I have been skimming the glut of news stories covering the PlayStation hack following Sony’s statement yesterday.
The issues that keep coming back to me are these:
1. Sony, like any company who keeps customer account details, is responsible for keeping this sensitive data safe.
So the question is, how could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.
Perhaps the data was indeed encrypted, but if it was, how come Sony hasn't said so?
Let’s say I accidentally leave my front door ajar, leave the house for a few days, and return to find that I was robbed. People will say I am a bit of a dodo brain, but I will still get sympathy from friends and family, and we will all blame the thief.
But, if I convince all my friends and family to trust me with their prized possessions, pile their valuables on my coffee table, and then leave the front door open, I doubt they will be very supportive when I meekly approach them saying, “whoopsie – someone took them. These things happen, right?”
So it is no wonder that so many people are annoyed. They have a right to be.
2. What the F*** happened at PSN?
Having read Sony’s statement, they thank their “valued” customers for patience/goodwill/understanding (annoying in itself since I doubt many feel patient, generous or understanding). They also tell you to be wary of scams, which is all well and good.
But they don’t tell us what happened.
I really REALLY want Sony to stand up and explain how the company screwed up, how the bad guys got into their system, and why the data wasn’t properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc.
(Shall we place a bet on whether an APT was responsible? – sorry, couldn’t help it…)
It won’t get your data back, but at least we’ll all have some idea of how this happened. And it might do wonders to repair the trust issues it is bound to face with its stakeholders. More importantly, it will help other companies learn from Sony’s mistakes.
True, it can take some time to sort through all the bits and bobs before you provide a detailed explanation. But Sony set a rather slooooooow pace by waiting a week between its first announcement and yesterday’s statement.
So what can you do?
Read advice on your next steps, including changing your passwords and credit cards, from fellow Naked Security writer Graham Cluley.
Affected users have also been invited to get in touch directly with Sony if you have any questions.
Why not ask for a public explanation and apology? Feel free to share the response with Naked Security.
Some good questions to ask them! Another one that caught my eye:
"we believe that an unauthorized person has obtained the following information that you provided…PlayStation Network/Qriocity password and login"
The password? Really? But this should be hashed, right? I shouldn't need to change my passwords since the attacker just obtained non-reversible hashes….right???
Don't tell me they were in plain text….
We are in the midst of complying with PCI standard, and the first words out of my mouth were "Uhh, PCI anyone?" And I'm willing to bet we are a LOT smaller than PSN in terms of amount of card processing done per month.
Their failure to provide details of any technical nature is disturbing. I mean, RSA got hacked and they did full disclosure. Why can't PSN?
typo: It won't get your data back, but at least *they will you will* have some idea of
Thanks, I've fixed on Carole's behalf.
If user passwords and security question answers have been compromised, that means they are stored in plain text. Or at best two-way encrypted. Even I know it's safer to use one-way encryption/hashing. I'd expect a giant like Sony to do this too. Right?
I lost all trust in Sony years ago when the rootkit thing first surfaced (and then they did it again iirc). Fortunately I do not have a Playstation account, but my brother does. It's amazing how they can consistently treat their customers like dirt, when they're not even the best at anything. Not #1 console, not #1 handheld game, not #1 e-reader, laptop, wristwatch, radio, not #1 anything I can think of. They're third and fourth place all around but act like everyone owes them something.
Funnily enough, I expect Japanese businesses to have higher standards of corporate ethics than American ones.
I always get a chuckle when I see a statement like "More importantly, it will help other companies learn from Sony's mistakes". This type of thing has been going on long enough that the companies that have the ability to learn from others' mistakes have already done so; all the ones that can't/won't learn or don't care are the ones we see here every week or two.
It’s not that bad. Time to move on. Besides xbox live was down for 15 days in the past. Xbox live is a subscription service whereas PSN is free. Every one in the western world has their data in the hands of hackers already. This same situation happened at Verizon Wireless a few weeks ago.
While I agree that companies are responsible for keeping account data safe, the way you word it makes it sound like the hackers did nothing to get to the data. A more proper analogy would probably be,
"You left your house, shut the first door, locked all three locks, shut the second door, entered the keycode to lock the door, and finally shut and locked the vault door. But you didn't realize that someone had been watching you, and investigating exactly what security you were using, to exploit the holes."
No data is 100% safe, and yes, Sony messed up, but don't make it sound so trivial. Hackers didn't just walk in and steal the data. It was a targeted operation requiring a lot of work to be accomplished.
Secondly, you ask WTF happened to PSN?! Well, data breaches require an enormous amount of investigation, so Sony cannot just come out immediately and say exactly what happened. It can take a very long time to follow the trail to what happened, and exactly what information had been compromised. Sony isn’t holding out on its customers because they want to. They will explain what happened when they know what happened. It’s not like the hackers left a note detailing how they breached the system.
Please don’t paint this like it’s something simple.
Added to this, there’s a very good reason Sony doesn’t apologize… it’s the same reason NO large business apologizes anymore: apology is admission of guilt. If they apologize, they’ll be sunk in thousands of related lawsuits, and heads will roll. If they play their cards as close as is legally possible, the entire fiasco will eventually blow over and everyone will forget about it, just like they did about the two (two!) rootkit fiascos and the various other Sony shenanigans that have occurred over the years.
RSA can do full disclosure because they’re a security company, and they were adhering to best practices when their data leaked — they can say “oops, sorry about that. We did everything we could, and it wasn’t enough.” Sony’s not about to say “oops, sorry about that. We ignored your privacy rights, ignored our responsibilities to a number of privacy laws and industry certifications world-wide, and are still not completely sure about what was done due to our lack of a solid Information Security policy.”
You see, it appears that the way Sony PSN (not Sony, they protect themselves behind single incorporation for each of their subsidiaries) stored their data, it likely failed not only PCI compliance (which means they shouldn’t have been processing credit cards — their CC processing rating’s about to take a dive) but also the BC, Ontario and Quebec data privacy acts in Canada, and likely a number of others across North America.
If they don't know some of the details by now, it isn't a good sign they ever will. Waiting a week and still not telling their customers very much isn't good business.
Finally, you say, “So the question is, How could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.”
Just because the data was taken, does not mean it is not encrypted. Encrypted data can still be taken, it will just take some more work to get to the data once you have the encrypted files. Sony still has to let their customers know that the data was taken, because the data could be decrypted and then used.
From the playstation blog:
"I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon. "
http://blog.us.playstation.com/2011/04/26/clarify…
In other words, they only just found out that personal data was stolen (if they are telling the truth). I also want to remind people that we still don't know yet if the data was or was not encrypted. Calm down a bit until we know for sure, ne?
Why did hackers target Sony? Did they know it would be a good haul? Did they know it would be easy? Could this be part of a recent downward slide for Sony thinking they are too big to hurt? Remember the battery recalls. Could people be upset with Sony? They did remove features from the PlayStation that people had paid good money for!
Why did hackers target Sony?
Maybe with Sony's experience writing rootkits, they saw Sony as competition.
Everybody in the world seems to be asking "why didn't they encrypt the data?" Cryptography is seen as fairy dust: just add "encryption" (whatever that means) and now your data is safe. Bla bla.
I'm sorry but while this is understandable for newbies, anybody working in the security industry should understand it. Encryption is just a way to swap a big secret (a database of 70 million users) with a smaller one (the encryption key) – but you still have a secret (of same value) to keep.
Take your house analogy. After having been robbed once, you decide to put in the strongest door and lock (AES+Blowfish+Serpent). OK, but if the thief is able to get the key, he will still be able to easily get inside your house and steal your belongings.
In other words, any system which actually processes some data will need to have the encryption/decryption key – if you can break in this system, then you get the key and can get at the data even if it is stored encrypted.
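The two comments above (the one asking why an attacker holding "non-reversible hashes" would force a password change, and this one about encryption only swapping a large secret for a smaller one) are easiest to see side by side in code. The following is an added example, not code from the original post, its comments, or Sony; nothing is known about how PSN actually stored credentials. It uses only the Python standard library, so the reversible cipher is an HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM (it has no authentication and is for illustration only), and the wordlist, key and passwords are constructed sample data. It shows three outcomes of a breach where the attacker gets both the database and the application host: encrypted passwords come back as plaintext because the key lives with the application; fast unsalted hashes fall to a dictionary in one pass; a salted, slow PBKDF2 record still gives up a weak password, only more slowly, while a strong one survives the same wordlist. That last point is why "the hashes were stolen" is not a reason to skip changing a password.

```python
"""Added example: what 'encrypted' and 'hashed' actually promise once the
attacker has the database (and, for encryption, the host holding the key).
Not Sony's code; all data below is constructed for illustration."""
import hashlib
import hmac
import os

# Constructed wordlist: the kind of guesses an offline cracker tries first.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


# --- Reversible encryption: the key is a second secret the app must hold ---

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. A stand-in PRF keystream for the demo;
    it is unauthenticated, so use a vetted AEAD (AES-GCM) in real systems."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def attacker_with_key_and_db(key, stored_blob):
    """Hypothetical attacker who owns the app host (key) and the DB row."""
    return decrypt(key, stored_blob).decode()


# --- One-way hashing, fast and unsalted: reversible enough in practice ---

def fast_unsalted_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_fast_hash(digest, wordlist):
    """Offline dictionary attack; one SHA-1 per guess, no salt to slow it."""
    for guess in wordlist:
        if fast_unsalted_hash(guess) == digest:
            return guess
    return None


# --- One-way hashing done properly: per-user salt, deliberately slow KDF ---

def make_record(password, iterations=50_000):
    """What the server stores: (salt, iteration count, derived key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, dk)


def verify_record(password, record):
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_record(record, wordlist):
    """Same dictionary attack; each guess now costs a full PBKDF2 run."""
    for guess in wordlist:
        if verify_record(guess, record):
            return guess
    return None


def breach_outcomes(iterations=50_000):
    """Simulate one breach against three storage schemes; returns what the
    attacker learns in each case (None means the password was not recovered)."""
    key = os.urandom(32)                       # the app server's DB key
    weak, strong = "password123", "Tq7!vR2#mLp9@zH"   # constructed passwords
    return {
        "encrypted_password_recovered":
            attacker_with_key_and_db(key, encrypt(key, weak.encode())),
        "fast_hash_cracked":
            crack_fast_hash(fast_unsalted_hash(weak), WORDLIST),
        "slow_hash_weak_cracked":
            crack_record(make_record(weak, iterations), WORDLIST),
        "slow_hash_strong_cracked":
            crack_record(make_record(strong, iterations), WORDLIST),
    }


if __name__ == "__main__":
    for scheme, result in breach_outcomes().items():
        print(f"{scheme}: {result!r}")
```

The iteration count is kept low so the demo runs in a second or two; production deployments use far higher work factors (or Argon2/scrypt/bcrypt), which only widens the gap between the "fast hash" and "slow hash" rows without changing the lesson: a weak password is recoverable from any of these stores, and an encryption key stored beside the data it protects is the same secret wearing a smaller hat.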
A huge tech company like Sony should have a disaster plan in place for just such an occurrence. One that gets the system back up in a reasonable time frame. I simply cannot imagine telling our customers internet banking is down and we have no idea when it will be back. Just be patient and wait; when it comes back it will be better. My bosses would fire me and the whole department if we gave them such an answer.
Sony's disaster plan has failed miserably. Sony needs to get the network back up and running yesterday. This console is designed to be online and that functionality is gone. The time frame for return is simply unacceptable.
Sony has failed its trusted customer base in many ways on this one and is continuing to fail us.
It seems since Sony is a very large corporation, an incident like this attracts way more attention (and lawsuits) than a smaller firm would. In fact many smaller online entities have been hacked and data compromised, but since they are smaller, not much news was made of it.
Personally the last Sony product I purchased was a PS2 (this has nothing to do with Sony as a manufacturer…just that other products served my needs better). With this development I am very glad of this. And of course I will be leery of Sony products and services from now on. This is not to say that I would refuse to use or buy them however.
I have the gut feeling that Sony irritated too many hackers. Personally I feel that Sony has acted inappropriately regarding such things as people modifying their own units to utilise self-made content, etc. Hackers naturally feel even more strongly on this matter. And several probably got together and decided to take their misplaced revenge.