Everybody's talking about the ongoing PlayStation Network outage, which Sony has admitted was caused be an illegal intrusion into the network. Here for your edification and/or reading pleasure, is a rundown of the entire sordid affair.
The Early Warning Signs
While we don't know exactly which weakness in the PSN infrastructure was exploited in order to steal user data, several media stories show that the hacking community has been discussing PSN security weaknesses and the ability for custom firmware to exploit those weaknesses for several months. One report stated that hackers claimed that users' credit card information was being sent in an unencrypted text file. That text file was protected by the PS3's SSL connection to the PSN, but hackers noted that custom firmware could subvert the system and sniff out an individual user's information.
Thus, the method identified by these hackers to steal credit card information would only be useful against gamers who had installed custom (read: hacked) firmware on their PS3, but that whole "unencrypted text file" thing seemed a bit worrysome. Ars Technica noted that this claim wasn't confirmed, but was consistent with other claims they'd been hearing about PSN security holes. If it is indeed true, one would think that Sony could have looked into better encryption for user information, SSL protection or no.
Of course, Sony's prosecution of George Hotz for hacking into his PS3 and publishing the means to do so is believed to have prompted a large number of attacks against Sony's network this year. Nobody knows if the intruder in this case was aligned with any "political" hacking groups or was primarily interested in information theft. Still, Sony has had a major target painted on its network infrastructure lately.
What Actually Happened?
We now know from Sony that there was an intrusion into their system between April 17 and 19 that may have involved the theft of reams of PSN user data, including user names, addresses, logins, passwords, and security questions. Credit card numbers may also have been stolen, but the three-digit CVV numbers that help secure credit card purchases were safe. Sony has not yet been given any evidence of illicit credit card activity as a result of this breach, but that's not surprising. Thieves who steal credit card information on this scale tend to sit on the information for some time before attempting to use it, in order to make it more difficult to track where and when a particular credit card number was stolen.
Once Sony learned about the intrusion on their system, they immediately shut the PSN down. It was originally expected to come back up around April 26, but thanks to the major scope of the invasion, a lengthy data analysis was necessary. The PSN is now expected to come up this week, and most major functionality will be back. The PSN store won't be coming back up initially, however, presumably so that better security can be implemented for financial transactions.
Sony admits that the web server vulnerability that was exploited in this intrusion was a known vulnerability of the system. Still, the attack was characterized as highly sophisticated, made by an intruder who knew how to cover his/her tracks. The FBI is conducting a criminal investigation, so if the intruder is caught, there's going to be major trouble coming his or her way.
At a press conference on April 24, Sony outlined the reparations that it will make to users to apologize for the downtime and respond to any consequences that may arise from information theft. Sony will add an extra month of service onto PlayStation Plus accounts, give all PSN users a free month-long PlayStation Plus membership, and provide some unspecified free PSN content to all users. Sony will assist customers in enrolling in locally-available theft-protection services, and the company is also considering covering the cost of credit card reissues for affected customers. Of course, Sony is taking steps to increase network security as well, including adding more firewalls and using better data encryption methods.
Of course, lawsuits are bound to be a topic of discussion whenever something like this happens. Several class action lawsuits are said to be in the works, but they may be facing an unexpected hurdle. The United States Supreme Court just made a ruling saying that companies no longer have to accept class action lawsuits from a large group of individual consumers, and can instead insist that consumers deal with their issues on an individual basis. Sony has said a few things that lead me to believe they'd prefer to deal with customers individually, so we'll see what happens to potential class action suers.
It's important to note that we still don't know exactly how much information was actually taken by the intrusion into the PSN, just that a large amount of data was potentially taken. If you're concerned about how this intrusion might affect you, there are a few things you can do. If you used the same user name and password for any other services as you did for your PSN account, change those passwords ASAP. Do not under any circumstances give password or credit card information to somebody who calls or e-mails you asking for that information, even if they sound official and have information about you. When the PSN comes back up, log in as soon as you can and change your password there. As for credit card information, it's always a good idea to pay attention to your credit card purchases. It's up to you if you ask your bank for a new credit card, but if you don't, just read your bill carefully every month and make sure you've got a credit card that has good security precautions.
Whew, what a mess! On one hand, I feel bad for Sony because hackers can and do attack major companies all over the world, and a server intrusion could happen to anybody. On the other hand, Sony could have done a better job at protecting user information, especially considering that the hacker used a known web server vulnerability and it appears that important information like passwords and possibly credit card numbers was unencrypted. Will Sony and the rest of the online industry learn from this incident? We can only hope so.
By Becky Cunningham
CCC Contributing Writer
*The views expressed within this article are solely the opinion of the author and do not express the views held by Cheat Code Central.*