XI
you are not logged in
News

Possible SCEE Source Cites Reason For PSN Outage

Rage against the machine.

In the wee hours of this morning a tipster contacted TSA, as well as PSU, with information as to why the PSN has been down for the last few days. Obviously we can’t validate the accuracy of this source, although screen grabs were provided showing his private conversation, apparently with a SCEE employee that he claims to have a close connection with.

This conversation yielded potentially new information, with the tipster stating that there was a “sustained LOIC attack on the PSN Store” and “a concentrated attack on PS servers holding account info”. We’re told that Admin Dev accounts were breached and the PSN was shut down by Sony, who are now in the process of restoring backups to new servers.

We’ve seen equally unsupported claims elsewhere that personal details, passwords and log history were breached, as well as the encrypted files storing credit card info. Apparently those card details are still secure because of the way they are encrypted but users’ personal info might have been attained during the attack. Obviously this is not confirmed and is based on hearsay but if true it is quite worrying.

Obviously this is all based on the claims of a source whose identity is unclear. As such, we’d advise you to be cautious about the validity. If true though, it could have very serious ramifications.

We would advise against anyone panicking based on these vague claims but there is some cause for concern and we would urge SCE to help set people’s minds at rest by making a more detailed official statement which either confirms or clearly denies the loss of data.

Source: Tipster

Read more: # #
113 Comments
  1. cc_star
    Team TSA: Writer
    Since: Forever

    They can make as many utterly pointless propaganda-like “we’re working on it” statements as they want, but until they dispel the growing rumours of customers details being accessed they look worse & worse

    Comment posted on 24/04/2011 at 11:17.
    • TURRICAN-808
      Member
      Since: Jan 2011

      In terms of PR, the excrement has hit the rotary blades! I thunk there might be a few people checking their bank statements , especially SONY staff members!

      Comment posted on 24/04/2011 at 11:24.
      • TURRICAN-808
        Member
        Since: Jan 2011

        *thunk ? lol – think

        Comment posted on 24/04/2011 at 11:25.
      • jediryan123
        Member
        Since: Nov 2008

        the defecation has hit the oscillation?

        Comment posted on 24/04/2011 at 14:17.
    • MaD dOctoR 79
      Member
      Since: Dec 2010

      I’m sorry, but would you prefer they lie about customer information being breached, or would you rather they wait till they have checked everything before making a stupid statement that is completely wrong?

      “we’re working on it” is a perfectly legitimate statement to make, yes it’s very annoying to have no access to PSN, but I’m not going to lose any sleep over it (usually do that when it’s on)

      and try to remember, this type of thing can happen to any company at any time…if your website goes down will you tell us that all our info is safe before actually checking?

      Comment posted on 24/04/2011 at 13:32.
      • Tuffcub
        On the naughty step.
        Since: Dec 2008

        Agreed, I would prefer they know the exact details before releasing a statement

        Comment posted on 24/04/2011 at 14:08.
      • Uhyve
        Member
        Since: Sep 2008

        They already know whether or not customer data has been breached, if they don’t, then every network engineer working for Sony is truly incompetent.

        Comment posted on 24/04/2011 at 14:26.
      • cc_star
        Team TSA: Writer
        Since: Forever

        Agreed, I don’t know why people don’t get it.

        Comment posted on 24/04/2011 at 16:33.
      • skibadee
        Member
        Since: Oct 2009

        then there fine its like you want it to be that way.

        Comment posted on 24/04/2011 at 17:59.
      • E8_BALL_
        Member
        Since: Jul 2010

        @Uhyve
        I’m curious as to how you know this a fact?

        from what i can find by researching today, if cust details are compromised, the company holding those details, are required to inform the cust immediately by law.

        Comment posted on 24/04/2011 at 19:13.
      • Bladesteel
        Member
        Since: Sep 2008

        Good thing you guys aren’t doing computer forensics for a living then. I haven’t done anything like that but I know a little about how complex it might become. If you want an analogy: if the break in is like a “smash and grab” they would know if they had been at the vault (aka cc details) right away. If on the other hand there was a spy pretending to be one of the bank employees, they can’t know he hasn’t been in the vault even if they don’t find any fingerprints. The fun part is that if you have a smash and grab that got everything at the registers you still have to check the vault because the s&g may have been only to draw attention away from a spy. They only need one piece of proof to say someone was in the vault, but to say no one was they need to examine everything.

        If Sony doesn’t know yet (still they might know, but not be telling us) it means either that credit cards weren’t compromised or if they were it was done by someone good at hiding their tracks.

        Comment posted on 24/04/2011 at 20:10.
      • Uhyve
        Member
        Since: Sep 2008

        @E8_BALL_: Mainly because I’ve done network security before, not at a professional level, but yeah, at a University level.

        For one piece of coursework, we were given a packet dump from a honeypot that had been compromised and it’s really not that difficult to narrow down the data, using filters and stuff (maybe returning IPs which downloaded a weirdly large amount of information from a sensitive server).

        That was easy for me and I only studied network security for a year, these people are professionals, so yeah, it wouldn’t have taken them more than a day.

        Also, yes, it’s legally required of them to tell you if your credit card details have been compromised, which is why I haven’t cancelled my credit card. But then they’re only required to tell you if they “know”.

        I mean really, your credit card details are probably safe, since they should be encrypted, at worst, your email address and passwords checksum may have been leaked… but then I suppose I don’t exactly trust Sony’s encryption right now…

        Comment posted on 24/04/2011 at 20:26.
      • E8_BALL_
        Member
        Since: Jul 2010

        thank you to both Uhyve & Bladesteel
        most sense ive heard on this topic since this nightmare began, it can all get a little heated(myself incl).
        when things are discussed in an informed & calm manner, removes a little tension from a volatile topic.

        6thaxisOpenlearning.com

        Comment posted on 24/04/2011 at 20:56.
      • Bladesteel
        Member
        Since: Sep 2008

        I’m actually starting to wonder if it would be a good idea for big businesses that handle lots of credit card info to add some “honeypot” numbers in their data, that the banks would flag any attempted use of knowing the source right away because any fake number is used by only one company. (They may already be doing this but not telling us for all I know)

        Comment posted on 24/04/2011 at 21:25.
  2. TURRICAN-808
    Member
    Since: Jan 2011

    Three little pigs (SONY) build a house of paper (PSN). But the Big Bad Wolf (Anonymous Hackers) comes along, huffs, puffs and blows the house of paper down!
    The Three Little pigs aren’t happy, they must now rebuild their house much stronger. This time its gonna be a stone house!

    And thats where we are at the moment folks, three little piggies are building a stronger house!!

    Comment posted on 24/04/2011 at 11:20.
    • Flash
      Member
      Since: May 2009

      I wouldn’t say they’re quite rebuilding a stone house, just putting stone reinforcements into the joists.

      Comment posted on 24/04/2011 at 11:24.
    • Crazyfrog23
      Member
      Since: Jan 2010

      But did the Big Bad Wolf (if it was an attack, by someone unknown) find any gold(personal and credit details) when the paper house was blown down?

      Comment posted on 24/04/2011 at 11:29.
      • TURRICAN-808
        Member
        Since: Jan 2011

        Crazyfrog 23 is right on!

        We need to know, did the wolf get his hands on the jam jar!!

        Comment posted on 24/04/2011 at 11:32.
    • cc_star
      Team TSA: Writer
      Since: Forever

      It would take months to design a massively more secure system from the ground-up, surely they’re only applying some wooden shutters to the windows on the straw house

      Comment posted on 24/04/2011 at 11:41.
      • TURRICAN-808
        Member
        Since: Jan 2011

        Thats entirely feasible. The three pigs could also add some cannons that specifiacally target wolves

        Or just use better firewalls :)

        Comment posted on 24/04/2011 at 11:47.
    • Lord_Gremlin
      Member
      Since: Nov 2009

      Hm. If I remember correctly the wolf got decapitated later? Or was that another fairytale?

      Comment posted on 24/04/2011 at 12:47.
      • ProjectJAY
        Member
        Since: Aug 2009

        I believe that was Little Red Riding Hood :P

        Comment posted on 24/04/2011 at 13:00.
  3. Red Memory
    Member
    Since: Mar 2010

    I haven’t really been too worried or affected by all of this. However, SCEE & A’s communication (or lack thereof) is extremely troublesome. They’re losing serious goodwill points.

    Comment posted on 24/04/2011 at 11:23.
    • blarty
      Member
      Since: Apr 2011

      You don’t tell people of a nefarious nature that you’re locking your doors, you tell them that you’ve locked them. When any issue that may or may not be security related occurs, there is always a period where you keep quiet, with as few updates and missives as pocssible. I would rather have them not tell me what they’re doing and my account remain safe, than for them to publish what they’re up toon an hourly basis, and also be providing this information to the people who attacked them in the first place so they can then take another shot at it

      Comment posted on 24/04/2011 at 11:50.
      • Red Memory
        Member
        Since: Mar 2010

        Naturally. But that’s not what I mean; I’m talking about any sort of standard PR fare, even if they copy/paste answers to multiple people. It’s just not a good strategy to ignore incoming questions.

        Comment posted on 24/04/2011 at 12:04.
      • KeRaSh
        Member
        Since: Nov 2009

        Remain safe? What if they are already in the wrong hands? Wouldn’t you want to know as soon as possible to take the necessary steps to prevent any major financial damage?

        Comment posted on 24/04/2011 at 14:22.
  4. rossthebassist
    Member
    Since: Nov 2009

    i think its a given that the communication between sony and its customers has always been lacking,
    if the network has been breeched then i can live with the downtime, as i have a pc and a 360 to tie me over untill its back online.
    i think in this matter sony must asses the damage / information stolen / accessed before they make any official statement. any premature statements will just cause a boat load of data protection headaches for them.

    im all for security, take as long as you needs sony

    Comment posted on 24/04/2011 at 11:25.
    • Flash
      Member
      Since: May 2009

      If only more people were like this, instead of whining about ‘Sony don’t communicate enough, they should tell me when each individual worker goes to the toilet!!!!!’.

      Comment posted on 24/04/2011 at 11:30.
      • Red Memory
        Member
        Since: Mar 2010

        I agree; they definitely need to take the time they need. And they shouldn’t make any premature statements. But they do have a dedicated PR team that shouldn’t just ignore all the incoming questions. That’s just bad PR handling.

        Comment posted on 24/04/2011 at 11:33.
      • rossthebassist
        Member
        Since: Nov 2009

        a hey guys still offline we are working on it, ETA is 2 days. wouldnt go a miss but i deffo dont need to know whats going on, whats a hacker gonna do with my email address or my street address anyways? i learned from xbox never put your bankcard on a console.

        Comment posted on 24/04/2011 at 11:37.
  5. wick15
    Member
    Since: Jul 2009

    Very interesting claims. Personally I am not hugely concerned about the downtime. Sony have obviously taken PSN offline since it was the best option they had, and I can totally back that. After all I would rather have the PSN in it’s full glory than it being hacked to bits and all my personal details being stolen.

    What does concern me though is the lack of an official statement. Surely this should be something that takes priority? Leaving your customers in the dark isn’t very good PR and will surely haunt Sony for sometime.

    At the end of the day, Sony have no one to blame but themselves. They started this, so they better see it through.

    Comment posted on 24/04/2011 at 11:39.
    • teflon
      Community Team
      Since: May 2009

      Did they really? Geohotz hacked the PS3 via Linux to gain access to the Hypervisor. Sony’s reaction was to remove Linux, and things have spiralled from there, with numerous overreactions from many sides, but Sony didn’t really start this.

      Comment posted on 24/04/2011 at 11:49.
      • wick15
        Member
        Since: Jul 2009

        In fairness, this wouldn’t have been nearly as bad if they hadn’t tried to sue Geohotz. They went about it completely the wrong way. By attacking him they stirred up a whole lot of bad. Royally pissing off hackers and many others around the world. I am confident that Sony wouldn’t have had this downtime if they hadn’t screwed up the Geohotz case so badly.

        Comment posted on 24/04/2011 at 11:54.
      • djhsecondnature
        Since: Forever

        @wick15 – They could do nothing but sue him. They owed it to their shareholders, developers, publishers and gamers to protect their IP.

        Comment posted on 24/04/2011 at 12:01.
      • wick15
        Member
        Since: Jul 2009

        @djsecondnature I can understand it was the only choice they had, but surely they could have been some easier resolve? They went at him with such force only to stop him going near Sony products. Not really resolving the problem. He isn’t the only hacker out there and since the case Sony have had nothing but problems.

        As much as I hate Geohotz, I really think Sony should have tried to get a more peaceful resolve. Maybe just pay him off quietly or try get him on board so they could at least fully understand how he is hacking the system.

        Comment posted on 24/04/2011 at 12:11.
      • teflon
        Community Team
        Since: May 2009

        A big corporation has very few options when it comes to this. In fact, it’s almost a direct parallel to a country’s course of action when it comes to terrorists.

        You close the security holes that were exploited during the attacks, keep tabs on what they’re doing and, if possible, try to fix exploits before they can use them.

        But most importantly through all of this, you do not negotiate with them. As soon as you bring a public hacker into the fold, you’ve set a precedent that others would try and exploit.

        I think the main thing Sony got wrong were that their evidence vs. Geohotz was flawed. They got their desired result in stopping him hacking publicly anymore, but for many people just turned him into that plucky kid who bested Sony, which just garnered him more support especially after the manner in which they tried to corner him which just failed.

        Comment posted on 24/04/2011 at 13:22.
      • wick15
        Member
        Since: Jul 2009

        Fair enough. I’ll take these points on board.

        Comment posted on 24/04/2011 at 13:29.
      • Awayze
        Member
        Since: Jul 2010

        Geohot hacked the iPhone and that led to LOADS of piracy on iOS but did Apple sue? NO!

        Apple released new firmwares to counter the jailbroken iOS firmware with new features but Sony went the wrong way by suing and removing features.

        Comment posted on 24/04/2011 at 16:32.
      • Uhyve
        Member
        Since: Sep 2008

        Funnily enough, Apple have never really managed to fully block the jailbreaks, and they’ve still not sued. While Sony have really pulled a minor miracle and somehow secured their OS (in a surprisingly short time), yet still went after the hackers.

        You know, I think some people wouldn’t have had such a big problem with Sony’s actions if the lawsuit would’ve come down to the law, but in my opinion, they were trying to make it about who had the greater monetary backing. I mean, I still would’ve had a problem with it, but I would at least understand that it was a course of action that they believed necessary and be able to blame whatever verdict came about on (what I consider) messed up laws.

        Comment posted on 24/04/2011 at 17:21.
      • Kaminari
        Member
        Since: Jan 2010

        No. Hotz gained access to the Hypervisor to make Linux more useful on the PS3 — why did Sony decide to lock out RSX access and to cap hard disk speed to 25 MB/s is still a conundrum. Sony didn’t like their limitations to be circumvented and bluntly decided to disable Linux support altogether (which was, should it be reminded, an advertised feature of the PS3). Hotz then hacked the PS3 to mainly reactivate Linux support.

        Ironically, nobody ever “cracked” the security algorythms of the PS3, which to this day remain untouched. Hotz simply found that the badly encrypted master keys were actually available to anyone and (in a very irresponsible fashion) decided to publish them.

        Sony is largely to blame in the way they dealt with the problem.

        Comment posted on 24/04/2011 at 18:03.
      • teflon
        Community Team
        Since: May 2009

        Unlocking iPhones has been legal all along, pretty much, thanks to the DMCA exception that was put in place in ’06, whilst Jailbreaking has now been made legal as of the middle of last year.

        Really, though, Apple didn’t care so much, since their business model is to sell a new phone to each customer every other year (pretty much) with yearly hardware releases. Far removed from the business model of a console, where once you buy one, you generally shouldn’t need to buy another, and the business is only made profitable via royalties taken from software sales.

        Different business, so different tactics in defending it.

        @Kaminari – Once Geohotz got into the Hypervisor, the gate to the path that would lead to game piracy was opened, however you want to spin it. They might have only got the master key after stumbling across some bungled coding, but the only reason why they were able to even see that was because of the access to the Hypervisor.

        Comment posted on 24/04/2011 at 18:36.
    • Flash
      Member
      Since: May 2009

      Sony didn’t start anything?

      Comment posted on 24/04/2011 at 11:49.
    • scion_tc1
      Member
      Since: Sep 2009

      They should have tracked his progress with the hack from day one and when he succeeded offered him a job, and some cake obviously.

      Comment posted on 24/04/2011 at 12:11.
  6. Sympozium
    Member
    Since: Aug 2009

    Hope its back up soon…. sad about these attacks

    Comment posted on 24/04/2011 at 11:40.
  7. teflon
    Community Team
    Since: May 2009

    The first thing that needs to happen once PSN is back up is to have a hugely important message pushed to all network attached PS3s at their next start up, covering the basics of how people should go about changing passwords, and removing bank details, should they so desire.

    Comment posted on 24/04/2011 at 11:47.
  8. SolidSnake1324
    Member
    Since: Apr 2011

    I think SCEE/SCEA just don’t want to make premature statements, as they will be called liars or unprofessional, if said statements prove wrong, which is why they provide so little information at the moment.
    Plus, secrecy is key in restoring safety to the PSN.

    Comment posted on 24/04/2011 at 11:50.
    • Flash
      Member
      Since: May 2009

      Exactly. They could very well say ‘we’ll be back up in two days’ just to keep people happy, when they don’t really know how long it’s gonna take, or they could just ask for people’s patience and get cracking on it.

      Comment posted on 24/04/2011 at 11:53.
    • KeRaSh
      Member
      Since: Nov 2009

      Really? Didn’t they already lie to us? Sproadic maintenance anyone?

      Comment posted on 24/04/2011 at 14:27.
    • Uhyve
      Member
      Since: Sep 2008

      There’s a phrase which describes this:

      “Security through obscurity”

      And it’s widely believed to be a massively flawed way of working in the security/programming world. Since it means that your security can be flawed but yeah, sure, you’re secure… as far as you know.

      Comment posted on 24/04/2011 at 17:36.
  9. deezoned
    Member
    Since: Jul 2009

    1) Security was breached by hacking admin/dev accounts.
    2) Systems/servers were “infected” and/or corrupted. Data may have been stolen in the process (TBD/TBC).
    3) Restore (from image before intrusion) is in progress on new/fresh servers + transaction logs applied.
    4) Measures are applied as to 1) can’t occur again
    5) Servers/PSN will be reopened while maintaining a very high logging/supervision level. And, a new and further improved security system is being worked on and applied ASAP.

    Just my 2 cents, but surely Sony, we’re expecting some more official statement…

    Comment posted on 24/04/2011 at 11:51.
    • Flash
      Member
      Since: May 2009

      More official statement? What else could they possibly say other than what they already have. They’ve told us that it’s a hack attempt. They’re told us why it’s offline. They’ve told us they’re working on fixing it and applying new security.

      What more do people want?

      Comment posted on 24/04/2011 at 11:55.
      • deezoned
        Member
        Since: Jul 2009

        I can certainly live with all the time it takes for a proper measure to counter the problems (reopening prematurely would just make the problems worse), but in all incident management proceses communication is crucial. And, I think the communication updates are lacking. Even with nothing new to say, it’s important just to reassure all PSN users that progress is being made. We are 70 mio. PSN users and an entire industry waiting for info on 1) when the service will be back up, 2) if data has been compromised and 3) how this could happen and why it will never happen again.

        Until more elaborate official statements are given the speculations will just escalate, rumors will form, lies will be told and panic may arise (from leaked personal and CC information?)

        1-2 updates a day via Twitter/PSBlog is not in my view sufficient official information.

        Comment posted on 24/04/2011 at 12:03.
      • SolidSnake1324
        Member
        Since: Apr 2011

        1. once they’ve finished their project…this is an unscheduled mainteance so they probably don’t know when that will be…
        2. once they know everything they’ll probably release a statement about that.
        3. just lol

        Comment posted on 24/04/2011 at 12:14.
  10. Foxhound_Solid
    Is a smart cookie.
    Since: Dec 2009

    Y’all need to chill out, no news is good news. Just be frickin patient, im dude all will be revealed soon enough.

    Comment posted on 24/04/2011 at 11:58.

Leave a Reply

You must be logged in to post a comment.

Latest Comments