Thursday, April 28, 2011

Sony nukes Playstation Network from orbit

By now, most of you have heard that Sony has shut down Playstation Network - Sony's on-line Internet service that lets PS3 owners play online.  The service has been down for a week.  Here's what we know.

1. They got hacked, by persons unknown.  Someone got inside their network from the outside, so badly that Sony is rebuilding the servers that run Playstation Network.  What this means is that the intrusion was so bad that Sony wasn't really sure just what might have been installed on their servers.  Rather than trying to forensically identify changes the Bad Guys made, they're reinstalling the server OS and application software ("Nuke from Orbit").  This means that it was a very severe intrusion indeed.

2. The Bad Guys got personal information - including credit card numbers - on everyone who uses Playstation Network.  If you have a PS3 and use Playstation Network, they have your credit card number.  Watch your billing statement for the next 6-9 months for strange transactions.  When Playstation Network comes back up, change your password, duh.  Probably no good reason to change the credit card number - the Bad Guys already have it, right?  Absolutely you should change your password and the security question you gave them.

3. Rumors say that the hack was in retaliation for Sony's lawsuit against the guy who reverse engineered the PS3.  Possible, but two things make me think that this is at best just a cover: (a) Sony settled with the gentleman, and (b) Bad Guys dig stealing millions of credit card numbers (77 million, in this case).

4. The legal jackasses are already circling Sony's bleeding carcass.

5. One rumor is that the hack came from a PS3 console.  I'm skeptical.  Playstation Network is an Internet service, so by definition you can get there from any Internet device.  There are far better hacking platforms than a PS3 (e.g. Windows or (especially) Linux boxes where you can install general hacking tools).  Not impossible on a PS3 (see #3, above), but not the path of least resistance.

6. Sony has handled this pretty poorly.  The information about the situation has been coming out slowly, and has been changing day by day.  While the lawsuit is idiotic (Sony didn't tell you to change your credit card number?  Dude, the Bad Guys already have your credit card number!  You want to give them another?), Sony hasn't exactly covered themselves in glory by being forthright to their users.  Rebuilding is The Right Thing, but they should have told everyone earlier what they were doing, and why.


Ken said...

Thirty years after Johnson & Johnson (the Tylenol tampering case) showed everyone how it's done, no one has learned the essential lessons.

Keads said...

The loss of the PS Network also killed my Netflix streaming on the PS3. That will be interesting to watch too.

Anonymous said...

...And now I'm done with PSN. I haven't used it for anything in six months anyway, and I've used the console for very little besides F@H anyway. Boo.