General: Sony Hit Again in New Security Breach

24 Comments

  • Bergir Member Posts: 299

    Originally posted by SBFord

    Originally posted by BoA*

    Article is very misleading, trying to get more hits. They did not get hacked again. Still shows us a great reason to not use the same password/username combo for everything.

    Where does it say they were hacked in the article? The headline says "security breach". The article talks of "attacks". If the attempt to steal passwords isn't a security breach, what would you characterize it as, with almost 100k accounts made vulnerable?

    Thank you.

    No company would ever come forward with any sort of negative news in regards to security, especially after one of the largest and most memorable ones to date; the only reason they are forthcoming is that it happened, AGAIN!

  • Loktofeit Member RarePosts: 14,247

    Originally posted by Sandbox

    Originally posted by Loktofeit

    Originally posted by Squiggie

    This is why I will never play a SOE game again....EVER....

    I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.

    We're talking about brute force password cracking, which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.

    "The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."

    So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.

    In this scenario, what did SOE do wrong exactly?

    Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this, in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.

    This is exactly what I'm talking about. You're so anxious to vilify SOE that you are just latching on to key words and not even reading the article.

    "In April, the group discovered that more than 100 million of its online accounts had been compromised."

    Nowhere does it say that the current breach was the result of 100 million or even 1 million attempts. For all we know, they went through the list, filtered out the people who had their previous password set to Password1 and just tried those again. On a system with millions of accounts regularly logging in and out (sometimes multiple times a day), a few hundred thousand failed attempts in the span of four days is barely a blip on the radar.

    There isn't a "right" or "wrong" way to play; if you want to use a screwdriver to put nails into wood, have at it, simply don't complain when the guy next to you with the hammer is doing it much better and easier. - Allein
    "Graphics are often supplied by Engines that (some) MMORPG's are built in" - Spuffyre

  • Sandbox Member UncommonPosts: 295

    Originally posted by Binny45

    Originally posted by Sandbox

    Originally posted by Loktofeit

    Originally posted by Squiggie

    This is why I will never play a SOE game again....EVER....

    I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.

    We're talking about brute force password cracking, which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.

    "The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."

    So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.

    In this scenario, what did SOE do wrong exactly?

    Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this, in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.

    LOL, you're talking about a MAJOR ONLINE GAMING COMPANY! What would be deemed "abnormal"? Hmmm? You're talking about millions of players connecting all at the same time, some with multiple accounts. Do you realize how difficult it is to track down a small number (possibly even just 1) of IPs out of that many? Picture trying to find a person with a unique ID number, and you can only go around looking.....in New York City, Tokyo, LA, and Chicago combined, and that is NOWHERE NEAR the number of connections.

    This is not a LAN we're talking about here. The fact that they got the jump on them so quickly shows that SOE is probably the best equipped company to deal with such a situation as this. I would find it VERY interesting to see, if the Xbox Live servers or the Blizzard or EA servers were to come under a similar attack, how they would fare.

    Having statistics on the source (IP) of failing logins is not a hard thing to do. And since Sony knows which accounts got compromised, it looks like they do have that implemented.

    The issue at hand is the lack of monitoring this data and acting accordingly.

  • gaugemew Member Posts: 158

    You know, it's easy to hate on Sony and the "big guy". This was a brute force attack. There is no really good way to defend against them. What they failed to mention was that the people who had passwords guessed probably had very short, easy to guess passwords.

    This IMO is being blown out of proportion. It was a brute force, nothing else.

  • Distopia Member EpicPosts: 21,183

    Originally posted by Sandbox

    Having statistics on the source (IP) of failing logins is not a hard thing to do. And since Sony knows which accounts got compromised, it looks like they do have that implemented.

    The issue at hand is the lack of monitoring this data and acting accordingly.

    No, the issue at hand is that no matter what happened there would be a large amount of comments condemning SOE or Sony, whether they're at fault or not.

    "For every minute you are angry, you lose 60 seconds of happiness." - Emerson


  • mCalvert Member CommonPosts: 1,283

    1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

  • Kaynos1972 Member Posts: 2,316

    I'm no security expert, but why is it that on a basic discussion forum you get locked out after 5 failed attempts at login, but you can brute force passwords in a SOE database for hours without any problems?

  • Sandbox Member UncommonPosts: 295

    Originally posted by Loktofeit

    Originally posted by Sandbox

    Originally posted by Loktofeit

    Originally posted by Squiggie

    This is why I will never play a SOE game again....EVER....

    I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.

    We're talking about brute force password cracking, which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.

    "The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."

    So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.

    In this scenario, what did SOE do wrong exactly?

    Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this, in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.

    This is exactly what I'm talking about. You're so anxious to vilify SOE that you are just latching on to key words and not even reading the article.

    "In April, the group discovered that more than 100 million of its online accounts had been compromised."

    Nowhere does it say that the current breach was the result of 100 million or even 1 million attempts. For all we know, they went through the list, filtered out the people who had their previous password set to Password1 and just tried those again. On a system with millions of accounts regularly logging in and out (sometimes multiple times a day), a few hundred thousand failed attempts in the span of four days is barely a blip on the radar.

    Anxious or not...sorry my friend. The information is from the site referenced in the OP.

    "The latest attack appears to be an attempt to gain access to user accounts through password guesses.

    Hackers launched a massive log-in process across both networks' 100 million users, though the phoney passwords only allowed access to about 93,000 accounts."

    http://www.develop-online.net/news/38849/Sony-shocked-by-new-attack-on-100m-online-accounts

    EDIT: Nowhere did I say what you claim. In fact, I'm saying the same as you in regards to the number of accounts challenged:

    Attempting to guess 100 million passwords takes time ... You see? Attempting...

    But the same site referenced above as source also says "The overwhelming majority [were] failed matching attempts,"

    indicating a lot more attempts that failed. And we know for a fact (source http://presscentre.sony.eu/content/detail.aspx?ReleaseID=7104&NewsAreaId=2) that the attack was ongoing for four days.

  • woodard2040 Member Posts: 20

    Dear God... Sony DID NOT GET HACKED!!!!! The attempted and failed hack occurred with already stolen account information that was saved to a third party server. When the "hackers" tried to log in with all those accounts simultaneously, Sony security measures forced a lockout and the servers went into a type of security mode that caused them to temporarily shut down. Sony has said IF anything was bought they will reverse the action, fully refunding players. LOL, people need to lighten up on Sony just a tad. Any game could have had this happen. This is the best way to deal with hackers. Sony's on the band wagon, people. Release the vice grips from their ball sacks.
  • Eladi Member UncommonPosts: 1,145

    The error is by the users this time. Sure, SOE could monitor things better, but if this program runs through different IPs every 30 sec or so then it will be hard to block at all. And this time the SOE server did detect it, shutting down their own service for a while.

    The users whose account got "hacked" simply had a weak, simple, stupid password. The user list was obtained in the big hack last time, so this is really a "PR" hack of bored kids ..beavis: huhuhu hey lets hack soe again hihihi huhuhu - butthead: huhuuhu yeaaaaa

    You can't protect data forever and against all situations. Users have a responsibility as well, and things like this make the general public aware that whatever they do online is never safe and never private. Safe & private are illusions belonging in the old world.

  • Kost Member CommonPosts: 1,975

    So an unknown group or individual managed to brute force 93,000 accounts from Sony and people actually think that isn't a serious issue?

    Guess what, they used the same "it was just accounts from an un-used, old database" excuse during the last debacle as well.

    How much of what they claimed turned out to be true?

    The evidence speaks for itself, once bitten twice shy and all that.

  • Sandbox Member UncommonPosts: 295

    Just to give some figures to the people who live in a dream world or are uneducated and think that "accessing all those accounts is done instantly and should leave no trace".

    The attack was able to continue for 4 days, and this according to a source at Sony.

    "These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources. These were unauthorized attempts to verify valid user accounts on our services using very large sets of sign-in IDs and passwords. Between October 7 - 10 US Pacific Daylight Time, we confirmed that these were unauthorized attempts, and took steps to thwart this activity."

    http://presscentre.sony.eu/content/detail.aspx?ReleaseID=7104&NewsAreaId=2

  • Nadia Member UncommonPosts: 11,798

    Originally posted by korent1991

    It would be great if they learn for once and add an extra security feature for the Sony accounts. How hard is it to make authentication software similar to the Blizzard token and give it out on the iTunes store and Android market? Hell, why not use the Gmail authenticator and implement it in their system... Lazy asses

    SOE already has - this was offered 2 months ago

    http://massively.joystiq.com/2011/08/11/soe-releases-account-authenticators/

     

  • quentin405 Member Posts: 468

    Oh no, now someone might have access to my email address and my epic trial characters from Sony's C-list of fail games!!!

  • woodard2040 Member Posts: 20

    @sandbox

    Fair enough. But because you don't understand identity theft protection on this scale, you are able to make these outlandish statements about how bad Sony is, when banks can't even catch people that fast sometimes. This is something that is monitored in house, no doubt. The amount of logins that happen each day when you combine them across multiple platforms (PS2, PS3, computer and mobile devices) is probably well over 10 million. How many times have you mistyped your password or username while logging in? Even if it was once, the database queries that, along with all those other people that have done the same thing. Some people do it multiple times before they request assistance, then still manage to screw it up and have to call and get over-the-phone help. So lots of logins really doesn't mean much. Failed attempts don't mean much either when you consider how many people are logging in. So for Sony to catch that in four days.... That's pretty darn good!

  • kitarad Member LegendaryPosts: 8,178

    Using the max amount of characters for a password is better, I guess.

  • Gajari Member Posts: 984

    I wish hackers would get a life and stop trying to ruin other people's good time.

  • BadSpock Member UncommonPosts: 7,979

    Originally posted by kitarad

    Using the max amount of characters for a password is better, I guess.

    There is no way to have a password/username list that is not crackable.

    Sorry.

    14 character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?

    7 minutes.

    That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.

    How big is this massive database table (text file) of all of these probably billions of combinations?

    1.2 terabytes - you can fit it on an $80 portable hard drive.

    So what can they do?

    Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.

    Sony is actually doing a great job now; if you read the blog in the OP, they are doing EVERYTHING right.

  • Sandbox Member UncommonPosts: 295

    Originally posted by woodard2040

    @sandbox Fair enough. But because you don't understand identity theft protection on this scale, you are able to make these outlandish statements about how bad Sony is, when banks can't even catch people that fast sometimes. This is something that is monitored in house, no doubt. The amount of logins that happen each day when you combine them across multiple platforms (PS2, PS3, computer and mobile devices) is probably well over 10 million. How many times have you mistyped your password or username while logging in? Even if it was once, the database queries that, along with all those other people that have done the same thing. Some people do it multiple times before they request assistance, then still manage to screw it up and have to call and get over-the-phone help. So lots of logins really doesn't mean much. Failed attempts don't mean much either when you consider how many people are logging in. So for Sony to catch that in four days.... That's pretty darn good!

    As an example, let's say the attacker got access to 1000 different IPs. To be able to examine 1 million accounts and get 900,000 login failures (and the other 100,000 successes), that would give 900 login failures for each and every IP used. Do YOU consider this normal during day to day activities? And.. it happening to 1000 different IPs during a small time frame? Would this not ring a bell in your office? It would for sure in mine if I ran a company responsible for caring about 100 million accounts.

    You are right that I don't understand identity theft of this scale, but I can do some simple math just to show ONE way of doing it.

    But with 25 years in the IT industry I know for sure that rationalizing with the excuse that not even banks can handle it does not help prove any points from you.
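Sandbox's "900 failures per IP" argument is a per-source aggregation, and the reason it works where the per-account view does not is that a replayed breach list touches each account only once. The block below is an added example, not code from Sony or from anyone in this thread: it builds a constructed authentication log (a few legitimate users plus a replay of a stolen list spread over three source addresses) and aggregates it per source and 10-minute bucket. The log format, the addresses, the bucket size and the two thresholds are all assumptions; a real deployment would parse its own log format and tune the thresholds against its baseline.

```python
"""Per-source failed-login statistics over an authentication log.

Added example, not code from Sony or from anyone in this thread. The log
format, IP addresses, account names, bucket size and thresholds are all
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUCKET_MINUTES = 10          # aggregate per (source IP, 10-minute bucket)
MIN_DISTINCT_ACCOUNTS = 20   # one source cycling through many accounts...
MIN_FAILURE_RATIO = 0.8      # ...with nearly every attempt failing


def _stamp(d: datetime) -> str:
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed sample log: '<ISO time> <source IP> <account> <OK|FAIL>'.

    Two real users mistype once and then succeed. Meanwhile a replayed
    breach list tries ONE password per account, spread over three source
    addresses; a constructed ~9 % of the stolen pairs still match."""
    base = datetime(2011, 10, 8, 2, 0, 0)
    lines = [
        f"{_stamp(base)} 203.0.113.10 alice FAIL",
        f"{_stamp(base + timedelta(seconds=5))} 203.0.113.10 alice OK",
        f"{_stamp(base + timedelta(seconds=9))} 198.51.100.7 bob OK",
        f"{_stamp(base + timedelta(minutes=3))} 198.51.100.7 bob FAIL",
        f"{_stamp(base + timedelta(minutes=3, seconds=4))} 198.51.100.7 bob OK",
    ]
    sources = ["192.0.2.50", "192.0.2.51", "192.0.2.52"]
    for i in range(300):
        src = sources[i % len(sources)]
        result = "OK" if i % 11 == 0 else "FAIL"
        lines.append(f"{_stamp(base + timedelta(seconds=i))} {src} user{i:04d} {result}")
    return lines


def parse_line(line: str):
    ts, src, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result


def bucket_of(ts: datetime) -> datetime:
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def source_stats(lines):
    """Return ({(src, bucket): stats}, max failures seen against any ONE account)."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set()})
    per_account_failures = defaultdict(int)
    for line in lines:
        ts, src, account, result = parse_line(line)
        s = stats[(src, bucket_of(ts))]
        s["attempts"] += 1
        s["accounts"].add(account)
        if result == "FAIL":
            s["failures"] += 1
            per_account_failures[account] += 1
    return stats, max(per_account_failures.values(), default=0)


def flag_sources(lines):
    """Sources that, within one bucket, hit many distinct accounts with a
    high failure ratio. Returns ({src: summary}, max_failures_per_account)."""
    stats, max_per_account = source_stats(lines)
    flagged = {}
    for (src, _bucket), s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= MIN_DISTINCT_ACCOUNTS and ratio >= MIN_FAILURE_RATIO:
            flagged[src] = {"attempts": s["attempts"], "failures": s["failures"],
                            "distinct_accounts": len(s["accounts"])}
    return flagged, max_per_account


if __name__ == "__main__":
    flagged, worst_account = flag_sources(build_sample_log())
    for src, s in sorted(flagged.items()):
        print(f"block {src}: {s['failures']}/{s['attempts']} failures across {s['distinct_accounts']} accounts")
    print(f"max failures against any single account: {worst_account}")
```

On the constructed log the three replay sources each show about 90 failures across 100 distinct accounts inside one bucket and get flagged, while the two legitimate users (one or two failures, one account each) do not. The second return value is the point Sandbox is making from the other direction: no single account sees more than one failure, so a rule that only watches per-account counters would never notice the run.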

  • Pyrostasis Member UncommonPosts: 2,293

    Originally posted by Reizla

    Originally posted by SBFord

    Thanks, Reizla, that's probably true. Either way, even if folks haven't bothered to change their passwords, or have taken inadequate security measures, it's still a bummer that Sony's been hit again. I'm sure the 'red flag' was waved in hackers' faces by all the loud noise Sony has made about their new security measures. Some people simply can't resist the challenge, huh?

    Even for those folk that did change their password, their account is still at risk. With the massive bot-networks active around the world, I'm surprised that only 93K passwords have been retrieved. When these 'hackers' activate these bot-networks to 'guess' passwords, within a few months all 100M passwords are 'in the open' again.

    Problem is that once you've made a user account, you can't change your account name. And now that SONY has been hacked (the April hack, not this guessing round), the usernames of all old users (pre-April 2011) are known to the hackers and they can keep trying to 'guess' the passwords.

    The only counter measure that SONY can add to this kind of 'guessing' is to add a CAPTCHA when a password has failed twice (thrice?) in a row, along with an e-mail to the account holder that a failed logon attempt was made from that IP address.

    Actually no, most types of login authentication on the network side have a built-in check for brute force hacks.

    Usually it's x # of wrong logins before the account is locked, and that number is usually 5 or less. Hell, even most forum software has that check.

    Yes, if there is no wrong-login check then it's extremely easy to crack... but most companies are secure from this type of issue.

  • Pyrostasis Member UncommonPosts: 2,293

    Originally posted by Binny45

    Well if you're going to quit any company that has had accounts hacked, you better quit playing Blizzard games...oh yeah, and anything by NCSoft......then there's SOE.....and EA, don't forget those guys. Pretty much ANY online company has had their security breached in some form or another.

    I have news for you, the only truly 100% secure computer is an offline one (and by offline I mean no network connection).

    There is a massive difference between having an account compromised via phishing and social engineering, and having your network breached.

    One is user error and not easily preventable on the company side.

    One is company error and preventable with a good security policy and security measures.

    You are confusing the two.

     

  • Pyrostasis Member UncommonPosts: 2,293

    Originally posted by Binny45

    Originally posted by Sandbox

    Originally posted by Loktofeit

    Originally posted by Squiggie

    This is why I will never play a SOE game again....EVER....

    I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.

    We're talking about brute force password cracking, which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.

    "The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."

    So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.

    In this scenario, what did SOE do wrong exactly?

    Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this, in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.

    LOL, you're talking about a MAJOR ONLINE GAMING COMPANY! What would be deemed "abnormal"? Hmmm? You're talking about millions of players connecting all at the same time, some with multiple accounts. Do you realize how difficult it is to track down a small number (possibly even just 1) of IPs out of that many? Picture trying to find a person with a unique ID number, and you can only go around looking.....in New York City, Tokyo, LA, and Chicago combined, and that is NOWHERE NEAR the number of connections.

    This is not a LAN we're talking about here. The fact that they got the jump on them so quickly shows that SOE is probably the best equipped company to deal with such a situation as this. I would find it VERY interesting to see, if the Xbox Live servers or the Blizzard or EA servers were to come under a similar attack, how they would fare.

    Actually, most basic services come with standard login protection.

    Brute force hacks are pretty easy to stop with a 5x login attempt shutdown, which is pretty much industry standard.
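The "lock after 5 failed attempts" rule that Pyrostasis (here and in the reply to Reizla above) and Kaynos1972 describe stops a classic brute force against one account, but the attack in the thread tries one stolen password per account across a huge list, so no account ever reaches five failures. Sandbox's per-source view is what catches that pattern. The block below is an added example, not code from Sony, SOE or any poster: a small login handler with both rules, run first against a replayed breach list and then against a single-account brute force. The user base, the "leaked" list, the thresholds (5 failures per account, 20 attempts per source per minute) and the PBKDF2 settings are all assumptions chosen to keep the demo fast and deterministic.

```python
"""Per-account lockout versus per-source throttling in a login handler.

Added example, not code from Sony, SOE or anyone in this thread. Users,
the leaked credential list, thresholds and hashing parameters are all
assumptions for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

ACCOUNT_LOCK_THRESHOLD = 5     # the "5 strikes and the account is locked" rule
SOURCE_LIMIT_PER_WINDOW = 20   # attempts one source IP may make per window
WINDOW_SECONDS = 60
PBKDF2_ROUNDS = 1_000          # far too low for production; chosen to keep the demo quick


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self):
        self.users = {}                          # name -> (salt, hash)
        self.account_failures = defaultdict(int)
        self.locked = set()
        self.source_hits = defaultdict(list)     # ip -> recent attempt times
        self.blocked_sources = set()

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt))

    def _source_over_limit(self, ip: str, now: float) -> bool:
        recent = [t for t in self.source_hits[ip] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.source_hits[ip] = recent
        return len(recent) > SOURCE_LIMIT_PER_WINDOW

    def login(self, name: str, password: str, ip: str, now: float) -> str:
        """Return "ok", "bad", "locked" or "throttled"."""
        if ip in self.blocked_sources or self._source_over_limit(ip, now):
            self.blocked_sources.add(ip)
            return "throttled"
        if name in self.locked:
            return "locked"
        rec = self.users.get(name)
        # Always run the hash, even for unknown names, so response time
        # does not reveal which account names exist.
        salt, stored = rec if rec else (b"\x00" * 16, b"\x00" * 32)
        candidate = hash_password(password, salt)
        if rec and hmac.compare_digest(candidate, stored):
            self.account_failures[name] = 0
            return "ok"
        self.account_failures[name] += 1
        if self.account_failures[name] >= ACCOUNT_LOCK_THRESHOLD:
            self.locked.add(name)
        return "bad"


def simulate():
    """Replay a constructed breach list, then brute-force one account."""
    svc = LoginService()
    # 60 constructed accounts; every sixth user reused the leaked password,
    # the rest changed it after the (assumed) earlier breach.
    leaked = {f"user{i:03d}": f"oldpw{i}" for i in range(60)}
    for i, (name, old_pw) in enumerate(leaked.items()):
        svc.register(name, old_pw if i % 6 == 0 else f"newpw{name}")

    # 1) Credential stuffing: ONE guess per account, alternating two sources.
    stuffing = defaultdict(int)
    sources = ["192.0.2.1", "192.0.2.2"]
    for i, (name, old_pw) in enumerate(leaked.items()):
        stuffing[svc.login(name, old_pw, sources[i % 2], now=float(i))] += 1
    locked_after_stuffing = len(svc.locked)

    # 2) Brute force of one account from a fresh source: 5 wrong guesses, then the right one.
    brute = defaultdict(int)
    guesses = ["123456", "password", "qwerty", "letmein", "abc123", "newpwuser050"]
    for i, guess in enumerate(guesses):
        brute[svc.login("user050", guess, "198.51.100.9", now=1000.0 + i)] += 1
    return dict(stuffing), locked_after_stuffing, dict(brute), "user050" in svc.locked


if __name__ == "__main__":
    stuffing, locked, brute, target_locked = simulate()
    print("credential stuffing:", stuffing, "| accounts locked:", locked)
    print("single-account brute force:", brute, "| target locked:", target_locked)
```

In the replay phase the lockout counter never fires (each account sees one failure at most) and seven reused passwords get through before the per-source limit cuts off each attacker address after 20 attempts; in the brute-force phase the same account-level rule locks the target on the fifth wrong guess, so even the correct sixth guess is refused. Real throttling has to be gentler than this toy (shared NAT addresses, back-off instead of permanent blocks, CAPTCHA or e-mail notice as Reizla suggests), and an attacker with many addresses pushes the per-source count down, which is why the per-source statistics belong in monitoring as well as in the login path.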

  • Pyrostasis Member UncommonPosts: 2,293

    Originally posted by Aguitha

    I'm no security expert, but why is it that on a basic discussion forum you get locked out after 5 failed attempts at login, but you can brute force passwords in a SOE database for hours without any problems?

    Someone gets it... yay!

  • Icewhite Member Posts: 6,403

    Originally posted by BadSpock

    Originally posted by kitarad

    Using the max amount of characters for a password is better, I guess.

    There is no way to have a password/username list that is not crackable.

    Sorry.

    14 character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?

    7 minutes.

    That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.

    How big is this massive database table (text file) of all of these probably billions of combinations?

    1.2 terabytes - you can fit it on an $80 portable hard drive.

    So what can they do?

    Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.

    Sony is actually doing a great job now; if you read the blog in the OP, they are doing EVERYTHING right.

    Documentation of 7 minutes please?

    With some quick thumbnail math, I get 1E+25 combinations from standard ASCII codes in a 14 digit password.

    Each of those has to be tried (including internet transit time). At one per second, that's 3.9E+17 years to try them all, but of course computers can process much faster than that.

    This claim requires the computer to cycle 4.9E+20 passwords per second to try them all in 7 minutes--which I naturally find a little suspect.

    Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.

  • Loke666 Member EpicPosts: 21,441

    Originally posted by Pyrostasis

    There is a massive difference between having an account compromised via phishing and social engineering, and having your network breached.

    One is user error and not easily preventable on the company side.

    One is company error and preventable with a good security policy and security measures.

    You are confusing the two.

    Agreed, if your computer gets hacked it isn't the MMO company's fault (unless the hackers are employees; there have been some rumors about Chinese Blizzard workers doing stuff like that, but as far as I know that is just rumors).

    If the company's databases get hacked, on the other hand, it is their fault, and a disaster for them. In fact that is the reason me and my entire guild finally left EQ2 for good; when VISA card numbers leak to hackers from any kind of company, they have it very hard to get the trust of the customers again.

    I think this indeed is the worst thing that ever happened to Sony. Worse than the old Betamax incident, if anyone remembers that, when Sony thought people would pay more for better video quality (yeah, they got revenge with Blu-ray though).

    I don't have any number on how many people quit due to that, but it was 100% of my friends at least, and that is just SOE; it was the mother company's fault and problem, with millions of customers' info compromised.
