NEWS FROM THE LAB - Wednesday, April 27, 2011

Questions and Answers on the Sony Hacks
Posted by Mikko @ 13:09 GMT

[Image: PlayStation Network is currently undergoing maintenance.]

Q: What is PSN?
A: It's the Sony PlayStation Network, an online gaming network.

Q: What devices can access it?
A: Sony PlayStation 3 (PS3) and Sony PlayStation Portable (PSP). You can also use your PSN login on the Sony discussion forums.

Q: If I have a PlayStation 3, do I also have a PSN account?
A: Not necessarily. PS3s and PSPs work fine without an Internet connection. However, the majority of users do use the online access feature and thus have created an account.

Q: Why does a gaming network have credit card information?
A: PSN is also a media delivery network. Users buy games, movies and music from there with their credit cards.

Q: How long has PSN been down?
A: Since the 20th of April, 2011.

Q: What was stolen?
A: Sony believes that the stolen information includes name, address, e-mail address, birth date, password, and handle of all PSN users. They also believe credit card numbers may have been stolen, but not their security (CVV) codes.

Q: How many accounts were stolen?
A: Up to 77 million, which would make this one of the biggest data breaches ever.

Q: What should end users do?
A: If you have used the same username/e-mail address with the same password in some other service, change the password now. When PSN comes back online, change your password there as well.

Q: What should end users do regarding their credit cards?
A: They should follow their credit card bills carefully for any signs of fraudulent purchases. If you see any signs of fraud, report it to your credit card issuer.

Q: What kind of credit cards do you recommend for online use?
A: In general, credit cards are safer than alternatives, as long as you carefully follow your bills. We especially like systems such as the one provided by Bank of America, where you can generate temporary credit card numbers for online use. Citibank and Discover offer the same or similar technology.

Q: Who hacked PSN?
A: We don't know.

Q: Was it "Anonymous"?
A: Anonymous has recently launched several attacks against Sony to protest Sony's tactics. However, Anonymous has announced they are not behind this breach.

[Image: Sony vs Anonymous]

Q: What's the connection to Rebug?
A: Rebug is a custom firmware for PS3 that enables access to lots of features that are otherwise unreachable. In particular, recent versions made it possible for a normal PS3 to look like a developer unit. In some cases, this could be used to steal content from PSN shops for free. While the Rebug hack could be used to steal credentials and credit card numbers from the PS3 unit it's running on, there's no obvious way it could be used to steal information on a larger scale. Rebug developers do not believe it was connected to the breach in any way.

Q: So, this could never happen on the gaming networks of XBOX and Wii, right?
A: We wouldn't bet on that.

Here's a link to Sony's official PSN hack Q&A.

Added questions on 3rd of May, 2011:

Q: What's SOE?
A: It's Sony Online Entertainment System, which is an online gaming network like PSN but for PC games.

Q: Does SOE have any games I would have heard of?
A: Yes, EverQuest (also known as EverCrack for its addictiveness). There are some other games too, including Star Wars Galaxies, The Matrix Online, PlanetSide and DC Universe Online.

[Image: EverQuest II, from mmofront.com]

Q: What happened with SOE?
A: It was hacked as well. Sony announced on the 3rd of May that attackers had stolen personal information for 24.6 million SOE accounts, including names, addresses, telephone numbers, e-mail addresses, gender, date of birth, login ID, and hashed passwords. Combining stolen records from PSN and SOE takes the total over 100 million stolen accounts, which must be some sort of a record. This is pretty big. For example, we have scores of employees at F-Secure who are affected.

Q: Did they steal anything else?
A: Yes. They were able to steal "an outdated database from 2007", which included 12,700 credit or debit card numbers and 10,700 direct debit records of European customers. That means bank account information.

Q: Why did Sony have "an outdated database from 2007" online?
A: Beats us.

Q: Were the credit card numbers in the "outdated database from 2007" encrypted?
A: Sony isn't telling.

Q: What do they say?
A: They have an announcement to SOE customers here.

Q: Any idea who did it?
A: We don't know. But there is some speculation there could be a connection to layoffs that just happened in Sony's Denver, Seattle and Tucson studios.

Q: Why do people hate Sony?
A: MAKE magazine has a long article on this. To summarize, Sony has a long history of going after legitimate innovation, hobbyists, and competition. Examples:

  •  Shipping hidden Windows rootkits on music CDs
  •  Threatening hobbyists for creating software that enables Sony's Aibo robot dog to dance
  •  Shutting down vendors who want to write emulators that would allow playing your old original PlayStation 1 CDs on your PC
  •  Suing companies that build systems for bypassing region restrictions
  •  Killing Linux support on PS3
  •  Suing makers, hackers, and tinkerers such as Geohot
  •  And now: losing your personal info, your credit card number and your bank account details