Possible SCEE Source Cites Reason For PSN Outage

In the wee hours of this morning a tipster contacted TSA, as well as PSU, with information as to why the PSN has been down for the last few days. Obviously we can’t validate the accuracy of this source, although screen grabs were provided showing his private conversation, apparently with a SCEE employee that he claims to have a close connection with.

This conversation yielded potentially new information, with the tipster stating that there was a “sustained LOIC attack on the PSN Store” and “a concentrated attack on PS servers holding account info”. We’re told that Admin Dev accounts were breached and the PSN was shut down by Sony, who are now in the process of restoring backups to new servers.

We’ve seen equally unsupported claims elsewhere that personal details, passwords and log history were breached, as well as the encrypted files storing credit card info. Apparently those card details are still secure because of the way they are encrypted but users’ personal info might have been obtained during the attack. Obviously this is not confirmed and is based on hearsay but if true it is quite worrying.

Obviously this is all based on the claims of a source whose identity is unclear. As such, we’d advise you to be cautious about the validity. If true though, it could have very serious ramifications.

We would advise against anyone panicking based on these vague claims but there is some cause for concern and we would urge SCE to help set people’s minds at rest by making a more detailed official statement which either confirms or clearly denies the loss of data.

Source: Tipster

113 Comments

  1. They can make as many utterly pointless propaganda-like “we’re working on it” statements as they want, but until they dispel the growing rumours of customers’ details being accessed they look worse & worse

    • In terms of PR, the excrement has hit the rotary blades! I thunk there might be a few people checking their bank statements, especially SONY staff members!

      • *thunk ? lol – think

      • the defecation has hit the oscillation?

    • I’m sorry, but would you prefer they lie about customer information being breached, or would you rather they wait till they have checked everything before making a stupid statement that is completely wrong?

      “we’re working on it” is a perfectly legitimate statement to make, yes it’s very annoying to have no access to PSN, but I’m not going to lose any sleep over it (usually do that when it’s on)

      and try to remember, this type of thing can happen to any company at any time…if your website goes down will you tell us that all our info is safe before actually checking?

      • Agreed, I would prefer they know the exact details before releasing a statement

      • They already know whether or not customer data has been breached, if they don’t, then every network engineer working for Sony is truly incompetent.

      • Agreed, I don’t know why people don’t get it.

      • then they’re fine, it’s like you want it to be that way.

      • @Uhyve
        I’m curious as to how you know this is a fact?

        from what I can find by researching today, if cust details are compromised, the company holding those details is required to inform the cust immediately by law.

      • Good thing you guys aren’t doing computer forensics for a living then. I haven’t done anything like that but I know a little about how complex it might become. If you want an analogy: if the break in is like a “smash and grab” they would know if they had been at the vault (aka cc details) right away. If on the other hand there was a spy pretending to be one of the bank employees, they can’t know he hasn’t been in the vault even if they don’t find any fingerprints. The fun part is that if you have a smash and grab that got everything at the registers you still have to check the vault because the s&g may have been only to draw attention away from a spy. They only need one piece of proof to say someone was in the vault, but to say no one was they need to examine everything.

        If Sony doesn’t know yet (still they might know, but not be telling us) it means either that credit cards weren’t compromised or if they were it was done by someone good at hiding their tracks.

      • @E8_BALL_: Mainly because I’ve done network security before, not at a professional level, but yeah, at a University level.

        For one piece of coursework, we were given a packet dump from a honeypot that had been compromised and it’s really not that difficult to narrow down the data, using filters and stuff (maybe returning IPs which downloaded a weirdly large amount of information from a sensitive server).

        That was easy for me and I only studied network security for a year, these people are professionals, so yeah, it wouldn’t have taken them more than a day.

        Also, yes, it’s legally required of them to tell you if your credit card details have been compromised, which is why I haven’t cancelled my credit card. But then they’re only required to tell you if they “know”.

        I mean really, your credit card details are probably safe, since they should be encrypted, at worst, your email address and passwords checksum may have been leaked… but then I suppose I don’t exactly trust Sony’s encryption right now…

      • thank you to both Uhyve & Bladesteel
        most sense I’ve heard on this topic since this nightmare began, it can all get a little heated (myself incl).
        when things are discussed in an informed & calm manner, removes a little tension from a volatile topic.

        6thaxisOpenlearning.com

      • I’m actually starting to wonder if it would be a good idea for big businesses that handle lots of credit card info to add some “honeypot” numbers in their data, that the banks would flag any attempted use of knowing the source right away because any fake number is used by only one company. (They may already be doing this but not telling us for all I know)

  2. Three little pigs (SONY) build a house of paper (PSN). But the Big Bad Wolf (Anonymous Hackers) comes along, huffs, puffs and blows the house of paper down!
    The Three Little pigs aren’t happy, they must now rebuild their house much stronger. This time it’s gonna be a stone house!

    And that’s where we are at the moment folks, three little piggies are building a stronger house!!

    • I wouldn’t say they’re quite rebuilding a stone house, just putting stone reinforcements into the joists.

    • But did the Big Bad Wolf (if it was an attack, by someone unknown) find any gold (personal and credit details) when the paper house was blown down?

      • Crazyfrog 23 is right on!

        We need to know, did the wolf get his hands on the jam jar!!

    • It would take months to design a massively more secure system from the ground-up, surely they’re only applying some wooden shutters to the windows on the straw house

      • That’s entirely feasible. The three pigs could also add some cannons that specifically target wolves

        Or just use better firewalls :)

    • Hm. If I remember correctly the wolf got decapitated later? Or was that another fairytale?

      • I believe that was Little Red Riding Hood :P

  3. I haven’t really been too worried or affected by all of this. However, SCEE & A’s communication (or lack thereof) is extremely troublesome. They’re losing serious goodwill points.

    • You don’t tell people of a nefarious nature that you’re locking your doors, you tell them that you’ve locked them. When any issue that may or may not be security related occurs, there is always a period where you keep quiet, with as few updates and missives as possible. I would rather have them not tell me what they’re doing and my account remain safe, than for them to publish what they’re up to on an hourly basis, and also be providing this information to the people who attacked them in the first place so they can then take another shot at it

      • Naturally. But that’s not what I mean; I’m talking about any sort of standard PR fare, even if they copy/paste answers to multiple people. It’s just not a good strategy to ignore incoming questions.

      • Remain safe? What if they are already in the wrong hands? Wouldn’t you want to know as soon as possible to take the necessary steps to prevent any major financial damage?

  4. I think it’s a given that the communication between Sony and its customers has always been lacking,
    if the network has been breached then I can live with the downtime, as I have a PC and a 360 to tide me over until it’s back online.
    I think in this matter Sony must assess the damage / information stolen / accessed before they make any official statement. Any premature statements will just cause a boat load of data protection headaches for them.

    I’m all for security, take as long as you need, Sony

    • If only more people were like this, instead of whining about ‘Sony don’t communicate enough, they should tell me when each individual worker goes to the toilet!!!!!’.

      • I agree; they definitely need to take the time they need. And they shouldn’t make any premature statements. But they do have a dedicated PR team that shouldn’t just ignore all the incoming questions. That’s just bad PR handling.

      • a “hey guys, still offline, we are working on it, ETA is 2 days” wouldn’t go amiss, but I deffo don’t need to know what’s going on. What’s a hacker gonna do with my email address or my street address anyways? I learned from Xbox never put your bankcard on a console.

  5. Very interesting claims. Personally I am not hugely concerned about the downtime. Sony have obviously taken PSN offline since it was the best option they had, and I can totally back that. After all I would rather have the PSN in its full glory than it being hacked to bits and all my personal details being stolen.

    What does concern me though is the lack of an official statement. Surely this should be something that takes priority? Leaving your customers in the dark isn’t very good PR and will surely haunt Sony for some time.

    At the end of the day, Sony have no one to blame but themselves. They started this, so they better see it through.

    • Did they really? Geohotz hacked the PS3 via Linux to gain access to the Hypervisor. Sony’s reaction was to remove Linux, and things have spiralled from there, with numerous overreactions from many sides, but Sony didn’t really start this.

      • In fairness, this wouldn’t have been nearly as bad if they hadn’t tried to sue Geohotz. They went about it completely the wrong way. By attacking him they stirred up a whole lot of bad. Royally pissing off hackers and many others around the world. I am confident that Sony wouldn’t have had this downtime if they hadn’t screwed up the Geohotz case so badly.

      • @wick15 – They could do nothing but sue him. They owed it to their shareholders, developers, publishers and gamers to protect their IP.

      • @djsecondnature I can understand it was the only choice they had, but surely there could have been some easier resolve? They went at him with such force only to stop him going near Sony products. Not really resolving the problem. He isn’t the only hacker out there and since the case Sony have had nothing but problems.

        As much as I hate Geohotz, I really think Sony should have tried to get a more peaceful resolve. Maybe just pay him off quietly or try get him on board so they could at least fully understand how he is hacking the system.

      • A big corporation has very few options when it comes to this. In fact, it’s almost a direct parallel to a country’s course of action when it comes to terrorists.

        You close the security holes that were exploited during the attacks, keep tabs on what they’re doing and, if possible, try to fix exploits before they can use them.

        But most importantly through all of this, you do not negotiate with them. As soon as you bring a public hacker into the fold, you’ve set a precedent that others would try and exploit.

        I think the main thing Sony got wrong was that their evidence vs. Geohotz was flawed. They got their desired result in stopping him hacking publicly anymore, but for many people just turned him into that plucky kid who bested Sony, which just garnered him more support especially after the manner in which they tried to corner him which just failed.

      • Fair enough. I’ll take these points on board.

      • Geohot hacked the iPhone and that led to LOADS of piracy on iOS but did Apple sue? NO!

        Apple released new firmwares to counter the jailbroken iOS firmware with new features but Sony went the wrong way by suing and removing features.

      • Funnily enough, Apple have never really managed to fully block the jailbreaks, and they’ve still not sued. While Sony have really pulled a minor miracle and somehow secured their OS (in a surprisingly short time), yet still went after the hackers.

        You know, I think some people wouldn’t have had such a big problem with Sony’s actions if the lawsuit would’ve come down to the law, but in my opinion, they were trying to make it about who had the greater monetary backing. I mean, I still would’ve had a problem with it, but I would at least understand that it was a course of action that they believed necessary and be able to blame whatever verdict came about on (what I consider) messed up laws.

      • No. Hotz gained access to the Hypervisor to make Linux more useful on the PS3 — why did Sony decide to lock out RSX access and to cap hard disk speed to 25 MB/s is still a conundrum. Sony didn’t like their limitations to be circumvented and bluntly decided to disable Linux support altogether (which was, should it be reminded, an advertised feature of the PS3). Hotz then hacked the PS3 to mainly reactivate Linux support.

        Ironically, nobody ever “cracked” the security algorithms of the PS3, which to this day remain untouched. Hotz simply found that the badly encrypted master keys were actually available to anyone and (in a very irresponsible fashion) decided to publish them.

        Sony is largely to blame in the way they dealt with the problem.

      • Unlocking iPhones has been legal all along, pretty much, thanks to the DMCA exception that was put in place in ’06, whilst Jailbreaking has now been made legal as of the middle of last year.

        Really, though, Apple didn’t care so much, since their business model is to sell a new phone to each customer every other year (pretty much) with yearly hardware releases. Far removed from the business model of a console, where once you buy one, you generally shouldn’t need to buy another, and the business is only made profitable via royalties taken from software sales.

        Different business, so different tactics in defending it.

        @Kaminari – Once Geohotz got into the Hypervisor, the gate to the path that would lead to game piracy was opened, however you want to spin it. They might have only got the master key after stumbling across some bungled coding, but the only reason why they were able to even see that was because of the access to the Hypervisor.

    • Sony didn’t start anything?

    • They should have tracked his progress with the hack from day one and when he succeeded offered him a job, and some cake obviously.

  6. Hope it’s back up soon…. sad about these attacks

  7. The first thing that needs to happen once PSN is back up is to have a hugely important message pushed to all network attached PS3s at their next start up, covering the basics of how people should go about changing passwords, and removing bank details, should they so desire.

  8. I think SCEE/SCEA just don’t want to make premature statements, as they will be called liars or unprofessional, if said statements prove wrong, which is why they provide so little information at the moment.
    Plus, secrecy is key in restoring safety to the PSN.

    • Exactly. They could very well say ‘we’ll be back up in two days’ just to keep people happy, when they don’t really know how long it’s gonna take, or they could just ask for people’s patience and get cracking on it.

    • Really? Didn’t they already lie to us? Sporadic maintenance anyone?

    • There’s a phrase which describes this:

      “Security through obscurity”

      And it’s widely believed to be a massively flawed way of working in the security/programming world. Since it means that your security can be flawed but yeah, sure, you’re secure… as far as you know.

  9. 1) Security was breached by hacking admin/dev accounts.
    2) Systems/servers were “infected” and/or corrupted. Data may have been stolen in the process (TBD/TBC).
    3) Restore (from image before intrusion) is in progress on new/fresh servers + transaction logs applied.
    4) Measures are applied so that 1) can’t occur again
    5) Servers/PSN will be reopened while maintaining a very high logging/supervision level. And, a new and further improved security system is being worked on and applied ASAP.

    Just my 2 cents, but surely Sony, we’re expecting some more official statement…

    • More official statement? What else could they possibly say other than what they already have. They’ve told us that it’s a hack attempt. They’ve told us why it’s offline. They’ve told us they’re working on fixing it and applying new security.

      What more do people want?

      • I can certainly live with all the time it takes for a proper measure to counter the problems (reopening prematurely would just make the problems worse), but in all incident management processes communication is crucial. And, I think the communication updates are lacking. Even with nothing new to say, it’s important just to reassure all PSN users that progress is being made. We are 70 mio. PSN users and an entire industry waiting for info on 1) when the service will be back up, 2) if data has been compromised and 3) how this could happen and why it will never happen again.

        Until more elaborate official statements are given the speculations will just escalate, rumors will form, lies will be told and panic may arise (from leaked personal and CC information?)

        1-2 updates a day via Twitter/PSBlog is not in my view sufficient official information.

      • 1. once they’ve finished their project…this is an unscheduled maintenance so they probably don’t know when that will be…
        2. once they know everything they’ll probably release a statement about that.
        3. just lol

  10. Y’all need to chill out, no news is good news. Just be frickin patient, im dude all will be revealed soon enough.
