Then, like the rest of the 77 million users, I got a seriously unapologetic letter from PSN:
| Valued PlayStation Network/Qriocity Customer: We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. (This was related to the DDoS attack from Anonymous.) In response to this intrusion, we have:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. (Why the fuck was it NOT encrypted?) It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. (And this too?) If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. (Now this is really serious. They are not telling us whether our credit cards have been encrypted properly. They do know, and they are not telling us.) For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. (Why would I log on again, if ever?) Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. 
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports. (So you are not taking any responsibility?) We thank you for your patience (Actually I do not have any patience) as we complete our investigation of this incident, and we regret any inconvenience. (Oh really. We regret any inconvenience? Really? I am not one of those gamers who live on the PSN, but this is my credit card that 77 million of us are talking about, and it's "regret for any inconvenience?") Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at au.playstation.com/psnoutage should you have any additional questions. Sincerely, Sony Network Entertainment and Sony Computer Entertainment Teams |
Steve Gibson has talked about this on Security Now (www.grc.com): the fact that they advised that the hackers may have got your password implies that it was stored IN THE CLEAR. If it had been stored as a salted hash, the attacker would have walked away with a table of salts and digests instead of passwords, and would have had to crack each one individually. Same with the credit cards: card numbers cannot be hashed, because the merchant has to read them back to charge you, but they should at least have been encrypted at rest with the key held somewhere other than the database that was stolen.
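To make the difference concrete, here is an added example (my own code, not anything from the post, from Security Now or from Sony) that stores a few constructed accounts two ways, in the clear and as salted PBKDF2 hashes, and then shows what a thief who copies the table actually learns in each case. The usernames, passwords and the iteration count are assumptions for illustration; the point is that a leaked plaintext table is the passwords, whereas a leaked hash table still has to be cracked one guess per user, and a weak password is still recoverable that way.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (made up for this example, not real PSN users).
# Two of them deliberately share a password, so the effect of the salt is visible.
SAMPLE_USERS = {
    "gamer_one": "hunter2",
    "gamer_two": "hunter2",
    "gamer_three": "correct horse battery staple",
}

# Assumption: a work factor a 2011-era login server could afford per authentication.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(users):
    """The bad design: the table row *is* the password, so a copy of the DB is the breach."""
    return {user: {"password": pw} for user, pw in users.items()}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive (salt, digest) with PBKDF2-HMAC-SHA256 and a fresh 16-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def store_hashed(users):
    """The intended design: only salt + digest are kept; the password itself is discarded."""
    table = {}
    for user, pw in users.items():
        salt, digest = hash_password(pw)
        table[user] = {"salt": salt, "digest": digest}
    return table


def verify(record, candidate):
    """Login check: recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def breach_reveals(table):
    """What an attacker holding a copy of the table gets for free, without any cracking."""
    return {user: row["password"] for user, row in table.items() if "password" in row}


def offline_crack(table, wordlist):
    """Dictionary attack on a stolen salted-hash table.

    Because every user has a different salt, each guess must be hashed separately for
    each user: cost is len(wordlist) * len(table) PBKDF2 runs, not len(wordlist).
    Returns the accounts whose password appeared in the wordlist.
    """
    cracked = {}
    for user, row in table.items():
        for guess in wordlist:
            if verify(row, guess):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    clear = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext table leaks:", breach_reveals(clear))
    print("hashed table leaks:", breach_reveals(hashed))
    print("same password, different digests:",
          hashed["gamer_one"]["digest"] != hashed["gamer_two"]["digest"])
    print("dictionary attack recovers:", offline_crack(hashed, ["password", "123456", "hunter2"]))
```

Running it shows the plaintext table giving up all three passwords at once, the hashed table giving up nothing directly, and a three-word dictionary still recovering the two "hunter2" accounts, each at the full PBKDF2 cost. That is why salting and a slow hash reduce the blast radius of a stolen database rather than eliminating it, and why the advice to change a reused password still stands even when the operator did hash.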
Later reports have said that they were running an old, unpatched version of Apache AND had NO FUCKING FIREWALL in front of the PSN! Yet Sony was very quick to point the finger at Anonymous.
Sony's stock has dropped a fair bit since the incident. If Sony had been transparent, like LastPass, and told us exactly what went on, it wouldn't have turned into such a PR disaster. But then, they couldn't, could they? How can they tell the public that they were running unpatched web servers, had no firewall, and on top of that stored all passwords and customer information in the clear?
It is unforgivable that a company the size and wealth of Sony did not care about security (or so it seems from what was done). I don't care if it's free; after all, we gave you our credit card details AND bought from you.
On a side note, working in the ICT sector, I see that the cost of security is never treated as a cost until there is a breach. The backend networks are mostly more complex than required due to uncontrolled growth, and management is quick to find scapegoats (the guys who did the work), fire them all, and then announce that "we've fixed the problem." My opinion is that the senior managers who continually reject requests for additional funding and resources are the people who should be fired, not the poor bloke who did what he was told.