Attacks/Breaches
10/12/2011
01:58 PM

Sony Locks Accounts After Data Breach

Sony locks almost 100,000 accounts accessed by criminals who reused usernames and passwords stolen from a third-party site.

Sony has suffered a data breach involving the usernames and passwords of about 93,000 customers. But the attack appears to have used a large set of credentials stolen from third-party sites, and only a fraction of those could be reused to log on to PlayStation Network (PSN), Sony Online Entertainment (SOE), or Sony Entertainment Network (SEN) accounts.

"These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites, or other sources," said Philip Reitinger, the chief information security officer (CISO) of Sony Group, in a blog post announcing the breach.

In other words, the unauthorized access to people's Sony accounts resulted from their having reused the same usernames and passwords across multiple sites: attackers took sign-in ID and password pairs from someone else's breach and replayed them against Sony's login, a technique now generally called credential stuffing. "Given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our networks," he said. "We have taken steps to mitigate the activity."
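The failure pattern Reitinger describes is also the detection signal. As an added example (not Sony's code), the script below runs over a few constructed authentication log lines in an invented format of timestamp, source IP, sign-in ID and result, and flags a source that tests many distinct sign-in IDs, each only once or twice, with an overwhelming failure rate. The thresholds are assumed values for the demonstration; the function names and the sample data are not from the original page.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example, not Sony's code. The log format (timestamp, source IP,
sign-in ID, result) and the sample lines are constructed for this demo;
real logs will differ. The heuristic is the signal Reitinger describes:
a source that tests many distinct sign-in IDs, each only once or twice,
with an overwhelming failure rate is replaying a list obtained elsewhere.
A legitimate user who forgot a password retries one ID from one source.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real Sony data).
SAMPLE_LOG = """\
2011-10-10T03:12:01Z 198.51.100.7 alice@example.net FAIL
2011-10-10T03:12:01Z 198.51.100.7 bob@example.net FAIL
2011-10-10T03:12:02Z 198.51.100.7 carol@example.net OK
2011-10-10T03:12:02Z 198.51.100.7 dave@example.net FAIL
2011-10-10T03:12:03Z 198.51.100.7 erin@example.net FAIL
2011-10-10T03:12:03Z 198.51.100.7 frank@example.net FAIL
2011-10-10T03:12:04Z 198.51.100.7 grace@example.net FAIL
2011-10-10T03:12:04Z 198.51.100.7 heidi@example.net FAIL
2011-10-10T03:12:05Z 198.51.100.7 ivan@example.net OK
2011-10-10T03:12:05Z 198.51.100.7 judy@example.net FAIL
2011-10-10T03:15:10Z 203.0.113.9 mallory@example.net FAIL
2011-10-10T03:15:20Z 203.0.113.9 mallory@example.net FAIL
2011-10-10T03:15:35Z 203.0.113.9 mallory@example.net OK
2011-10-10T03:16:00Z 192.0.2.44 oscar@example.net OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    sign_in_ids: set = field(default_factory=set)
    matched: set = field(default_factory=set)   # IDs whose replayed pair worked

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_id(self) -> float:
        return self.attempts / len(self.sign_in_ids) if self.sign_in_ids else 0.0


def parse_log(text):
    """Yield (timestamp, source_ip, sign_in_id, success); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, src, sid, result = parts
        yield ts, src, sid, result == "OK"


def aggregate(text):
    """Per-source counters over the whole log."""
    stats = defaultdict(SourceStats)
    for _ts, src, sid, ok in parse_log(text):
        s = stats[src]
        s.attempts += 1
        s.sign_in_ids.add(sid)
        if ok:
            s.matched.add(sid)
        else:
            s.failures += 1
    return dict(stats)


def detect_stuffing(text, min_ids=5, min_failure_rate=0.7, max_attempts_per_id=2.0):
    """Return {source_ip: SourceStats} for sources that look like list replay.

    Thresholds are assumed for the demo; tune them against your own baseline.
    """
    return {
        src: s for src, s in aggregate(text).items()
        if len(s.sign_in_ids) >= min_ids
        and s.failure_rate >= min_failure_rate
        and s.attempts_per_id <= max_attempts_per_id
    }


def accounts_to_lock(text):
    """Sign-in IDs whose password matched inside a flagged campaign: lock these
    and force a reset, which is what Sony did for the matched accounts."""
    ids = set()
    for s in detect_stuffing(text).values():
        ids |= s.matched
    return ids


if __name__ == "__main__":
    for src, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {s.attempts} attempts over {len(s.sign_in_ids)} IDs, "
              f"{s.failure_rate:.0%} failed, matched {sorted(s.matched)}")
    print("lock and force reset:", sorted(accounts_to_lock(SAMPLE_LOG)))
```

Grouping by source IP is the simplest cut and misses a campaign spread across thousands of addresses; the same counters taken over the whole service in a short time window (global failure rate and count of distinct IDs far above the normal baseline) catch that case, at the cost of needing a measured baseline first.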


Sony has locked the affected accounts, and said it is reviewing how the accounts may have been accessed and whether any unauthorized purchases were made. It said it would refund such purchases, and that no credit card numbers were at risk.

For context, Reitinger said that the breach appeared to involve less than 0.1% of Sony's PSN, SEN, and SOE customer base. Sony is now reaching out to the 93,000 people whose external usernames and passwords attackers were able to match with their Sony accounts, and requiring them to reset their passwords. "We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account," he said.

Of course, Sony's security image is still reeling after its websites were compromised more than a dozen times earlier this year. In the most severe breach, which resulted in at least one class action lawsuit being filed, attackers stole information on more than 77 million PSN users, and the Sony gaming network was offline for more than a month.

In this case, Sony seems to be placing the blame for the attack on password reuse. But should Sony--especially given its status as the most exploited attack target of 2011--have done more to prevent such an attack from succeeding, not least by supplementing a system based solely on usernames and passwords?

"The fact that people reuse passwords is a known issue. Sony should be requiring more than using a username and password. And in their situation, in which people are coming in from hardware that they know, there's no excuse," said Joseph Steinberg, CEO of Green Armor Solutions, which sells identity verification software.

For example, he said, many financial services firms and healthcare companies demonstrate the state of the art in identity verification, including extensive behind-the-scenes logic to detect unusual behavior by someone presenting otherwise valid username and password credentials. Is a user based in New York City suddenly trying to log in from London? Is a login attempt coming from a PC that has never been used before? In either case, the identity verification system can escalate the authentication, requiring more than a username and password to log in.

In the case of PSN, furthermore, Sony could even be using a PlayStation as part of a multi-factor authentication mechanism. "They control the hardware on the PlayStation, they should be doing strong authentication from that hardware," Steinberg said. "They really need to start thinking of their system as a financial system, rather than a gaming system."
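The two checks Steinberg describes (an unfamiliar device, a login from a place the user could not have reached in time) and the step-up he proposes (make the console prove it holds a key) fit together in one control flow. As an added example, not Sony's or Green Armor's code, the script below scores a login attempt on those two signals and, when either fires, only accepts the correct password after the device answers a fresh challenge with a device-bound key. The account records, the GeoIP-derived coordinates on each attempt, the device key table, the 900 km/h travel limit and all function names are assumptions for the demonstration.

```python
"""Risk-based step-up login with a device-bound second factor.

Added example, not Sony's or Green Armor's code. The account records,
the GeoIP-derived coordinates carried on each attempt, the device key
table, and every threshold are assumed for the demo. The per-device
secret stands in for a key that would live in the console's hardware;
a shared HMAC secret keeps the example short, but a real design would
use a per-device asymmetric key so the server holds nothing worth stealing.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    last_lat: float          # location of the last successful login
    last_lon: float
    last_login_ts: int       # unix seconds
    known_devices: set = field(default_factory=set)


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str
    lat: float               # assumed to come from a GeoIP lookup of the source IP
    lon: float
    ts: int


# Constructed key store: device_id -> key provisioned at enrolment (placeholder value).
DEVICE_KEYS = {"ps3-0001": b"\x11" * 32}
MAX_PLAUSIBLE_KMH = 900.0    # assumed: faster than this and the user did not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_signals(account, attempt):
    """The two checks from the text: unfamiliar device, and impossible travel."""
    signals = []
    if attempt.device_id not in account.known_devices:
        signals.append("unknown_device")
    hours = max(attempt.ts - account.last_login_ts, 1) / 3600
    km = haversine_km(account.last_lat, account.last_lon, attempt.lat, attempt.lon)
    if km / hours > MAX_PLAUSIBLE_KMH:
        signals.append("impossible_travel")
    return signals


def device_respond(device_id, challenge):
    """What the console computes with its held key; None if it has no key."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return None
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_device(device_id, challenge, response):
    """Server-side check of the challenge answer, in constant time."""
    key = DEVICE_KEYS.get(device_id)
    if key is None or response is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(account, attempt, password_ok, respond=device_respond):
    """Return (decision, signals). A correct password alone is not enough when
    the attempt looks risky: the client must answer a fresh device challenge."""
    if not password_ok:
        return "deny", []
    signals = risk_signals(account, attempt)
    if signals:
        challenge = secrets.token_bytes(16)   # fresh nonce, so a captured answer cannot be replayed
        if not verify_device(attempt.device_id, challenge, respond(attempt.device_id, challenge)):
            return "deny_step_up_failed", signals
        account.known_devices.add(attempt.device_id)
        decision = "allow_after_step_up"
    else:
        decision = "allow"
    account.last_lat, account.last_lon, account.last_login_ts = attempt.lat, attempt.lon, attempt.ts
    return decision, signals


if __name__ == "__main__":
    alice = Account("alice", 40.71, -74.01, 1318000000, {"ps3-0001"})   # last seen in New York
    # A stuffed pair that matched, replayed from an unknown PC in London an hour later.
    print(authenticate(alice, LoginAttempt("alice", "pc-x", 51.51, -0.13, 1318003600), True))
    # Same user on her own console at home: nothing unusual.
    print(authenticate(alice, LoginAttempt("alice", "ps3-0001", 40.71, -74.01, 1318003600), True))
```

The first call in the usage is the breach scenario: the replayed password is correct, but the unknown device has no key to answer with, so the login is refused even though the credentials matched. Keying the step-up to a device the service itself ships is what makes it cheap for the legitimate user, which is the "they control the hardware" point above.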

Comments
Sorry You'reStupid
User Rank: Apprentice
10/15/2011 | 1:34:29 AM
re: Sony Locks Accounts After Data Breach
Les Moor, maybe you know what you're talking about but if so, your comment certainly isn't evidence of such.

They aren't blaming others for their own problem, they are pointing out the fact that these people's accounts were compromised because they were stupid. They used their credentials in multiple places, entirely outside of Sony's control. Those 3rd party locations were insecure, and as a result those accounts were compromised.

It's not surprising that Mr. Steinberg, CEO of Green Armor Security Widgets Etc., would claim that everyone needs to use technology [remarkably like the stuff he sells.]

Could everyone use significantly more secure systems for their websites? Of course! There are always additional security measures available -- and they make the process of using their target websites more and more cumbersome in many cases. Sony has a set level of security and a set of processes for dealing with account authorization; it is impossible to do anything but speculate on how different events would be if they required additional levels of authentication. For all we could guess, requiring further security measures would breach the 'Whatever, Can't Be Bothered' threshold for some of Sony's customers. Additionally -- there are thousands of Sony customers (99%+ of them, actually) that are completely unaffected by this event, because they weren't stupid enough to reuse their credentials.
Les Moor
User Rank: Apprentice
10/12/2011 | 6:37:22 PM
re: Sony Locks Accounts After Data Breach
Blah blah blah, blames others for their own problem. Sony doesn't take security seriously so how can they point the finger at anyone. sickening.