PSN still down, internal testers online in various games though

Status
Not open for further replies.
larvi said:
What is typically done in the industry is that they subscribe to services such as CERT to get notified of vulnerabilities when they are discovered. And then depending on the severity of the vulnerability and the impact they would have a mitigation plan to install the fix in a timely manner, i.e. 30 days for Sev 1, 45 Days for Sev 2, etc. So if Sony had something similar in place and just got caught where they hadn't completely rolled out the fix yet or this was a new vulnerability that hadn't been identified yet, then they were following industry best practices and it could have happened to pretty much any company then. On the other hand, if Sony either didn't bother to make themselves aware of known vulnerabilities or had and hadn't bothered to mitigate them then that is a big problem.

I'm a bit disturbed about the fact that it doesn't appear they are willing to share any details of what happened. If this is something previously undiscovered then they really should be working with the security advisory organizations and affected software developers so that other companies can also work on protecting themselves. They may well be doing that behind the scenes but I would think it would be good press to say that if they actually were.
Depending on the severity of the issue, you may have to fix it *RIGHT AWAY*, as in "no time to do the full QA cycle because the exploit is out there and it gives full control to our servers in a matter of seconds". I've seen it happen, and it will happen again.
Imagine if someone found a way to exploit a buffer overflow in apache, and basically any server running apache was exploitable instantly. Would you wait?
If you wait weeks or even days before deploying a fix for an easily scanned and exploited issue, you deserve everything that happens to you. This isn't your private enterprise server, as soon as you've got a public IP it's your duty to make sure there is nothing exploitable there.

Didn't Sony mention the hacker(s) used an injection? I somehow thought I saw that in part of presentation from last week?
 
Steve Youngblood said:
Well, given that purported members of the group have been vocal about sticking it to Sony with stuff like the DDoS attacks, it's hard not to at least suspect that an organized Anonymous attack might have caused this.


the sad part is there are people who see this as nothing more than a coincidence.
 
Stoffinator said:
They did today according to the PS blog.
http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/

EDIT:
pantyhelmet said:
the sad part is there are people who see this as nothing more than a coincidence.
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
 
Two things I'll add to this thread.

First off, another class action lawsuit has been proposed against Sony for damages stemming from the PSN security breach. This one in Ontario for only a billion dollars or so.

Secondly, while I have seen no charges to date on my credit card (still linked to my PSN account; last used in late March; in all likelihood secure and encrypted), I can pass along that my boss is fighting $500 in fraudulent charges with her credit card company. (These charges came in the form of attempts to redirect funds from her credit card to a PayPal account.)

Her card was fully secure apart from being on PSN; the key difference between us being that her card was used to purchase Black Ops map packs while the network was exposed between April 17th & 19th. This further backs up the theory that while the credit card database store was encrypted and CVVs not retained that anyone making purchases while the breach took place may have had their credit card details exposed.

This also explains Sony's carefully worded language on the issue.
 
pantyhelmet said:
the sad part is there are people who see this as nothing more than a coincidence.
Well, I don't think it's unfair to suggest that it might be a coincidence. Just as I don't think it's unfair to suggest that it might not be. I don't think the outspoken, 'hacktivist' wing of the operation planned this kind of attack, but that doesn't mean that a rogue member didn't run off and do his own thing. Then again, maybe the person ultimately responsible has nothing to do with what is commonly understood to be this nebulous, "Anonymous" group, but left that file anyway, since apparently anyone can claim to be a member.

I don't know. It's all speculation. However, the existence of that file hardly sheds new light. We're still where we started with only knowing that unknown hackers stole data.
 
Steve Youngblood said:
Well, I don't think it's unfair to suggest that it might be a coincidence. Just as I don't think it's unfair to suggest that it might not be. I don't think the outspoken, 'hacktivist' wing of the operation planned this kind of attack, but that doesn't mean that a rogue member didn't run off and do his own thing. Then again, maybe the person ultimately responsible has nothing to do with what is commonly understood to be this nebulous, "Anonymous" group, but left that file anyway, since apparently anyone can claim to be a member.

I don't know. It's all speculation. However, the existence of that file hardly sheds new light. We're still where we started with only knowing that unknown hackers stole data.
Indeed. If an unrelated hacker wanted to get into PSN and knew an Anon DDOS was going to happen, they could easily have timed things to occur at the same time. Whether Anon's actions actually enabled them to pull off what they did or not remains to be seen.

And to clarify, the purported anon file Sony found was on the SOE servers and not the PSN servers, correct? And the SOE intrusion actually occurred well before the PSN one?
 
XiaNaphryz said:
Slowly catching up on things right now. So Sony is saying they were under DDOS attack from Anonymous at the same time as the security breach, and that the two events may or may not have been related.

Is that an accurate summary?

Yup.

Another great win for ANONYMOUS - truly defenders of a great mass of innocent bystanders
 
If someone told me 2 weeks ago that on May 4th we would still be unsure when PSN would be up, I would have spat in their faces and danced on their graves.

2 fucking weeks.

Wow.

And like no fucking end in sight. It's just the same bullshit like usual. "We'll be providing details shortly about when PSN will be restored."

They've been saying this for 2 weeks.

Dunno, I'm just pissed, that's all.

Got like MK I want to play online, Portal 2, Homefront, Uncharted 2.

EURGHHH
 
Amir0x said:
Yup.

Another great win for ANONYMOUS - truly defenders of a great mass of innocent bystanders
They are now like an annoying dad that just wants to be cool and help out but ends up being annoying and making things needlessly more complicated by his actions.
 
UberTag said:
Two things I'll add to this thread.

First off, another class action lawsuit has been proposed against Sony for damages stemming from the PSN security breach. This one in Ontario for only a billion dollars or so.
I read about this earlier today, and surely it must be cheaper, not to speak of being much more secure, to get a new credit card instead of keep checking your account for 2 years? 1 billion divided on 1 million users is 1000 dollars each. Surely it isn't that expensive to change card.


UberTag said:
Secondly, while I have seen no charges to date on my credit card (still linked to my PSN account; last used in late March; in all likelihood secure and encrypted), I can pass along that my boss is fighting $500 in fraudulent charges with her credit card company. (These charges came in the form of attempts to redirect funds from her credit card to a PayPal account.)

Her card was fully secure apart from being on PSN; the key difference between us being that her card was used to purchase Black Ops map packs while the network was exposed between April 17th & 19th. This further backs up the theory that while the credit card database store was encrypted and CVVs not retained that anyone making purchases while the breach took place may have had their credit card details exposed.

This also explains Sony's carefully worded language on the issue.
That is an interesting theory, if people who purchased something from the PS Store between 17th and 19th of April, maybe they got their credit card numbers stolen?
 
The Lamonster said:
They are now like an annoying dad that just wants to be cool and help out but ends up being annoying and making things needlessly more complicated by his actions.

Because they are literally run by a mass of sixteen year olds
 
Mithos said:
It's already confirmed to work by a lot of people including Valve forum admins/moderators.
Ah, I thought PSN had been down the whole time. Forgot you folks got it a couple of days before us. :)
 
Hey guys have you seen this:

Sony chief information officer, Shinji Hasejima, in an interview stated:

"The vulnerability of the network was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it. We are now trying to improve aspects of it."

“We thought we had taken enough management and control measures (to ensure the network was secure), but looking back, there might have been room for further enhancement,” Shiro Kambe added, “We have to admit we were not fully sufficient.”
 
if the government wants to be involved & they know all this about what the hackers said on their website about the servers being outdated & all that how come they haven't taken down any of the hacking websites?

they take down websites that share music why not take down websites that share hacking tools & information about hacking?

I'm not saying that they should do this but if they feel the need to jump in now & question sony about everything that happened & they say that they seen the hackers talk about this months ago why didn't they shut down the website to slowdown the communication between the hackers as they plan their attacks?
 
arnoldocastillo2003 said:
Hey guys have you seen this:

Sony chief information officer, Shinji Hasejima, in an interview stated:
Yep, it was mentioned on the press conference that was on Sunday. Although I haven't read that exact translation before that you mention here.
 
Fuzzy said:
So, wait. Two separate attacks took place on Sony servers.

First, an attack on SOE's servers, which is where Sony claims the text file implicating Anonymous was found.

Second, the main attack on the PSN servers that we all know about.

Oddly, the first attack was only discovered/revealed after the full extent of the PSN attack became known, but that's another topic. What interests me is that, if the Sony claims are true (and there's no reason to think they would lie to the Feds and Congress), then there's no evidence to tie Anonymous to the PSN attacks at all, and only very thin circumstantial evidence to tie them to the SOE attack.

If, as I suggested a while back, the Anonymous text file is just a red herring designed to throw investigators off the scent, then AnonOps' denial of responsibility for any anti-Sony attacks during this whole affair is true, and there's a lot of roast crow and gravy to be served up.
 
Dambrosi said:
So, wait. Two separate attacks took place on Sony servers.

First, an attack on SOE's servers, which is where Sony claims the text file implicating Anonymous was found.

Second, the main attack on the PSN servers that we all know about.

Oddly, the first attack was only discovered/revealed after the full extent of the PSN attack became known, but that's another topic. What interests me is that, if the Sony claims are true (and there's no reason to think they would lie to the Feds and Congress), then there's no evidence to tie Anonymous to the PSN attacks at all, and only very thin circumstantial evidence to tie them to the SOE attack.

If, as I suggested a while back, the Anonymous text file is just a red herring designed to throw investigators off the scent, then AnonOps' denial of responsibility for any anti-Sony attacks during this whole affair is true, and there's a lot of roast crow and gravy to be served up.
I thought there were technically 3 attacks, with a DDOS attack occurring at the same time as the PSN intrusions?
 
Dambrosi said:
If, as I suggested a while back, the Anonymous text file is just a red herring designed to throw investigators off the scent, then AnonOps' denial of responsibility for any anti-Sony attacks during this whole affair is true, and there's a lot of roast crow and gravy to be served up.
Well, from where I'm sitting, I don't think anyone needs to eat crow. The fact of the matter is that given the nebulous nature of Anonymous and the known facts (up to this point at least), we don't really know anything.
 
Cold-Steel said:
field-of-dreams-cornfield.jpg
Shoulda taken that one step further and photoshopped PS logos on their uniforms.
 
onQ123 said:
if the government wants to be involved & they know all this about what the hackers said on their website about the servers being outdated & all that how come they haven't taken down any of the hacking websites?

they take down websites that share music why not take down websites that share hacking tools & information about hacking?

I'm not saying that they should do this but if they feel the need to jump in now & question sony about everything that happened & they say that they seen the hackers talk about this months ago why didn't they shut down the website to slowdown the communication between the hackers as they plan their attacks?
What?
The government hosts websites that share hacking information. Here's one: http://web.nvd.nist.gov/

The reason is that if you're going to prevent system break-ins, it's important that the people monitoring the servers have reliable, up-to-date information on what vulnerabilities exist so they can fix them. The tools are also important, especially if you're trying to convince your boss it's time to upgrade. It's one thing to say someone could theoretically take over your server, and another to load up metasploit and do it in the middle of a meeting.
 
Marius_ said:
If it does come back next week it better come with a firmware full of new features and possibly a new UI.

so they are trying to bring it back up ASAP (with limited functionality) and you want them to spend extra time developing, testing, and implementing more features? do you want the PSN to be back online before 2012 ?
 
test_account said:
That is an interesting theory, if people who purchased something from the PS Store between 17th and 19th of April, maybe they got their credit card numbers stolen?

It sounds like the CC database was secure but the transaction records were not.
 
XiaNaphryz said:
I thought there were technically 3 attacks, with a DDOS attack occurring at the same time as the PSN intrusions?
I thought the DDOS attack was on the SOE server, not the PSN one?

And if it was Anon who perpetrated a DDOS on the SOE server, wouldn't they announce that it was them? And didn't they state that they were stopping their anti-Sony attacks (because they were hurting legit customers) a few weeks before the attacks took place?

No, something's wrong here.

I guess we don't really know anything, the whole affair smells of speculation and propaganda from all sides, and the actually guilty hackers will probably never be caught because of this.

Though really, all I want to do is play some MAHVEL.

ickman3400 said:
No psn today huh. God doesn't want me having Vampire Bloodlines, I'm convinced now :(
...Eh? I'm 37 and what is...I don't...what?
 
Dambrosi said:
I thought the DDOS attack was on the SOE server, not the PSN one?

And if it was Anon who perpetrated a DDOS on the SOE server, wouldn't they announce that it was them? And didn't they state that they were stopping their anti-Sony attacks (because they were hurting legit customers) a few weeks before the attacks took place?

No, something's wrong here.

I guess we don't really know anything, the whole affair smells of speculation and propaganda from all sides, and the actually guilty hackers will probably never be caught because of this.

Though really, all I want to do is play some MAHVEL.
This is my stance on this as well.
 
Dambrosi said:
I thought the DDOS attack was on the SOE server, not the PSN one?

And if it was Anon who perpetrated a DDOS on the SOE server, wouldn't they announce that it was them? And didn't they state that they were stopping their anti-Sony attacks (because they were hurting legit customers) a few weeks before the attacks took place?

No, something's wrong here.

I guess we don't really know anything, the whole affair smells of speculation and propaganda from all sides, and the actually guilty hackers will probably never be caught because of this.

Though really, all I want to do is play some MAHVEL.

Or maybe you guys give them too much credit, and all of the incidents are related to each other and only after Anon realized what had happened did they deny outright any criminal activity because someone spilled the beans and Anon quickly acted to disassociate itself with certain "rogue elements".

This has Anon all over it. Maybe the intruder didn't realize what they were doing until it was too late - just like Anon itself.
 
androvsky said:
What?
The government hosts websites that share hacking information. Here's one: http://web.nvd.nist.gov/

The reason is that if you're going to prevent system break-ins, it's important that the people monitoring the servers have reliable, up-to-date information on what vulnerabilities exist so they can fix them. The tools are also important, especially if you're trying to convince your boss it's time to upgrade. It's one thing to say someone could theoretically take over your server, and another to load up metasploit and do it in the middle of a meeting.

if the government knew about it months ago & just watched the hacking groups plan the attacks that makes them just as much at fault as sony,

so I'm thinking the same people that are saying sony is at fault because the system couldn't keep the hackers out either knew they could get in & didn't do anything to stop it or they were in the same boat as sony & thought the system was good enough & didn't think that the hackers would get in & take personal information.
 
Dambrosi said:
I guess we don't really know anything, the whole affair smells of speculation and propaganda from all sides, and the actually guilty hackers will probably never be caught because of this.
Whether or not they get caught, I don't think it will be affected by the politics and the theatre surrounding the whole affair. It'll be a matter of investigative talent and resources. If it's not Anonymous, I don't think we'll find ourselves in a situation where the people in charge of finding the culprit lament that they might have caught the real bad guys if not for wasting all their resources chasing down that seemingly rock-solid text file lead implicating Anonymous. "It had to be them! It was a text file! It was their signature, easily replicated calling card that anyone could have put there! Anyone would have made the mistake of taking it at face value!"
 