Playstation Data Theft

[PunK BeaR]

Millions of internet users hit by massive Sony PlayStation data theft

Sensitive personal details of tens of millions of internet users have been stolen by hackers in one of the biggest ever cases of data theft, it has emerged.

Fraudsters have obtained data on millions of online video gamers – including three million Britons - after targeting Sony’s PlayStation Network.

The electronics giant is contacting around 70 million customers warning that details including their names, addresses, dates of birth, passwords and security questions have been stolen.

Sony also admitted that the hackers may have gained access to people’s credit card details.

Thankfully, this doesn't effect me as im still using the old PS2 offline. However, it does effect 70 million users and is gonna have a huge impact on Sony and online console gaming in general. No doubt it will also add more weight to the argument for greater control and restrictions on internet usage.

[Roseland69]

We got a PS3 and signed into the PSN (including card details) in January. I saw the news last night and felt strangely compelled to say "******".

[Ash4781]

The playstation network being down does get people out of the house (my gf was cheering and ch4 news suggested this yesterday ). Though the underlying story is much worse.

[Son of Limahl]

The playstation network being down does get people out of the house. Though the underlying story is much worse.

It's much worse alright!

I've just come across a blog that provides its readers with an overview of so-called 'secure' databases, which have been hacked in recent years. In a display of autistic brilliance, the author paints a picture whereby this sort of event appears commonplace; yet is not always reported by our mainstream media. This particular blog appears to be concerned about potential vulnerabilities in 'contactless' banking and secure access systems; already scheduled for mass 'roll-out' here in the UK during 2011.

Can't wait to see how this all pans out...

Anyway, here's the linky-link: http://contactless.wordpress.com/2011/04/27/a-decade-of-database-hacking-and-potential-id-theft/

[contractor]

http://www.dailymail.co.uk/sciencetech/article-1381000/Playstation-Network-hacked-Sony-admits-hackers-stolen-77m-users-credit-card-details.html

If Sony a technology company cant protect from hackers what hope does Amazons Cloud have from hackers?

Sony have made several monumental **** ups here, all of which are infosec101. Although I wouldn't recommend cloud services for PII data, I'm sure Amazon are not the donkeys that Sony are.

So far we know that Sony are guilty of:

Never trust the client (they did)

Don't rely on security through obscurity (they did)

Use encryption for PII/confidential data (they didn't, during transmission or storage)

Have a layered approach to security (nope)

Create a modular architecture (nope)

I could go on, but the bottom line is that the PSN was made as a free service, probably built with low cost in mind (rather than their customer's data security).

[The Masked Tulip]

xbox has been hacked for several weeks now - some kind of game mod that makes it impossible to kill someone, they have endless ammo in a gun, can fly and move so fast your eyes see them as a blur.

It has made the games impossible. Games like capture the flag in Call of Duty World at War (COD WAW) are either over in seconds or last forever as the fecker with the mod grabs the flag in a nano-second and then flies up into the air. They just 'stand' there hoovering as a dot in the distance but you can't kill them either.

If you look at their profiles the feckers are advertising the mods for sale for £2.50 or a tenner payable to paypal accounts. Sometimes, and I don't know how they do it, you get an advert for their mods pop up on your screen. I only play xbox games on my xbox - i.e. have never downloaded any content - so have no idea how they are doing it.

I checked over the weekend and discovered loads of forums full of people complaining - even on the MS xbox forums, but MS either can't fix the problem or does not care I guess?

It has made playing on the xbox pointless now. I won't be renewing my membership.

[Ash4781]

xbox has been hacked for several weeks now - some kind of game mod that makes it impossible to kill someone, they have endless ammo in a gun, can fly and move so fast your eyes see them as a blur.

It has made the games impossible. Games like capture the flag in Call of Duty World at War (COD WAW) are either over in seconds or last forever as the fecker with the mod grabs the flag in a nano-second and then flies up into the air. They just 'stand' there hoovering as a dot in the distance but you can't kill them either.

If you look at their profiles the feckers are advertising the mods for sale for £2.50 or a tenner payable to paypal accounts. Sometimes, and I don't know how they do it, you get an advert for their mods pop up on your screen. I only play xbox games on my xbox - i.e. have never downloaded any content - so have no idea how they are doing it.

I checked over the weekend and discovered loads of forums full of people complaining - even on the MS xbox forums, but MS either can't fix the problem or does not care I guess?

It has made playing on the xbox pointless now. I won't be renewing my membership.

Isn't that the glitchers? I've seen this when the PSN was up players flying through levels. I've seen it in quite a few games when a glitch means you do odd stuff.

[MC Fur Q]

Got an email from Sony this evening telling me my details were taken though they don't yet know if the CC details went too.

Have been all over the place tonight changing account passwords and email addresses as I had several that used the same login as I had used with the PS3.

Sony are a bunch of tossers and I'm going to sue them (if I can) should anyone manage to rip me off.

[rxe]

Never trust the client (they did)

Everyone trusts the client. If I am conceptually sitting behind you while you type details into your bank page, and can adjust the page you are typing on to get you to hand over more data, I can gain access to your account. All "secure" pages are vulnerable to this - about the only thing that isn't is the PIN sentry type of 1 time password generators - and these have their own set of problems.

[200p]

Digital money = dangerous.

Stick to bricks and mortar

[The Masked Tulip]

Isn't that the glitchers? I've seen this when the PSN was up players flying through levels. I've seen it in quite a few games when a glitch means you do odd stuff.

I don't know why some people call it a glitch? A glitch is a bug or a mistake.

A deliberate modified hack of the system that allows one player to cheat whilst wrecking the game for everyone else is not a glitch. It is a cheat.

[SHERWICK]

Games like capture the flag in Call of Duty World at War (COD WAW) are either over in seconds or last forever as the fecker with the mod grabs the flag in a nano-second and then flies up into the air. They just 'stand' there hoovering as a dot in the distance but you can't kill them either.

I don't know why but that sounded so funny!

[@contradevian]

xbox has been hacked for several weeks now - some kind of game mod that makes it impossible to kill someone, they have endless ammo in a gun, can fly and move so fast your eyes see them as a blur.

It has made the games impossible. Games like capture the flag in Call of Duty World at War (COD WAW) are either over in seconds or last forever as the fecker with the mod grabs the flag in a nano-second and then flies up into the air. They just 'stand' there hoovering as a dot in the distance but you can't kill them either.

If you look at their profiles the feckers are advertising the mods for sale for £2.50 or a tenner payable to paypal accounts. Sometimes, and I don't know how they do it, you get an advert for their mods pop up on your screen. I only play xbox games on my xbox - i.e. have never downloaded any content - so have no idea how they are doing it.

I checked over the weekend and discovered loads of forums full of people complaining - even on the MS xbox forums, but MS either can't fix the problem or does not care I guess?

It has made playing on the xbox pointless now. I won't be renewing my membership.

You could at least report their paypal accounts to Paypal I suppose.

[PopGun]

I don't know why some people call it a glitch? A glitch is a bug or a mistake.

A deliberate modified hack of the system that allows one player to cheat whilst wrecking the game for everyone else is not a glitch. It is a cheat.

I gave up playing modern warfare on PSN because of this. I emptied a whole mag in one guys’ head as he rang towards me and knifed my gullet open.

After reviewing another of my 'death shots' it was apparent that my adversaries could also see through walls, shoot me in the head from unbelievable distances (whilst moving) and only ever be killed by others with the same 'bot'.

Other players are just very good of course, however I tend to worry about these more.

[contractor]

Everyone trusts the client. If I am conceptually sitting behind you while you type details into your bank page, and can adjust the page you are typing on to get you to hand over more data, I can gain access to your account. All "secure" pages are vulnerable to this - about the only thing that isn't is the PIN sentry type of 1 time password generators - and these have their own set of problems.

You are talking about Man in the Middle scenarios and No, not everyone trusts the client. You auth the host one way (mayby using tls client certs), then the user another. Depending on the sensitivity of the data one might implement dynamically generated passwords using seed tokens (eg. secure-id). What Sony did was not bother with secondary checking of the PS3 as they thought that the single check in place using the cert on the box was fine.

When the PS3 certs were found all bets were off. As the root certs were compromised PS3s should not have been trusted in any way - that was when Sony should have done something about it, not now.

[Pezerinno]

Got an email from Sony this evening telling me my details were taken though they don't yet know if the CC details went too.

Have been all over the place tonight changing account passwords and email addresses as I had several that used the same login as I had used with the PS3.

Sony are a bunch of tossers and I'm going to sue them (if I can) should anyone manage to rip me off.

I have just realised my PSN account is associated with my old email address so not sure if I'm been emailed or not. Like you I have used the same password on some accounts so guess I better change them to be safe.

[rxe]

You are talking about Man in the Middle scenarios and No, not everyone trusts the client. You auth the host one way (mayby using tls client certs), then the user another. Depending on the sensitivity of the data one might implement dynamically generated passwords using seed tokens (eg. secure-id). What Sony did was not bother with secondary checking of the PS3 as they thought that the single check in place using the cert on the box was fine.

I'm not talking about a man in the middle attack at all.

Most security systems depend on the user typing in a password. Most (nearly all in common use today) rely on pre-remembered passwords or sections of them. Some don't, PINSentry is the obvious example. So the linkage between client and server can be as secure as you like, but if I am watching you type the password in, I can become you. For systems that request sections on passwords (3D Secure), if you log in more than three times, I have your full password.

Now clearly, if I am literally standing next to you while you type, you'll notice. If I am a program on your computer, designed to detect when you are on a 3D secure page, and simply record the text and key strokes, then I can obtain your credentials and most people will never know.

Encryption has made man in the middle bloody difficult. So the crims have gone for the equivalent of you leaving your password on a post-it. This is the evolution of the "bot-net" that started with spam, and now is going onto something more productive.

Look up Zeus.

[contractor]

I'm not talking about a man in the middle attack at all.

Most security systems depend on the user typing in a password. Most (nearly all in common use today) rely on pre-remembered passwords or sections of them. Some don't, PINSentry is the obvious example. So the linkage between client and server can be as secure as you like, but if I am watching you type the password in, I can become you. For systems that request sections on passwords (3D Secure), if you log in more than three times, I have your full password.

Now clearly, if I am literally standing next to you while you type, you'll notice. If I am a program on your computer, designed to detect when you are on a 3D secure page, and simply record the text and key strokes, then I can obtain your credentials and most people will never know.

Encryption has made man in the middle bloody difficult. So the crims have gone for the equivalent of you leaving your password on a post-it. This is the evolution of the "bot-net" that started with spam, and now is going onto something more productive.

Look up Zeus.

3ds is a pile of shitë that just passes the buck onto the customer (thus absolving the card issuer). I'm talking about proper 2 factor auth which does protect against things like password reuse.