Using the max amount of characters for a password is better I guess.
There is no way to have a password/username list that is not crackable.
Sorry.
14-character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?
7 minutes.
That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.
How big is this massive database table (text file) of all of these probably billions of combinations?
1.2 terabytes - you can fit it on an $80 portable hard drive.
So what can they do?
Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.
Sony is actually doing a great job now, if you read the blog in the OP, they are doing EVERYTHING right.
Well that is true to some extent but not 100%.
First off, yes, any password can be cracked with enough time. However, rainbow tables are for hashes and breaking a hash list, not a brute force password attack.
Brute force password attacks are easily stopped by setting up account login attempt checking. If x account fails to provide correct credentials x # of times it's locked for protection. If this happens more than x # of times it's red flagged. All that can be done automatically.
As for rainbow tables and hash lists, you first have to penetrate the server and get the hash; then even with a good rainbow table a properly salted hash is going to give you a hell of a time in solving.
For instance, on one of my web apps we have user accounts; the user makes a password, let's say in this instance TestPass is the password.
With SHA1 you get f9c57e84c62be16e069c4272eebc40e24f9133f0 as the database pw.
Now that's crackable...eventually, with a rainbow table, and that would take longer than 7 minutes to generate. A 14 character Rainbow table would take you an extremely long time to generate on a home PC.
Now, salting said hash you automatically add some random gibberish at the end of the pw. For this demo we'll add "Randomhashsalt21455123512@%^@&@$%@#$^&#@$&"
That hashes to e459ba48d4f1195f6a5793c3ae31bf7bcb1c28c5, a completely different hash. The amount of time and effort to break 2 of these, then compare the two, figure out the salt, and then rerun with salt to break the pws would be way too much time and effort for your PSN account.
And again... this would require the hash table, which would have all been changed, assuming they got it originally... with the mandatory pw reset.
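As an added illustration, not the poster's code: the post appends one fixed salt string to every password before SHA-1; this example generalises that to a random per-account salt and an iterated hash (PBKDF2-HMAC-SHA1, a substitution chosen here), which is the property that makes a precomputed rainbow table useless. The iteration count, record format and helper names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count chosen for the demo; production values are tuned per server.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The scheme the post starts from: one SHA-1 of the bare password.
    Every account with this password stores the identical digest, so a single
    precomputed table answers for all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store 'pbkdf2_sha1$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per account, so two users with the same password get
    different records and a table built for one salt is useless for the rest.
    The iterated hash makes each candidate cost thousands of SHA-1 calls, not one.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, generated when the password is set
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the salt and parameters stored in the record."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha1":
        return False
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Two accounts choose the post's sample password; compare both schemes."""
    pw = "TestPass"
    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    return {
        "unsalted_records_identical": unsalted_sha1(pw) == unsalted_sha1(pw),
        "salted_records_differ": rec_a != rec_b,
        "a_verifies": verify_password(pw, rec_a),
        "b_verifies": verify_password(pw, rec_b),
        "wrong_case_rejected": not verify_password("testpass", rec_a),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```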
There is a massive difference between having an account compromised via phishing and social engineering, and having your network breached.
One is user error and not preventable easily on the company side
One is company error and preventable with a good security policy and security measures.
You are confusing the two.
Agreed, if your computer gets hacked it isn't the MMO company's fault (unless the hackers are employees; there have been some rumors about Chinese Blizzard workers doing stuff like that, but as far as I know that is just rumors).
If the company's databases get hacked, on the other hand, it is their fault, and a disaster for them. In fact that is the reason me and my entire guild finally left EQ2 for good; when VISA card numbers leak to hackers from any kind of company, they have it very hard to get the trust of the customers again.
I think this indeed is the worst thing that ever happened to Sony. Worse than the old Betamax incident, if anyone remembers that, when Sony thought people would pay more for better video quality (yeah, they got revenge with Blu-ray though).
I don't have any number on how many people quit due to that, but it was 100% of my friends at least, and that is just SOE; it was the mother company's fault and problem, with millions of customers' info compromised.
And this is the main issue affecting MMOs and consumers in general. The main way to protect yourself from social engineering attacks is education. Sure there are measures... but a company can only do so much.
It's hard enough to protect your company from social engineering attacks via education. Trying to educate a few million users, most still in their teens, is impossible.
Using the max amount of characters for a password is better I guess.
There is no way to have a password/username list that is not crackable.
Sorry.
14-character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?
7 minutes.
That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.
How big is this massive database table (text file) of all of these probably billions of combinations?
1.2 terabytes - you can fit it on an $80 portable hard drive.
So what can they do?
Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.
Sony is actually doing a great job now, if you read the blog in the OP, they are doing EVERYTHING right.
Documentation of 7 minutes please?
With some quick thumbnail math, I get 1E+25 combinations from standard ASCII codes in a 14 digit password.
Each of those has to be tried (including internet transit time). At one per second, that's 3.9E+17 years to try them all, but of course computers can process much faster than that.
This claim requires the computer to cycle 4.9E+20 passwords per second to try them all in 7 minutes--which I naturally find a little suspect.
I think there is a degree of misinformation going on about password strength and relative security.. people who stick with a numerical password of 4-8 characters are obviously going to be easy to 'guess'; however, it has long been advised for people to 'upgrade' their passwords to something more robust. A combination of 4 uppercase, 4 lowercase, at least 2 numbers, and 2 'special' characters (%^$* etc) cannot be cracked in anything less than days.. computer GPUs are about the strongest tool to use in cracking passwords, but even they can't crack that level of password protection in anything near viable time frames, and most definitely not in a time frame measured in minutes or seconds.. weeks and days is more likely... the most likely scenario is that the passwords that were 'guessed' were passwords farmed from other sources rather than 'random generation'.. this really gets down to basics: password security is the user's responsibility. SOE, like other companies, can only advise you on how strong, or not, your password is; if you choose to make it more vulnerable by using it as a login on various forums/websites etc, that is the user's lookout.. in other words, those people who were hacked probably only had themselves to blame.. it's time people accepted that in the modern world, Internet security is your own responsibility; ignoring this is just playing into the hands of various hackers/criminals etc, who rely on people's ignorance to profit from their mistakes.. half the problem is that people think the internet is a secure environment..
Using the max amount of characters for a password is better I guess.
There is no way to have a password/username list that is not crackable.
Sorry.
14-character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?
7 minutes.
That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.
How big is this massive database table (text file) of all of these probably billions of combinations?
1.2 terabytes - you can fit it on an $80 portable hard drive.
So what can they do?
Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.
Sony is actually doing a great job now, if you read the blog in the OP, they are doing EVERYTHING right.
Documentation of 7 minutes please?
With some quick thumbnail math, I get 1E+25 combinations from standard ASCII codes in a 14 digit password.
Each of those has to be tried (including internet transit time). At one per second, that's 3.9E+17 years to try them all, but of course computers can process much faster than that.
This claim requires the computer to cycle 4.9E+20 passwords per second to try them all in 7 minutes--which I naturally find a little suspect.
It isn't processing them.
It is a table of txt files, already processed, called a Rainbow table. It's how brute force attacks are done.
All the processing has to do is access the text on the table; every possible value is pre-calculated.
That big table of pre-calculated values to compare against is 1.2 terabytes.
Rainbow tables.
Hence, 7 minutes to compare to what's in the table.
*edit*
Yes this is EXACTLY why people use hashes and salts, and I'm sure Sony does, but what the article says is that they already had the passwords and usernames from before because people did not change them.
Makes it super easy that way eh?
Hence, Sony locked the accounts and is forcing password changes once they detected the "hack"
So, this is why I bring this information up, Sony is doing EVERYTHING possible and are doing a great job with this most current issue.
So all the "LOOK AT SONY NOT GOING TO SUB BLAH BLAH" troll BS in this thread is completely stupid
Now explain how your drive full of pregenerated passwords can be attempted without processing time at the server side.
Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.
This is why I will never play a SOE game again....EVER....
I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.
We're talking about brute force password cracking which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.
"The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."
So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.
In this scenario, what did SOE do wrong exactly?
What did SOE do wrong?
How about basic preventive measures to defend against this kind of attack?
They are grossly negligent in protecting their customer's personal information. Period.
Now explain how your drive full of pregenerated passwords can be attempted without processing time at the server side.
Cause it has to try one combination at a time.
So yes, it does have to process on the server side, but it's not like they are entering billions of user names and billions of passwords at the same time.
More like thousands (distributed) of attempts at a time.
Easier to catch thousands from the same IP block at the same time, but that is why really advanced folk use random computers with no knowledge they are participating in an attack, to spread out the IP range across potentially everywhere.
The REAL point I was trying to make is that you will NEVER have a 100% secure system, all passwords ARE crackable and it doesn't take as much time and effort as people think.
The REAL point is that Sony did a great job with their press release and response to THIS attack.
The REAL point I was trying to make is that you will NEVER have a 100% secure system, all passwords ARE crackable and it doesn't take as much time and effort as people think.
I'm sorry, but that's exactly what I was disputing. Your offered figure of 7 minutes is a ridiculous claim, given the number of combinations and the required minimum xmit+processing time involved for each. I just wanted documentation.
Of course, brute forcing gets shut off after the first five attempts, so it's moot anyway.
Pretty clear people did not read the blog post by Sony.
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources.
How about basic preventive measures to defend against this kind of attack?
They are grossly negligent in protecting their customer's personal information. Period.
You have no idea what you are talking about.
Just please bow out of the conversation. Thank you.
Security is an issue that's not really understood all that easily by a 'significant' proportion of players/general internet users... in this case, it seems the 'weak link' in the chain is the users themselves; there is very little that can be done by the 'host' to negate that.. although what little can be done, SOE does appear to be doing, by locking those affected and forcing password resets etc.. it's an area that's overlooked so much; players of WoW complain all the time about account hackings, but the problem there, even, is the players themselves and insecure account password management/practices.. Blizzard took the easy way out with an idiot-proof (almost) authenticator method - which SquareEnix also used for FFXIV btw.. and several other developers have followed suit, if only with a smart phone app that does the same thing (Trion - Rift), but even these measures can be avoided if the players use decent anti-virals and anti-malware programs (and regular system checks... installing the software doesn't automatically protect you, you have to run it occasionally too) .. and the obvious.. don't use one username/password for everything.. and.. a decent password... which if you have to write it down somewhere.. either put it in an encrypted word/open office document, or a safe location where roomies/siblings etc.. can't readily access it.. .. okay my own paranoia levels on these kinds of things are perhaps OTT.. but.. as the old saying goes.. just because you're paranoid.. doesn't mean they're not out to get you
How about basic preventive measures to defend against this kind of attack?
They are grossly negligent in protecting their customer's personal information. Period.
You have no idea what you are talking about.
Just please bow out of the conversation. Thank you.
Defending your argument with personal attacks is a clear sign you are losing the argument...
I very highly doubt it is SOP for any company to get that volume of failed logins for four days straight. Inadequate log monitoring led to this breach.
Add to this (preventable) incident the fact they have been breached in the past; how can you possibly conclude they aren't negligent?!?!
So, stop the personal attacks and use some common sense...
How about basic preventive measures to defend against this kind of attack?
They are grossly negligent in protecting their customer's personal information. Period.
You have no idea what you are talking about.
Just please bow out of the conversation. Thank you.
Defending your argument with personal attacks is a clear sign you are losing the argument...
I very highly doubt it is SOP for any company to get that volume of failed logins for four days straight. Inadequate log monitoring led to this breach.
Add to this (preventable) incident the fact they have been breached in the past; how can you possibly conclude they aren't negligent?!?!
So, stop the personal attacks and use some common sense...
Preventable?? Exactly how?
1. Shut down the login server... 100 percent guaranteed to work.. but.. every legitimate user suffers..
2. Tell them to stop ... like you know.. they're going to listen to you right
3. Block the IPs of the hackers.. which never works because they can change them at a moment's notice...
4. Disable the affected accounts and force the users to reset their passwords etc.. which they did..
How exactly does that make them negligent.. .. SOE aren't exactly my favourite company.. but at least they're trying to do the right thing..
This is why I will never play a SOE game again....EVER....
I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.
We're talking about brute force password cracking which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.
"The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."
So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.
In this scenario, what did SOE do wrong exactly?
Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.
The fact that they were able to identify that this attack was happening in time to limit the damage to 1% of their customer base is very good. I would have expected at minimum a 5% impact from this kind of attack. The time it takes to determine there is an attack going on and then stopping it isn't instantaneous, even with specific software that detects and stops these attacks. No matter what, by the time you notice and stop the attack some damage is already done.
This type of attack is extremely common and happens to any major company that stores usernames/passwords, like Blizzard, your bank, hospitals, universities, etc... It's not impossible to protect from this kind of attack, but you will almost always have some damage, mostly from people that have easy to 'guess' passwords. The easiest way to minimize the impact of this kind of attack is with a system like Steam, and a few games, have implemented, where every time you try to log into your account and it's from a different IP than your last login, you get sent a code to your email that you have to put in before you can log in.
IMO, Sony did all they could here and did very well. This doesn't show a lapse in their security like the last time. BTW Cyber Security and Database security is what I do for a living.
This is not good. I was looking forward to EQ and Planetside Next; however, if they are still having security issues like this, well I dunno if I can trust them.
If you are having issues with this, I'd suggest you disconnect your PC from the internet as fast as you can! Brute force password guessing is done on a daily basis by a lot of wannabe hackers. It's one of the easier ways to get usernames/passwords for games, emails, system accounts.
1. Shut down the login server... 100 percent guaranteed to work.. but.. every legitimate user suffers..
2. Tell them to stop ... like you know.. they're going to listen to you right
3. Block the IPs of the hackers.. which never works because they can change them at a moment's notice...
4. Disable the affected accounts and force the users to reset their passwords etc.. which they did..
How exactly does that make them negligent.. .. SOE aren't exactly my favourite company.. but at least they're trying to do the right thing..
I agree, they are trying and being open about it, for that I give them kudos.
For an attack to go un-addressed for four days, that is negligent. It was preventable by having proactive log monitoring (which you'd think they'd be all over after the last attack). It was preventable by having a 4-failed attempt lockout (several available including CAPTCHA, time-based lockout, etc.). It was preventable by using adaptive IP blocking.
It was preventable.
They APPEAR to be woefully re-active instead of being pro-active. I, for one, will not reward a company that behaves this way by buying their product. All anyone here can do is speculate as to the actual series of events that occurred, but one thing is certain...SOE will NOT tell you it could have been prevented.
This is why I will never play a SOE game again....EVER....
I know it's easier to just raise a pitchfork and yell into the night about evil corporations, but stop and think.
We're talking about brute force password cracking which is just a manual or automated system that tries passwords over and over from a sequence or list, logging the successes. This is an ancient and common occurrence.
"The PlayStation group claimed that the passwords used for the log-in attempts were obtained from other sources."
So, the most logical conclusion is that someone downloaded one of the hack lists from however long ago and retried those username/password combinations. If anything matched, it's because the user reset their password BACK to their old one or to a password they used on some other system that got hacked.
In this scenario, what did SOE do wrong exactly?
Attempting to guess 100 million passwords takes time. During this time you have highly abnormal activity at your network, with an increased rate of login failures. If Sony fails to monitor this in real time, and fails to block the offending sources of attack, then they have not learned enough since the last attacks.
The fact that they were able to identify that this attack was happening in time to limit the damage to 1% of their customer base is very good. I would have expected at minimum a 5% impact from this kind of attack. The time it takes to determine there is an attack going on and then stopping it isn't instantaneous, even with specific software that detects and stops these attacks. No matter what, by the time you notice and stop the attack some damage is already done.
This type of attack is extremely common and happens to any major company that stores usernames/passwords, like Blizzard, your bank, hospitals, universities, etc... It's not impossible to protect from this kind of attack, but you will almost always have some damage, mostly from people that have easy to 'guess' passwords. The easiest way to minimize the impact of this kind of attack is with a system like Steam, and a few games, have implemented, where every time you try to log into your account and it's from a different IP than your last login, you get sent a code to your email that you have to put in before you can log in.
IMO, Sony did all they could here and did very well. This doesn't show a lapse in their security like the last time. BTW Cyber Security and Database security is what I do for a living.
Thanks for one of the few reasonable arguments here today.
Using statistics, standard deviation and such goes a long way, and are quite easy to monitor with proper tools.
In this case, I *think* the attack was done with data from the previous breach, which would allow the attacker to make just one attempt at every account with the old password. This would not trigger any red flags for locked accounts etc., and I'm pretty sure the attack would be hidden in the statistics by the normal noise for some time, compared to a clean brute force attack.
You provided an example of a possible solution that sounds fair to me. How come then that you think "Sony did all they could here and did very well"?
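An added example of the statistical monitoring suggested above, not SOE's or the poster's code: it scores a window of constructed login log lines by its failure ratio against a baseline of normal windows, then uses the shape of the attempts (attempts per distinct account, number of distinct sources) to tell a leaked-list replay, which touches each account about once and never trips a per-account lockout, from a per-account brute force. The log format, thresholds and sample lines are all constructed assumptions.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Assumed log format for the constructed sample lines below.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)")

# Assumed thresholds: tune against your own traffic.
Z_THRESHOLD = 3.0            # failure ratio this many standard deviations above normal
STUFFING_MAX_PER_USER = 1.5  # a list replay touches each account about once...
STUFFING_MIN_SOURCES = 10    # ...from many different addresses
BRUTE_MIN_PER_USER = 5.0     # a classic brute force hammers a few accounts


@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_users: int
    distinct_sources: int

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_user(self) -> float:
        return self.attempts / self.distinct_users if self.distinct_users else 0.0


def summarise(lines: Iterable[str]) -> WindowStats:
    """Aggregate one time window of login log lines; unrelated lines are skipped."""
    users: Counter = Counter()
    sources: Counter = Counter()
    attempts = failures = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        attempts += 1
        if m["res"] == "FAIL":
            failures += 1
        users[m["user"]] += 1
        sources[m["src"]] += 1
    return WindowStats(attempts, failures, len(users), len(sources))


def zscore(value: float, baseline: List[float]) -> float:
    """How many population standard deviations `value` sits above the baseline mean."""
    sd = statistics.pstdev(baseline)
    return (value - statistics.mean(baseline)) / sd if sd > 0 else 0.0


def classify(window: WindowStats, baseline_ratios: List[float]) -> str:
    """'normal' unless the failure ratio is anomalous; then use the shape of the
    attempts to tell a leaked-list replay from a per-account brute force."""
    if zscore(window.failure_ratio, baseline_ratios) < Z_THRESHOLD:
        return "normal"
    if (window.attempts_per_user <= STUFFING_MAX_PER_USER
            and window.distinct_sources >= STUFFING_MIN_SOURCES):
        return "credential_stuffing"
    if window.attempts_per_user >= BRUTE_MIN_PER_USER:
        return "brute_force"
    return "elevated_failures"


# Constructed baseline: failure ratio of eight ordinary windows on this service.
BASELINE_RATIOS = [0.04, 0.05, 0.06, 0.05, 0.07, 0.04, 0.05, 0.06]


def constructed_normal_window() -> List[str]:
    """Twenty ordinary sign-ins; one player mistypes once, then gets in."""
    lines = [f"t=13:00:{i:02d} src=198.51.100.{i} user=player{i} result=OK" for i in range(19)]
    lines.insert(5, "t=13:00:05 src=198.51.100.5 user=player5 result=FAIL")
    return lines


def constructed_stuffing_window() -> List[str]:
    """Forty sign-ins, every one a different account, spread over twenty sources;
    two leaked pairs still match because those users reused their old password."""
    return [f"t=13:05:{i:02d} src=203.0.113.{i % 20} user=leaked{i} "
            f"result={'OK' if i in (7, 23) else 'FAIL'}" for i in range(40)]


def constructed_brute_force_window() -> List[str]:
    """Thirty wrong guesses at one account from one address."""
    return [f"t=13:10:{i:02d} src=192.0.2.9 user=joeschmoe result=FAIL" for i in range(30)]


if __name__ == "__main__":
    for name, build in [("normal", constructed_normal_window),
                        ("stuffing", constructed_stuffing_window),
                        ("brute", constructed_brute_force_window)]:
        stats = summarise(build())
        print(f"{name}: ratio={stats.failure_ratio:.2f} per_user={stats.attempts_per_user:.2f} "
              f"sources={stats.distinct_sources} -> {classify(stats, BASELINE_RATIOS)}")
```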
I agree, they are trying and being open about it, for that I give them kudos.
For an attack to go un-addressed for four days, that is negligent. It was preventable by having proactive log monitoring (which you'd think they'd be all over after the last attack). It was preventable by having a 4-failed attempt lockout (several available including CAPTCHA, time-based lockout, etc.). It was preventable by using adaptive IP blocking.
It was preventable.
They APPEAR to be woefully re-active instead of being pro-active. I, for one, will not reward a company that behaves this way by buying their product. All anyone here can do is speculate as to the actual series of events that occurred, but one thing is certain...SOE will NOT tell you it could have been prevented.
Using the max amount of characters for a password is better I guess.
There is no way to have a password/username list that is not crackable.
Sorry.
14-character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?
7 minutes.
That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.
How big is this massive database table (text file) of all of these probably billions of combinations?
1.2 terabytes - you can fit it on an $80 portable hard drive.
So what can they do?
Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.
Sony is actually doing a great job now, if you read the blog in the OP, they are doing EVERYTHING right.
Well that is true to some extent but not 100%.
First off, yes, any password can be cracked with enough time. However, rainbow tables are for hashes and breaking a hash list, not a brute force password attack.
Brute force password attacks are easily stopped by setting up account login attempt checking. If x account fails to provide correct credentials x # of times it's locked for protection. If this happens more than x # of times it's red flagged. All that can be done automatically.
As for rainbow tables and hash lists, you first have to penetrate the server and get the hash; then even with a good rainbow table a properly salted hash is going to give you a hell of a time in solving.
For instance, on one of my web apps we have user accounts; the user makes a password, let's say in this instance TestPass is the password.
With SHA1 you get f9c57e84c62be16e069c4272eebc40e24f9133f0 as the database pw.
Now that's crackable...eventually, with a rainbow table, and that would take longer than 7 minutes to generate. A 14 character Rainbow table would take you an extremely long time to generate on a home PC.
Now, salting said hash you automatically add some random gibberish at the end of the pw. For this demo we'll add "Randomhashsalt21455123512@%^@&@$%@#$^&#@$&"
That hashes to e459ba48d4f1195f6a5793c3ae31bf7bcb1c28c5, a completely different hash. The amount of time and effort to break 2 of these, then compare the two, figure out the salt, and then rerun with salt to break the pws would be way too much time and effort for your PSN account.
And again... this would require the hash table, which would have all been changed, assuming they got it originally... with the mandatory pw reset.
Login failure counts have been standard practice in some environments for many years. I am surprised it still isn't SOP. It should be mandated by law if it needs to be.
Kyleran: "Now there's the real trick, learning to accept and enjoy a game for what it offers rather than pass on what might be a great playing experience because it lacks a few features you prefer."
John Henry Newman: "A man would do nothing if he waited until he could do it so well that no one could find fault."
FreddyNoNose: "A good game needs no defense; a bad game has no defense." "Easily digested content is just as easily forgotten."
LacedOpium: "So the question that begs to be asked is, if you are not interested in the game mechanics that define the MMORPG genre, then why are you playing an MMORPG?"
Using the max amount of characters for a password is better I guess.
There is no way to have a password/username list that is not crackable.
Sorry.
14-character passwords, any combination of letters, lowercase and uppercase, numbers, and special characters (#$%#(*&! etc.): guess how long it takes to crack?
7 minutes.
That's right. EVERY single possible combination of numbers, letters, characters etc. up to a 14-digit password - 7 minutes to crack - it references what's called a Rainbow table.
How big is this massive database table (text file) of all of these probably billions of combinations?
1.2 terabytes - you can fit it on an $80 portable hard drive.
So what can they do?
Detect the intrusion/attempts and shut down the connection(s) before too many matches are made.
Sony is actually doing a great job now, if you read the blog in the OP, they are doing EVERYTHING right.
Well that is true to some extent but not 100%.
First off, yes, any password can be cracked with enough time. However, rainbow tables are for hashes and breaking a hash list, not a brute force password attack.
Brute force password attacks are easily stopped by setting up account login attempt checking. If x account fails to provide correct credentials x # of times it's locked for protection. If this happens more than x # of times it's red flagged. All that can be done automatically.
As for rainbow tables and hash lists, you first have to penetrate the server and get the hash; then even with a good rainbow table a properly salted hash is going to give you a hell of a time in solving.
For instance, on one of my web apps we have user accounts; the user makes a password, let's say in this instance TestPass is the password.
With SHA1 you get f9c57e84c62be16e069c4272eebc40e24f9133f0 as the database pw.
Now that's crackable...eventually, with a rainbow table, and that would take longer than 7 minutes to generate. A 14 character Rainbow table would take you an extremely long time to generate on a home PC.
Now, salting said hash you automatically add some random gibberish at the end of the pw. For this demo we'll add "Randomhashsalt21455123512@%^@&@$%@#$^&#@$&"
That hashes to e459ba48d4f1195f6a5793c3ae31bf7bcb1c28c5, a completely different hash. The amount of time and effort to break 2 of these, then compare the two, figure out the salt, and then rerun with salt to break the pws would be way too much time and effort for your PSN account.
And again... this would require the hash table, which would have all been changed, assuming they got it originally... with the mandatory pw reset.
Login failure counts have been standard practice in some environments for many years. I am surprised it still isn't SOP. It should be mandated by law if it needs to be.
And especially when your attempts are spread over time, you can avoid getting locked out by trying 4 times (if the account gets locked after 5 tries) and trying 4 times again after a short while. In most cases it resets after a few hours.
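An added example, not from the thread, of the two lockout designs the posts above describe: a counter that is forgotten after a fixed reset period, which the spaced pattern just described walks around, and a sliding-window count over a longer horizon that bounds the total guesses an account can absorb per day. Limits and timings are assumptions chosen for the demonstration.

```python
from collections import deque
from typing import Dict


class ResetCounterPolicy:
    """Lock after `limit` failures, but forget the counter once `reset_after`
    seconds have passed since the last failure (the behaviour described above)."""

    def __init__(self, limit: int = 5, reset_after: int = 2 * 3600):
        self.limit = limit
        self.reset_after = reset_after
        self.count = 0
        self.last_fail = None
        self.locked = False  # stays locked until an out-of-band reset

    def allow(self, now: int) -> bool:
        if self.locked:
            return False
        if self.last_fail is not None and now - self.last_fail >= self.reset_after:
            self.count = 0  # this is the reset a patient guesser waits for
        return True

    def record_failure(self, now: int) -> None:
        self.count += 1
        self.last_fail = now
        if self.count >= self.limit:
            self.locked = True

    def record_success(self) -> None:
        self.count = 0


class SlidingWindowPolicy:
    """Refuse a login attempt while `limit` or more failures fall inside the
    trailing `window` seconds; spacing the guesses out does not help, because
    old failures only leave the count once the whole window has elapsed."""

    def __init__(self, limit: int = 10, window: int = 24 * 3600):
        self.limit = limit
        self.window = window
        self.fails: deque = deque()

    def allow(self, now: int) -> bool:
        while self.fails and now - self.fails[0] > self.window:
            self.fails.popleft()
        return len(self.fails) < self.limit

    def record_failure(self, now: int) -> None:
        self.fails.append(now)

    def record_success(self) -> None:
        pass  # a success does not erase earlier failures


def guesses_evaluated(policy, hours: int = 24, burst: int = 4, gap_hours: int = 3) -> int:
    """Simulate a guesser who sends `burst` wrong passwords one second apart,
    waits `gap_hours`, and repeats for `hours`. Returns how many guesses the
    server actually checked against the stored hash."""
    evaluated = 0
    t = 0
    while t < hours * 3600:
        for i in range(burst):
            now = t + i
            if policy.allow(now):
                evaluated += 1
                policy.record_failure(now)
        t += gap_hours * 3600
    return evaluated


def legitimate_user_still_gets_in(policy) -> bool:
    """A real player who mistypes twice and then gets it right is not locked out."""
    for now in (0, 5):
        if not policy.allow(now):
            return False
        policy.record_failure(now)
    if not policy.allow(10):
        return False
    policy.record_success()
    return True


def compare() -> Dict[str, int]:
    """Guesses checked in one day under each policy for the same spaced pattern."""
    return {
        "reset_counter": guesses_evaluated(ResetCounterPolicy()),
        "sliding_window": guesses_evaluated(SlidingWindowPolicy()),
    }


if __name__ == "__main__":
    print(compare())
```

The sliding window also makes it easier for a third party to lock a legitimate account on purpose, so in practice the deny is paired with a CAPTCHA or step-up check rather than a hard refusal.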
The REAL point I was trying to make is that you will NEVER have a 100% secure system, all passwords ARE crackable and it doesn't take as much time and effort as people think.
I'm sorry, but that's exactly what I was disputing. Your offered figure of 7 minutes is a ridiculous claim, given the number of combinations and the required minimum xmit+processing time involved for each. I just wanted documentation.
Of course, brute forcing gets shut off after the first five attempts, so it's moot anyway.
I got that information from an IT security audit seminar I went to a few weeks ago.
I assumed it was accurate, and it REALLY surprised me too!
I of course assumed that this of course wasn't taking into account bandwidth, server response time, salts/hashing which we went on to discuss afterwards, etc.
I would advise people to change passwords often and only buy the PlayStation cards with $ set amounts on them. Don't give them any CC or debit info.
***Raises plunger in Salute to Bayonetta...one sexy gaming girl!***
All my opinions are just that..opinions. If you like my opinions..coolness. If you don't like my opinion....I really don't care. Playing: ESO, WOT, Smite, and Marvel Heroes
Seems like some people didn't really comprehend what happend.
Hacker gets login names and passwords from another source.
Hacker checked those login names and passwords against sony's networks.
They didn't keep trying to log into the same account over and over, so no captcha or lockouts are going to work.
The hackers had a list:
Username: joeschmoe Password:kittycat45
The hackers tried to log into the various sony networks using the username joeschmoe and the password kittycat45. They didn't try to log into a sony account for user joeschmoe 1000 times by guessing at possible passwords, they didn't know diffinetively if there was an account named joeschmoe, they just used the information they got someplace else. some of thoese acounts and passwords linked to those accounts worked.
The accounts they were able to access were ones that had the correct user name and password obtained from someone other then Sony, because the persons used the same username and password someplace else.
You use the same username and password for curse.com as you do your wow account, someone gets the list of registered users on curse, then uses those names and passwords to login to WoW. THAT'S what happend here.
OMGZ! They did it over 4 days!!1 If they changed their IP adress every few minutes, and didn't routinely attempt to access the same account, exactly how fast would SOE detect this. They didn't say how many attempts were done in a single day; so it may be reasonable to assume the hacker may have limitted the number of access to try and avoid detection. 25 million on day one, 25 million on day two, etc. etc. until finally on day four SOE security got a red flag that several million attempts are being made to log into with invalid accounts; not to mention it was spread across multiple networks. They didn't tell us how many atempts were made over the PSN network, or the network for PC accounts; they aren't the same networks. How many accounts out of 100 million are attempting to log in at any given moment? Of those trying to log in, how many get their username or password wrong? No one can claim it took to long for them to detect this, because no one knows how long it SHOULD take. The same thing could have happend to Blizzard, but never reported; we don't know if it would take them 4 days, 10 days, or 1 day. SOE is the only company actually telling us it's happening to them. And don't dobt for a minute that it's not happening to blizzard, the account hijacking MMO king.
When a Blizzard customer servive rep tells you to use the generator because it's pretty common for accounts to get stolen, there's a problem. You don't see blizzard posting blogs about it, or articles on game sites talking about rampant hacking in WoW do you? No, they just send an email to you if they suspect your account is being run by a bot, or if the hacker is spamming gold sales, or you have to rely on a friend to call and ask if it's you playing.
I haven't seen a single post by a single person condemning or even defending SOE that seemed to comprehend what the blog stated. eveee
Comments
Well that is true to some extent but not 100%
First off, yes, any password can be cracked with enough time. However, rainbow tables are for hashes and breaking a hash list, not a brute-force password attack.
Brute-force password attacks are easily stopped by setting up account login attempt checking. If x account fails to provide correct credentials x # of times, it's locked for protection. If this happens more than x # of times, it's red-flagged. All that can be done automatically.
As for rainbow tables and hash lists, you first have to penetrate the server and get the hash, then even with a good rainbow table a properly salted hash is going to give you a hell of a time in solving.
For instance, on one of my web apps we have user accounts; the user makes a password, let's say in this instance TestPass is the password.
With Sha1 you get f9c57e84c62be16e069c4272eebc40e24f9133f0 as the database pw.
Now that's crackable...eventually, with a rainbow table, and that would take longer than 7 minutes to generate. A 14-character rainbow table would take you an extremely long time to generate on a home PC.
Now, salting said hash, you automatically add some random gibberish at the end of the pw. For this demo we'll add "Randomhashsalt21455123512@%^@&@$%@#$^&#@$&"
That hashes to e459ba48d4f1195f6a5793c3ae31bf7bcb1c28c5, a completely different hash. The amount of time and effort to break 2 of these, then compare the two, figure out the salt, and then rerun with salt to break the pws would be way too much time and effort for your PSN account.
And again... this would require the hash table, which would have all been changed, assuming they got it originally... with the mandatory pw reset.
And this is the main issue affecting MMOs and consumers in general. The main way to protect yourself from social engineering attacks is education. Sure there are measures... but a company can only do so much.
It's hard enough to protect your company from social engineering attacks via education. Trying to educate a few million users, most of them still in their teens, is impossible.
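The unsalted versus salted hashing from the post above, as an added example that is not the poster's code: it puts the post's unsalted SHA-1 scheme beside a per-user random salt and shows that a precomputed hash lookup table (a stand-in for a rainbow table, built from a constructed five-word list) recovers the first but not the second. The PBKDF2 variant is an added caveat; the user names and the word list are constructed.

```python
"""Added example (not the poster's code): unsalted SHA-1 beside a per-user
random salt, and why a precomputed lookup table only breaks the former."""
import hashlib
import os
from typing import Optional, Tuple

# Constructed word list; a real rainbow table covers vastly more candidates,
# but the principle (precompute hash -> password once, look up many times)
# is the same.
WORDLIST = ["kittycat45", "TestPass", "password", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Scheme from the post: store SHA-1(password) only.
    Every user with this password gets the same digest."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt, stored next to SHA-1(password || salt).
    The salt is not secret; its job is to make precomputation useless."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), sha1_hex(password.encode() + salt)


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    return sha1_hex(password.encode() + bytes.fromhex(salt_hex)) == digest


def store_slow(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Added caveat: even salted, a fast hash lets whoever holds the table
    test guesses at hardware speed; a slow KDF such as PBKDF2 makes each
    guess cost real time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(wordlist) -> dict:
    """Precomputed digest -> password, the idea behind a rainbow table."""
    return {sha1_hex(w.encode()): w for w in wordlist}


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    unsalted = store_unsalted("TestPass")
    salt_a, salted_a = store_salted("TestPass")   # user A
    salt_b, salted_b = store_salted("TestPass")   # user B, same password
    return {
        "unsalted_recovered": table.get(unsalted),        # "TestPass"
        "salted_recovered": table.get(salted_a),          # None
        "same_password_differs_when_salted": salted_a != salted_b,
        "verify_ok": verify_salted("TestPass", salt_a, salted_a),
        "verify_wrong_password": verify_salted("testpass", salt_a, salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```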
I think there is a degree of misinformation going on about password strength and relative security. People who stick with a numerical password of 4-8 characters are obviously going to be easy to 'guess'; however, it has long been advised for people to 'upgrade' their passwords to something more robust. A combination of 4 uppercase, 4 lowercase, at least 2 numbers, and 2 'special' characters (%^$* etc) cannot be cracked in anything less than days. Computer GPUs are about the strongest tool to use in cracking passwords, but even they can't crack that level of password protection in anything near viable time frames, and most definitely not in a time frame measured in minutes or seconds; weeks and days is more likely. The most likely scenario is that the passwords that were 'guessed' were passwords farmed from other sources rather than 'random generation'. This really gets down to basics: password security is the user's responsibility. SOE, like other companies, can only advise you on how strong, or not, your password is; if you choose to make it more vulnerable by using it as a login on various forums/websites etc, that is the user's lookout. In other words, those people who were hacked probably only had themselves to blame. It's time people accepted that in the modern world, Internet security is your own responsibility; ignoring this is just playing into the hands of various hackers/criminals etc, who rely on people's ignorance to profit from their mistakes. Half the problem is that people think the internet is a secure environment.
It isn't processing them.
It is a table of txt files, already processed called a Rainbow table. It's how Brute force attacks are done.
All the processing has to do is access the text on the table; every possible value is pre-calculated.
That big table of pre-calculated values to compare against is 1.2 terabytes.
Rainbow tables.
Hence, 7 minutes to compare to what's in the table.
*edit*
Yes, this is EXACTLY why people use hashes and salts, and I'm sure Sony does, but what the article says is that they already had the passwords and usernames from before because people did not change them.
Makes it super easy that way eh?
Hence, Sony locked the accounts and is forcing password changes once they detected the "hack"
So, this is why I bring this information up, Sony is doing EVERYTHING possible and are doing a great job with this most current issue.
So all the "LOOK AT SONY NOT GOING TO SUB BLAH BLAH" troll BS in this thread is completely stupid
Now explain how your drive full of pregenerated passwords can be attempted without processing time at the server side.
Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.
What did SOE do wrong?
How about basic preventive measures to defend against this kind of attack?
They are grossly negligent in protecting their customer's personal information. Period.
Cause it has to try one combination at a time.
So yes, it does have to process on the server side, but it's not like they are entering billions of user names and billions of passwords at the same time.
More like thousands (distributed) of attempts at a time.
Easier to catch thousands from the same IP block at the same time, but that is why really advanced folk use random computers with no knowledge they are participating in an attack, to spread out the IP range across potentially everywhere.
The REAL point I was trying to make is that you will NEVER have a 100% secure system, all passwords ARE crackable and it doesn't take as much time and effort as people think.
The REAL point is that Sony did a great job with their press release and response to THIS attack.
You have no idea what you are talking about.
Just please bow out of the conversation. Thank you.
So first they had stored credit cards in plain text.
Now they don't protect vs simple brute force.
And im amazed that people are defending them.
Look at Google Mail. Type the wrong password 3 times and see what pops up. Yes, it's CAPTCHA.
I'm sorry, but that's exactly what I was disputing. Your offered figure of 7 minutes is a ridiculous claim, given the number of combinations and the required minimum xmit+processing time involved for each. I just wanted documentation.
Of course, brute forcing gets shut off after the first five attempts, so it's moot anyway.
Pretty clear people did not read the blog post by Sony.
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources.
Security is an issue that's not really understood all that easily by a 'significant' proportion of players/general internet users. In this case, it seems the 'weak link' in the chain is the users themselves; there is very little that can be done by the 'host' to negate that, although what little can be done, SOE does appear to be doing, by locking those affected and forcing password resets etc. It's an area that's overlooked so much; players of WoW complain all the time about account hackings, but the problem there, even, is the players themselves and insecure account password management/practices. Blizzard took the easy way out with an idiot-proof (almost) authenticator method, which SquareEnix also used for FFXIV btw, and several other developers have followed suit, if only with a smartphone app that does the same thing (Trion - Rift). But even these measures can be avoided if the players use decent anti-virals and anti-malware programs (and regular system checks... installing the software doesn't automatically protect you, you have to run it occasionally too) and the obvious: don't use one username/password for everything, and use a decent password, which, if you have to write it down somewhere, either put it in an encrypted Word/Open Office document or a safe location where roomies/siblings etc. can't readily access it. Okay, my own paranoia levels on these kinds of things are perhaps OTT, but, as the old saying goes, just because you're paranoid doesn't mean they're not out to get you.
Defending your argument with personal attacks is a clear sign you are losing the argument...
I very highly doubt it is SOP for any company to get that volume of failed logins for four days straight. Inadequate log monitoring led to this breach.
Add to this (preventable) incident the fact they have been breached in the past; how can you possibly conclude they aren't negligent?!?!
So, stop the personal attacks and use some common sense...
Preventable?? Exactly how?
1. Shut down the login server... 100 percent guaranteed to work, but every legitimate user suffers.
2. Tell them to stop... like, you know, they're going to listen to you, right?
3. Block the IPs of the hackers... which never works because they can change them at a moment's notice.
4. Disable the affected accounts and force the users to reset their passwords etc., which they did.
How exactly does that make them negligent? SOE aren't exactly my favourite company, but at least they're trying to do the right thing.
The fact that they were able to identify that this attack was happening in time to limit the damage to 1% of their customer base is very good. I would have expected at minimum a 5% impact from this kind of attack. The time it takes to determine there is an attack going on and then stop it isn't instantaneous, even with specific software that detects and stops these attacks. No matter what, by the time you notice and stop the attack some damage is already done.
This type of attack is extremely common and happens to any major company that stores usernames/passwords, like Blizzard, your bank, hospitals, universities, etc. It's not impossible to protect from this kind of attack, but you will almost always have some damage, mostly from people that have easy-to-'guess' passwords. The easiest way to minimize the impact of this kind of attack is with a system like Steam, and a few games, have implemented, where every time you try to log into your account and it's from a different IP than your last login, you get sent a code to your email that you have to put in before you can log in.
IMO, Sony did all they could here and did very well. This doesn't show a lapse in their security like the last time. BTW Cyber Security and Database security is what I do for a living.
If you are having issues with this, I'd suggest you disconnect your PC from the internet as fast as you can! Brute-force password guessing is done on a daily basis by a lot of wannabe hackers. It's one of the easier ways to get usernames/passwords for games, emails, system accounts.
I agree, they are trying and being open about it, for that I give them kudos.
For an attack to go un-addressed for four days, that is negligent. It was preventable by having proactive log monitoring (which you'd think they'd be all over after the last attack). It was preventable by having a 4-failed attempt lockout (several available including CAPTCHA, time-based lockout, etc.). It was preventable by using adaptive IP blocking.
It was preventable.
They APPEAR to be woefully re-active instead of being pro-active. I, for one, will not reward a company that behaves this way by buying their product. All anyone here can do is speculate as to the actual series of events that occurred, but one thing is certain...SOE will NOT tell you it could have been prevented.
Thanks for one of the few reasonable arguments here today.
Using statistics, standard deviation and such goes a long way, and are quite easy to monitor with proper tools.
In this case, I *think* the attack was done with data from the previous breach, which would allow the attacker to make just one attempt at every account with the old password. This would not trigger any red flags for locked accounts etc., and I'm pretty sure the attack would be hidden in the statistics by the normal noise for some time, compared to a clean brute-force attack.
You provided an example of a possible solution that sounds fair to me. How come then that you think "Sony did all they could here and did very well"?
Edit: Spelling
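The statistical detection the post above describes, and the per-account lockout discussed earlier in the thread, as an added example that is not from the thread: both run over constructed auth log lines in an assumed format, showing that one guess per account from many source addresses never trips the lockout counter but stands out clearly against the baseline failure rate once the per-minute failure count is scored against a baseline window.

```python
"""Added example (not from the thread): per-account lockout versus an
aggregate failure-rate detector, run over constructed auth log lines.
Log format is assumed: "<minute> <OK|FAIL> user=<name> ip=<addr>"."""
import math
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5   # lock an account after this many consecutive failures


def parse(line):
    minute, result, user, ip = line.split()
    return int(minute), result, user.split("=", 1)[1], ip.split("=", 1)[1]


def per_account_lockouts(lines, threshold=LOCKOUT_THRESHOLD):
    """Classic brute-force defence: consecutive failures per account."""
    fails, locked = Counter(), set()
    for _, result, user, _ in map(parse, lines):
        if result == "FAIL":
            fails[user] += 1
            if fails[user] >= threshold:
                locked.add(user)
        else:
            fails[user] = 0
    return locked


def failure_rate_anomalies(lines, baseline_minutes, z_threshold=3.0):
    """Aggregate detector: failed logins per minute scored as a z-score
    against the mean and standard deviation of a baseline window."""
    per_minute = defaultdict(int)
    for minute, result, _, _ in map(parse, lines):
        if result == "FAIL":
            per_minute[minute] += 1
    base = [per_minute[m] for m in baseline_minutes]
    mean = sum(base) / len(base)
    sd = math.sqrt(sum((x - mean) ** 2 for x in base) / len(base)) or 1.0
    return {m: c for m, c in per_minute.items()
            if m not in baseline_minutes and (c - mean) / sd > z_threshold}


def stuffing_signature(lines, minute):
    """Credential-stuffing fingerprint for one minute: how many failures,
    across how many distinct accounts, from how many distinct source IPs.
    Failures ~= accounts ~= IPs means one guess per account, spread out."""
    failed = [(u, ip) for m, r, u, ip in map(parse, lines)
              if m == minute and r == "FAIL"]
    return len(failed), len({u for u, _ in failed}), len({ip for _, ip in failed})


def build_sample_log():
    """Constructed sample: ten quiet minutes of ordinary typos, then one
    minute in which a list of reused credentials is tried once per account,
    each attempt from a different source address."""
    lines, quiet = [], [3, 2, 4, 3, 3, 2, 4, 3, 2, 4]
    for minute, nfail in enumerate(quiet):
        for i in range(nfail):
            lines.append(f"{minute} FAIL user=alice{i} ip=203.0.113.{i}")
            lines.append(f"{minute} OK user=alice{i} ip=203.0.113.{i}")
    for i in range(40):
        lines.append(f"10 FAIL user=victim{i} ip=198.51.100.{i}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("locked accounts:", per_account_lockouts(log))                # set()
    print("anomalous minutes:", failure_rate_anomalies(log, range(10)))  # {10: 40}
    print("minute 10 signature:", stuffing_signature(log, 10))           # (40, 40, 40)
```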
QFE,
Login failure counts have been standard practice in some environments for many years. I am surprised it still isn't SOP. It should be mandated by law if it needs to be.
Epic Music: https://www.youtube.com/watch?v=vAigCvelkhQ&list=PLo9FRw1AkDuQLEz7Gvvaz3ideB2NpFtT1
https://archive.org/details/softwarelibrary_msdos?&sort=-downloads&page=1
Kyleran: "Now there's the real trick, learning to accept and enjoy a game for what it offers rather than pass on what might be a great playing experience because it lacks a few features you prefer."
John Henry Newman: "A man would do nothing if he waited until he could do it so well that no one could find fault."
FreddyNoNose: "A good game needs no defense; a bad game has no defense." "Easily digested content is just as easily forgotten."
LacedOpium: "So the question that begs to be asked is, if you are not interested in the game mechanics that define the MMORPG genre, then why are you playing an MMORPG?"
And especially when your attempts are spread over time, you can avoid getting locked out by trying 4 times (if the account gets locked after 5 tries) and trying 4 times again after a short while. In most cases it resets after a few hours.
I got that information from an IT security audit seminar I went to a few weeks ago.
I assumed it was accurate, and it REALLY surprised me too!
I of course assumed that this of course wasn't taking into account bandwidth, server response time, salts/hashing which we went on to discuss afterwards, etc.
I am happy I live in the Netherlands and we use a payment option named iDeal.
I just don't understand why iDeal is only in the Netherlands, because it's so easy to use and 1000 times more secure than all this credit card crap.
I would advise people to change passwords often and only buy the PlayStation cards with set $ amounts on them. Don't give them any CC or debit info.
***Raises plunger in Salute to bayonetta...one sexy gaming girl!***
All my opinions are just that..opinions. If you like my opinions..coolness.If you dont like my opinion....I really dont care.
Playing: ESO, WOT, Smite, and Marvel Heroes
Seems like some people didn't really comprehend what happened.
Hacker gets login names and passwords from another source.
Hacker checked those login names and passwords against sony's networks.
They didn't keep trying to log into the same account over and over, so no captcha or lockouts are going to work.
The hackers had a list:
Username: joeschmoe Password:kittycat45
The hackers tried to log into the various Sony networks using the username joeschmoe and the password kittycat45. They didn't try to log into a Sony account for user joeschmoe 1000 times by guessing at possible passwords; they didn't know definitively if there was an account named joeschmoe; they just used the information they got someplace else. Some of those accounts and passwords linked to those accounts worked.
The accounts they were able to access were ones that had the correct user name and password obtained from someone other than Sony, because the persons used the same username and password someplace else.
You use the same username and password for curse.com as you do your WoW account, someone gets the list of registered users on Curse, then uses those names and passwords to log in to WoW. THAT'S what happened here.
OMGZ! They did it over 4 days!!1 If they changed their IP address every few minutes, and didn't routinely attempt to access the same account, exactly how fast would SOE detect this? They didn't say how many attempts were done in a single day, so it may be reasonable to assume the hacker may have limited the number of accesses to try and avoid detection. 25 million on day one, 25 million on day two, etc. etc., until finally on day four SOE security got a red flag that several million attempts were being made to log in with invalid accounts; not to mention it was spread across multiple networks. They didn't tell us how many attempts were made over the PSN network, or the network for PC accounts; they aren't the same networks. How many accounts out of 100 million are attempting to log in at any given moment? Of those trying to log in, how many get their username or password wrong? No one can claim it took too long for them to detect this, because no one knows how long it SHOULD take. The same thing could have happened to Blizzard, but never been reported; we don't know if it would take them 4 days, 10 days, or 1 day. SOE is the only company actually telling us it's happening to them. And don't doubt for a minute that it's not happening to Blizzard, the account-hijacking MMO king.
When a Blizzard customer service rep tells you to use the generator because it's pretty common for accounts to get stolen, there's a problem. You don't see Blizzard posting blogs about it, or articles on game sites talking about rampant hacking in WoW, do you? No, they just send an email to you if they suspect your account is being run by a bot, or if the hacker is spamming gold sales, or you have to rely on a friend to call and ask if it's you playing.
I haven't seen a single post by a single person condemning or even defending SOE that seemed to comprehend what the blog stated. eveee