
PSN Hack Update: FAQs in OP, Read before posting

Status
Not open for further replies.
DXB-KNIGHT said:
Let's say that your account was robbed and the bank simply didn't inform you, hasn't compensated you, and told you it's the thieves' fault, not ours.
What would you do?
But I have been informed. But to answer your question, even if they did inform me I'd still be mad at them, as I am with Sony. I can't blame/criticize/sue someone when we don't even know who it was. That's not to say I think this is Sony's fault.
 

Cruzader

Banned
tenchir said:
Wow, some people don't really grasp how hard it is to secure digital data in this day and age. Much like an Achilles heel, no matter how strong your security is, a hacker just needs a flaw in the system to exploit it. If a security company like SecurID (they make the RSA dongle) can get hacked, then don't expect any security system to be safe. Raging against Sony for their "weak" security system is just idiotic, especially when we don't know how the hack was done or how they secured it.
Obviously Sony are the only company to get hacked these days. Very incompetent compared to Visa or Amazon or some government agency.
 

RuGalz

Member
ClosingADoor said:
What points to that? I haven't seen anything that would point to Sony not encrypting the passwords.

And hasn't encryption been pretty standard for at least ten years, if not longer?

They clearly stated that the CC table was encrypted and didn't mention anything about personal information being encrypted. So draw your own conclusion from that.

Plenty of forums and smaller e-commerce sites don't encrypt passwords because it's not a requirement and adds burden to the system; or it's just an old system that hasn't been updated. The most recent dslreports.com breach, for example, leaked people's info including passwords in plain text. While you may think it's illogical, I wouldn't assume it is a standard practice.
 
Metalmurphy said:
And you know this how?
We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).
 

LowParry

Member
surly said:
I agree with your last sentence, but Sony are working to make the security of PSN stronger and they're aiming to have done that within 2 weeks. Why not make it that strong to begin with? Why didn't they salt and hash passwords? Why did they have a bunch of user data completely unencrypted? Other companies may do the same things, but that doesn't get Sony off the hook - it only makes those other companies as bad as Sony.


For all we know, Sony's methods could be equivalent to other companies' methods of security. One thing is for sure: what's happened to Sony will no doubt give other companies the initiative to place more security measures in their systems. It sucks to see Sony being made an example of, to be honest. Though from a consumer's side, I see every right for someone to be mad at Sony. Though their anger seems very one-sided.
 
Psychotext said:
We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).
No we don't. Did you miss the other guy saying that the header meant nothing?

There's also no telling whether those web servers had anything to do with where the DB was stored.

Not really sure how logs (are they even security logs?) are really that bad. Then again, I'm not a hacker. But nothing relevant came from those logs, as I'm sure you know.
 

rpmurphy

Member
tenchir said:
Wow, some people don't really grasp how hard it is to secure digital data in this day and age. Much like an Achilles heel, no matter how strong your security is, a hacker just needs a flaw in the system to exploit it. If a security company like SecurID (they make the RSA dongle) can get hacked, then don't expect any security system to be safe. Raging against Sony for their "weak" security system is just idiotic, especially when we don't know how the hack was done or how they secured it.
Preventing an attack is only one aspect of security though. If people are talking about PSN's information security policies as a whole, then there are likely to be more holes that they failed to address that could have mitigated and controlled the damage that this intrusion has caused.
 

Mithos

Member
I really can't see why Sony need to store ANY information about me at all.

Login name (my mail address in this case), password and PSN ID (display name), that is ALL the information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.
 

test_account

XP-39C²
Mithos said:
I really can't see why Sony need to store ANY information about me at all.

Login name (my mail address in this case), password and PSN ID (display name), that is ALL the information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.
It seems to be some kind of standard policy for these types of services. But I do wonder what good it will do, because there is no check on whether the name and address etc. you write are real or fake. And even if you write a completely fake name, you still get to register.
 

KJTB

Member
Mithos said:
I really can't see why Sony need to store ANY information about me at all.

Login name (my mail address in this case), password and PSN ID (display name), that is ALL the information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

I agree. Didn't really think about this either though, why the fuck does Sony need my address?
 

Diablos

Member
Mithos said:
I really can't see why Sony need to store ANY information about me at all.

Login name (my mail address in this case), password and PSN ID (display name), that is ALL the information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.
Seriously. Store the name/addy/CC/etc info on the console and then the network reads it when making purchases, but wouldn't actually store it remotely.
 
Acquiescence said:
Well, if the PS4 is locked down tighter than the Queen's clacker then we'll know who to blame won't we!

*cough*GeoHot*cough* (if it wasn't obvious enough)

If PS4 and NGP aren't region free, I don't think it will have anything to do with hacking. Probably due to publisher pressure and seeing MS and Nintendo still have great success selling region locked consoles.
 
H_Prestige said:
If PS4 and NGP aren't region free, I don't think it will have anything to do with hacking. Probably due to publisher pressure and seeing MS and Nintendo still have great success selling region locked consoles.

Any publisher could region lock their games if they wanted to.
 

Ultima_5

Member
Any word yet on the status of everyone's credit card information? I'm kind of concerned about it, and want to be sure before I tell my parents (I used their credit card). I don't want them to become more paranoid about buying things over the internet than they have to...
 

test_account

XP-39C²
Ultima_5 said:
Any word yet on the status of everyone's credit card information? I'm kind of concerned about it, and want to be sure before I tell my parents (I used their credit card). I don't want them to become more paranoid about buying things over the internet than they have to...
Sony has said that the credit card information was encrypted on their server and that the CVV (security code on the back of the cards) was not stored. But aren't you protected against CC fraud regardless?
 
H_Prestige said:
Not on PS3 and PSP. That's what happens on the 360.

I'm almost 100% certain that at the start of this gen Sony said that region locking was up to publishers. I believe it was Phil Harrison that said it when he was asked about it. He mentioned that all of Sony's games would be region free but the publishers would have the option of locking or making it region free. Stranglehold was once region locked but Midway reversed their decision when a lot of backlash occurred from the announcement.

See? Sometimes it pays to whine, and whine loudly. Midway's decision to region-lock Stranglehold was decidedly uncool, and gamers, understandably, were pissed. So pissed that Midway have seemingly reversed the decision, a moderator on the official Stranglehold boards saying that both the regular edition and the collector's edition (the one with Hard-Boiled) are now region-free.

http://kotaku.com/285961/midway-backs-down-stranglehold-now-region+free
 

Ultima_5

Member
test_account said:
Sony has said that the credit card information was encrypted on their server and that the CVV (security code on the back of the cards) was not stored. But aren't you protected against CC fraud regardless?
I would assume so, but I figure it's better safe than sorry. Thank you.
 
SolidSnakex said:
I'm almost 100% certain that at the start of this gen Sony said that region locking was up to publishers. I believe it was Phil Harrison that said it when he was asked about it. He mentioned that all of Sony's games would be region free but the publishers would have the option of locking or making it region free. Stranglehold was once region locked but Midway reversed their decision when a lot of backlash occurred from the announcement.

http://kotaku.com/285961/midway-backs-down-stranglehold-now-region+free

If that were the case, I think the PS3 would have just as many region locked games as the 360. Instead it has a grand total of zero.

With Stranglehold, wasn't the issue that it came bundled with a Blu-ray movie?
 

test_account

XP-39C²
Ultima_5 said:
I would assume so, but I figure it's better safe than sorry. Thank you.
No problem =)

For sure, it doesn't hurt to be safe rather than sorry. I wouldn't want my card to be abused even if I am protected. But I just wanted to mention/ask it since even if your card should be abused by someone else, at least (hopefully) you're protected against losing money :)
 
H_Prestige said:
If that were the case, I think the ps3 would have just as many region locked games as 360. Instead it has a grand total of zero.

I disagree. Doesn't MS region lock some of their games? If they do then why shouldn't third party publishers? On the other hand Sony doesn't region lock any of their games. If you set a standard then publishers will often follow it. The standard on the PS3 is that the games are region free and if you don't do it then you get the type of reaction that Midway received.

H_Prestige said:
With Stranglehold, wasn't the issue that it came bundled with a Blu-ray movie?

No, they were region locking both the standard and collector's versions.
 
Metalmurphy said:
No we don't. Did you miss the other guy saying that the header meant nothing?
If you're going to spoof headers you don't spoof with some random version from a couple of months back. You put something else in completely (so that at first glance it isn't even Apache / Linux, reduces automated attacks) or remove the version number altogether (far more effort to identify actual version and which attack vectors you should be using).

...and yeah, having your logs visible to the world is that bad. When someone is attacking your servers it lets them know exactly what's having an effect and what's not simply by looking at the results the server is logging. More than that, certain things being reported vs not can let you know exactly what's running on a server which enables you to target your attack far more precisely.
 

kamorra

Fuck Cancer
Cruzader said:
Obviously Sony are the only company to get hacked these days. Very incompetent compared to Visa or Amazon or some government agency.

There was a data leak at Visa and Amazon?
 

test_account

XP-39C²
pix said:
PS3 HACKED!!!! FERP'S THREE PSN SAFETY STEPS 4 U ;-)

Probably already posted but this is great lol
Hehe =) Maybe it has been posted before, but I didn't see it before, at least.


Psychotext said:
If you're going to spoof headers you don't spoof with some random version from a couple of months back. You put something else in completely (so that at first glance it isn't even Apache / Linux, reduces automated attacks) or remove the version number altogether (far more effort to identify actual version and which attack vectors you should be using).

...and yeah, having your logs visible to the world is that bad. When someone is attacking your servers it lets them know exactly what's having an effect and what's not simply by looking at the results the server is logging. More than that, certain things being reported vs not can let you know exactly what's running on a server which enables you to target your attack far more precisely.
Which logs are these?
 

obonicus

Member
Psychotext said:
We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).

Where did you see 'security logs'? They were HTTP request logs. And how are logs an excellent attack vector? Unless someone screwed up a log implementation, the worst I can see them doing is giving the perpetrator insight into how the server is responding when they attempt their shenanigans. You shouldn't have them be public, but they're not the smoking gun you claim they are.

Just as an aside, people should be clear about how they're speculating about what the attack is about. No one has any idea about what actually happened; when people state authoritatively 'xxx was out of date' you have less tech-savvy people actually believing this to be the cause.
 

test_account

XP-39C²
Metalmurphy said:
GraceNote Proxy log that had nothing to do with the hack.
What is that? I saw some screenshot of something that someone claimed to be a PSN access log, but I don't really know what this was about.
 
obonicus said:
You shouldn't have them be public, but they're not the smoking gun you claim they are.
Never said they were a smoking gun, but if you're making mistakes on basic level security aspects like that then you're making them elsewhere. That's just an example we have clear proof of.

That said, it's quite possible that security on those servers was handled by a completely separate team. Though any network is only as good as its weakest security, with any breach providing a potential jumping point to the intended target.

Hopefully we'll eventually find out (via the congress questions most likely) how their network was breached and then we'll know exactly what they did wrong. It's highly unlikely they were attacked with a previously unknown platform vulnerability (because it wouldn't have just been them taken out, there are far tastier morsels out there)... but who knows if we'll ever get to see that information.
 
test_account said:
What is that? I saw some screenshot of something that someone claimed to be a PSN access log, but I don't really know what this was about.
It's not a PSN access log, it's just the Gracenote server log.

http://shockwavelounge.blogspot.com/2011/04/playstation-network-log-of-hacker.html
(just disregard the actual article text as it's completely incorrect)

nickslicl said:
Hm, just got prompted to d/l a LBP 2 update.
Update servers are separate from PSN servers.
 

obonicus

Member
Psychotext said:
Never said they were a smoking gun, but if you're making mistakes on basic level security aspects like that then you're making them elsewhere. That's just an example we have clear proof of.

We don't need that to say that Sony's security might have huge holes. The RNG thing on the PS3 is a much more blatant indication, honestly.

That said, it's quite possible that security on those servers was handled by a completely separate team. Though any network is only as good as its weakest security, with any breach providing a potential jumping point to the intended target.

True, but even the supposed unpatched exploits mentioned briefly in that pasties note don't mean the server necessarily was exploitable. They may depend on payloads that are difficult to take advantage of. Ideally they would be patched, and they may have been the point of entry, but it could just as easily have been something else.

Hopefully we'll eventually find out (via the congress questions most likely) how their network was breached and then we'll know exactly what they did wrong. It's highly unlikely they were attacked with a previously unknown platform vulnerability (because it wouldn't have just been them taken out, there are far tastier morsels out there)... but who knows if we'll ever get to see that information.

Oh, definitely, there was some hole in their system and it probably was old. There always is. I'm just saying that we shouldn't point to any of the known issues so far as more than speculation, because there's no confirmation, and none of them so far is a gaping hole that had to be the point of failure. PSN is a juicy target, though, so I wouldn't rule out a 'new' exploit for that reason, but more because generally it's something already known that is exploited. Even with good turnover, patching a server on a production system requires a lot of planning.
 
obonicus said:
We don't need that to say that Sony's security might have huge holes. The RNG thing on the PS3 is a much more blatant indication, honestly.
Because network security and console security are one and the same, and done by the same people.
 
RuGalz said:
They clearly stated that the CC table was encrypted and didn't mention anything about personal information being encrypted. So draw your own conclusion from that.

Plenty of forums and smaller e-commerce sites don't encrypt passwords because it's not a requirement and adds burden to the system; or it's just an old system that hasn't been updated. The most recent dslreports.com breach, for example, leaked people's info including passwords in plain text. While you may think it's illogical, I wouldn't assume it is a standard practice.

If you have ever coded a website or service in the last 5 years (PSN went online in 2006 I think) and you don't use encryption on your passwords, you are doing something very, very wrong.

Of course you can debate the level of encryption that certain systems use (the forum you are on now probably uses the standard vBulletin one, which is an md5 encryption of your password, then salt it and md5 encrypt again), but no encryption is just stupid.

I hope Sony clears this up tomorrow. And I too am amazed by dslreports btw.
 

KaYotiX

Banned
kamorra said:
There was a data leak at Visa and Amazon?
If you use a CC at all you should assume your info is out in the wild. Pay attention to statements every month. It should be common practice by now; if you never check your statements then you're asking to be taken advantage of.
 

obonicus

Member
Metalmurphy said:
Because network security and console security are one and the same, and done by the same people.

Of course not, but it suggests that code and systems may not be audited or inspected as closely as they should be.
 

plainr_

Member
I think Sony needs to give us an option (like XBL) to change account names. I don't feel comfortable knowing that there is probably a database out there that one could use to find out where I live simply by entering my PSN ID. Hilarious as it sounds, I have had some people genuinely pissed off at me for accidentally team killing them. God knows what these people are capable of if they get hold of our personal info.
 

Raistlin

Post Count: 9999
Mithos said:
I really can't see why Sony need to store ANY information about me at all.

Login name (my mail address in this case), password and PSN ID (display name), that is ALL the information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.
Actually age is a legal requirement in many territories.

As for CC info, do they always record it or can you do per-purchase transactions? (serious question)
 

RuGalz

Member
Raistlin said:
Actually age is a legal requirement in many territories.

As for CC info, do they always record it or can you do per-purchase transactions? (serious question)

I remember it's optional if you want to store CC info. (or maybe I always go and delete it after I make a purchase).
 