Well, That Was Fast: Sony's New PSN System? Hacked!
from the hiccup dept
So, it took a few weeks for Sony to get everything in order after its er… hiccup in exposing the details of everyone on the PlayStation Network. And, now it appears that the Japanese government’s worries that Sony hadn’t really fixed the problem or made its system secure appear to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone’s password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. Hic
Comments on “Well, That Was Fast: Sony's New PSN System? Hacked!”
Dear Sony
I see you are Having tea with Karma again.
Sincerely,
Anonymous
Don't taunt hackers... Part Duex
http://www.techdirt.com/articles/20110518/03135114315/sony-ceo-howard-stringer-month-long-hackathon-merely-hiccup.shtml#c27
Just saying. They had it commin.
Re: Don't taunt hackers... Part Duex
What a travesty
Dear Anonymous,
OK WE GIVE UP!! PLEASE STOP!!
– Sony
Oh .... better one !
Dear Sony
Karma Much??
Sincerely,
GeoHot
Company-wide pattern?
The PS3 crack that kicked off Sony’s recent legal campaign against GeoHot and Anonymous’ subsequent DDOS attacks was made possible by the PS3 validating all games through a single root key. Bad security practice appears to be endemic at Sony, from DRM to network security.
Re: Company-wide pattern?
to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn’t really flawed and they did fix what geohot did pretty fast and remove you from psn if you were using the modified firmware.
However their network security seems be a one step beyond saying “Just set the password to “secret” who is gonna fuck with us?”
Re: Re: Company-wide pattern?
Well, sony also didn’t ask to be hacked until pretty recently. There isn’t much of a need to jailbreak something that officially supports running custom code. You can’t really start the time until they stopped.
Re: Re: Company-wide pattern?
“””to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn’t really flawed and they did fix what geohot did pretty fast”””
1. Not to Sony’s credit because no one who knew what they were doing was really trying.
2. Yes, the PS3 went “uncracked the longest”, see #1.
3. The DRM was very very very flawed. Sorry, I’m not going to give a link, but the hackers’ who worked on the real crack (after Geohot) have put out a lengthy explanation.
4. They did not “fix” what Geohot did at all.
*Ahem*
BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH*wheeze*AHAHAHAHAH
One more ....
Dear Sony
ha … No Wait … HA!!!!!
Sincerely,
The Xbox 360 Dev Team
Not really a hack this time
This is purely lousy design…
My turn!
Dear Sony,
You should have done what we did…
Friend codes are the future!
Sincerely,
Nintendo
Re: My turn! ...
Dear Sony PS3,
I feel your pain…..no kids want to play with me either.
Sincerely,
Michael Jackson
Re: Re: My turn! ...
ouch!
More hiccups?
Dear Sony,
Those hiccups must be just awful, what with your head so far up your ass!
Re: More hiccups?
Oh, so that’s how you land in the hospital for a month with the hiccups.
Sony IT guy
Sony IT guy – “Okay! Just rebooted the system. Does it work now?”
Re: Sony IT guy
What IT guy? It’s probably some lawyer that knows how to reinstall windows and thus he thinks he can fix a server. After all sony’s workforce is 99% lawyers
Re: Re: Sony IT guy
You’d be surprised at how true this really is. I used to be a game tester for them back in the PS2 days testing games for platform compliance. We were theoretically supposed to be finding bugs before a game went gold. Reality tho was that we would have to write up any and all game issues which could create a liability for Sony. 80+ Game Testers writing up “bugs” about trademarks appearing in other publishers’ titles. We worked for the Legal Dept.
Re: Sony IT guy
I have to say it…this is getting well into TJX territory.
Re: Re: Sony IT guy
TJX territory? They passed TJX territory at the first hiccup.
Sony needs to redesign their console with a ring of status lights and a LCD display. This way they can red ring of death their consoles while scrolling your personal and credit card information in the LCD.
That’s considered notification that your personal information has been leaked isn’t it? As an added bonus, you won’t have to wait 7 days to find out.
Three possible explanations
1. They had the reset password auth key generator key from the previous intrusion, or got in again and stole it
The most likely scenario.
2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB
Very poor design I’ve seen on some sites before but you’d have to be incompetent or negligent to code something like this.
3. They guessed it or social engineered it
Unlikely…
Re: Three possible explanations
4. The seed for the auth key generator is the same seed for all the PS3 keys.
Re: Re: Three possible explanations
ALWP dude. I think that would fall under option 3 though, as well as brute-forcing.
Re: Three possible explanations
Read the article.
When logging back into the PSN, Sony is forcing everyone to reset their passwords.
To verify a user, since the old passwords were stolen, they needed to use some other piece of information to confirm users.
So instead they decided to use the email and DOB. The same information that was stolen along with the passwords.
This kind of oversight is epic Picard level facepalm.
Re: Re: Three possible explanations
I read the article and my list of possible explanations are correct.
Resetting passwords by email address alone(no DOB) is a standard way of starting a two-phase authorization.
If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of “Click this link to reset your password”.
Normally that’s where a fraudulent password reset request would end unless someone had access to a user’s email account, however seconds later they received another email saying the request was completed.
Sony just stated on their blog that this was a “URL exploit”, so now I present two other explanations which I forgot to list.
4. Sony set their script to automatically bypass the second phase so people wouldn’t have to check their email account.
Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they’re going to bypass it themselves?
5. Sony let blank auth keys reset passwords (the official explanation?)
Maybe the programmer accidentally put something like a = instead of == for matching… But the structure of the links make me call bull on this.
Re: Re: Re: Three possible explanations
Now I think I know what really happened. Check out update #3 on Kotaku article.
The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.
Sony should work on its fanbase...
Last I checked, having a supportive group of fans is far more effective than any amount of engineering. If the fans are on your side, you can tap into the community and summon its collective power to solve problems. Instead, Sony has built a fortress to defend itself from fans. It stays behind its walls and simply attaches bait (in the form of entertainment) to hooks and fishes for fans from the safety of its castle. Heaven forbid the fishermen have any meaningful interaction with their catch! The fish (or their money) are all that matter!
It could be worse!
You could receive a service pack on your game console which has a chance to brick your box and it’s mandatory to enable additional copyright protection which makes reading retail disks impossible.
Though, you’ll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the “trouble” of preventing your legally purchased products from working.
Thank goodness I own a Wii! Since developers shunned this piece of crap, I’ve nothing to worry about.
😐
It could be worse!
You could receive a service pack on your game console which has a chance to brick your box and it’s mandatory to enable additional copyright protection which makes reading retail disks impossible.
Though, you’ll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the “trouble” of preventing your legally purchased products from working.
Thank goodness I own a Wii! Since developers shunned this piece of crap, I’ve nothing to worry about.
😐
Re: It could be worse!
brand new free system, freebies valued at 70$, two weeks ‘ish’ downtime. Not sure how its worse….
although its definitely shitty, yeah console breaking drm
And thus was the beginning of the end for the PS3.
Maybe they will learn that any security that can be unlocked, can be broken? There are enough people with the will and skill to do it out there. And they love a good challenge as much as they love wiping the smug grins from Sony’s face.
Obvious fail is obvious. Couldn’t happen to a nicer company. bwahahahahahahaha. Eat it Sony!
wow, the fanbois are going to be having a fit of apoplexy over this.
okay… thats +1 for the use of fanboys, +.5 for the alternate spelling, +3 for big archaic word used correctly and its on a triple word space… +70.5 for me.
Re: Re:
Yahtzee!
If this is a hiccup god forbid they get the flu.
haiku (so maybe Sony will understand)
My dearest Sony,
Obvious fail on this one,
Karma is a bitch…
*giggle*
Re: haiku (so maybe Sony will understand)
Whilst claiming that these security holes have been fixed, the servers are being hacked as the rep speaks.
Well sucks to be them.
Whatever profit Sony was supposedly “losing” to piracy and jailbreaking has been immensely surpassed by the ongoing degree of fuckupitude.
A Sony Representative claims that these “Security breaches are a very rare exception to the rule, a once in a lifetime event,” at the same time that his servers are being hacked.
I think I mentioned this yesterday. Somebody needs to start a PR team in Anonymous to start getting kickstarter pools together for future projects.
Spitball caption on ad:
Brought to you by the same folks that braught you Climate-Gate. The same folks that filled the need in “Waste 60 bucks on a game I cant demo? FTS” & Sony hacks brings you….
The thing of it is the entertainment value is huge. Think about Hacker(the movie) like competitions on destroying senators that go against he public interest. I distinctly remember if the government fears the people….
“if you have their email and date of birth”
or even Facebook, or most social networks.
Why they got hacked
Sony remove Other OS
Who uses Other OS? – people who make supercomputers from lots of PS3’s – what do they use them for?
security research
“On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland”
Irony of ironies – were Sony hacked by their own hardware?
And now a phishing site found on one of their servers…
http://latimesblogs.latimes.com/technology/2011/05/sony-servers-hacked-host-credit-card-phishing-site.html
And it just keeps getting worse for Sony:
http://www.foxnews.com/scitech/2011/05/20/sony-hacked-playstation-so-net-isp/