
Sony's PSN Attacked Again! 93,000 Accounts Compromised!


LunarEdge


As much as it sucks that the PSN is down, it isn't so bad IMO. Yeah, the hacking part and the possibility of my personal info being out there does suck, but not being able to access online play isn't so bad if you ask me. If anything, I've had my time pretty occupied and less distracted since PSN was taken down. Also, my friends and myself have been hanging out more and playing more local games since the system was shut down.

  • Thumbs Up 1
Link to comment
Share on other sites

The likelihood of a third attack succeeding is slim. SOE got hacked first and it seemed nobody was watching until PSN got hacked shortly after - thusly no security upgrades and running on the same security ideology.

The third strike would have to be a success going through the original security, the enhanced security from Sony, the additional security from the 1Billion dollar firm they hired and I think I read of a second security firm assisting with firewalls. Long story short, they're going to be hacking a completely different animal. Especially if there is a mandatory forced firmware upgrade required to access the new PSN, most likely a similar firmware base but with a new/rebuilt security system. I can't see a third attack happening successfully, and I'll be happy watching Sony take the opportunity to monitor their network and get these little twats.

Seriously I want to use the major C word on these bunch of tarts, despite what they or anyone else may say, these people are a disgrace to themselves, and a disgrace if they even dare try using the "greater good" argument when they get found. They are helping nobody with this, meaning this is just unwarranted cyber-terrorism, about as "greater good" as terrorism tends to be. I'm not too affected, I cancelled my card and am waiting on a new one to be issued to me from my bank, so if they even have my card details good luck using them. I just hope these people's electrical plugs overheat and they burn in their sleep. That will be a good day for humanity.

Roareye Black.

This.

Hacking a network the first time, and again shortly afterwards is one thing. However, hacking a restructured network with many, many more security measures, with many a security firm and even Federal Agencies monitoring every little detail, is a completely different beast. It could also lead to them getting caught....I hope.

  • Thumbs Up 1
Link to comment
Share on other sites

As expected, the restoration has been delayed.

Service Restoration Update

As you may know, we’ve begun the process of restoring the service through internal testing of the new system. We’re still working to confirm the security of the network infrastructure, as well as working with a variety of outside entities to confirm with them of the security of the system. Verifying the system security is vital for the process of restoration. Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online.

As you’ve heard us say, our utmost priorities are the security of the network and ensuring your data is safe. We won’t restore the services until we can test the system’s strength in these respects.

When we held the press conference in Japan last week, based on what we knew, we expected to have the services online within a week. We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system. We know many of you are wanting to play games online, chat with your friends and enjoy all of the services PlayStation Network and Qriocity services have to offer, and trust me when I say we’re doing everything we can to make it happen. We will update you with more information as soon as we have it. We apologize for the delay and inconvenience of this network outage.

http://blog.eu.playstation.com/2011/05/07/service-restoration-update/

http://blog.us.playstation.com/2011/05/06/service-restoration-update/

Link to comment
Share on other sites

You have got to be kidding me. Another delay.

Well I'm off to put my PSN card and Cecil code in a warehouse in a big tight sealed box handled by topmen because there's no way I'll get to use this stuff.

Top. Men.

Raiders_Of_The_Lost_Ark_Government_Warehouse2.jpg

  • Thumbs Up 1
Link to comment
Share on other sites

Oh, by the way? Those personal details were actually released.

Sony on Friday said it would have to further delay the return of PlayStation Network following a massive security breach, just as reports stated hackers posted personal details stolen from a Sony database.

According to Reuters report out of Tokyo, Sony was able to remove those published details from a website, although the report didn't say exactly what website hosted the stolen information.

Personal details of some 2,500 people were posted, including names and "some addresses" that were in a 2001 database. The security breach has affected 77 million PSN and Qriocity accounts, and 24.6 million Sony Online Entertainment accounts.

Ouch.

Also:

Sony is also reportedly considering offering a reward for help in catching the perpetrators of the cyber attack, according to Wall Street Journal's All Things Digital blog, which cited "people familiar with the matter."

Huh.

Edited by Masaru Daimon
Link to comment
Share on other sites

2001 Database? I wasn't aware that PSN even existed back then. OK, maybe SOE did, but they don't have anywhere near 77 Million Users on that database.

Also, seeing as I haven't seen those details floating around anywhere, it seems Sony managed to get the site down before anything could come of it. Which does correspond to them having hired several security firms to handle security. They must be watching the net like hawks.

Also:

Huh.

That's sort of cool. I guess it provides more incentive for regular folk, who happened to be well learned in the whole "hacking" Business, to go out there and find these fuck-faces.

You have got to be kidding me. Another delay.

Honestly, I don't care.

I'd rather have top notch, fully tested security and a delayed relaunch, than the system going online quickly and suffering another attack later on.

Edited by Scar
  • Thumbs Up 3
Link to comment
Share on other sites

2001, eh? I must have missed something because I couldn't log in on PSN from my PS2.

e: hah, beaten. Shouldn't have gone to get some candy from the bowl.

Edited by Dobkeratops
Link to comment
Share on other sites

I'd prefer they get it up working rather than get it up only to have it go down again as a result of whatever fuckers made the promise to take it down a third time.

2001 Database? I wasn't aware that PSN even existed back then.

EverQuest_Coverart.png

Probably.

Edited by Tornado
  • Thumbs Up 1
Link to comment
Share on other sites

Just when you think it's over.....

Sony Hackers Rumored To Be Planning Third Wave Of Attacks

Just when you think it’s over…it’s not over. The as-yet-unnamed group of hackers who infiltrated the Sony network are planning a third “major attack” against the company, according to Cnet.

News of these new plans was leaked by a user in a hacker chat room who says he’s personally seen various discussion threads related to this latest threat.

According to the witness in question, the group of hackers has already infiltrated several Sony servers. They intend to amass as much personal data as possible and then go public with it.

It’s still not known whether the group known only as Anonymous has anything to do with the attacks on Sony. So far, Anonymous has denied playing any role whatsoever in the PlayStation Network and Sony Online Entertainment attacks.

The failure of Sony’s security network has resulted in investigations by the FBI, the Department of Justice, Congress, and the New York State Attorney General, as well as data security and privacy authorities in the U.K., Canada, and Taiwan, just to name a few.

It is thought that this latest round of attacks could happen as early as this weekend.

I have a feeling someone already posted this.

Edited by Ultimate X360
Link to comment
Share on other sites

Just when you think it's over.....

I have a feeling someone already posted this.

Yep, we already know about this.

And this is probably why the PSN relaunch has been delayed. How can you hack something which isn't even active for people outside of workers?

Link to comment
Share on other sites

How can you hack something which isn't even active for people outside of workers?

That's how pro the hacker is. So you better hide yo kids, hide yo wife and hide everything else too.

  • Thumbs Up 1
Link to comment
Share on other sites

Luckily I wasn't able to buy a PS3 yet, so I don't have to fear about this :). But I hope all this thing's over when I can buy one

  • Thumbs Up 1
Link to comment
Share on other sites

From the comments of the first article in my last post:

Worth noting there's a bit of a misrepresentation (a mistranslation by Reuters?) of the latest breach: the data of the 2,500 sweepstakes contestants was posted by Sony staff on an employee-use server which, for some reason, had public access enabled. All the "hackers" did was post the address all over the net.

So. Much. Fail.

Excuse me while I bang my head against a wall repeatedly. It's amazing how this company has so many incompetent employees.

Link to comment
Share on other sites

From the comments of the first article in my last post:

So. Much. Fail.

Excuse me while I bang my head against a wall repeatedly. It's amazing how this company has so many incompetent employees.

Wasn't that 2500 personal info stuff from a 2001 database? Also, is there any proof of this? I've seen a lot of these random comments.

Also, are you looking for things that Sony did wrong? It certainly seems like it.

Edited by Scar
  • Thumbs Up 1
Link to comment
Share on other sites

If a questionable matter regarding any party is raised I personally think it's more than okay to post it. That's what a forum is for after all, y'know, discussing things. It doesn't matter if it's "trying to find mistakes Sony did", it's bloody obvious people want to do that. User information was extorted and we'd love to know how and why, whether or not we're in some kind of risk, and if it's proven to be not true then hey, we're all completely okay with that aren't we?

That said I myself do wonder whether there is any merit to that comment. The comment was first made aware over at Retro though.

Edited by Carbo
Link to comment
Share on other sites

That said I myself do wonder whether there is any merit to that comment. The comment was first made aware over at Retro though.

Yeah, it was first made aware over at Retro. Pretty much all of my links and quotes and stuff comes from Retro, who are far less inclined to dismiss such things immediately.

Let's be frank, I've repeatedly said that I don't condone what these hackers are doing, but I'm certainly not giving Sony the benefit of the doubt. As Carbo said, I personally would like to know the full, true details of how and why - and there are heavy implications that there has been gross negligence of online security on Sony's part, which is especially why I have no intention of letting them play the victim card, and as far as I and many people I know are concerned, Sony deserves whatever heat they get.

That being said, I don't go actively looking for these things, I'm just the guy who passes on stuff from Retro. XD

Link to comment
Share on other sites

From the comments of the first article in my last post:

So. Much. Fail.

Excuse me while I bang my head against a wall repeatedly. It's amazing how this company has so many incompetent employees.

I don't think you're really in any position to comment on incompetency considering all the complete and utter bollocks you've posted in this topic so far regarding information and claims that's turned out to be completely wrong.

I could set my watch by it, every time I log in I find another link by you in this topic and it's to a claim that's completely wrong or made up.

Edited by Hogfather
  • Thumbs Up 1
  • Bad Quality Post 1
Link to comment
Share on other sites

All I know, is that if the info that has been posted (and immediately taken down) was from a 2001 database, then all the credit card information would be out of date. Email addresses may have changed, as might have personal details and such.

Besides, if it was just a comment made on the article without source, I'm not inclined to believe it. People thought that all PSN Personal information was in plain-text format. This was shortly proved wrong as the Credit Information was Encrypted and some of the personal information was Cryptographically Hashed, so there was an additional level of protection there.

Link to comment
Share on other sites

No PSN until end of May?

A spokesperson for Sony Japan has warned that PlayStation Network may not be fully operational again until 31st May.

Shigenori Yoshida told Bloomberg that the plan was to "restart services fully" by that day.

As of today, PSN has been offline for 19 days. The service went down on 20th April.

Should the PSN restoration go the distance, the online platform will have been unusable for 41 days.

A phased restoration of PlayStation Network was supposed to happen last week.

On Saturday, however, Sony announced (via the European PlayStation blog) a delay to this strategy brought on by the breach of Sony Online Entertainment's servers.

As you may know, we've begun the process of restoring the service through internal testing of the new system. We're still working to confirm the security of the network infrastructure, as well as working with a variety of outside entities to confirm with them of the security of the system. Verifying the system security is vital for the process of restoration. Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online.

As you've heard us say, our utmost priorities are the security of the network and ensuring your data is safe. We won't restore the services until we can test the system's strength in these respects.

When we held the press conference in Japan last week, based on what we knew, we expected to have the services online within a week. We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system. We know many of you are wanting to play games online, chat with your friends and enjoy all of the services PlayStation Network and Qriocity services have to offer, and trust me when I say we're doing everything we can to make it happen. We will update you with more information as soon as we have it. We apologize for the delay and inconvenience of this network outage.

Well if you are a PSN user watch this video over and over it may make the month go quicker

I do expect a lot of pissed off PSN users now without online longer now D:

Edited by Shaddix Leto Croft
  • Thumbs Up 1
Link to comment
Share on other sites

It was stated by Sony in April they'd have the online functions running first but stuff like the Store would take longer. But we shouldn't be surprised it's being reported now, reading a couple paragraphs on the topic at hand is nowhere as integral to gaming journalism as it is to put up click grabbing shock headlines.

Link to comment
Share on other sites

More from Anonymous.

On 20th day of PlayStation Network down time, Anonymous hits back

Monday 9-May-2011 12:19 PM

Hacktivist group outlines history, attacks press over rumour-mongering reports

As Sony's PlayStation Network reaches its 20th day of global down time, Global 'hacktivist' group Anonymous has hit back over critics suggesting it is to blame with its strongest message yet.

The Financial Times reported over the weekend that it had spoken to members of the cyber-activist group, who had admitted that its members were "likely to have been behind the recent hacking attacks on Sony".

The hacks have famously led to an unauthorised third-party accessing details related to 77 million PSN accounts and 24.6 million Sony Online Entertainment subscriptions. Sony told US Congress that subsequent to the attack, it had found a file on its PSN servers bearing Anonymous slogan: 'We are legion.'

Anonymous has been engaged in an anti-Sony campaign ever since the company began court proceedings against hacker George Hotz in January - particularly in reaction to Sony obtaining the IP addresses of all the people who visited Hotz' blog, something Anonymous deemed "offensive against free speech and internet freedom".

However, Anonymous has repeatedly denied having any involvement in the attacks, or any will to access consumer credit card details.

Now the group has fired over a press release entitled: 'Sony, I am disappoint', once again denying it is responsible for bringing down PlayStation Network, and attacking the Financial Times and others in the media for pointing the finger over the PSN hack.

The document is labelled A 'HiveMind Effort' from Anonymous Holdings LLC (Bermuda). In addition to claiming that "there is no membership to Anonymous, ie. anyone can participate" and pointing out that "Anonymous allows anyone to join" its online chatrooms, it reads:

Yesterday, an article appeared in Financial Times, alleging Anonymous' involvement in the data and identity theft of some hundred million users of Sony's Playstation Network and Sony Online Entertainment. This crime is now being investigated by the Homeland Security Agency (HSA), the Department of Justice (DOJ), and other legal entities.

Once again Anonymous has been blamed for a security breach, this time by the journalist Joseph Menn, in his article "Hackers point finger over Sony incursion" [1]. Here, Anonymous wishes to lay out our case against these allegations and false assumptions:

First, let us consider a different article by Menn published on the Financial Times website and entitled "Hackers Warned of Arrest" [2]. This poor piece of journalism has already been extensively referenced in the Sony matter and is being used by many people who oppose Anonymous as proof of guilt. The only quoted source used by Menn was the now infamous Aaron Barr, former CEO of the humiliated HBGary. Barr made the claim that a chat room called #anonymous, founded by the identity "Q", was irrefutable proof that this "Q" began the movement known as Anonymous. Confident in his assertion, he attempted to sell this and other pieces of so-called "intelligence" about the nature of Anonymous to the U.S. FBI.

His information, however, was incorrect. It would be considered common knowledge that Anonymous began as a "meme", or shared belief, at the turn of the century and later developed to become a "global collective conscience" in 2006. But it was not until 2008 that Anonymous became a true display of "power in numbers". Organised protests against the "Church" of Scientology were staged in over 140 cities around the world, forever associating the Guy Fawkes mask and the right to protest with the movement.

Second, just like Anonymous, John Doe and Joe Bloggs are placeholders, rather than proper names, and are available for free use without repercussions. However because of this, there is no membership to Anonymous and anyone can claim to be a "member". It could be said that "Anonymous is anonymous to Anonymous".

Barr and Menn did not pause to protect the integrity of their professions, but instead made clearly misinformed assumptions, and accordingly published a factually incorrect article. The article was highly scrutinized as being blatantly biased against Anonymous and its participants, and many readers pointed out obvious inconsistencies in the technicalities, and the physical time line.

Third, in the primary article, Menn claims that a "member" of Anonymous, Kayla, made comments as an apparent admission of guilt from the "leaders". Kayla reportedly said, "If you say you are Anonymous, and do something as Anonymous, then Anonymous did it". This statement is inherently weak; an equivalent statement would be that "I confess to being human. Humans performed the attack". Andy Greenberg at Forbes [3] got it right.

Finally, Menn's reference to "technical details" [1] regarding a vulnerability in Sony's network without revealing actual content isn't useful. Until the forensics reports are released we don't know which exploit was used. The forensic investigators need to conclude their work, and speculation in articles, blogs and comments brings the factual results no closer.

Menn's anonymous source claims that "a few ops disappeared" but so has a solid chunk of software infrastructure including NickServ and channel bots over attacks during the PSN outages. Menn's other quotes are a vague mixture of assertions and denials. During the PSN downtime, Anonymous closed #opsony and put "sony" on the automatic kick list as 'profanity' last week.

Is all of this attention on Anonymous acting as a distraction from other problems, and overhyping the nature of the DDoS attacks? Sony's recurring issues are beyond providing free game credits:

In order to process credit cards, every company needs to be PCI compliant. "If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard" [4]. Since Sony's network was "unpatched and had no firewall installed" [5], that is a clear violation of the PCI standards and ongoing reviews [4], thus likely to be criminal negligence [see Further Reading]. More importantly, "I can't think of a major data breach where the company was PCI compliant," said Ira Rothken, the lead attorney handling the class action lawsuit [6].

Sony has been accused of false billing, especially in the repairs department: customers who provided credit card details for an MMORPG are charged $150 for repairs to PS3s that they don't own; repairs are double billed and then referred to retailers; equipment is charged $150 multiple times (2-4) for repairs that aren't performed. [7 and Further Reading]

A decent credit card transaction gateway includes recurring billing as an option. Data mining by corporations has a profit motive, but as Sony has demonstrated it can be a massive liability. Why not start a discussion about corporate responsibility to protect user information, especially since they didn't need it to begin with?

Sony's response to the U.S. Senate [8] is to request more laws and further the myth of "best practices." Since Sony was warned of security holes months in advance [5], one of those "best practices" would be to accept the advice of the experts. In Sony's passing the blame there is no justification for the collection and retention of personal information they didn't need.

Outraged about the blatant coverup and shameful misdeeds, other internet hacker groups will apparently proceed with attacks [9] over Sony's mishandling of the matter. These reactions prove that requesting legislation to cover up corporate crimes and the abuse of law is frowned upon by all online communities, not just the Legion of Anonymous. Apparently Sony will have to learn the hard way that corporate malfeasance will not go unpunished. When the dust settles Sony may have more to fear from a massive class action lawsuit by their user base than the brief actions of the Global Hacker Nerd Brigade, Anonymous... Let THE GAMEs begin. :>

Knowledge is free.

We are Anonymous.

We are Legion.

We do not forgive.

We do not forget.

Expect us.

http://www.computerandvideogames.com/300602/news/on-20th-day-of-playstation-network-down-time-anonymous-hits-back/

Link to comment
Share on other sites

I'm not going to touch a forever anon press release without a biohazard suit, but

Since Sony's network was "unpatched and had no firewall installed"

False.

Speaking of which

But the funny thing about this kind of "common knowledge" in the age of the Internet is the way rumors have an unfortunate tendency to be repeated as fact. Just a week ago it was "common knowledge" that Sony stored every PSN password in plain text. It was also "common knowledge" that Sony Online Entertainment hadn't been compromised. Neither of those things proved true.

[...]

As it turns out, it is fairly simple to use Google's webcache to show what version of Apache the PSN servers were using back in March. According to a page request archived by Google on March 23, 2011, at that time Sony was running version 2.2.17 of the software. You can see from Apache's website that 2.2.17 is the latest stable version of the webserver available even today. This is a direct repudiation of the claims being made that Sony's webservers were out of date by as much as five years.

[...]

It's sad to say, but many are so eager to see Sony's eye blackened that they are willing to believe any rumor that puts the PlayStation in a negative light. We are in a backwards world where everything Sony says is assumed to be a lie or conspiracy, and anonymous IRC chat logs of dubious origins have miraculously become the most trusted news source in the industry. Here we have a concrete example of why it's important to actually verify your source before repeating something as fact.

Link to comment
Share on other sites

Speaking of Anon

Civil war appears to have broken out in the ranks of headless 'hacktivist' collective Anonymous, with claims that a rogue admin has seized control of two key sites used to coordinate the loose-knit group's online direct action.

The news follows speculation that a breakaway group of Anonymous members was responsible for the hacking attacks on Sony's PlayStation Network and Online Entertainment Network, which saw personal information, including credit card details, stolen from as many as 100 million users' accounts.

In a message to users posted on AnonOps.in, part of Anonymous's AnonOps network, admins accused a former comrade of organising a "coup d'etat".

The rogue operator - 'Ryan' - who is also alleged to be behind the revamped 'Oh Internet' relaunch of notorious shock site Encyclopedia Dramatica - is accused of stealing the IP addresses and passwords of users on two Anonymous sites, AnonOps.net and AnonOps.ru, before launching Denial of Service (DoS) attacks against them.

The sites are used by Anonymous to provide communication services such as IRC chat between members, and were key in organising activity such as Operation Payback, launched against copyright holders and anti-piracy groups, including dodgy UK legal outfit ACS:Law. The sites were also key in organising Anonymous activity in support of the recent uprisings in Tunisia and Egypt, and ongoing protests in Syria.

Former admins 'shitstorm', 'Nerdo', 'owen', 'blergh' and 'Power2All' declared themselves "profoundly sorry for this drama" and issued the following warning to Anonymous members, urging them to steer clear of the sites:

"We would STRONGLY ADVISE all users to STAY AWAY from AnonOps.net and AnonOps.ru, and they should be considered COMPROMISED. Using or connecting to any service on those addresses may put your computer, and by extension your person, at risk."

An update posted early this morning includes a screen shot taken of a revenge hacking attack carried out by supporters of the 'old' admins, outing the culprit's full name and address

Nuoh dear

Link to comment
Share on other sites

I already knew the Anons are having a civil war with each other, read it somewhere a week back. I thought it was rogue anons who were behind the attack and not Anonymous themselves.

Edited by goku262002
Link to comment
Share on other sites
