best identity vetting methods may be to go through financial institutions... If you are indeed "Mr Hobbit" of "Shire, Eridore", then a credit authorization check on your credit card with those bits of information should authenticate you as who you are... assuming that information wasn't altered or compromised -- which seems to be a somewhat safer assumption than assuming your email account is secure.

Spam that uses your email is nothing special; it borders on "oh, again". An old email address is bound to get picked up by spammers. SPF/DKIM is the way to go for anti-spam.

The "no news" from Sony and the information shutdown is bad, very bad. But some of it must be related to them having piss-poor security staff (or whatever it's called) coupled with wild panic at CEO level (chickens without heads). Seems to me that they discovered something was wrong, found that it was majorly screwed, and flipped the off switch. They searched some more and just couldn't get a grip on the situation, called in the "experts", who started from scratch and confirmed that it's fucked up. And the CEOs had no choice but to give up "the truth" instead of a watered-down "only 1% was stolen".

And as has been huffed and puffed by hackers for "weeks", PSN was in a poor state, but no one from Sony seems to have reacted or passed that info on. Don't they have a few people hired just to keep track of the underground, or even the middle ground? How do they have any idea of what is going on outside their buildings?
 
Like I said before, it wasn't me who brought up the issue of failure rates or other company failures. And even if it is a slight tangent, it's at least slightly related to what I and Carl B were discussing. You guys really need to read up a little bit and realize that there's a discussion going on.

Yeah, you guys. Read up on it.
 
Spam that uses your email is nothing special; it borders on "oh, again". An old email address is bound to get picked up by spammers. SPF/DKIM is the way to go for anti-spam.

No, in this case:

So I just checked my e-mail this morning and I see someone I know responded to an e-mail that I apparently sent out. I checked my sent box and it shows that I sent spam mail out to everyone in my contacts list. :???:

Does this sound like it could be related, or is it possible I have a virus on one of my computers?

Sounds to me like someone got into his email account (dkskribbles, I hope you didn't use the same password on PSN as your email)... why else would he have a trace of that spam message in the "sent mail" container?

This is different from someone modifying an SMTP mailer header to change the Reply-To and From fields to use someone else's email address.
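
The distinction drawn in this post, and the SPF/DKIM point raised just before it, as an added example that is not part of the original thread: a receiving-side check that reads the `Authentication-Results` header (RFC 8601) stamped by the inbound mail server and compares the `From` domain with the `Return-Path` domain. A message that passes SPF and DKIM with aligned domains was relayed through the sending domain's own infrastructure, which, together with a copy in the account's Sent folder, points at a compromised account; a failing or misaligned message is a forged header. The two sample messages and the host name `mx.example.net` are constructed for the example, not captured mail.

```python
# Added example for this thread: forged From header vs. mail relayed through
# the account's own provider. Sample messages below are constructed, not real.
import email
import re
from email.message import Message
from email.utils import parseaddr

_AUTH_METHODS = ("spf", "dkim", "dmarc")


def _auth_results(msg: Message) -> dict:
    """Parse the receiving MTA's Authentication-Results header(s) into
    {'spf': 'pass', 'dkim': 'none', ...}; methods not reported read 'none'."""
    results = {m: "none" for m in _AUTH_METHODS}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def _domain(header_value) -> str:
    """Domain part of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw_message: str) -> str:
    """Return 'authenticated', 'spoofed' or 'unverified' for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    auth = _auth_results(msg)
    from_domain = _domain(msg.get("From"))
    bounce_domain = _domain(msg.get("Return-Path"))
    aligned = bool(from_domain) and from_domain == bounce_domain

    if auth["spf"] == "pass" and auth["dkim"] == "pass" and aligned:
        # Relayed by the From domain's own servers with a valid signature:
        # the sending account (or its provider) really sent it.
        return "authenticated"
    if auth["spf"] == "fail" or auth["dkim"] == "fail" or not aligned:
        # Header borrowed the address; the account itself need not be involved.
        return "spoofed"
    return "unverified"


# Constructed sample: envelope sender and SPF point at a different domain,
# only the visible From/Reply-To carry the victim's address.
SPOOFED_MESSAGE = """\
Return-Path: <bulk@attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker.example; dkim=none
From: "victim" <victim@mail.example>
Reply-To: <bulk@attacker.example>
To: friend@example.org
Subject: you have to see this

Constructed spam body.
"""

# Constructed sample: sent through mail.example's own servers with a valid
# DKIM signature, as happens when someone logs into the account and sends.
AUTHENTICATED_MESSAGE = """\
Return-Path: <victim@mail.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.example; dkim=pass header.d=mail.example
From: "victim" <victim@mail.example>
To: friend@example.org
Subject: you have to see this

Constructed spam body.
"""

if __name__ == "__main__":
    print(classify(SPOOFED_MESSAGE))        # spoofed
    print(classify(AUTHENTICATED_MESSAGE))  # authenticated
```

The check trusts the `Authentication-Results` header only because it was added by your own inbound server; a sender can forge that header too, so a real deployment strips any copy arriving from outside before stamping its own. SPF and DKIM say which domain relayed the message, not who typed it; the Sent-folder copy is what separates "the account was used" from "the address was borrowed".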
 
Like I said before, it wasn't me who brought up the issue of failure rates or other company failures. And even if it is a slight tangent, it's at least slightly related to what I and Carl B were discussing. You guys really need to read up a little bit and realize that there's a discussion going on.

It was definitely you who brought up other company failures. Twice consecutively, in fact, before anyone else had mentioned it.
 
I got mine last night. I know you're not going to like this answer, but it takes time to send all these emails. Trying to mass-send 77 million emails will bring any email/Exchange server to its knees. Even if each branch of PSN is only sending a tenth of those, it will take a while.
 
I wonder if the way Sony has been handling the situation is going to come back to haunt them. I can't imagine consumer rights organisations being too pleased with it. You can't fault Sony for not being able to create a 100% secure system, but you can fault them for the way they've been treating their customers.
 
I think they put something on the blog Q&A that they are aiming to have them all sent by the 29th, but that they're hoping that the media has spread the message far and wide long before then.

I don't give a **** about their blog. They should contact their customers directly, not assume that people follow their blog. They haven't exactly been keen on spreading this to the media either.
 
They should contact their customers directly, not assume that people follow their blog. They haven't exactly been keen on spreading this to the media either.

Here's the full quote:

Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit uk.playstation.com/psnoutage and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

I think we do have to be fair that pretty much all news organisations have 'spread the message' and also that sending that amount of emails takes time.
 