Tokyo, May 3, 2011 - Press Release (Sony Hack)

Discussion of the May 2011 SOE downtime. Now largely retired, as servers have been restored as of May 14 2011.

Moderator: Littlabit

Forum rules
"SAN DIEGO, May 14, 2011 - Sony Online Entertainment LLC (SOE) announced today that restoration of its game services will begin today. The phased restoration will include the return of nearly all of SOE's portfolio of online games, the reinstatement of SOE's game forums and websites, and added functionality to require players to reset their passwords."
Tarvas
Whee!
Posts: 2023
Joined: Sat Sep 05, 2009 9:48 am
Location: Dead in a ditch

Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Tarvas » Mon May 02, 2011 4:18 pm

Tokyo, May 3, 2011

SONY ONLINE ENTERTAINMENT ANNOUNCES
THEFT OF DATA FROM ITS SYSTEMS

Breach Believed to Stem From Initial Criminal Hack of SOE

Tokyo, May 3, 2011 - Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

name
address
e-mail address
birthdate
gender
phone number
login name
hashed password.
In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

bank account number
customer name
account name
customer address.
SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

Sony Online Entertainment LLC (SOE) has been a recognized worldwide leader in massively multiplayer online games since 1999. Best known for its blockbuster hits and franchises, including EverQuest®, EverQuest® II, Champions of Norrath®, PlanetSide®, Free Realms®, Clone Wars Adventures™, and DC Universe Online™, SOE creates, develops and provides compelling online entertainment for virtually all platforms, including the PlayStation®3 Computer Entertainment System, Personal Computer, mobile and social networks. SOE is building on its proven legacy and pioneering the future of the interactive entertainment space through creative development and inspired gameplay design for audiences of all ages. To learn more, visit http://www.soe.com.

For more information and update about the SOE services, please visit http://www.soe.com/securityupdate.

About Sony Corporation
Sony Corporation is a leading manufacturer of audio, video, game, communications, key device and information technology products for the consumer and professional markets. With its music, pictures, computer entertainment and on-line businesses, Sony is uniquely positioned to be the leading electronics and entertainment company in the world. Sony recorded consolidated annual sales of approximately $78 billion for the fiscal year ended March 31, 2010. Sony Global Web Site: http://www.sony.net/

About Sony Computer Entertainment Inc.
Recognized as the global leader and company responsible for the progression of consumer-based computer entertainment, Sony Computer Entertainment Inc. (SCEI) manufactures, distributes and markets the PlayStation® game console, the PlayStation®2 computer entertainment system, the PSP® (PlayStation®Portable) handheld entertainment system and the PlayStation®3 (PS3®) system. PlayStation has revolutionized home entertainment by introducing advanced 3D graphic processing, and PlayStation 2 further enhances the PlayStation legacy as the core of home networked entertainment. PSP is a handheld entertainment system that allows users to enjoy 3D games, with high-quality full-motion video, and high-fidelity stereo audio. PS3 is an advanced computer system, incorporating the state-of-the-art Cell processor with super computer like power. SCEI, along with its subsidiary divisions Sony Computer Entertainment America Inc., Sony Computer Entertainment Europe Ltd., and Sony Computer Entertainment Korea Inc. develops, publishes, markets and distributes software, and manages the third party licensing programs for these platforms in the respective markets worldwide. Headquartered in Tokyo, Japan, SCEI is an independent business unit of the Sony Group.
Alan
I'm a Tank!
Punked, Carvas, Harvas, Cayleb

Glauri
Whee!
Posts: 2116
Joined: Fri May 29, 2009 7:15 am
Location: TEXAS!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Glauri » Mon May 02, 2011 6:53 pm

Just what is a "hashed" password?
Do not regret growing older. It is a privilege denied to many.
Glauri

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Mon May 02, 2011 7:02 pm

Glauri wrote:Just what is a "hashed" password?


Instead of storing the password "as is" in the database, magic is performed on it first, and the results of said magic are stored instead, where said magic only works in one direction.

The point being that even if an entity (including SOE itself) looks at the password value stored, it does not tell them what the actual password is. Nor is there any (computationally likely) means to discover the original from the hash.

For example - a password might be 1234567890, but may be stored in the database as e807f1fcf82d132f9bb018ca6738a19f.

Joatmoneq
Whee!
Posts: 8
Joined: Fri Aug 07, 2009 5:32 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Joatmoneq » Mon May 02, 2011 7:40 pm

I am glad to hear SOE has their passwords hashed; however, I am curious exactly how strong of an encryption they were using.

Keep in mind the original program debuted commercially around 1999, which means it started the coding several years prior to that point.

Much encryption from that era can now be quickly broken using freely available hacker tools. Given that this is the same database that limited original stats to 255 (0-255 range, i.e. 256 total) because SOE had it assigned down to a single byte of storage per stat, they were trying to maximize storage in their database.

In that sort of environment I am not sure how robust of encryption they could be expected to have used. They likely went with industry standard, which is quite weak by current standards. Now I grant they have repeatedly overhauled parts of the game, but as you can see from the very patchwork style of content, whole areas go unchanged if they are unnoticed. I also know that quite frequently security is left by the wayside and not dealt with until it's too late.

If they did in fact update the encryption algorithms, all is good and they should compliment their crew. However, if they didn't, then it's quite likely that the hackers have rainbow tables for these hashes by now and can crack them in seconds. I am really hoping that they updated it!

Joatmoneq
Whee!
Posts: 8
Joined: Fri Aug 07, 2009 5:32 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Joatmoneq » Mon May 02, 2011 7:53 pm

What I am most interested in at this point is whether the hackers used a zero-day attack or if they simply exploited a known vulnerability which SOE was just negligent in fixing.

Fnord
Whee!
Posts: 195
Joined: Mon Aug 09, 2010 9:34 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Fnord » Mon May 02, 2011 7:57 pm

Ommina wrote:
Glauri wrote:Just what is a "hashed" password?


Instead of storing the password "as is" in the database, magic is performed on it first, and the results of said magic are stored instead, where said magic only works in one direction.

The point being that even if an entity (including SOE itself) looks at the password value stored, it does not tell them what the actual password is. Nor is there any (computationally likely) means to discover the original from the hash.

For example - a password might be 1234567890, but may be stored in the database as e807f1fcf82d132f9bb018ca6738a19f.


However! Given a set of probable hashing algorithms combined with the likelihood of users picking insecure passwords like 'Password', it doesn't necessarily need to be broken to yield results. Simply hash 'Password' with all the standard algorithms and look for that hashed value in the table. If you find a matching hashed value - voila, free account!

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Mon May 02, 2011 8:24 pm

Which segues us into Lesson Two: Salting. I hope you're taking notes Glauri, there will be a quiz later.

Derdarr
Whee!
Posts: 1553
Joined: Wed Aug 10, 2005 9:17 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Derdarr » Mon May 02, 2011 8:36 pm

OK, my head hurts now from reading what salting is... maybe the grades I got in high school weren't just from not caring and partying too much :)

Glauri
Whee!
Posts: 2116
Joined: Fri May 29, 2009 7:15 am
Location: TEXAS!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Glauri » Mon May 02, 2011 8:41 pm

Oh, I AM taking notes! Just remember that you are speaking to a proud member of the slide rule generation!
Do not regret growing older. It is a privilege denied to many.
Glauri

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Mon May 02, 2011 9:30 pm

No no, it's not at all complex. Just that some sites make it more difficult than they need to.

Salting is nothing more than appending (or postpending, or even inserting) some knowable value before creating the hash.

So to use Fnord's example: Unwise User selects "panties" (number 52 of the 500 worst passwords of all time) as his password of choice.

This (depending on the hashing used) is stored in the database as 51d5eb780accf3a9d62036fd840e04ac. As Fnord points out, any would-be password thief is going to use that same list of 500 passwords, create a hash, and look for 51d5 (etc) and gets a winner.

Instead, we add a salt first. Let's say our salt value is "it's not a robe Nlannie, it's a dress", which we stick onto the end of 'panties'. This turns our resulting hash into 148b98f990c24f8294ef016df5bae3ac, which won't be on any list. Unwise User is safe once again.

Except this approach, too, is flawed. Fnord, you're up!

Glauri
Whee!
Posts: 2116
Joined: Fri May 29, 2009 7:15 am
Location: TEXAS!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Glauri » Tue May 03, 2011 3:26 am

So is there a way to salt a password randomly -- i.e., before, within or after the password -- and still have it be recognized? Do companies generally stick to one method of salting with all their passwords? Do companies usually use a salt with a common number of units (bits?) for all passwords?
Do not regret growing older. It is a privilege denied to many.
Glauri

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Tue May 03, 2011 4:00 am

Well, for salting to work, the salt + password mix needs to be reproducible. So if you choose a random salt at a random location, you need to be able to reapply the salt + location later. Which is to say, you could choose a random value + location, but would need to store both for reuse on the next login.

As for the method & number of bits, well, that pushes into the territory of the flaw mentioned above. Since Fnord is slacking (probably using 'sleeping' as an excuse), I'll forge onward.

The problem with the method described earlier (using a known salt for all passwords) is, if a password is duplicated between accounts, the resulting hash will also be duplicated. This provides a pretty strong clue that the underlying password is likely a common word - which goes a long way to getting into the account.

Thus, a random salt (just like you asked!), stored in the database. Longer is generally gooder, but costs a bit more to create the hash. (Both for legitimate and not-so-legitimate users). Note that if an intruder wanders off with an entire database (in contrast to a single table), said intruder will also have the salt values. This is annoying, but not necessarily awful -- we've still made their day dramatically more difficult.

One final key to all this before I wander to bed. "hashed" is not the same as "encrypted". Encryption is two-way, you don't want that. Hashed is one way only, there is no secret decoder ring to go from a hashed value and get the original. As such, credit card & personal details should be encrypted, passwords should be hashed.
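The three storage schemes walked through in this thread (Fnord's lookup of weak-password hashes, Ommina's fixed site-wide salt, and Ommina's per-user random salt stored beside the hash), as an added Python example that is not code from the thread or from SOE. The user list, the weak-password list and the use of SHA-256 for the per-user variant are constructed assumptions; the fixed salt string and the MD5 value for 1234567890 are the ones quoted above.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same weak
# password. SITE_SALT is the fixed salt quoted in the thread.
USERS = {"alice": "panties", "bob": "panties", "carol": "correct horse battery"}
SITE_SALT = "it's not a robe Nlannie, it's a dress"
# Constructed stand-in for the "500 worst passwords" list mentioned above.
WEAK_LIST = ["Password", "123456", "1234567890", "panties", "qwerty"]


def unsalted_md5(password):
    """Plain MD5 of the password, the scheme implied by the thread's examples."""
    return hashlib.md5(password.encode()).hexdigest()


def fixed_salt_md5(password):
    """One site-wide salt appended to every password (Ommina's first method)."""
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()


def make_record(password):
    """Per-user random salt, stored next to the hash (Ommina's second method).
    SHA-256 is an assumption here; the thread does not name an algorithm."""
    salt = os.urandom(16).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return {"salt": salt, "hash": digest}


def verify(record, attempt):
    """Login check: re-apply the stored salt, compare in constant time."""
    digest = hashlib.sha256((record["salt"] + attempt).encode()).hexdigest()
    return hmac.compare_digest(digest, record["hash"])


def duplicate_hashes(stored):
    """Hash values that appear under more than one account. A duplicate is the
    clue Ommina describes: identical hash means identical password."""
    seen, dupes = set(), set()
    for value in stored.values():
        if value in seen:
            dupes.add(value)
        seen.add(value)
    return dupes


def weak_list_hits(stored, hash_fn):
    """Audit check a defender runs on their own table: which accounts' stored
    values equal the hash of a known weak password (Fnord's lookup)."""
    table = {hash_fn(pw): pw for pw in WEAK_LIST}
    return {user: table[h] for user, h in stored.items() if h in table}


def build_tables():
    """Store the same users three ways so the schemes can be compared."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    fixed = {u: fixed_salt_md5(p) for u, p in USERS.items()}
    per_user = {u: make_record(p) for u, p in USERS.items()}
    return unsalted, fixed, per_user


if __name__ == "__main__":
    unsalted, fixed, per_user = build_tables()
    print("unsalted weak-list hits:", weak_list_hits(unsalted, unsalted_md5))
    print("fixed-salt duplicates:", duplicate_hashes(fixed))
    print("per-user duplicates:", duplicate_hashes({u: r["hash"] for u, r in per_user.items()}))
    print("alice login ok:", verify(per_user["alice"], "panties"))
```

With the fixed salt the two "panties" accounts still share one stored value; with a per-user salt they do not, and an intruder who takes the whole table (salts included) has to attack each account separately.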

Fnord
Whee!
Posts: 195
Joined: Mon Aug 09, 2010 9:34 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Fnord » Tue May 03, 2011 7:13 am

Apologies, I was indeed slacking under the guise of sleeping. All this salting/hashing/encrypting/decrypting is hard work.

Glauri
Whee!
Posts: 2116
Joined: Fri May 29, 2009 7:15 am
Location: TEXAS!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Glauri » Tue May 03, 2011 8:13 am

As to a random salt...what if the location (before or after) of the salt was based on the even/odd value of a specific bit in the hash? So the location of the salt in my password's hash might be different than yours, but would always be the same. Could the salt be based upon one of the other pieces of information I provide, as in my login name? Then it would be the same for me from time to time, but always be different from account to account even if I used the same password.
Do not regret growing older. It is a privilege denied to many.
Glauri

Sharrien
Whee!
Posts: 1161
Joined: Tue Jun 03, 2008 2:06 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Sharrien » Tue May 03, 2011 12:54 pm

On my recent 2-week reserve duty, I actually learned something useful. The military has some of the most mind-numbing restrictions on characters used in passwords, making it extremely difficult to come up with a password based on some easily remembered word or name (which is the point I guess) thus forcing most people to write it down (defeating the entire purpose). One of our IT folks who was tired of helping a couple dozen people fumble through creating network passwords taught me a little trick.

Instead of trying to mutate something familiar so that it has caps, symbols, numbers and you've already used "b0@B1e" in the past, use a pattern on your keyboard. For example, start with "n" and go straight up one of the diagonals, "n-j-i-9" then hit shift and go back up the same row "N-J-I-(". If you need more than 8 characters, do the same on another diagonal. Or a row. Or go down instead of up. This will satisfy the most anal password requirements and all you have to remember is a mnemonic like "New Jersey" to know you should start by going up the N-J diagonal.

Changing my EQ password to something like that will be the first thing I do when we can finally log back in.
Savage Spirit Sharrien Dreamstalker, Master Artisan, Master Researcher
Primal Elementalist Ravingronn Blazewarden, Master Artisan, Master Researcher

Fnord
Whee!
Posts: 195
Joined: Mon Aug 09, 2010 9:34 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Fnord » Tue May 03, 2011 2:57 pm

Sweet, just let me know your username, I've been dying to play a BST :)

Praco
Whee!
Posts: 90
Joined: Mon Mar 27, 2006 8:08 am

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Praco » Tue May 03, 2011 4:03 pm

Glauri wrote:Oh, I AM taking notes! Just remember that you are speaking to a proud member of the slide rule generation!



What's a slide rule?

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Tue May 03, 2011 4:17 pm

Praco wrote:What's a slide rule?


To avoid injury, wait until the previous rider is off before starting your descent.

Atzanik
Whee!
Posts: 83
Joined: Wed Apr 14, 2010 4:25 pm
Location: Ontario, Canada

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Atzanik » Tue May 03, 2011 5:08 pm

Ommina wrote:
Praco wrote:What's a slide rule?


To avoid injury, wait until the previous rider is off before starting your descent.


Excellent!

Sharrien
Whee!
Posts: 1161
Joined: Tue Jun 03, 2008 2:06 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Sharrien » Wed May 04, 2011 8:13 am

Fnord wrote:Sweet, just let me know your username, I've been dying to play a BST :)


What would all the other mages say if I told them you had the urge to go furry?!
Savage Spirit Sharrien Dreamstalker, Master Artisan, Master Researcher
Primal Elementalist Ravingronn Blazewarden, Master Artisan, Master Researcher

Criploc
Whee!
Posts: 110
Joined: Thu Apr 09, 2009 4:34 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Criploc » Wed May 04, 2011 11:30 am

I guess the chump in this video is the one who got all the hacking started.

http://www.eurogamer.net/articles/2011- ... do-with-me

Serano
Whee!
Posts: 94
Joined: Mon Sep 27, 2010 8:12 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Serano » Wed May 04, 2011 7:24 pm

All these peeps changing passwords is going to screw up my password management book.

kCii
Whee!
Posts: 237
Joined: Wed Apr 15, 2009 8:13 pm

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby kCii » Thu May 05, 2011 3:51 pm

Ommina said
"it's not a robe Nlannie, it's a dress"


denial, it's not pretty~

kC

Quartzy
Whee!
Posts: 9
Joined: Sat Mar 26, 2011 4:01 am

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Quartzy » Thu May 05, 2011 4:30 pm

I like peppering a lot more than salting especially on hash - hash browns, corned beef hash, hash and eggs, you name it.

Well you could even hash your user password list. Then you could "salt" and pepper it. It might just be useful for something after you were done.

As for me, I still think it was OER that done it while trying to FiXX rangers so they could not reproduce, seems everyone has a ranger alt these days.

^^

Praco
Whee!
Posts: 90
Joined: Mon Mar 27, 2006 8:08 am

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Praco » Fri May 06, 2011 3:47 am

Atzanik wrote:
Ommina wrote:
Praco wrote:What's a slide rule?


To avoid injury, wait until the previous rider is off before starting your descent.


Excellent!


So essentially Glauri played on the slide like a good girl and followed rules?
What were slides made of way back in them times?

Ommina
Whee!
Posts: 3918
Joined: Tue Oct 04, 2005 1:26 pm
Location: ömniöüs

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Ommina » Fri May 06, 2011 3:49 am

Praco wrote:What were slides made of way back in them times?


Franks.

Praco
Whee!
Posts: 90
Joined: Mon Mar 27, 2006 8:08 am
Contact:

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Praco » Fri May 06, 2011 4:12 am

Ommina wrote:
Praco wrote:What were slides made of way back in them times?


Franks.



So like a German soldier's from centuries ago?

Zantetsuken
Iron Cutting Sword
Posts: 718
Joined: Sun May 08, 2005 9:40 am
Location: Beverly, Kentucky

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Zantetsuken » Fri May 06, 2011 5:15 am

I like peppering my ketchup and salting my french fries. :D
Lightbringer Zantetsuken
"Men in battle, do not need women. My love is my Sword!" - The Almighty Dekar from Lufia II
Axe Master Verige
"The weak only strive to be weaker." - Magus from Chrono Trigger

Renaern
Whee!
Posts: 140
Joined: Sun May 03, 2009 7:31 am

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Renaern » Fri May 06, 2011 9:50 am

Criploc wrote:I guess the chump in this video is the one who got all the hacking started.

http://www.eurogamer.net/articles/2011- ... do-with-me

I want to punch his face as hard as I can, for as long as I can. :twisted:

Nlannie
Mindless Lemming
Posts: 214
Joined: Thu Mar 31, 2005 9:53 am
Location: Vazaelle

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Postby Nlannie » Fri May 06, 2011 6:06 pm

EQ down for the weekend per http://www.facebook.com/EverQuestLive