Breakdown of today PSN hacking conference (in detail)

by Aftermathrar from Reddit


These were the major points that I caught, let me know if I missed any or misinterpreted them. X-posted from r/ps3, hopefully no one minds. A lot of this seems to be summed up in the latest blog post as well: http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/

About the attack

  • Not related to Anonymous, although they did bring up that they were being attacked by them for the past few months (repeatedly stated it was limited to DDoS).
  • This intrusion was very skillful and passed their firewall and other security measures because it looked like a normal transaction. It then made a tunnel and had a command attached as a trigger, at which point it was able to be manipulated remotely.
  • The attack used a known vulnerability. However, this vulnerability was not known to the management (really hope I understood that part correctly since it’s a biggie). Since then, security measures have been improved against that mechanism of attack.
  • Because it was an advanced attack and left “no traces”, they didn’t learn of it until the 19th/20th of April. They still aren’t aware of the scope of the data compromised, but say that CC info was a low possibility, since it was stored in a different part of the database and not likely read.
  • It took them until the 27th of April to confirm that data was compromised. They had been working with 3 different analysis entities starting from the 20th.
  • Information from up to 78 million accounts was taken, but some were likely duplicate/backup accounts. They later were asked about sales data, and said that 37 million PS3s and 16 million PSPs had connected to PSN (install base of 50/69mil). There were 10 million Credit Cards connected to PSN at some point.
  • From what I understood, it seems that Sony will be doing more testing/inspection of its security measures to prevent future incidents like this. At the time though, SNEI believed their security to be good enough.

Compromised Information

  • Hirai said that no improper CC usage has been reported and they have no evidence of CC info being compromised. They said that Sony will pay for CC reissuing and assist with monitoring/insurance programs for customers. If there are any improper charges, they will be handled on a case-by-case basis.
  • CC info was encrypted and stored in a different part of the database from user personal information. Because of this, user information and CC information are being categorized separately.
  • User passwords were not encrypted, but were hashed.
  • Sony is still analyzing data from the attack, so they weren’t saying a whole lot about what had been taken.

Investigation

  • Entities from outside of Japan have contacted Sony and requested that they cooperate with their investigation process. FBI HQ seems to be the most involved currently. List of questions from USA House of Representatives has been received.
  • Didn’t give any more information, just said that investigations had been started globally.
  • They weren’t aware of the extent of the attack until the 27th of April, the conference was delayed because there was much more that they wanted to work out (in terms of compensation and other considerations).

Resumption of Services and Compensation

  • PSN compensation and CC-type compensation are being considered separately. Sony says they will cover credit card reissuing fees and will assist with credit monitoring/insurance programs.
  • Again saying that PSN will be online “within a week.” Going to be incrementally bringing services back online. Different regions may see services at different times.
  • All PSN users will get one free month of PSN+ (current PSN+ subscribers will also get 30 free days), Qriocity subscribers will get a free month, and there will be some titles available for free download. Will differ based on region and their plans are not finalized as of yet.
  • All services to be back online within a month.
  • As far as cost to Sony, they weren’t sure and it’d vary by region, but $15-$20 for PSN+ and a few thousand yen for the titles.

Immediate Actions Being Taken

  • Moving the data center from San Diego to a more secure location and adding new detection measures, firewalls, and encryption to make data more secure. Creating a new job position to monitor security. These things have already been done to an extent, but they wouldn’t comment specifically out of security considerations.
  • Sony is going to have a way for users to look at purchase history online (I think before PSN is actually up) to check for any abnormalities.
  • Sony will allow users to leave PSN. They are looking into ways to refund any balances on PSN or PSN+ fees if those exist for the user. There was one conflicting answer about this, but I’m pretty sure they’re working on a system to allow users to leave and erase their info if they desire.
  • Firmware will need to be updated as soon as PSN is back up and users will need to change their password. Passwords can only be changed on the PS3 system the account was created on or via a verified email address. That seemed like a super important point, but it was only mentioned once. However, that means people don’t have to worry about a mad dash to change their password before a hacker does. As far as users changing a password from “A” to “B” and then back to “A,” they’ll alert users if they’re doing something like that, or if it’s close to their username or something.
  • Apparently the updates in Japan were even slower than the ones in the US/EU, so in Japan they’re probably going to set up a blog similar to the NA/EU.
  • Tablet/NGP launch dates will not be affected.
  • They’ll possibly be taking measures against the root key thing, although this part wasn’t clear and there was a lot of rambling.
  • Want to re-earn user trust as well as developer trust on the PSN ecosystem.
  • They actually apologized for the incident!!

One response

  1. Homicidal

    It seems that we’re getting some benefit out of this after all. Free PSN+ for a month and a whole bunch of free games. I think Sony are handling this pretty well.

    It’s nice of them to cover the credit card reissuing fees too. Thankfully most of us in Kuwait aren’t affected since we mostly use those PSN Store cards.
