
Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 4:18 pm
by Tarvas
Tokyo, May 3, 2011

SONY ONLINE ENTERTAINMENT ANNOUNCES
THEFT OF DATA FROM ITS SYSTEMS

Breach Believed to Stem From Initial Criminal Hack of SOE

Tokyo, May 3, 2011 - Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

name
address
e-mail address
birthdate
gender
phone number
login name
hashed password.
In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

bank account number
customer name
account name
customer address.
SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

Sony Online Entertainment LLC (SOE) has been a recognized worldwide leader in massively multiplayer online games since 1999. Best known for its blockbuster hits and franchises, including EverQuest®, EverQuest® II, Champions of Norrath®, PlanetSide®, Free Realms®, Clone Wars Adventures™, and DC Universe Online™, SOE creates, develops and provides compelling online entertainment for virtually all platforms, including the PlayStation®3 Computer Entertainment System, Personal Computer, mobile and social networks. SOE is building on its proven legacy and pioneering the future of the interactive entertainment space through creative development and inspired gameplay design for audiences of all ages. To learn more, visit http://www.soe.com.

For more information and update about the SOE services, please visit http://www.soe.com/securityupdate.

About Sony Corporation
Sony Corporation is a leading manufacturer of audio, video, game, communications, key device and information technology products for the consumer and professional markets. With its music, pictures, computer entertainment and on-line businesses, Sony is uniquely positioned to be the leading electronics and entertainment company in the world. Sony recorded consolidated annual sales of approximately $78 billion for the fiscal year ended March 31, 2010. Sony Global Web Site: http://www.sony.net/

About Sony Computer Entertainment Inc.
Recognized as the global leader and company responsible for the progression of consumer-based computer entertainment, Sony Computer Entertainment Inc. (SCEI) manufactures, distributes and markets the PlayStation® game console, the PlayStation®2 computer entertainment system, the PSP® (PlayStation®Portable) handheld entertainment system and the PlayStation®3 (PS3®) system. PlayStation has revolutionized home entertainment by introducing advanced 3D graphic processing, and PlayStation 2 further enhances the PlayStation legacy as the core of home networked entertainment. PSP is a handheld entertainment system that allows users to enjoy 3D games, with high-quality full-motion video, and high-fidelity stereo audio. PS3 is an advanced computer system, incorporating the state-of-the-art Cell processor with super computer like power. SCEI, along with its subsidiary divisions Sony Computer Entertainment America Inc., Sony Computer Entertainment Europe Ltd., and Sony Computer Entertainment Korea Inc. develops, publishes, markets and distributes software, and manages the third party licensing programs for these platforms in the respective markets worldwide. Headquartered in Tokyo, Japan, SCEI is an independent business unit of the Sony Group.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 6:53 pm
by Glauri
Just what is a "hashed" password?

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 7:02 pm
by Ommina
Glauri wrote:Just what is a "hashed" password?
Instead of storing the password "as is" in the database, magic is performed on it first, and the results of said magic are stored instead, where said magic only works in one direction.

The point being that even if an entity (including SOE itself) looks at the password value stored, it does not tell them what the actual password is. Nor is there any (computationally likely) means to discover the original from the hash.

For example - a password might be 1234567890, but may be stored in the database as e807f1fcf82d132f9bb018ca6738a19f.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 7:40 pm
by Joatmoneq
I am glad to hear SOE has their passwords hashed, however I am curious exactly how strong of an encryption they were using.

Keep in mind the original program debuted commercially around 1999, which means it started the coding several years prior to that point.

Much encryption from that era can now be quickly broken using freely available hacker tools. Given that this is the same database that limited original stats to 255 (0-255 range, i.e. 256 total) because SOE had it assigned down to a single byte of storage per stat, they were trying to maximize storage in their database.

In that sort of environment I am not sure how robust an encryption they could be expected to have used. They likely went with industry standard, which is quite weak by current standards. Now I grant they have repeatedly overhauled parts of the game, but as you can see from the very patchwork style of content, whole areas go unchanged if they are unnoticed. I also know that quite frequently security is left by the wayside and not dealt with until it's too late.

If they did in fact update the encryption algorithms, all is good and they should compliment their crew. However, if they didn't then it's quite likely that the hackers have rainbow tables for these hashes by now and can crack them in seconds. I am really hoping that they updated it!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 7:53 pm
by Joatmoneq
What I am most interested in at this point is whether the hackers used a zero-day attack or if they simply exploited a known vulnerability which SOE was just negligent in fixing.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 7:57 pm
by Fnord
Ommina wrote:
Glauri wrote:Just what is a "hashed" password?
Instead of storing the password "as is" in the database, magic is performed on it first, and the results of said magic are stored instead, where said magic only works in one direction.

The point being that even if an entity (including SOE itself) looks at the password value stored, it does not tell them what the actual password is. Nor is there any (computationally likely) means to discover the original from the hash.

For example - a password might be 1234567890, but may be stored in the database as e807f1fcf82d132f9bb018ca6738a19f.
However! Given a set of probable hashing algorithms combined with the likelihood of users picking insecure passwords like 'Password', it doesn't necessarily need to be broken to yield results. Simply hash 'Password' with all the standard algorithms and look for that hashed value in the table. If you find a matching hashed value - voila, free account!
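
Joatmoneq's rainbow-table worry and Fnord's "hash the common passwords and look for a match" point, carried through in code. This is an added example and not part of the original thread or anything SOE ran. The "leaked" table and the wordlist are constructed for the demonstration; the alice entry is the md5 of 1234567890 quoted earlier, the other digests are computed inline. A rainbow table is a compressed, time-memory-traded form of the same idea; the plain precomputed lookup shown here is its simplest version.

```python
import hashlib

# Constructed sample "leaked" password column: login -> unsalted hex digest.
# The alice entry is the md5("1234567890") value quoted earlier in the thread.
LEAKED = {
    "alice": "e807f1fcf82d132f9bb018ca6738a19f",
    "bob":   hashlib.sha1(b"Password").hexdigest(),
    "carol": hashlib.sha256(b"letmein").hexdigest(),
    "dave":  hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for a "500 worst passwords" list.
WORDLIST = ["123456", "Password", "letmein", "1234567890", "panties", "qwerty"]

# Candidate algorithms an attacker tries when the site's scheme is unknown.
ALGORITHMS = ("md5", "sha1", "sha256")


def build_lookup(wordlist, algorithms=ALGORITHMS):
    """Precompute digest -> (algorithm, password) for every guess under every algorithm.

    This is the attacker's one-time cost. It does not depend on the leaked table and
    can be reused against any site that stores unsalted hashes.
    """
    table = {}
    for word in wordlist:
        for alg in algorithms:
            digest = hashlib.new(alg, word.encode("utf-8")).hexdigest()
            table[digest] = (alg, word)
    return table


def crack(leaked, lookup):
    """Match leaked digests against the precomputed table.

    Nothing about the hash is 'broken': a password is recovered only when it was
    already in the wordlist, which is why a common password is a free account.
    """
    return {login: lookup[digest] for login, digest in leaked.items() if digest in lookup}


if __name__ == "__main__":
    found = crack(LEAKED, build_lookup(WORDLIST))
    for login, (alg, password) in sorted(found.items()):
        print(f"{login}: {password!r} ({alg})")
    print("not in wordlist:", sorted(set(LEAKED) - set(found)))
```

Any salt, even a single site-wide one, empties this table's value against that site, because the attacker must recompute every guess with the salt appended; the next posts in the thread cover why a single shared salt is still not enough.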

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 8:24 pm
by Ommina
Which segues us into Lesson Two: Salting. I hope you're taking notes Glauri, there will be a quiz later.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 8:36 pm
by Derdarr
ok my head hurts now from reading what salting is... maybe the grades I got in high school weren't just from not caring and partying too much :)

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 8:41 pm
by Glauri
Oh, I AM taking notes! Just remember that you are speaking to a proud member of the slide rule generation!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Mon May 02, 2011 9:30 pm
by Ommina
No no, it's not at all complex. Just that some sites make it more difficult than they need to.

Salting is nothing more than appending (or postpending, or even inserting) some knowable value before creating the hash.

So to use Fnord's example: Unwise User selects "panties" (number 52 of the 500 worst passwords of all time) as his password of choice.

This (depending on the hashing used) is stored in the database as 51d5eb780accf3a9d62036fd840e04ac. As Fnord points out, any would be password thief is going to use that same list of 500 passwords, create a hash, and look for 51d5 (etc) and gets a winner.

Instead, we add a salt first. Let's say our salt value is "it's not a robe Nlannie, it's a dress", which we stick onto the end of 'panties'. This turns our resulting hash into 148b98f990c24f8294ef016df5bae3ac, which won't be on any list. Unwise User is safe once again.

Except this approach, too, is flawed. Fnord, you're up!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 3:26 am
by Glauri
So is there a way to salt a password randomly -- i.e., before, within or after the password -- and still have it be recognized? Do companies generally stick to one method of salting with all their passwords? Do companies usually use a salt with a common number of units (bits?) for all passwords?

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 4:00 am
by Ommina
Well, for salting to work, the salt + password mix needs to be reproducible. So if you choose a random salt at a random location, you need to be able to reapply the salt + location later. Which is to say, you could choose a random value + location, but would need to store both for reuse on the next login.

As for the method & number of bits, well, that pushes into the territory of the flaw mentioned above. Since Fnord is slacking (probably using 'sleeping' as an excuse), I'll forge onward.

The problem with the method described earlier (using a known salt for all passwords) is, if a password is duplicated between accounts, the resulting hash will also be duplicated. This provides a pretty strong clue that the underlying password is likely a common word - which goes a long way to getting into the account.

Thus, a random salt (just like you asked!), stored in the database. Longer is generally gooder, but costs a bit more to create the hash. (Both for legitimate and not-so-legitimate users). Note that if an intruder wanders off with an entire database (in contrast to a single table), said intruder will also have the salt values. This is annoying, but not necessarily awful -- we've still made their day dramatically more difficult.

One final key to all this before I wander to bed. "hashed" is not the same as "encrypted". Encryption is two-way, you don't want that. Hashed is one way only, there is no secret decoder ring to go from a hashed value and get the original. As such, credit card & personal details should be encrypted, passwords should be hashed.
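
Ommina's last two posts, the duplicated-hash leak of a shared salt, the per-user random salt stored next to the hash, and "hashed, not encrypted", carried through in code. This is an added example, not SOE's scheme or anything from the thread; the accounts are constructed, and the global salt string is the one from Ommina's earlier example. For the per-user scheme it substitutes PBKDF2-HMAC-SHA256 from the Python standard library for a single md5 round, a choice not made in the thread: a deliberately slow hash is what turns the "costs a bit more" trade-off into a real obstacle for whoever walks off with the database. The iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# The fixed salt from Ommina's example, applied identically to every password.
GLOBAL_SALT = b"it's not a robe Nlannie, it's a dress"

# Work factor for the per-user scheme (assumed value; tune to your hardware budget).
ITERATIONS = 200_000

# Constructed sample accounts; alice and bob picked the same weak password.
USERS = {"alice": "panties", "bob": "panties", "carol": "Tr0ub4dor&3"}


def global_salt_hash(password: str) -> str:
    """One salt for everyone, as in the earlier example: md5(password + salt)."""
    return hashlib.md5(password.encode("utf-8") + GLOBAL_SALT).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user random salt; the record stores everything needed to re-derive the hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh per account, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time.

    There is no decryption step: the only way to check a login is to redo the hash.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def shared_hash_groups(stored: Dict[str, str]) -> List[Set[str]]:
    """Logins whose stored hash values are identical: the clue a global salt leaves behind."""
    by_hash: Dict[str, Set[str]] = {}
    for login, digest in stored.items():
        by_hash.setdefault(digest, set()).add(login)
    return [logins for logins in by_hash.values() if len(logins) > 1]


if __name__ == "__main__":
    fixed = {u: global_salt_hash(p) for u, p in USERS.items()}
    print("global salt, identical hashes:", shared_hash_groups(fixed))

    records = {u: hash_password(p) for u, p in USERS.items()}
    per_user = {u: r["hash"] for u, r in records.items()}
    print("per-user salt, identical hashes:", shared_hash_groups(per_user))
    print("alice logs in:", verify_password("panties", records["alice"]))
    print("wrong case:", verify_password("Panties", records["alice"]))
```

The salt travels with the record in clear, exactly as the post says; it is not a secret, it only forces the attacker to run the slow function once per guess per account instead of once per guess for the whole table.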

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 7:13 am
by Fnord
Apologies, I was indeed slacking under the guise of sleeping. All this salting/hashing/encrypting/decrypting is hard work.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 8:13 am
by Glauri
As to a random salt... what if the location (before or after) of the salt was based on the even/odd value of a specific bit in the hash? So the location of the salt in my password's hash might be different than yours, but would always be the same. Could the salt be based upon one of the other pieces of information I provide, as in my login name? Then it would be the same for me from time to time, but always be different from account to account even if I used the same password.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 12:54 pm
by Sharrien
On my recent 2-week reserve duty, I actually learned something useful. The military has some of the most mind-numbing restrictions on characters used in passwords, making it extremely difficult to come up with a password based on some easily remembered word or name (which is the point I guess) thus forcing most people to write it down (defeating the entire purpose). One of our IT folks who was tired of helping a couple dozen people fumble through creating network passwords taught me a little trick.

Instead of trying to mutate something familiar so that it has caps, symbols, numbers and you've already used "b0@B1e" in the past, use a pattern on your keyboard. For example, start with "n" and go straight up one of the diagonals, "n-j-i-9" then hit shift and go back up the same row "N-J-I-(". If you need more than 8 characters, do the same on another diagonal. Or a row. Or go down instead of up. This will satisfy the most anal password requirements and all you have to remember is a mnemonic like "New Jersey" to know you should start by going up the N-J diagonal.

Changing my EQ password to something like that will be the first thing I do when we can finally log back in.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 2:57 pm
by Fnord
Sweet, just let me know your username, I've been dying to play a BST :)

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 4:03 pm
by Praco
Glauri wrote:Oh, I AM taking notes! Just remember that you are speaking to a proud member of the slide rule generation!

Whats a slide rule?

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 4:17 pm
by Ommina
Praco wrote:Whats a slide rule?
To avoid injury, wait until the previous rider is off before starting your descent.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Tue May 03, 2011 5:08 pm
by Atzanik
Ommina wrote:
Praco wrote:Whats a slide rule?
To avoid injury, wait until the previous rider is off before starting your descent.
Excellent!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Wed May 04, 2011 8:13 am
by Sharrien
Fnord wrote:Sweet, just let me know your username, I've been dying to play a BST :)
What would all the other mages say if I told them you had the urge to go furry?!

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Wed May 04, 2011 11:30 am
by Criploc
I guess the chump in this video is the one who got all the hacking started.

http://www.eurogamer.net/articles/2011- ... do-with-me

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Wed May 04, 2011 7:24 pm
by Serano
All these peeps changing passwords is going to screw up my password management book.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Thu May 05, 2011 3:51 pm
by kCii
Ommina said
"it's not a robe Nlannie, it's a dress"


denial, it's not pretty~

kC

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Thu May 05, 2011 4:30 pm
by Quartzy
I like peppering a lot more than salting especially on hash - hash browns, corned beef hash, hash and eggs, you name it.

Well you could even hash your user password list. Then you could "salt" and pepper it. It might just be useful for something after you were done.

As for me, I still think it was OER that done it while trying to FiXX rangers so they could not reproduce, seems everyone has a ranger alt these days.

^^

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 3:47 am
by Praco
Atzanik wrote:
Ommina wrote:
Praco wrote:Whats a slide rule?
To avoid injury, wait until the previous rider is off before starting your descent.
Excellent!
So essentially Glauri played on the slide like a good girl and followed rules?
What were slides made of way back in them times?

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 3:49 am
by Ommina
Praco wrote:What were slides made of way back in them times?
Franks.

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 4:12 am
by Praco
Ommina wrote:
Praco wrote:What were slides made of way back in them times?
Franks.

So like a German soldier's from centuries ago?

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 5:15 am
by Zantetsuken
I like peppering my ketchup and salting my french fries. :D

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 9:50 am
by Renaern
Criploc wrote:I guess the chump in this video is the one who got all the hacking started.

http://www.eurogamer.net/articles/2011- ... do-with-me
I want to punch his face as hard as I can, for as long as I can. :twisted:

Re: Tokyo, May 3, 2011 - Press Release (Sony Hack)

Posted: Fri May 06, 2011 6:06 pm
by Nlannie
EQ down for the weekend per http://www.facebook.com/EverQuestLive