Slashdot Mirror


Sony Targeted Yet Again; Thwarts Attackers This Time

alphadogg writes with an excerpt from a Network World article: "Sony suspended 93,000 user accounts on several of its gaming and entertainment networks after unauthorized login attempts on those accounts. The attempts occurred on the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment, and the company says that login information likely acquired from other sources was tested en masse on the networks. Only a 'small number' of the attempts were successful, and no credit card information was leaked. ... Sony Chief Information Security Officer Philip Reitinger said that 'less than one tenth of one percent' of the networks' users may have been affected."

42 of 68 comments

  1. 93 million accounts? by vlm · · Score: 1

    "Sony suspended 93,000 user accounts"

    'less than one tenth of one percent' of the networks' users

    Sony has over 93 million accounts?
    As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.
    The other 50 million or so accounts are ... ?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:93 million accounts? by Anonymous Coward · · Score: 1

      Can't more than one person have an account on a single PS3?

    2. Re:93 million accounts? by Mordermi · · Score: 1

      Just to note: Some people may have multiple accounts. I know people with 2+ PSN accounts.

      But it is also for two other divisions of their network, not just PSN.

    3. Re:93 million accounts? by Sockatume · · Score: 1

      During the hacking fiasco, the press was reporting that there were 100m PlayStation Network accounts, which covers both the PS3 and the PSP. That gives us a total of around 75m units. While many of the remaining 25m will be dummy accounts used to download items from the regional PSN stores (which was quite popular in the early days), I'm sure that the majority are simply friends, family members etc.

      --
      No kidding!!! What do you say at this point?
    4. Re:93 million accounts? by scdeimos · · Score: 1

      SOE does online PC games too, you know.

    5. Re:93 million accounts? by msauve · · Score: 1

      "Sony has over 93 million accounts?"

      Right on this page - Related Links - "77 Million Accounts Stolen From Playstation Network." And, as the summary says, this is about more than that - "PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment."

      So, yes, 93 million accounts is reasonable, based solely on information found on the same page you posted to.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:93 million accounts? by diersing · · Score: 1

      From the Sony Online Entertainment and Sony Entertainment Network?

      His blog post breaks them down as - (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000)

    7. Re:93 million accounts? by pnewhook · · Score: 1

      Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    8. Re:93 million accounts? by Verunks · · Score: 1

      Sony has over 93 million accounts? As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts. The other 50 million or so accounts are ... ?

      I have 5 accounts myself: IIRC 2 European, 1 American, 1 Japanese, 1 Hong Kong. I bet others have more than one account too.

    9. Re:93 million accounts? by Anonymous Coward · · Score: 1

      Sony has over 93 million accounts?

      It is only 265510(oct) or 16B48(hex) accounts

      You've tried to be clever, but fucked up by a considerable margin. Try again. Clue: 10^6 not 10^3.

    10. Re:93 million accounts? by xmousex · · Score: 1

      I have 8 accounts, and 0 PS3s.

    11. Re:93 million accounts? by maxwell+demon · · Score: 1

      Ok, 77 million accounts were stolen, and now 93 million accounts are left. Therefore before the theft, there have been 170 million accounts. Right? :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    12. Re:93 million accounts? by Hyppy · · Score: 1

      Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...

      Which is, what, about 1.5% of cell phones?

    13. Re:93 million accounts? by Jeng · · Score: 1

      Current and past SOE customers for games such as Everquest and Star Wars Galaxies.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    14. Re:93 million accounts? by VGPowerlord · · Score: 1

      As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.

      As far as I know, PSN accounts are not tied to consoles, so why would upgraders / replacers / fire insurance claims have anything to do with this?

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    15. Re:93 million accounts? by pnewhook · · Score: 1

      Of all worldwide cellphones yes, but for smartphones they are #2 in the world, right behind Nokia (android), and ahead of Apple. Although why anyone wants to buy an Android and give their money to Microsoft is beyond me.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    16. Re:93 million accounts? by Sir_Sri · · Score: 1

      SOE (EQ, SWG, whatever that star wars adventure kids game is), the PSP, qirosity or however their marketing dipshit spelled it which is a mobile music service. Also, once you create an account it exists forever basically (I'm sure they *can* be deleted, but usually aren't).

      The PlayStation Network, and Sony's network services in general, are a whole lot bigger than just the PS3. There's a lot of overlap between PSP and PS3 owners probably, but the other services not necessarily. How many people played The Matrix Online, Clone Wars Adventures, Vanguard and registered their PSP and Sony-Ericsson phone all using just one account? Most of those people don't overlap, so there's a lot of accounts (some of which will be so outdated as to be useless).

    17. Re:93 million accounts? by Gription · · Score: 2

      In Gran Turismo 5 there is a feature where the game gives you a "birthday gift car" that was produced in the year of your birth. Lots of people were making multiple fake accounts to try and get really rare and expensive cars. Once they got the car they would give it as a gift to their main account.
      (PSN patched the game so people couldn't trade expensive cars any more so that glitch is gone.)

      I could easily believe there are lots of fake accounts out there for similar reasons.

    18. Re:93 million accounts? by pnewhook · · Score: 1

      Ok thanks. Nokia is the #1 smartphone maker in the world and Android is the #1 smartphone OS. I just assumed they were related. I actually don't know anyone with an Android phone myself.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
  2. Numbers, please! by aglider · · Score: 1

    'less than one tenth of one percent'

    Which means ... how many accounts?
    Are you contacting the compromised account owners for assistance?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Numbers, please! by maxwell+demon · · Score: 1

      Which means ... how many accounts?

      Given that they suspended 93,000 accounts (see the first line of the summary), I'd expect that to be the number of compromised accounts.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  3. Coincidence? by maxwell+demon · · Score: 1

    "login information likely acquired from other sources was tested en masse on the networks."
    Acquired from other sources? Maybe from WineHQ?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  4. Probably a more appropriate title these days... by Viol8 · · Score: 1

    ... would be Security Officer - Sony.

    (For headscratchers - think TLA).

  5. Re:"Sony Chief Information Security Officer" by elrous0 · · Score: 1

    Could be worse. Google hired a former TV psychic as head of their Apps security.

    And, no, I'm not joking.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  6. "Sony Flips the Bird at Noggly Hax0rz" by Gimbal · · Score: 1

    ...news at 4:11

    "Now back to you, Bob"

  7. Re:Didn't they say the same thing last time? by Sockatume · · Score: 4, Insightful

    No, last time they kept quiet about the scale, nature, and results of the attack, while this time they've announced the scale (90,000+ users), nature (user/password attempts), and results (some accounts are compromised) of the attack. It would appear that they have learned at least a little.

    --
    No kidding!!! What do you say at this point?
  8. Re:"Sony Chief Information Security Officer" by Viol8 · · Score: 2

    Well at least he could foresee what hacks were coming and when!

    Couldn't he...? Whaddyamean no?

  9. 93,000 DoS'd accounts by sgt+scrub · · Score: 2, Interesting

    Sounds like the attack was successful to me.

    --
    Having to work for a living is the root of all evil.
    1. Re:93,000 DoS'd accounts by DigiShaman · · Score: 1

      Does SOE enforce password complexity requirements? If not, I'm guessing all these vulnerable accounts were using easy-to-guess passwords.

      --
      Life is not for the lazy.
    2. Re:93,000 DoS'd accounts by sgt+scrub · · Score: 1

      I don't know. I assume not. Enforcing complex passwords, IMHO, would be better than shutting down thousands of user accounts. Are people connecting to their Sony account and receiving the following message, "We are sorry. Your password sucked. Your account has been disabled. Please go fuck yourself. --Sony"?

      --
      Having to work for a living is the root of all evil.
    3. Re:93,000 DoS'd accounts by Solandri · · Score: 1

      If this is what I think it is, then the accounts DOSed themselves. Most people use the same username and password on different accounts. The spate of "hacked" gaming accounts I've read about recently were mostly due to people signing up for a gaming site or gold buying site. That site gets hacked or sells its username/password list to thieves, who then try the same usernames/passwords to login to various games.

      If Sony detects this sort of login behavior (multiple failed login attempts to many different accounts coming from the same IP), the correct response is to lock the account with a message saying that their password has been compromised, and to request a password reset.

    4. Re:93,000 DoS'd accounts by Rob+Kaper · · Score: 1

      Assuming the compromised database had proper hashing with per-user salts, you are right. In any other case, the vulnerability here was the third-party storage and not the password strength. (On top of password re-use, of course).
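
Rob Kaper's distinction above (a third party leaking credentials it stored badly, versus the users' password strength) turns on per-user salted hashing. The following is an added example, not code from the page or from Sony or any of the sites named in the thread: it stores three constructed accounts with PBKDF2 and a random salt per account, shows that two users who reused the same password get unrelated digests, and contrasts that with a plain unsalted SHA-256, where a leaked table lets one cracked value unlock every account sharing it. Account names, passwords and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; tune it to your hardware.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Derive a per-user salted hash. A fresh random salt per account means
    two users with the same password get unrelated digests, so a leaked
    table cannot be matched against another site's leak by digest equality."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_sha256(password):
    """The weak scheme the comment contrasts against: every account with the
    same password shares one digest, and a precomputed table breaks them all."""
    return hashlib.sha256(password.encode()).digest()


def build_store(users):
    """Constructed credential store: name -> (salt, digest)."""
    store = {}
    for name, password in users.items():
        store[name] = hash_password(password)
    return store


def same_digest(store, a, b):
    """True if two accounts end up with identical stored digests."""
    return store[a][1] == store[b][1]


if __name__ == "__main__":
    # Constructed sample: alice and bob reused the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}
    store = build_store(users)
    print("alice login ok:", verify_password("hunter2", *store["alice"]))
    print("salted digests shared by alice/bob:", same_digest(store, "alice", "bob"))
    print("unsalted digests shared by alice/bob:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

The point for the thread: even a strong password does not help a user once a third party that stored it unsalted (or in the clear) is breached, because the attacker tests the recovered value directly; salting only protects the hashes held by the site that did the hashing, and password reuse defeats both.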

    5. Re:93,000 DoS'd accounts by sgt+scrub · · Score: 1

      If Sony detects this sort of login behavior (multiple failed login attempts to many different accounts coming from the same IP), the correct response is to lock the account

      This is essentially a vector for denial of service. Set up a brute force attack from a throwaway IP address with one user:pass. Attack 2 then 3 then 4 then 5... accounts until you hit the sweet spot. Then whenever you wish to DoS Sony user accounts you hit Sony with a brute force attack above the known number of accounts. Or equally malicious, since you know the limit, you can truly use a brute force attack under the sweet spot to avoid detection.

      --
      Having to work for a living is the root of all evil.
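
Solandri's detection rule (many distinct accounts failing from one source) and sgt scrub's objection (a per-account lockout triggered by that rule becomes a denial-of-service lever) can both be shown on a few log lines. The following is an added example, not code from the page or from Sony: it summarises a constructed authentication log per source IP, flags sources whose attempts fan out across many accounts with a high failure rate, and then plans a response that throttles the source and forces a reset only on accounts the run actually verified, never on accounts that merely received a failed guess. The log fields, IP addresses, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authentication records: (source_ip, account, outcome).
# A credential-stuffing run tries one leaked user:pass pair per account from a
# single source; a legitimate user occasionally mistypes their own password.
SAMPLE_LOG = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "ok"),      # dave reused a leaked password
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.2", "alice", "fail"),  # alice fat-fingers once...
    ("198.51.100.2", "alice", "ok"),    # ...then logs in normally
    ("198.51.100.9", "grace", "ok"),
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts whose password matched


def summarise_by_source(log):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for ip, account, outcome in log:
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if outcome == "ok":
            s.successes.add(account)
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(log, min_accounts=5, min_fail_rate=0.6):
    """Flag sources whose attempts spread across many distinct accounts with a
    high failure rate. Returns ip -> summary of the suspected run."""
    flagged = {}
    for ip, s in summarise_by_source(log).items():
        fail_rate = s.failures / s.attempts
        if len(s.accounts) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "accounts_tried": len(s.accounts),
                "fail_rate": fail_rate,
                "accounts_verified": sorted(s.successes),
            }
    return flagged


def plan_response(log, **thresholds):
    """Response that does not hand out a lockout lever: rate-limit the source,
    and force a reset only on accounts the run verified (their password is
    known to the attacker). Accounts that only saw failed guesses are untouched,
    so flooding guesses at a victim's account cannot lock the victim out."""
    flagged = detect_credential_stuffing(log, **thresholds)
    throttle = sorted(flagged)
    force_reset = sorted({a for f in flagged.values() for a in f["accounts_verified"]})
    return {"throttle_sources": throttle, "force_reset": force_reset}


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts_tried']} accounts, "
              f"fail rate {info['fail_rate']:.2f}, verified {info['accounts_verified']}")
    print(plan_response(SAMPLE_LOG))
```

With the constructed log, the fan-out source is flagged (six accounts, five of six attempts failed), the user who mistyped once is not, and only the account whose password actually matched is queued for a reset. Tuning `min_accounts` too low would reintroduce the false-positive problem the thread discusses; the per-account decision keyed on verified logins is what removes the lockout-as-DoS angle.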
  10. Re:"Sony Chief Information Security Officer" by asylumx · · Score: 2

    So then he's "SCISO" right? (Schizo... )

  11. Re:Or... by Anonymous Coward · · Score: 1

    I noticed that I couldn't log in to EQ2 last night, but there was a post in the forums about SOE taking things offline for maintenance at 8PM PST (normally they do it at 7am PST). Then, I got this email in the morning:

    We are writing to let you know that we have detected an unauthorized attempt to verify the validity of your Sony Online Entertainment ("SOE") Station Account name and password. We believe there was an attempt to use a scripted application of a large set of sign-in IDs and passwords against our network database. This attempt appears to include a large amount of data obtained from one or more compromised ID and password lists obtained from other companies, sites or other sources.

    To protect you, we have locked your XYZ Station Account. To reopen the account, please contact SOE customer service at 1 (858) 537-0898 to verify your identity. We will walk you through the password reset process then.

    Please note that your credit card number is NOT at risk. As a precaution, please review your account for unusual activity and please contact us at 1 (858) 537-0898; we will work with any users with whom we confirm have had unauthorized purchases with account wallet funds, and restore those funds.

    We want to take this opportunity to remind our consumers about the increasingly common threat of account theft, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We advise you to create a new password that is strong, consisting of a combination of numbers, letters and special characters or symbols.
    Thank you,
    Sony Online Entertainment

  12. Re:Or... by poofmeisterp · · Score: 1

    Too bad that was anonymous.

  13. Re:Or... by Sockatume · · Score: 1

    You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing. And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

    --
    No kidding!!! What do you say at this point?
  14. Misleading Summary by sangreal66 · · Score: 2

    The summary states that there were 93,000 login attempts and that a small number of the attempts were successful. This is false. There was an undisclosed number of attempts, and 93,000 accounts were successfully compromised. From Sony's own statement:

    There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts.

  15. Re:Or... by poofmeisterp · · Score: 1

    You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing.

    I didn't say that they ARE the best team. I said "PR stunt" which is targeted at the unknowing, not the most knowledgeable receiver.

    And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

    I also mentioned the possibility that these users don't exist. "PR STUNT" - italicized and capped. I don't know how to make what I said more clear.

    If you're one of the users of a company that releases that kind of information, and you aren't one of the "affected" people, it increases your feeling of safety and security. Simple logic, simple stunt. While they're at it, they may as well have people out on the 'net putting forth information that maintains the feelings of gravity and reality toward this situation that supposedly occurred (again, making others feel they "[weren't] the ones affected"). In fact, there was an anonymous comment in reply to mine where an anonymous commenter posted the notification they got from Sony. If it weren't an anonymous commenter, it would bear some weight. Anonymous = could be as false as the earth being the center of the universe.

    I'm not saying that this IS what happened; I'm saying that it's odd that they are so publicly releasing information about it when, in fact, companies try to keep it as quiet as possible. And I'll balance your counterargument in advance - they also didn't say "we are dedicated to making people aware of the situation, and are striving to be more open than [competitors]."

    If you're going to really play the game, play it through at the beginning to avoid losing customers' positive feelings.

  16. Re:Decent Catch by wiedzmin · · Score: 1

    Maybe. Except this wasn't really a hacking attempt... not even a brute-force password cracking attempt... more like an automated login script more or less. Wake me up when they catch an actual intrusion, through SQL injection or some perimeter vulnerability they may have. This here is a positive publicity stunt.

    --
    Bow before me, for I am root.
  17. Families often have more by Quila · · Score: 1

    One for each parent, one for each kid. That way the trophies and such stay separate.

  18. 'Thwarted'? Try 'tripped over'. by microcentillion · · Score: 1

    93,000 compromised accounts. If they can tell that an account was compromised vs. a legitimate use, that means there was something unique to these logins. For the sake of argument, let's just say it was a browser-agent. Let's also make some baseline assumptions:
    - Let's say that the 93,000 accounts only make up 10% of the total scope of the attack. 930,000 accounts hit, or 1% of the account-base (according to Sony).
    - Let's say that only 1 attempt was ever made per account (the most difficult scenario to detect).
    - Let's assume that across all the accounts on these systems, 1% of the logins are fat-fingered, and 50% of the user-base logs in per day: 2% average user error.
    * These assumptions are very biased in Sony's favor.

    If suddenly 930,000 of your accounts (2% of daily logins) had a 90% login failure rate across the board, that would be a terrifying moment for a sysadmin.
    If suddenly 930,000 of your accounts started seeing logins from a uniquely distinguishable user-agent, that's a blatant attack.
    If, with a dedicated security team, it takes you 3 days to notice that this is going on, there is undeniable incompetence.

    Thwarted? No. It was probably some lone sysadmin scanning through the logs that said 'hey, this user-agent sure is showing up a lot...'.

    --
    But clearly you have something better to say...