• Sony Music Japan Hacked Through SQL Injection Flaw

    // Gradly // blog, Featured, News, Rants & Raves, Scandal, Sony No Responses

    Another day, another attack on Sony. Just when you couldn’t imagine it getting any worse for Sony, a new attacks on the Sony Music Japan and Greece websites (SonyMusic.gr, SonyMusic.co.jp), exposing databases using SQL injection techniques. Sony has suffered from two hacks last month lead to compromising over 100 million accounts along with usernames, password, credit cards info.

    The good news? The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information.

    It isn’t clear whether the hackers are able to inject data into the database, or simply access the tables and records it contains. If they are able to alter the records, this could be used to insert malicious code that could be used to compromise people browsing the site.

    While there is an enormous target on Sony’s back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?

    I hope this is the last time to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.

    [via nakedsecurity]

  • PSN Accounts Threatened by New Password Exploit [Updated]

    // Gradly // blog, Consoles, Featured, News, PS3, Scandal, Sony 1 Response

    Sony’s new PlayStation Network security measures have seemingly been compromised just days after the service reboot.

    According to reports from Nyleveia, a new exploit enables attackers to change other users’ passwords via the PSN password reset page members are forced to access when they first reconnect to the online service.

    Attackers can apparently reset the password themselves using just a PSN account email and date of birth, pieces of data that were compromised in the recent PSN hack.

    Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
    A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.

    It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

    I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.

    While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.

    Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.

    While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.

    Updated:

    Sony has fixed the security breach found today. Sony’s Patrick Seybold has issued an update via the PlayStation Blog denying it was a “hack”, and saying Sony has fixed the issue.

    We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

    Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.

  • PlayStation Network PSN Is Back Again, Firmware 3.61 Released

    // Gradly // blog, Consoles, Games, News, PS3, Rants & Raves, Scandal, Software, Sony 1 Response

    Sony just announced that over the next several hours it will be flipping the lights back on in its Playstation Network that has been since hackers attacked it nearly a month ago.

    The company announced a phased restart to its network starting with the Americas followed by Europe, Australia, New Zealand and the Middle East. the company has also pushed out a software update 3.61 that will prompt users to change their password as part of the new security procedures put in place.

    Hirai announced advanced security technology, encryption and additional firewalls:

    We have greatly updated our data security systems. These changes were the result of an intensive investigation aided by some of the most respected forensic and security experts in the computer industry.

    Here is the statement released from Sony today:

    Thank you for your patience and encouragement over the last few weeks. As covered in the post from earlier today, you can now update the firmware on your PS3 and change your password. Kazuo Hirai just announced that we have begun the phased restoration by region of some of the services, starting with online multiplayer functionality.

    Please note that these services will take a bit of time to be turned on and rolled out to the whole country. The process has begun and some states are being turned on now, so please be patient as we reach your city and state. We’ll be updating the map below as service comes online in individual states. It will take several hours to restore PSN throughout the entire country, so please keep checking back for the latest updates. In the meantime, now’s a great time to get your PS3’s firmware updated, which is required to get online.

  • More Details On PlayStation Network Hack

    // Gradly // blog, Consoles, Games, News, PS3, Rumors, Scandal, Sony 1 Response

    Sony Computer Entertainment has issued an update on last week’s “external intrusion” on its PlayStation Network, an attack that forced the network offline and may have exposed the personal information of millions of members.

    On the company’s PlayStation.blog, senior director of corporate communications Patrick Seybold writes that the PlayStation maker will be “taking steps to make our services safer and more secure than ever before.”

    That includes “a new system software update that will require all users to change their password once PlayStation Network is restored.” Presumably, that software update will come to both the PSP and PlayStation 3 within the week. Currently, PSN accounts are locked out of the system, making a change to personal information and passwords impossible.

    For PSN account holders who may be concerned about the damage already done to their personal information or credit cards, Sony offers the following updates.

    On the safety of your personal and financial information…

    The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

    On the credit card details that PlayStation Network and Qriocity do and do not store…

    While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

    [via: kotaku]