PlayStation Network 'exploit' discovered: Sony, get your act together

Summary: Sony had to shut down access to the PSN password system after hackers uncovered yet another security exploit. Can this company ever again get its act together to the satisfaction of security-conscious gamers?

Editor's note: The headline was changed from "PlayStation Network down, again" to "PlayStation Network 'exploit' discovered" and some changes have been made to the body copy to more accurately reflect the issue.

In what can only be described as a complete debacle, Sony has pulled access to its PlayStation Network password page after yet another security exploit has been discovered. It's the latest embarrassment to the company, which has experienced more than its share of shameful moments in recent weeks.

Sony took the PSN password changing system down for "maintenance" after the Web site Nylevia offered details of how PlayStation Network accounts could still be compromised, even after Sony recently restored service with improved security.

According to Nylevia, a hacker could take over a PlayStation Network account by knowing the user's account name and date of birth - two pieces of information stolen by data thieves in the April break-in.

Nylevia has confirmed the hack works, and has notified Sony of the problem. Sony has responded by taking the Web page for PlayStation Network passwords offline - users attempting to visit the site are getting a "maintenance notice." (Editor's note: Please see the update at the end of this editorial for Sony's statement on the issue.)

In April Sony blacked out PSN, its Qriocity streaming music service and Sony Online Entertainment (SOE) services after the company discovered that a hacker or hackers broke into the systems and made off with personal information on more than 100 million user accounts, including names, addresses and passwords. A small number of non-US credit cards were taken from SOE servers, as well.

It took Sony more than three weeks to finally resurrect services, after its first attempt was aborted (that's when Sony discovered that SOE servers got hit, too).

Talk about embarrassing.

When Sony's name came up in discussions by a Congressional subcommittee, a security expert said that Sony used versions of the open source Apache Web server software that went "unpatched and had no firewall installed."

Between the original PSN break-in, Sony's discovery later that SOE servers had been compromised, and this most recent issue, Sony's had a bad month. But even before that, Sony was targeted for retribution by the collective known as "Anonymous." The group staged a Denial of Service attack against Sony servers after Sony took legal action against a hacker named George Hotz (known by his online name Geohot); Hotz had successfully enabled PlayStation 3s to install alternate operating system software - a feature originally supported by Sony but later removed in a firmware update.

Sony really needs to get its act together and tighten security as much as possible.

In the interim, more and more gamers will likely do what I'm doing - playing their Xbox 360s using Microsoft's comparatively much more robust Xbox Live service.

Update: After this editorial was posted, Sony updated its PlayStation blog with the following statement:

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."

Talkback

38 comments
  • rather than defect to the unsafe M$ XBOX

    you should urge sony to use Linux and the best OSS practices.
    Linux Geek
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek You're really a one-trick pony, aren't you?
      flargh
      • RE: PlayStation Network down, again: Sony, get your act together

        @flargh
        More accurately the workhorse of FOSS.
        Linux Geek
      • RE: More accurately the workhorse of FOSS.

        @Linux Geek

        LOL... Do you walk around with that saying on your T-Shirt?

        Get a life.
        bobiroc
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek Or they could just embrass the hacker community and use Windows Server and intelligently update their server software through System Center.
      jessiethe3rd
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek
      Sony already uses Linux with Apache, you idiot.
      illegaloperation
      • Exactly, last time it is Apache unpatched

        @day2die
        Who knows what it is this time. There are plenty of holes in Linux for hackers.
        FADS_z
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek Still spouting the same old crap? Seriously dude get a new act.
      Bates_
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek ,,, Right: And in view of the How's & Why's of how this vulnerability/ies get/s used, the OS will keep users from asking for it, and allowing anything into their machines? How does a missing firewall get fixed by using one of the 'nixes? And so on. Good grief, Charlie Brown!
      tom@...
    • RE: PlayStation Network down, again: Sony, get your act together

      @Linux Geek Unix is more secure and connectable than ANYTHING Linux has...but without proper updating and maintenance they all suk!!!
      Double Aught Code
  • RE: PlayStation Network down, again: Sony, get your act together

    you should urge your reporters to do some original reporting. why are so many sites regurgitating shit that's not true?
    mobstar
  • RE: PlayStation Network down, again: Sony, get your act together

    They sure don't test out their stuff before turning it on do they?
    Servers corrupted, easy to hack in accounts.
    After a break in all major parts should be checked before doing anything.
    MoeFugger
  • RE: PlayStation Network down, again: Sony, get your act together

    Peter your article is both misleading, incorrect, and an example of poor (or perhaps biased?) journalism.

    First to make sure you're wrong, I turned around and turned on my ps3 and then actually logged into the PSN.

    Second, the exploit while bad can't be done WITHOUT INFORMING THE VICTIM. Making it to a large degree useless.

    Third, At least Sony is aware they were hacked.. being someone who has an interest in hacking.. I can honestly say there is a way to get into ANY system and professional hackers never get found out.. by that I mean a hacker can have access to your computer, your server, your system, for an incredibly long time and you will never.. ever find out.

    I don't even know why I am commenting on this biased tripe. I have no desire to defend Sony.. they screwed up, they are paying a big price for it.

    Maybe I just get disgusted by all the bias in the tech world...
    Snow_Fox
    • RE: PlayStation Network down, again: Sony, get your act together

      @Snow_Fox ,,, "Maybe I just get disgusted by all the bias in the tech world... "

      Amen to that! Makes for boring reading, too, which is why I often don't get past the 2nd paragraph of these articles AND the responses! When one has nothing to say, that's exactly what they should say - NOTHING!
      tom@...
      • RE: PlayStation Network down, again: Sony, get your act together

        @tom@... "When one has nothing to say, that's exactly what they should say"

        Back at ya.

        - Peter
        flargh
  • RE: PlayStation Network down, again: Sony, get your act together

    >a security expert said that Sony used versions of the open source Apache Web server software that went "unpatched and had no firewall installed."

    This isn't the first time a company has been hacked because they don't keep their security measures up to date. Theoretically under a free market those companies that screw up this will lose customers and eventually go out of business, BUT: How many consumers must have their card details stolen, identities cloned, etc etc before those companies with poor security fall by the wayside?

    I think governments should help expedite this process by slapping big fines on companies found to have made these elementary mistakes in securing people's private data, which can in turn be used to fund the police actions required to catch the criminals.

    (This isn't a dig specifically at Sony btw).
    OffsideInVancouver
    • RE: PlayStation Network down, again: Sony, get your act together

      @OffsideInVancouver

      I completely disagree. How do we define "elementary mistakes".

      Furthermore should we apply the same "stupidity tax" to users? There are pop ups people enter their information into that are obviously scams... They should know better.. there is a flashing light changing from 20$ to 20 yen emphasizing the symbol being changed.. no that's not fishy at all that it cost 20 of any currency in the world...

      You also unfortunately miss out on a major point.. Fines are only going to be issued after it has happened.. Well a good hacker is going to be in a system for years before anyone realizes it..

      Also any time you run updates, you run risk with stability issues.. patching a server isn't the same as patching a home computer.. there is still a chance (even bigger than a home computer probably) something can go horribly wrong.. No excuse to not do it at all but, the laws you propose create a large grey area for the government to play favorites with.

      How soon after a patch is released should it be forced to be updated? What if the patch creates another more serious hole? What if, what if, what if.

      It's not really a black and white case in a lot of instances.

      Also, while Sony is clearly at fault here.. I hate to point this out but, all your law would do is encourage a lot of pointless lawsuits by people dumb enough to enter their info in obviously fake pop ups or wire money to African "royalty".
      Snow_Fox
      • RE: PlayStation Network down, again: Sony, get your act together

        @Snow_Fox

        Hi - I'm talking purely about data protection. If a user gets scammed through a pop-up, or gives their bank details to a Nigerian prince then that is their concern, however if a company wants to keep the name, address and card details of users on file then they need to have high levels of security around that data. No system is un-hackable, but not patching it and having no firewall makes it pretty hard to claim that they were doing their best to safeguard user data. Similarly, I believe when HB Gary were compromised by Anonymous it was through the use of basic SQL injection. This is incompetence, pure and simple. If a building contractor is negligent in their application of safety codes then they can be fined, even if no-one has actually been hurt on-site. If we have legislation in place to protect our physical selves then I believe we should have comparable legislation to protect our digital selves also.
        OffsideInVancouver
  • RE: PlayStation Network down, again: Sony, get your act together

    Why does it seem that recently, a lot of ZDnet's writers can only regurgitate incorrect information?

    1. PSN never went down. Sony took down the password reset WEBPAGE and they informed users about it shortly after the fact.

    2. All the articles and the so-called "authority" on Sony's security can easily be countered by some quick and simple checks done by Bitmob. See http://bitmob.com/articles/detective-work-reveals-psn-servers-up-to-date

    3. Peter, all your articles seem to scream Xbox cultist. You've written nothing but "Sony is bad! Xbox is great!" articles for the past month. Other stuff has happened in the gaming industry. Why is there no article on the recent event where Xbox consoles were bricked by a recent firmware update? What about the news on Nintendo's Project Cafe?
    Crion629
    • RE: PlayStation Network down, again: Sony, get your act together

      @Crion629

      you have no idea how effing awesome you are just for that article alone. THANK YOU.
      Snow_Fox