  1. #61
    Remilia (joined Apr 2011, 15,160 posts)
    http://www.soe.com/securityupdate/pressrelease.vm

    New stuff.

    Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.
    Don't say Apache, sick of hearing a web server being called a database. I'm just curious why they have bank account numbers. Server should've been updated, however.

  2. #62
    Quote Originally Posted by Powerogue View Post
    curse you hackers! *shakes fist*

    now we just need someone to hack into WoW and give everyone flying unicorn mounts.

    one can only hope...
    Hackers are just people with specific "skills" that happen to make stuff work that is not supposed to work.

    Mostly hackers are not bad at all, but there's of course some black hats that abuse this to their personal gain.

    Sony is who you should be blaming, not so much the hackers. Leave your data unprotected and this is bound to happen, especially if you piss off internet rights supporters and install rootkits on people's PCs! (Sony themselves were hacking YOU in 2005)
    Last edited by ZyngaFail; 2011-05-02 at 11:07 PM.

  3. #63
    Deleted
    Quote Originally Posted by Mudkiper View Post
    What's this got to do with wow?
    Uhh nothing, HENCE WHY IT'S IN OFF TOPIC-VIDEO GAMES... L2READ >.>

  4. #64
    Quote Originally Posted by Remilia View Post
    Don't say Apache, sick of hearing a web server being called a database. I'm just curious why they have bank account numbers. Server should've been updated, however.
    No, you misunderstood. The machine was compromised through a bug in an ancient version of Apache they were still running. Turns out the hackers found an authentication server running on the same computer, they got the DB credentials from the config file and dumped the whole thing for their own usage.

  5. #65
    Remilia
    Quote Originally Posted by ZyngaFail View Post
    No, you misunderstood. The machine was compromised through a bug in an ancient version of Apache they were still running. Turns out the hackers found an authentication server running on the same computer, they got the DB credentials from the config file and dumped the whole thing for their own usage.
    Yeah, that would seem more plausible. Most people don't even know what Apache is, which is what bugs me.

  6. #66
    It's just such an appallingly bad security practice to run old versions of known defective software (they were even alerted of this in February), and worse, running them on your freaking authentication server with full access to the unencrypted DB with all personal information of your consumers. :x

    I am really wondering how people can still be supporting Sony after this third major security FAIL from them in 2011.

  7. #67
    apepi (joined Dec 2008, 19,388 posts)
    2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened
    They really cannot do their own security? I mean... REALLY?
    Time...line? Time isn't made out of lines. It is made out of circles. That is why clocks are round. ~ Caboose

  8. #68
    Quote Originally Posted by apepi View Post
    They really cannot do their own security? I mean... REALLY?
    Yeah that made me sigh as well, they have plenty of security engineers working for them already.

  9. #69
    Deleted
    Serious h8 post here, but god damn it serves them right for screwing up SWG. (sony, not the players still playing it. Like there's any left anyway LoL)

  10. #70
    Remilia
    Quote Originally Posted by ZyngaFail View Post
    Yeah that made me sigh as well, they have plenty of security engineers working for them already.
    If every corporation had its own security task force, 3rd party security companies wouldn't even exist.

  11. #71
    Quote Originally Posted by Remilia View Post
    If every corporation had its own security task force, 3rd party security companies wouldn't even exist.
    They are a software and hardware developer, ALL of their engineers should be very familiar with security.

    These are the fundamental basics that they got totally wrong, you learn this stuff in every Computer Science uni as a compulsory course; even if you don't take any Cryptography.

  12. #72
    Quote Originally Posted by ZyngaFail View Post
    Yeah that made me sigh as well, they have plenty of security engineers working for them already.
    Oooooor maybe it's the fact they could possibly think there was an INSIDE JOB from said security? Rotten Security HAPPENS >_>

  13. #73
    Quote Originally Posted by LolToon View Post
    Oooooor maybe it's the fact they could possibly think there was an INSIDE JOB from said security? Rotten Security HAPPENS >_>
    Uh nah, then they would not even have had to hack into PSN, they would have just taken home a clone of the DB on a USB stick.

    Besides, there have been public IRC logs from February about their security that speak for themselves.

    Not to mention the gigantic failure that was PS3 digital rights enforcement. They coded their own ECDSA version that they didn't even bother to get certified by FIPS, and as a result got their private key reversed, which is hardwired into the hardware, i.e. cannot ever be changed. How did that happen? Well, they were supposed to use a random number in some place and they were actually using the same number every time!
    Last edited by ZyngaFail; 2011-05-02 at 11:20 PM.

  14. #74
    Remilia
    Quote Originally Posted by ZyngaFail View Post
    They are a software and hardware developer, ALL of their engineers should be very familiar with security.

    These are the fundamental basics that they got totally wrong, you learn this stuff in every Computer Science uni as a compulsory course; even if you don't take any Cryptography.
    All engineers would be familiar with the basics of security, that would generally be correct. However, if you go deep into cyber-security, there are a lot of things. Cryptography is only one part of security, there are many. I'm just saying that people that focus specifically on cyber-security have more knowledge than your average engineer.

  15. #75
    Quote Originally Posted by Remilia View Post
    All engineers would be familiar with the basics of security, that would generally be correct. However, if you go deep into cyber-security, there are a lot of things. Cryptography is only one part of security, there are many. I'm just saying that people that focus specifically on cyber-security have more knowledge than your average engineer.
    Yeah, but we're not even talking on a cryptography level here, they were hacked because they used an old version of Apache for which known remote code execution exploits existed.

    In either case they do have special security engineers working for them, that's how they "designed" the PS3 security (although their reinvent-the-wheel philosophy turned out to be a catastrophic failure for them).

    Stuff does not just get hacked if you plan it out correctly. Unless it's worth billions to some hacker (which, face it, this Playstation data is not by a long shot), who will then in the majority of the cases turn up in real life inside your datacenter and make clones of your HDDs.

    This whole hacking thing is blown WAY out of proportion by the media and by conspiracy theorists. And it makes me sad that so many people seem to be buying into it.
    Last edited by ZyngaFail; 2011-05-02 at 11:27 PM.

  16. #76
    Remilia
    Quote Originally Posted by ZyngaFail View Post
    Yeah, but we're not even talking on a cryptography level here, they were hacked because they used an old version of Apache for which known remote code execution exploits existed.

    In either case they do have special security engineers working for them, that's how they "designed" the PS3 security (although their reinvent-the-wheel philosophy turned out to be a catastrophic failure for them).
    I may be wrong here, but I thought PS3's security was based on the hardware.

    Whether they have a special security 'task force' I don't know. But I highly doubt having an extra pair of eyes (or lots of 'em) will hurt.

  17. #77
    Quote Originally Posted by Remilia View Post
    I may be wrong here, but I thought PS3's security was based on the hardware.

    Whether they have a special security 'task force' I don't know. But I highly doubt having an extra pair of eyes (or lots of 'em) will hurt.
    The PS3's security is based on cryptographic digital signatures. By signing the hash digest of a game executable, Sony proves to your PS3 that they allowed that code to run. But Sony gave away their signing key by making that one mathematical mistake, which really should not have happened, since Security 101 is "Do not write your own crypto-system; use the ones out there that are already verified, unless you are prepared to spend years proving yours correct and $30k getting it certified by FIPS."
    Last edited by ZyngaFail; 2011-05-02 at 11:33 PM.
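
The nonce mistake described in #73 and the signature scheme described in #77, as an added toy example (not code from this thread or from Sony): a DSA-style signature over a constructed tiny group, where signing two different digests with the same fixed nonce k makes both signatures share r, and two such signatures give enough equations to recover the private key; sign_secure shows the fix (a fresh random nonce per signature) and shared_r the check a verifier can run over a batch of signatures. The parameters P, Q, G, the private key x = 37, the nonce k = 3 and the digests 7 and 42 are all constructed, and the group is far too small for real use.

```python
"""Toy DSA-style signatures over a tiny group (constructed parameters, NOT secure):
why a fixed signing nonce leaks the private key, and how to detect and fix it."""
import secrets

P, Q, G = 607, 101, 64   # constructed: Q prime, Q divides P-1, G has order Q mod P

def sign(x: int, e: int, k: int) -> tuple[int, int]:
    """Sign digest e (an int already reduced mod Q) with private key x and nonce k."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (e + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, use another nonce")
    return r, s

def verify(y: int, e: int, sig: tuple[int, int]) -> bool:
    """Standard DSA check against the public key y = G^x (what the console holds)."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, e * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r

def sign_secure(x: int, e: int) -> tuple[int, int]:
    """The fix: a fresh unpredictable nonce per signature (retry if r or s is 0)."""
    while True:
        try:
            return sign(x, e, secrets.randbelow(Q - 1) + 1)
        except ValueError:
            continue

def shared_r(sigs: list[tuple[int, int]]) -> bool:
    """Detection: a repeated r across signatures means the nonce was reused."""
    return len({r for r, _ in sigs}) < len(sigs)

def recover_key(e1: int, sig1: tuple[int, int], e2: int, sig2: tuple[int, int]) -> int:
    """Two signatures with the same r (and different digests) are two linear
    equations in the unknowns k and x mod Q; solve for k, then for x."""
    (r, s1), (_, s2) = sig1, sig2
    k = (e1 - e2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - e1) * pow(r, -1, Q) % Q

if __name__ == "__main__":
    x = 37                                       # constructed private key
    y = pow(G, x, P)
    sig1, sig2 = sign(x, 7, 3), sign(x, 42, 3)   # nonce k=3 used twice: same r
    print(verify(y, 7, sig1), shared_r([sig1, sig2]), recover_key(7, sig1, 42, sig2) == x)
```

Real deployments avoid this class of bug with a CSPRNG nonce or with deterministic nonces derived from the key and message (RFC 6979), so that no two signatures of different messages can share k.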

  18. #78
    This would strongly impact my decision on paying with CC on any Sony website, if I were considering doing so.

    Running outdated software on servers which are accessed externally is ridiculous. It was probably a money saver: fewer employees/cheaper employees/fewer license fees/less consulting, the decision must have been one of those... gross incompetence is very unlikely, although terrible management can make it hard for people to speak up, so that's possible.
    Hopefully they will get hit with lawsuits, and drown under them, but probably they won't.
    The least we can do as consumers is not invest in a company with such issues.

  19. #79
    Remilia
    Quote Originally Posted by ZyngaFail View Post
    The PS3's security is based on cryptographic digital signatures. By signing the hash digest of a game executable, Sony proves to your PS3 that they allowed that code to run. But Sony gave away their signing key by making that one mathematical mistake, which really should not have happened, since Security 101 is "Do not write your own crypto-system; use the ones out there that are already verified, unless you are prepared to spend years proving yours correct and $30k getting it certified by FIPS."
    Ah. My only comment, really, is just wondering: if they were to use another hash system, how would they go about using it? I'm just saying because it's a hash and not an encryption. A hash is usually a one-way system, while encryption needs a key for recovery reasons.

  20. #80
    Irony (joined Apr 2010, 5,916 posts)
    Quote Originally Posted by Supraah View Post
    Anonymous.
    If anonymous had done this, they'd be bragging about this and letting everyone know. They're really not anonymous.
    You can tell WoW changed the MMO for good when players started complaining about the amount of time they sink, into a time sink.
