That's pretty interesting because they warned people that their passwords were stolen and recommending people start changing their passwords elsewhere. They also said security questions and answers may have been stolen. According to Sony that info is not safe.
*ren* PSN Down, Customer Info Compromised
- Thread starter Cheezdoodles
- Start date
That's pretty interesting because they warned people that their passwords were stolen and recommending people start changing their passwords elsewhere. They also said security questions and answers may have been stolen. According to Sony that info is not safe.
Somewhat true, but not quite...
Most enterprise systems store user accounts and passwords in either an LDAP type server (Active Directory (MS), Open Directory (Mac), OpenLDAP, Oracle DSEE, et al) or an RDBMS system (Oracle, IBM DB2, MySQL, Postgres, et al). There are probably a few cases of bespoke systems -- which also leads to the argument that an RDBMS implementation is essentially a bespoke implementation of an authN/authZ system).
Anyway, a standard method of storing user passwords would be to use a one-way hash algorithm. Most LDAP systems, for example use a SHA variant. RDBMS systems generally encrypt fields with a two-way encryption, but can also store hashed values in a field.
Depending on how Sony implemented their identity system for authN, generally speaking, once you get the password file, you can run dictionary attacks on it to figure out the cleartext version of the hashed values. This is a brute force method that works because you don't need to go through the front-end systems which log and may indicate an attack to the service provider.
For symmetrically encrypted data, if you have access to their database files, you may also have access to their code. Once you have access to their code, you can get the symmetric key by examining the code (even in compiled format).
As for challenge questions and answers, you generally need to store that in a manner you can present the end-user. That means typically you store it plain-text, or even if you encrypt it, it's usually a symmetric encryption so that you can retrieve it. Even if it isn't, and it's hashed, again... a brute force attack on challenge answers would be very simply, because they are mostly based on real words... I typically treat even my challenge questions as passwords and use mixed numbers, letters, cases, and symbols -- with long lengths. I also never use the same questions/answers on any sites, and make up answers for questions. I'm paranoid, but I work in identity management these days.
Simply put... if your security is based mostly upon the concept of securing your servers from unauthorized login access, when you lose that security, you've lost the whole house.
Encrypted info is not safe if they have it. All encyption does is make it more difficult to access it. Also Sony does not know if you used the same password elsewhere so it's better to be safe then sorry. Also not all info is encrypted. I kinda doubt they encrypted things like PSN account name, name attached, location and contact ifno as that's stuff they want to be easy to pull up. Encryption to that type of data is deemed unessary beyond a minor hashing etc as it would slow down their customer service reps if any heavy encryption was done there.
Yes brute force any encyrption and it is usually one way. But dictionary attacks on 75-80 million accounts are going to takequite a while assuming any non-basic encyption used. In short nothing is safe so it's best to assume it all is comprimised but it doesn't mean it's feasable to get at either.
Yes brute force any encyrption and it is usually one way. But dictionary attacks on 75-80 million accounts are going to takequite a while assuming any non-basic encyption used. In short nothing is safe so it's best to assume it all is comprimised but it doesn't mean it's feasable to get at either.
Last edited by a moderator:
codedivine
Regular
Well, shit. I don't even own a PS3 currently, and my PSN account has been unused for some time. Should have had the better sense of removing information from the account long ago.
My chances of buying a NGP just went down to zero.
My chances of buying a NGP just went down to zero.
If we assume for a second that cc info has not been compromised - should i care about some person knowing my birthdate, address and legal name, psn passwords??
Further, does anybody know If sony passwords are letter+number combo ( also how many symbols are needed) trying to figure out if my itunes password is the same - i know that one is 6 letters only but i dont remember what my psn password is
Further, does anybody know If sony passwords are letter+number combo ( also how many symbols are needed) trying to figure out if my itunes password is the same - i know that one is 6 letters only but i dont remember what my psn password is
Last edited by a moderator:
I'm a bit concerned with someone using social engineering to use that information to obtain even more information, but on its own I'm not too worried about that stuff specifically. I'm more worried about the challenge question, actually, since I'm not sure what I used for that.
mrcorbo said:
I mean after all - my name, address, etc is all public anyway you could obtain this through a phonebook. Hell in norway you can even obtain my last years income figures ( crazy).
The challenge question i agree. Im gonna change my steam and itunes questions tomorrow. I dont care about forum passwords etc
You should store the hashed password with a random salt value. That prevents dictionary attacks with a rainbow table.
random .... oh my god.
You should store the hashed password with a random salt value. That prevents dictionary attacks with a rainbow table.
random .... oh my god.
Yes! SSHA (Seeded SHA) is generally better... but, of course... even that isn't fool-proof:
http://sourceforge.net/projects/ssha-attack/
Last edited by a moderator:
Damn, did Sony do anything right in this situation?
I am reading all of this and noticing how noone seems to mention any of the threats by hacker/pirate groups days and weeks earlier. Its like these forum posters are making it seem like Sony intentionally did this and not someone else.
I wonder if someone steals your wallet, how long does it take you to notice its gone or that some stuff in there is missing?
I wouldn't in this situation, I think it'd be best to err on the safer side.
Yup, definitely. I'm changing my birthday right away.
Btw the actions of these hacker/pirate groups are reaching unprecedented levels just head here:
http://blumenthal.senate.gov/press/release/index.cfm?id=82698973-255D-4B92-9E18-39E5937C9361
Something tells me that there is going to be an ip trace to whoever did this, of course I'm sure those loyalist hacker/pirates have their cyanide pills in their gums.
http://blumenthal.senate.gov/press/release/index.cfm?id=82698973-255D-4B92-9E18-39E5937C9361
Something tells me that there is going to be an ip trace to whoever did this, of course I'm sure those loyalist hacker/pirates have their cyanide pills in their gums.
It depends. If after stealing my wallet they lock my pants in the closet where I can't get at them for a week it makes it hard to notice.
And any hacker who had any part in this deserves everything bad they get, this is the evil/bad kind of hacking that even I disapprove of.
No, I don't think Sony intentionally did anything. I just think they absolutely messed up their handling of this situation. If they had some suspicion my information was compromised last week, I should have known last week.
Also, the people who steal information like this are pieces of shit that deserve to be in prison. Doesn't excuse the fact that Sony let their customers down.
In this digital age, when you're dealing with 50-75 million user accounts with personal and financial information, it's their job to protect the data. As consumers, there is a certain amount of accountability we expect out of the companies that control our information. Much like bkilian talked about Amazon, there are many different ways legitimate companies protect their consumers information. This is going to go down as most likely the biggest breach of personal information in the digital age we've had so far.
I accept a certain amount if responsibility every time I purchase something digitally. Waiting a full week to inform us of this data breach is inexcusable. Period.
I accept a certain amount if responsibility every time I purchase something digitally. Waiting a full week to inform us of this data breach is inexcusable. Period.
Thanks Sony. Now I'm going through and changing all my passwords since stupid me assumed PSN would be secure and I could use the same common password I use on other trusted sites.
I wonder how many people will be canned over this. Sony should also get a nice fat fine for setting a new standard in poor communication and security.
I wonder how many people will be canned over this. Sony should also get a nice fat fine for setting a new standard in poor communication and security.
Now, not to take any blame away, but if any user is using the same password info on all sites they use, I blame this solely on the user.
Similar threads
