sony psn data breach

so i knew something was fishy when psn was down for a few days (just in time for portal 2 btw).

http://arstechnica.com/gaming/news/2011/04/sony-admits-utter-psn-failure-your-personal-data-has-been-stolen.ars

the wording of the statement on their blog is very careful to not admit any kind of error on their part, but here is what we know +  some assumptions...

1) passwords were store as un-hashed plain text
2) their dev network was not sandboxed from their production network (unlike xbox live)
3) no encryption (this is a big assumption based on the missing language that would most certainly be included in the statement if data were encrypted)

this is a big deal and inexcusable for a company with the resources of sony.

Well, it is free. XBL has a lot of paid member money to make sure the experience is better. Also Sony declared war to hackers, which made them the main target for attacks. I still think they over reacted to that hacker who released the master key. The master key is bound to be cracked and shared at sometime (which already happened), it was expected and shouldn't make a big fuss about it. Not only they sued the guy, but, Sony made a big mistake demanding all the traffic IP to the site, which is a violation of privacy and war on the community. Even if they have good service, DDoS can easily over flood their network. I am sure there are several groups of hackers doing DDoS on Sony servers right now.

1) passwords were store as un-hashed plain text

Why would you say that? What proof do you have?

2) their dev network was not sandboxed from their production network (unlike xbox live)

Why would you say that? What proof do you have?

3) no encryption (this is a big assumption based on the missing language that would most certainly be included in the statement if data were encrypted)

Why would you say that? What proof do you have?

The master key is bound to be cracked and shared at sometime (which already happened), it was expected and shouldn't make a big fuss about it.

What? That doesn't make any sense. Has Verisign lost their master key in the many years they have been running? Has Microsoft lost it's master signing key (which would allow someone to make malicious Windows Updates)? Have Google? Has your bank?

If "master keys" (which are just PKI private keys) should be expected to be lost, then the whole of SSL is broken, and we should expect that someone else would be able to brute force them, then you've found a neat way of generating really big prime numbers really fast.

Sony suck because they generated the private key wrongly, which took the whole 4096-bit key down to a few bits of entropy which would be brute-forcable. If they had done it correctly then Hotz would have really struggled to brute force the whole 4096-bit key. (hint: it would have taken longer than the lifetime of the universe even if he could harness a billion GHz of computation power out of every atom in the universe)

This all seems like an awful lot of assumption and hearsay.

Well the passwords were leaked, which shouldn't have been possible (why were they storing passwords?)

10 hours ago, evildictait​or wrote

Why would you say that? What proof do you have?

I think a lot of this stuff comes from the leaked hacker IRC logs, which actually looked somewhat credible.

11 hours ago, evildictait​or wrote

*snip*

 (hint: it would have taken longer than the lifetime of the universe even if he could harness a billion GHz of computation power out of every atom in the universe)

Or this is the first evidence that quantum chips exist in the wild...

I wouldn't be surprised if a trained chimpanzee broke into Sony's servers.

2 hours ago, Cream​Filling512 wrote

Well the passwords were leaked, which shouldn't have been possible (why were they storing passwords?)

"Recover your password" features. If you're running a service like PSN where the servers are physically secure and the only access is through a documented API and the weaknesses lie elsewhere in the system then it's reasonable to say it's acceptable to store passwords as plaintext. Or maybe the backend was developed by a bunch of freshfaced grads who only have experience of developing PHP apps as part of their undergrad coursework.

17 hours ago, magicalclick wrote

Well, it is free. XBL has a lot of paid member money to make sure the experience is better. Also Sony declared war to hackers, which made them the main target for attacks. I still think they over reacted to that hacker who released the master key. The master key is bound to be cracked and shared at sometime (which already happened), it was expected and shouldn't make a big fuss about it. Not only they sued the guy, but, Sony made a big mistake demanding all the traffic IP to the site, which is a violation of privacy and war on the community. Even if they have good service, DDoS can easily over flood their network. I am sure there are several groups of hackers doing DDoS on Sony servers right now.

++

The thing is a lot of companies have no clue how to deal with "the Internet community". These big companies really need to hire "Interwebs experts", which qualifiations include "hanging out on 4chan for the lulz". I'm totally serious.

What did the GeoHotz lawsuit accomplished? So GeoHotz can't hack the PS3 anymore but he already released his exploit and the genie is out of the bottle. What the hell is a lawsuit going to do? Plus it's not like GeoHotz is the only hacker on earth, he just happens be good at the PR game. So all they really accomplished was to give a bunch of lawyers a bunch of money and piss off Anonymous. Good moves Sony.

When it comes to security the solution is always a technical and social one. Lawyers are fine for corporation to corporation type business but not to protect yourself from "the Internet".

15 minutes ago, W3bbo wrote

*snip*

"Recover your password" features. If you're running a service like PSN where the servers are physically secure and the only access is through a documented API and the weaknesses lie elsewhere in the system then it's reasonable to say it's acceptable to store passwords as plaintext. Or maybe the backend was developed by a bunch of freshfaced grads who only have experience of developing PHP apps as part of their undergrad coursework.

 

Recover your password is silly, any reputable service just gives you the ability to reset it.

@W3bbo:Even to recover a password, they shouldn't have been storing them. At the very least the password should be salted and hashed. Ideally they should reset the password and send you a temporary one.

I don't have a PSN account, so I don't know how they do things.

@magicalclick: "Well, it is free. XBL has a lot of paid member money to make sure the experience is better."

Sony PlayStation Network http://us.playstation.com/psn/playstation-plus/
$49.99/yr @ $4/Mo.
or
$71.96/yr @ $6/Mo.
or
FREE

XBox Live https://live.xbox.com/en-US/Flows/ManageSubscription/ChooseSubscription.aspx
$59.99/yr (Gold)
or
$119.88/yr @ $9.99/Mo. (Gold)
or
FREE (Silver)

Free services should be exempted from our expectations of due diligence, best practices and common sense? If someone hacks my bank and steals my money and information I shouldn't care because my services are "free"?

16 hours ago, evildictait​or wrote

If "master keys" (which are just PKI private keys) should be expected to be lost, then the whole of SSL is broken, and we should expect that someone else would be able to brute force them, then you've found a neat way of generating really big prime numbers really fast.

Revoke SSL certificate is important among security group. Recent Win update revoked plenty of stolen SSL certificates (such as big named Google certificates), and WinPh7 is planned to have that updated as well.

Let me make it clear, I was talking about cracking PS3 machine is not a big deal when the hacker bought it and crack it at home. It is not the same as hacking Sony servers. Of course, the new Sony Servers got compromised is a big NO NO, and that's what they get when war on hacker community.

Also there was no reason for them to be storing payment infomation either.

It took Sony 6 days to tell 75 million people that their personal info (and possibly CC info) was stolen by hackers?

10 hours ago, W3bbo wrote

*snip*

"Recover your password" features. If you're running a service like PSN where the servers are physically secure and the only access is through a documented API and the weaknesses lie elsewhere in the system then it's reasonable to say it's acceptable to store passwords as plaintext.

No it isn't. If anything it's more stupid in that case since the password is rarely something you actually need to use.