If the latest is true, the people responsible are Anonymous.
If we were reading the same article based on Sony's letter to Congress, then Anonymous was running a DDoS while the hack occurred and not so much that Anonymous was responsible for the hack. Of course I could be off-base on that so if anyone has the link/better info, feel free to correct me.
Of course, the second one could be questioned, I thought Anonymous had a history of letting everyone know when they had done something (and usually why they did it) so seems plausible they didn't perform the actual hack.
I am pretty sure Anonymous is not behind this. As they are known as so-called Hacktivists who so far only performed so-called DDoS attacks to take down websites out of protest and have so far not been involved in data theft.
The data breach is most probably done by a cybercriminal organisation who were just waiting for the right moment to do it and have Anonymous get the blame for it.
Originally posted by JeroKane It has been mentioned everywhere already that neither Sony nor SOE bothered to encrypt our Personal Information, except for the credit card table (most probably due to the simple fact they are legally forced to do so). Our names, addresses, birthdates, email addresses, phone numbers, gender, login / account names were stored in PLAIN TEXT in their databases!!
Encrypting a public, wide access database?
Do you even understand how encryption works or even do you have any idea what you talk about?
It has been mentioned everywhere already that neither Sony nor SOE bothered to encrypt our Personal Information, except for the credit card table (most probably due to the simple fact they are legally forced to do so).
Our names, addresses, birthdates, email addresses, phone numbers, gender, login / account names were stored in PLAIN TEXT in their databases!!
Encrypting a public, wide access database?
Do you even understand how encryption works or even do you have any idea what you talk about?
What would be the difference between encrypting the personal information tables vs the credit card tables? It isn't like the SOE game servers are hammering those tables during gameplay and the performance would bog the games down.
I'm curious what the problem would be to encrypt that information?
Consider that if SOE had one database of credit card information that wasn't encrypted it isn't too hard to believe that they had more. I don't think SOE made an exception for that data and then decided to store it somewhere for no reason.
It has been mentioned everywhere already that neither Sony nor SOE bothered to encrypt our Personal Information, except for the credit card table (most probably due to the simple fact they are legally forced to do so).
Our names, addresses, birthdates, email addresses, phone numbers, gender, login / account names were stored in PLAIN TEXT in their databases!!
Encrypting a public, wide access database?
Do you even understand how encryption works or even do you have any idea what you talk about?
The one that has no idea what happened and why is you my friend. Seeing how you are desperately trying to defend Sony/SOE and bluntly ignoring all the facts.
The database that stores personal information does not have any different performance requirements as the database storing your credit/debit card information!
In fact, on the old 2007 database from which data was stolen, SOE stored all your personal and financial information in one database, also without encryption. That was so far the biggest crime on their part. To still have that database online in a live online network!
Originally posted by Daffid011 What would be the difference between encrypting the personal information tables vs the credit card tables?
The difference is access, who and why is accessing the table. You simply need way less access to credit card numbers.
Encrypting an internal database like a CRM is usually OK because there are limited users working with the data.
Often it is recommended to encrypt the columns (credit card numbers) but encrypting the database fully can be problematic in regards to key distribution and storage.
As I said earlier, I am no expert on IT security, probably those issues I described can be solved and there is some solution out there but I just want to remind that encryption isn't an answer, at least not the ultimate, not easy one.
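The trade-off raised in the post above (encrypt the sensitive columns, and keep the keys somewhere other than the database) sketched in Go. This is an added example, not code from the thread or from Sony/SOE; the Row schema, the Vault type and the demo keys are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Row is what the database holds for one account (hypothetical schema).
type Row struct {
	Login      string // left in clear: many services look accounts up by it
	EmailIndex string // keyed hash of the e-mail, searchable without decrypting
	EmailEnc   []byte // nonce || AES-256-GCM ciphertext
	AddressEnc []byte
}

// Vault holds the keys in the application tier (or a KMS/HSM), never in the database.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// seal encrypts one value; column and login are bound as associated data.
func (v *Vault) seal(column, login, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column+"|"+login)), nil
}

func (v *Vault) open(column, login string, blob []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(column+"|"+login))
	return string(pt), err
}

// BlindIndex is a deterministic HMAC of the normalised e-mail for equality lookups.
func (v *Vault) BlindIndex(email string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(m.Sum(nil))
}

func (v *Vault) Store(login, email, address string) (Row, error) {
	e, err := v.seal("email", login, email)
	if err != nil {
		return Row{}, err
	}
	a, err := v.seal("address", login, address)
	if err != nil {
		return Row{}, err
	}
	return Row{Login: login, EmailIndex: v.BlindIndex(email), EmailEnc: e, AddressEnc: a}, nil
}

func main() {
	// Constructed 32-byte demo keys; real keys come from a KMS or HSM.
	v, _ := NewVault([]byte(strings.Repeat("k", 32)), []byte(strings.Repeat("i", 32)))
	row, _ := v.Store("player1", "player1@example.com", "1 Example St")
	email, err := v.open("email", row.Login, row.EmailEnc)
	fmt.Println(email, err, row.EmailIndex[:16])
}
```

A copy of the table without the Vault keys yields only ciphertext and the keyed index; the index still reveals when two rows share the same e-mail, which is the price of being able to search on it.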
Originally posted by JeroKane The database that stores personal information does not have any different performance requirements as the database storing your credit/debit card information!
Who said a word about performance? You obviously have no clue what you talk about...
It won't. VBV/Mastercard Securecode (aka 3DSecure) is an extra layer of security handled by your issuing bank to ensure you are who you say you are. At most, when the exchange occurs (which happens between your browser and your bank's servers) the vendor - in this case SOE - gets an authentication token back that they may store, but is pretty much useless.
Short version:
1. You enter your CC data.
2. SOE processes it and gets a request for VBV/Mastercard Securecode back from your issuing bank.
3. You enter your details into an interface provided by your BANK (though it may look like it's a part of the vendor's website).
4. Bank okays or denies the transaction with the vendor.
Sorry for the off-topic. plz gief back pre-CU SWG. thx.
Thank you for being one of the many intelligent ones out there.
This process works a lot like Amazon.com and Google Checkout. It might look like the vendor's website but it's really another site. In this case, it's your bank's own authentication.
When I pay a bill online using Bank of America check card they actually pop-up a secure window directly from BOA to authenticate my info and then send the authentication code to the site, for example, Verizon Wireless.
The only information stored on Sony's server is a hash encryption of the bank's authentication code to SOE.
The database that stores personal information does not have any different performance requirements as the database storing your credit/debit card information!
Who said a word about performance? You obviously have no clue what you talk about...
You are right I don't know a lot about it outside the loss of some performance. Nothing I'm afraid to admit.
Aside from what you point out as being some standard practice, it sure seems like securing the personal information of all those customers would have saved Sony a ton of trouble wouldn't you agree? Storing that information in clear text is going to cost the company millions and millions of dollars just in the Identity theft program they are offering on top of the rest of their new found problems.
So from a security standpoint, not encrypting (or whatever solution) the personal information seems to be a very poor choice. One that should have been addressed. Would you agree?
There is another issue to this argument. What are the requirements by the industry that allows you to process credit card transactions? And then one step further, what are the requirements for storing said numbers in a database for subscription based transactions? Simply put, it's called PCI compliance. Sony's terrible mismanagement in security puts them in direct violation of this set of rules which vary from state to state but all having common grounds.
Dilly dally shilly shally all day about whether or not an entire DB or a table or a field needs to be encrypted. The data such as credit card numbers AND fields that are unique unto the user's security say like password are supposed to be encrypted. And this isn't exactly new stuff, folks. That half arsed db from 2007 that was left in the open for no justifiable reason - the PCI Compliance regulations were in place before its existence. No opt out excuse on this one.
Well, one thing you can be almost certain of... None of this will even touch good Old Smed. ^^ What boggles the mind is that they used a long outdated suite, unpatched and no firewall.
Originally posted by kefkah The data such as credit card numbers AND fields that are unique unto the user's security say like password are supposed to be encrypted. And this isn't exactly new stuff, folks. That half arsed db from 2007 that was left in the open for no justifiable reason - the PCI Compliance regulations were in place before its existence. No opt out excuse on this one.
Basically all that PCI compliance requires is credit card number encryption, passwords are hashed anyway.
That dated database is a legit concern, as I already stated earlier. Funny enough, it is the least questioned and discussed subject in Sony case.
I am reminded of how slow they were to deal with hackers in PlanetSide back when the guys using those trainers kept making free trial accounts and ruining all the fun for everyone. Now perhaps they will take all of this hacking shit more seriously and hopefully not just this global problem they now have.
On a side note. I think it's about time that SOE started accepting PayPal as another payment source. Out of all the MMOs I play they are the only one that does not and that's usually the payment source I use when it's available.
On a side note. I think it's about time that SOE started accepting PayPal as another payment source. Out of all the MMOs I play they are the only one that does not and that's usually the payment source I use when it's available.
I'm not sure it is such a good idea for SOE to be asking players for more sensitive information at this time.
For all those saying, you are going to sue Sony over this...
some things to ponder..
1. You chose to go online. First and foremost, this was your first mistake in the eyes of the court.
2. You chose to give Sony your email and whatever information you wanted to, if you chose your real-life information, that was your choice.
3. Sony offers many ways to pay for their products, including game cards which can be bought in a variety of ways and areas. So you were not forced to give Sony your credit card information, once again, your choice to do so.
To blame this on Sony is ridiculous, it was hackers (or crackers, the supposed new term) who did this, first reports point to Anonymous. Take your hate spewed bile and point it at them.
Do I personally blame Anonymous? I'll wait for the FBI to decide, but they definitely aren't innocent.
For all those saying, you are going to sue Sony over this...
some things to ponder..
1. You chose to go online. First and foremost, this was your first mistake in the eyes of the court.
2. You chose to give Sony your email and whatever information you wanted to, if you chose your real-life information, that was your choice.
3. Sony offers many ways to pay for their products, including game cards which can be bought in a variety of ways and areas. So you were not forced to give Sony your credit card information, once again, your choice to do so.
To blame this on Sony is ridiculous, it was hackers (or crackers, the supposed new term) who did this, first reports point to Anonymous. Take your hate spewed bile and point it at them.
Do I personally blame Anonymous? I'll wait for the FBI to decide, but they definitely aren't innocent.
I don't agree. If I go online, provide my e-mail to a company such as Sony, and pay for products, I expect a degree of protection by that company. If Sony, or any other company, fails to offer that protection, then they are at fault.
The data such as credit card numbers AND fields that are unique unto the user's security say like password are supposed to be encrypted. And this isn't exactly new stuff, folks. That half arsed db from 2007 that was left in the open for no justifiable reason - the PCI Compliance regulations were in place before its existence. No opt out excuse on this one.
Basically all that PCI compliance requires is credit card number encryption, passwords are hashed anyway.
That dated database is a legit concern, as I already stated earlier. Funny enough, it is the least questioned and discussed subject in Sony case.
Actually it is! As that 2007 database is what is going to cost SOE most money! As it is exactly THAT database that is now going to have serious consequences for over 10,700 European people for which they will have to start paying Identity Theft protection!
As those people now got their full personal information AND full bank account information exposed!
I may be one of them but I'm not that worried. It's just the complete unnecessary hassle that Sony provides by keeping my old data that annoys me a lot. I am not your customer, you don't need my data, period.
For all those saying, you are going to sue Sony over this...
some things to ponder..
1. You chose to go online. First and foremost, this was your first mistake in the eyes of the court.
2. You chose to give Sony your email and whatever information you wanted to, if you chose your real-life information, that was your choice.
3. Sony offers many ways to pay for their products, including game cards which can be bought in a variety of ways and areas. So you were not forced to give Sony your credit card information, once again, your choice to do so.
To blame this on Sony is ridiculous, it was hackers (or crackers, the supposed new term) who did this, first reports point to Anonymous. Take your hate spewed bile and point it at them.
Do I personally blame Anonymous? I'll wait for the FBI to decide, but they definitely aren't innocent.
Well... Given how past instances have worked, I doubt Sony is going to be held as blameless as you appear to wish them to be. Using an unpatched server, with no firewall is not a good start. I suspect they violated any number of federal and state (not to mention EU) agency requirements. Blaming the victim may be SOP in some quarters, but I suspect it's not going to work well in this instance.
Not to mention that Sony isn't as likely to have purchased nearly as many politicians as say Microsoft and Google have (at least not in the US/EU). That alone is likely to have dire consequences. That's not even taking into account the damage to image/brand that continues to take place. The longer their network is down, the worse this gets for them.
As for Anonymous, they've stated that they have not been responsible for the data theft. Given that they haven't made a habit of lying (such as Sony and various governments have) I'd tend to believe them at this point. Looking at their past history, this type of thing just isn't their style.
I really hope Sony offers up like 6 months of full station access to all their games. That would be kinda cool. I know on the playstation side we'd get only a free month of PS+ which I think is kind of a crappy apology.
Disclaimer: This is not a troll post and is not here to promote any negative energy. Although this may be a criticism, it is not meant to offend anyone. If a moderator feels the post is inappropriate, please remove it immediately before it is subject to consideration for a warning. Thank you.
Originally posted by Excalaber2 I really hope Sony offers up like 6 months of full station access to all their games. That would be kinda cool. I know on the playstation side we'd get only a free month of PS+ which I think is kind of a crappy apology.
Why would they do that? They are the victims here...
I really hope Sony offers up like 6 months of full station access to all their games. That would be kinda cool. I know on the playstation side we'd get only a free month of PS+ which I think is kind of a crappy apology.
Why would they do that? They are the victims here...
Sony is not the victim. The cardholders that trusted Sony to maintain a higher level of security are the victims. Sony's lack of ability to maintain security makes them nearly as guilty as the hackers in my book.
I really hope Sony offers up like 6 months of full station access to all their games. That would be kinda cool. I know on the playstation side we'd get only a free month of PS+ which I think is kind of a crappy apology.
Why would they do that? They are the victims here...
Sony is not the victim. The cardholders that trusted Sony to maintain a higher level of security are the victims. Sony's lack of ability to maintain security makes them nearly as guilty as the hackers in my book.
So one provided entertainment services and the other broke the law and Sony/SOE are just as guilty as a criminal? You work at a bank. Someone goes Oceans 11 on you and robs you in the middle of the night. Is it your fault? Yes, they could have done better security. Every company could probably use it. But if people just obeyed the laws we wouldn't need all that crap. It's networking bud, there are always holes and if a hacker wants in, they'll get in.
I think I may be the only person not really concerned about this. I only use prepaid Visa gift cards with the exact amount I need online so I don't care who gets the numbers. Though I know SOE is going to lose out a lot. I wonder what they'll do to make it up to their customers.
But whatever.
Mastercard & Visa as well as any cc authorization are more than in the clear to actually deny any transactions performed by Sony or any of its divisions. Doubtful they will do so but it also puts them under the line of fire for state laws. That is where congressional investigations come in. Say you live in Nevada... http://www.infolawgroup.com/2010/03/articles/nevada-security-of-personal-in/a-closer-look-at-the-pci-compliance-and-encryption-requirements-of-nevadas-security-of-personal-information-law/
If you don't know, don't make assumptions.
And no, I do not agree.
Oh really?
http://webcache.googleusercontent.com/search?q=cache:h9540GDnnIoJ:auth.np.ac.playstation.net:443/+auth.np.ac.playstation.net&hl=en&strip=0
Stop making conclusions based on stupid rumors and learn to filter information you read...