Respond
April 29, 2011

Continued Fail

By now everyone including your grandmother has read about the Sony PSN breach that has led to downtime of the network approaching 2 full weeks, and compromise of over 2 million PSN accounts. This topic has been covered extensively in the media, and my goal is not to rehash existing information. However, given that I got my notification email from Sony yesterday afternoon, there are a couple things that I think are important to go over.

First, in the email Sony states that "between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised." Well, I'm glad they could pinpoint it to within a 3 day period. Essentially, right at the front of the email what that says to me is "we really have almost no idea what happened or when it happened. We essentially have been monitoring nothing, and if the attackers had wished to remain under the radar they probably could have." Kudos Sony.

Second, the email says that "[w]hen the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password." Ummmm, what? Why wouldn't you reset them before restoring service, and email a link to create a new password in some secure manner? This really baffles me. I mean you have confirmed that the hackers took the usernames and passwords for the PSN accounts for the millions of people on there. If I was the hacker, and I just wanted to really mess with you, I would have that database queued up and ready to churn through the following algorithm as soon as you brought PSN back up:

  1. Log into account with existing username/password.
  2. Edit account and reset password to randomly generated string.
  3. Watch Sony flounder for another week.

I mean I don't know. Maybe it's just me, but that seems like something it would take about 30 minutes to script and set up across a distributed network of computers. I would definitely get a personal kick out of letting you make the big "We're back up!!!" announcement and then pulling the rug out from under you again just to make you look stupid. Also, the beauty is the attacker would only need to hit a large number of accounts, not all of them. Since Sony would have no way to tell which were legitimately and illegitimately reset, they would have to follow up by resetting all of them.

I'm really starting to not buy the claim that Sony hired an outside security firm to help with the disaster cleanup here. It seems inevitable that the fail will continue to come in waves on this story.

Continue reading

cybersecurity newsletter
The MPG newsletter

Get great curated articles into your inbox.

Our semi-regular newletter is a great source of information.
No spam!