*ren* PSN Down, Customer Info Compromised

Once again, just because they were compromised doesn't mean their security was poor. That will come out later, if true.

However, there should be a fine or something for their slow response in admitting data might be compromised. If there was any question at all whether it was, they should have released a statement to the effect of: PSN was hacked. Account data may have been compromised. We have shut down PSN to prevent further intrusion and are investigating what, if any, data has been compromised.
 
Nowhere in their statement does it say all data is compromised. They aren't sure if CCs were compromised or not. What they do know at the moment is that at least some data was compromised, and that once anything is compromised it's better to work on the premise that all of it has been.
 
This is the data that was compromised:

Name
Shipping address
Billing address
Country
E-mail address
Birthdate
PSN/Qriocity ID
PSN/Qriocity password
PSN/Qriocity security question and answer
Purchase history

That gives access to all data registered to a PSN user. If they can access my account with username and password, they have access to all our information.
 
Now, not to take any blame away, but if any user is using the same password on all the sites they use, I blame that solely on the user.

I'm not a fan of a password per site. I use a common account for all my e-commerce accounts, a different one for banking, a different one for social sites (forums, etc.), another for signing up for various things on the internet, one for business use and another for personal. Until today, I've found that to work well for me.

Props to those who do the memory exercise of remembering a different password for each site.
 
Not if the CC isn't stored in plain text; I haven't run across an online shopping site that doesn't encrypt the credit cards as xxxxxxxx1511 when asking if you want to use it. Also, just because that data has been considered compromised doesn't mean they have it in that form. They could have dumped encrypted data. Which means, assuming they weren't really stupid as to have one master key versus encrypting every user's data separately, and depending on the level of encryption, it could take them anywhere from a few seconds to an inordinately long time to get a single user's data out of the encryption.

Also, even if they had your username and password in straight readable form, it doesn't mean everyone was compromised. Say they log in and do a text dump of the data in the profile so they could get around encryption. They can't dump 77 million very quickly or they risk getting shut down before they even start. So how much they have would depend on how long they have been in the system.

There is simply not enough known about the situation to make a judgement on the security, one way or another, at this point by anyone but the people at Sony and the forensics firm, and even they might not know the full extent of it yet.
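The rate argument in the post above (a logged-in attacker cannot walk 77 million profiles quickly without being noticed) is the kind of thing a detection engineer turns into a rule. The following is an added example, not part of the original thread and not based on PSN's actual systems: a small Go program that flags sessions reading more than a threshold of distinct profiles inside a sliding time window. The log format, session ids, paths and thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed access log (not real data): timestamp,
// session id, method, path. s1 browses normally, s2 walks profile ids
// in sequence, s3 keeps refreshing one page.
const sampleLog = `2011-04-19T02:00:01Z s1 GET /profile/1000341
2011-04-19T02:00:09Z s1 GET /profile/1000342
2011-04-19T02:00:10Z s2 GET /profile/2000001
2011-04-19T02:00:10Z s2 GET /profile/2000002
2011-04-19T02:00:11Z s2 GET /profile/2000003
2011-04-19T02:00:11Z s2 GET /profile/2000004
2011-04-19T02:00:12Z s2 GET /profile/2000005
2011-04-19T02:00:12Z s2 GET /profile/2000006
2011-04-19T02:00:13Z s2 GET /profile/2000007
2011-04-19T02:00:20Z s3 GET /profile/3000009
2011-04-19T02:00:21Z s3 GET /profile/3000009
2011-04-19T02:00:22Z s3 GET /profile/3000009
2011-04-19T02:00:23Z s3 GET /profile/3000009
2011-04-19T02:00:24Z s3 GET /profile/3000009
2011-04-19T02:00:25Z s3 GET /profile/3000009
2011-04-19T02:00:26Z s3 GET /profile/3000009
2011-04-19T02:00:45Z s1 GET /profile/1000341
2011-04-19T02:00:47Z s1 GET /store/checkout`

type read struct {
	at      time.Time
	profile string
}

// parseLog groups profile reads by session; non-profile requests are ignored.
func parseLog(log string) (map[string][]read, error) {
	bySession := map[string][]read{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[3], "/profile/") {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		bySession[f[1]] = append(bySession[f[1]], read{at, f[3]})
	}
	return bySession, nil
}

// FlagBulkReaders returns, sorted, the sessions that read more than
// maxDistinct different profiles inside any sliding window of the given
// length. Counting distinct profiles rather than raw requests keeps a user
// hammering refresh (s3) from tripping the rule.
func FlagBulkReaders(log string, window time.Duration, maxDistinct int) ([]string, error) {
	bySession, err := parseLog(log)
	if err != nil {
		return nil, err
	}
	var flagged []string
	for sess, reads := range bySession {
		sort.Slice(reads, func(i, j int) bool { return reads[i].at.Before(reads[j].at) })
	outer:
		for i := range reads {
			seen := map[string]bool{}
			for j := i; j < len(reads) && reads[j].at.Sub(reads[i].at) <= window; j++ {
				seen[reads[j].profile] = true
				if len(seen) > maxDistinct {
					flagged = append(flagged, sess)
					break outer
				}
			}
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

func main() {
	flagged, err := FlagBulkReaders(sampleLog, 10*time.Second, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("sessions reading profiles in bulk:", flagged) // [s2]
}
```

In production the window and threshold would be tuned against real traffic, and the action on a hit would be to throttle or terminate the session, not just print it; the point is that an enumeration pattern is distinguishable from ordinary browsing by shape alone, which is what makes a slow, long-lived intrusion the more dangerous one.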
 
http://arstechnica.com/gaming/news/2011/04/sonys-black-eye-is-a-pr-problem-not-a-legal-one.ars

A good article talking about all this...

My favorite quote:

While researching this story, I called my bank and asked if they had heard anything about the breach. "No, but I have a PlayStation 3 at home and I know Sony was going to make an announcement today or tomorrow—what's going on?" the man on the phone said. I explained who I was, and read him a few sections from Sony's announcement. There was silence on the line for a moment. "Oh crap," he said, finally, before getting up and getting his manager.
 
I just want to state that this is a perfect example of why using point cards / cash cards purchased at a retailer and entered into the console is much safer than leaving your credit card info on the site.


I don't even use a real credit card for Amazon/Newegg; I go to the bank and get a one-time gift card made and use it.
 
They had access to that information for about three days. I'm not taking any chances. I'm reviewing every single account I can think of to check passwords. When I can check my security question in PSN, I'll be going back to review my other accounts again.
 
I just want to state that this is a perfect example of why using point cards / cash cards purchased at a retailer and entered into the console is much safer than leaving your credit card info on the site.


I don't even use a real credit card for Amazon/Newegg; I go to the bank and get a one-time gift card made and use it.

Yep. Pretty sure I'm going to remove my credit card info from every online account I can think of, and that will let me.
 
There is simply not enough known about the situation to make a judgement on the security, one way or another, at this point by anyone but the people at Sony and the forensics firm, and even they might not know the full extent of it yet.
Begging your pardon, but that's simply not true. I can say with full and perfect accuracy that their security was inadequate.
 
Begging your pardon, but that's simply not true. I can say with full and perfect accuracy that their security was inadequate.

There are people treating this like it's not that big a deal, but heads will roll at Sony over this one. It's pretty much guaranteed that some people have had harsh weeks, which may have ended in some unwanted "vacation" time.
 
Indeed, but to create an example of what I mean by levels of compromise: say I have 2 identical databases of 50 million records each with 30 fields.

Now database1 has been encrypted with a master key for the whole database that takes 10 minutes to brute-force on average.

Now for database2 I encrypted each field in each record with an encryption that takes 1 month on average to break. Now instead of getting everyone's data in 10 minutes, it takes 30 months, or 2.5 years, of compute time just to get all of one person's data, and 125 million years of compute time to get everyone's.

Now obviously this is a very contrived example, but it shows that just because I was able to dump a database, and therefore the information within is compromised, doesn't mean they can suddenly read all the data therein. Now judging by Sony's reaction, they believe data can be pulled off the database and at least some users can have their data decrypted in a timely manner, but that doesn't necessarily point to terrible security.

Digi, yes, you can say their security was inadequate in the sense that all security is inadequate, as it all can be broken, and whenever it is, it obviously wasn't enough. However, you cannot say, as some have been implying, that Sony's security policies were lax or negligent.
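The master-key versus per-record encryption comparison in the post above is, in practice, the difference between encrypting a table directly under one key and envelope encryption. The following is an added example, not part of the original thread and not a description of how PSN stored anything: a Go program in which each row gets its own data key (DEK) wrapped under a key-encryption key (KEK) that never sits in the database. The record layout, key names and sample profile strings are assumptions for illustration; only Go's standard-library AES-GCM is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one row exactly as it would appear in a dumped table: an
// attacker who copies the database gets these three columns and nothing else.
type Record struct {
	UserID     string
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // profile fields, encrypted under the DEK
}

// NewKey returns a fresh 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable entropy: nothing sensible to do
	}
	return k
}

// seal encrypts with AES-256-GCM, prefixing the random nonce to the output.
// aad is bound into the authentication tag, so a blob cannot be moved to
// another row without the decrypt failing.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or the bytes are wrong.
func open(key, box, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], aad)
}

// EncryptRecord generates a DEK for this user only, wraps it under the KEK,
// and encrypts the profile under the DEK. The KEK itself is never stored
// beside the data (in real deployments it lives in an HSM or KMS).
func EncryptRecord(kek []byte, userID string, profile []byte) (Record, error) {
	dek := NewKey()
	wrapped, err := seal(kek, dek, []byte(userID))
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, profile, []byte(userID))
	if err != nil {
		return Record{}, err
	}
	return Record{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// UnwrapDEK is what the application does with the KEK to serve one user.
func UnwrapDEK(kek []byte, r Record) ([]byte, error) {
	return open(kek, r.WrappedDEK, []byte(r.UserID))
}

// DecryptWithDEK models an attacker holding one user's unwrapped DEK (say,
// scraped from memory while that user was being served): it opens that
// record only, which is the blast-radius point of per-record keys.
func DecryptWithDEK(dek []byte, r Record) ([]byte, error) {
	return open(dek, r.Ciphertext, []byte(r.UserID))
}

// DecryptRecord is the normal server path: KEK -> DEK -> profile.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := UnwrapDEK(kek, r)
	if err != nil {
		return nil, err
	}
	return DecryptWithDEK(dek, r)
}

func main() {
	kek := NewKey()
	// constructed sample rows, not real data
	a, _ := EncryptRecord(kek, "user-0001", []byte("name=A;dob=1980-01-01;q=first pet"))
	b, _ := EncryptRecord(kek, "user-0002", []byte("name=B;dob=1975-06-30;q=first school"))
	dekA, _ := UnwrapDEK(kek, a)
	_, errB := DecryptWithDEK(dekA, b)
	fmt.Println("one leaked DEK opens the other row:", errB == nil) // false
	_, errDump := DecryptRecord(NewKey(), a)
	fmt.Println("dump without the KEK is readable:", errDump == nil) // false
}
```

The thing to notice is what a dumped table is worth under each design: with a single master key encrypting rows directly, leaking that key (or the server process that holds it) reads everything; with per-record DEKs the attacker needs the KEK from wherever it is kept, and a key that leaks while one user is being served opens one row. That is a statement about blast radius, not about brute-force time, which for a properly sized AES key is not the realistic path in either design.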
 
I have a couple of questions after reading all the posts here:

1 - Is there any way to create an "adequate" security system? Don't hackers figure it out sooner or later?

2 - Is there any chance that these evil people would be brought to justice?
 
I have a couple of questions after reading all the posts here:

1 - Is there any way to create an "adequate" security system? Don't hackers figure it out sooner or later?

2 - Is there any chance that these evil people would be brought to justice?

Depends on your definition of adequate, but if you mean better, I think the answer is yes.

As to the second question, no, Sony will never be brought to justice. :D
 
1. Adequate always depends on the security required for the data you are protecting and the trade-off between usability and security you are willing to make. But even then it will eventually be broken; nothing is 100% secure. It's all about making it not worth the time without making usability unduly complicated. Even then, someone might break it just to say they did, even if the contents weren't worth their time.

2. Depends on who these evil people are. The FBI will likely be able to make a chain to find out who they are unless they are really, really good. However, if they are in China, Russia, or some other country that doesn't care or encourages it, they cannot touch them.
 
How strong or weak Sony's security was/is, I can't speak to. I will say, however, as someone who has helped design, build, and support a significant web presence and associated payment processing system, that time, features, and customer conveniences work against security. And when management sets a priority on delivering more functionality and customer convenience at a pace which is deemed necessary to be successful, security can and will take a back seat. PSN, in my mind, has been playing catch-up with a number of other services for some time, and I can't help but wonder, because of my own personal experiences, if that influenced their vulnerability at all.
 
Indeed, I kind of feel bad for Sony's code monkeys and infrastructure guys who have to fix this. They will be getting very little sleep for quite a while now.
 
Digi, yes, you can say their security was inadequate in the sense that all security is inadequate, as it all can be broken, and whenever it is, it obviously wasn't enough. However, you cannot say, as some have been implying, that Sony's security policies were lax or negligent.
Sure I can, and their own response to this incident proved it. Waiting a week?

It just seems bad news keeps trickling out; I'm really expecting to hear that the CC info was stolen over the next few days. :(
 