Sony gets hacked again, thousands affected

bwahahahahaahah haatis bossy psn still sucks it seems :p

on a side note tho, makes you wonder what changes they made in the 1st place :confused:
 
about a month ago Howard Stringer (Sony CEO) said

"I'm pleased to tell you that the PSN is more secure and better than ever."

wonder what he's gonna say now
 
In all fairness this isn't really Sony's fault.

Someone had a library of email addresses and passwords and tried them against the Sony database.
The info wasn't pulled from Sony.

The people who use the same email/password combo for everything are at fault.
 
Headline is a little misleading guys - this wasn't a hack - this sounds more like a brute-force attack to me.

Sony locked down those 93k accounts pretty damn quickly - I think the only people who should get the blame here are users with crappy passwords or duplicate info across sites.
 
Headline is a little misleading guys - this wasn't a hack - this sounds more like a brute-force attack to me.
Doesn't matter. Brute-force is a valid technique for hacking accounts. Not particularly elegant or subtle though.

In all fairness this isn't really Sony's fault.

Someone had a library of email addresses and passwords and tried them against the Sony database.
Nope. Still Sony's fault. When you've got that level of brute force activity going on then the system should automatically catch it. Hell most firewalls on PCs react to activity level & automatically block some traffic if it's unreasonably heavy (DoS protection).

Sony really needs to sort their shit out. As far as attacks go it doesn't get any more primitive than this & they should be able to deal with it.
 
I still believe Sony dealt with it pretty well, all things considered.

Given the level of activity PSN gets on a daily basis, if the attackers were even halfway clever they would've used maybe 1 - 3 permutations per e-mail address - and they wouldn't have pelted them in all at once. Even the most advanced system will take time to react to that.

This sort of thing happens all the time, but of course people like kicking Sony, because, let's face it, they put themselves in a position to be kicked. It's also a completely different attack from last time, where Sony's internal systems were compromised.
 
Doesn't matter. Brute-force is a valid technique for hacking accounts. Not particularly elegant or subtle though.

lol, but it's not brute force. It's an automated attempt trying to log in using a dataset of username/password combinations (which was available since the previous hack). Brute force generally does not have any password information available to start off with and simply runs through an algorithm trying to "guess" the password.

Anyone classifying this as a hack probably also thinks that the internet works because of "magic".
 
Given the level of activity PSN gets on a daily basis, if the attackers were even halfway clever they would've used maybe 1 - 3 permutations per e-mail address - and they wouldn't have pelted them in all at once. Even the most advanced system will take time to react to that.
Nope. If they use 1-3 permutations per email then % of login attempts failing goes through the roof.

You're thinking about this the wrong way though. Mostly they use IPs for this. If you suddenly get 100s of thousands of logins from an IP then it's probably not legit. To make it come from multiple IPs you'd need a bot-net & some serious coordination.

Companies operating on this scale can & should have super sophisticated systems for this. Check google...login from a different country & it immediately flags it as suspicious. Check Steam...just switching browsers causes your login to be flagged.

and they wouldn't have pelted them in all at once.
The problem with a paced brute force attack is that it takes a looooong time.

Given the level of activity PSN gets on a daily basis
Yeah that does make it difficult. People tend to be predictable though. Take a look at the Steam stats:
http://store.steampowered.com/stats/
Anything out of the usual shows up *very* clearly.

I still believe Sony dealt with it pretty well
Yeah the response was 100%. It should never get that far though...this is crisis management and if you're doing crisis management on systems like this then the system is broken.
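
Added example (not part of any post in this thread): a minimal sketch of the three signals argued about above, run over constructed login events. It shows why a per-account failure counter stays quiet when each account is tried only once, while the per-source count of distinct accounts and the overall failure ratio both stand out, and what changes when the attempts are spread over many sources. All names, addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

def make_sample(sources=1):
    """Constructed events: (minute, source_ip, account, success)."""
    events = []
    # Normal traffic: 40 users on their own addresses, about 1 in 8 mistypes.
    for i in range(40):
        events.append((i % 10, f"10.0.{i}.1", f"user{i}@example.com", i % 8 != 0))
    # Credential reuse run in minute 5: 60 accounts, one attempt each,
    # 1 in 20 succeeds, spread across `sources` addresses.
    for i in range(60):
        ip = f"198.51.100.{i % sources}"
        events.append((5, ip, f"victim{i}@example.com", i % 20 == 0))
    return events

def analyse(events, max_accounts_per_ip=10, max_fail_ratio=0.5, lockout_after=10):
    per_ip_accounts = defaultdict(set)        # source -> accounts it tried
    per_account_fails = defaultdict(int)      # account -> failed attempts
    per_minute = defaultdict(lambda: [0, 0])  # minute -> [failures, total]
    for minute, ip, account, ok in events:
        per_ip_accounts[ip].add(account)
        per_minute[minute][1] += 1
        if not ok:
            per_account_fails[account] += 1
            per_minute[minute][0] += 1
    return {
        # Per-account lockout: only fires on repeated guesses at one account.
        "locked_accounts": sorted(
            a for a, n in per_account_fails.items() if n >= lockout_after),
        # Per-source fan-out: one address touching many different accounts.
        "suspicious_ips": sorted(
            ip for ip, accts in per_ip_accounts.items()
            if len(accts) > max_accounts_per_ip),
        # Global failure ratio per minute: independent of source address.
        "spike_minutes": sorted(
            m for m, (f, t) in per_minute.items() if f / t > max_fail_ratio),
    }

if __name__ == "__main__":
    print("single source:", analyse(make_sample(sources=1)))
    print("60 sources:   ", analyse(make_sample(sources=60)))
```

With one source, the fan-out check and the failure-ratio check both fire and the lockout check does not; with 60 sources only the failure-ratio check is left.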
 
lol, but it's not brute force.
hmm well spotted. Didn't realize that simultaneous attempts against many accounts don't count as brute-force.

which was available since the previous hack
Article says it came from outside the co.

Anyone classifying this as a hack probably also thinks that the internet works because of "magic".
So classify it as a cracking attempt if you prefer that definition. Either way it's gaining unauthorized access.
 
That is just sad... At least it was dealt with swiftly and Sony was more open about the attack... And you're still covered by the Identity protection Sony offered if you took it... But they say that CC details were safe, not sure if it is true.

As for the type of attack, brute force is a form of hacking, a slow and tedious one at that; from what I gather they used cross referencing with a brute force attack, which would make it kinda a unique attack on the system. And the firewall or the AI behind the firewall would probably tick it off as a failed login attempt. True, Sony should implement a verification code after the 3rd attempt and a lockout after the 10th for a time period. I myself would be locked out quite a bit as I have too many passwords to remember for every account.

Someone had to notice the activity on the system, to have learned it was a hacking in progress. Sony could be at fault, cause they had upgraded their system recently... But fair enough they do have millions of logins at random times during the day everyday on their system so good on them for noticing it and locking it down. For those users who just made a variation of their old password shame on you, variation is not change.
 
I'm just glad they caught it so soon and put a stop to it relatively quickly. Hoping my account wasn't one of them. :p
 
Nope. If they use 1-3 permutations per email then % of login attempts failing goes through the roof.

You're thinking about this the wrong way though. Mostly they use IPs for this. If you suddenly get 100s of thousands of logins from an IP then it's probably not legit. To make it come from multiple IPs you'd need a bot-net & some serious coordination.

Companies operating on this scale can & should have super sophisticated systems for this. Check google...login from a different country & it immediately flags it as suspicious. Check Steam...just switching browsers causes your login to be flagged.

It probably was a bot-net, you're right. Although as far as I'm aware a login would only be flagged as suspicious once it actually logs in. And it's not a given, since if dynamic IPs are being used then people are logging in from different IPs every day. Fair enough if the entire IP block changes - but I use three different ISPs to log into various accounts on any given day - the entire range changes.

And Sony needs to cater for the lowest common denominator, which of course means the loads of dumbasses who can't spell properly.

I agree with you about Steam though - Steam's logins are on uber-paranoid level - I switched from nVidia to ATI and that was enough to flag me as logging in from a different system (I was 0.o for a moment).

I'm not arguing with you - I think your points are very valid. I do believe though - especially in the case of the 93k compromised accounts - that those users are to blame; the attackers probably just ran through the old data harvested previously and managed to get into those accounts where the users were too lazy to think up new passwords and just used the same ones. The attackers probably didn't even have to use different permutations.

strifehart said:
lol, but it's not brute force. It's an automated attempt trying to log in using a dataset of username/password combinations

I'd still see it as some kind of brute-force. The attackers weren't going after any specific account, they were just throwing all the combos at the login system and hoping to get some hits.
 
So classify it as a cracking attempt if you prefer that definition. Either way it's gaining unauthorized access.

True, but the skill required to gain "unauthorized" access when you already have the username and password combination isn't really rocket science.

Either way, I was under the impression that you couldn't log in if you didn't reset your password after the last hack. I know for a fact I was prompted to change my password the moment I logged in.

Then again, it's entirely possible to write a script that goes through the whole login process and resets the password. However, I'm sure I recall that upon resetting the password you get issues with an email that contains a link which you need to access in order to actually complete the reset/re-activation.

I'm rambling here, anyway ... I'll have to go check my archive to confirm if the above was actually the case.
 
Hmm...never thought this would be happening again so soon - few hacks on Sony in the same year, not impressed. Especially after Sony assured us that they've ironed out all the kinks regarding this matter, well for the sake of those who own playstations I hope the matter gets resolved quickly :)
 