Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Sony PlayStation Network Outage - Day 5 - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sony PlayStation Network Outage - Day 5

The Sony PlayStation Network and Qriocity service have been down since Wednesday the 20th. Sony is still working on bringing them back online. Sony is communicating regularly on this - you can find their original and current updates here:


Reading between the lines, they seem to be following the methodology for Incident Response, commonly phrased in these steps that I learned in SEC504: 

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Given that we're a number of days in, I hope that they are working on later phases of Eradication, making sure that the original attack vector is taken care of so that once they bring the service back online they won't see a recurrance of the event.

Hats off to them - they're doing all the right things, and communicating regularly with their client community as they do it ! I feel for them, given the length of the outage though.


Rob VandenBrink


Rob VandenBrink

578 Posts
ISC Handler
Apr 25th 2011
Given that the probable root cause is that they tried to shut the barn door after the code-signing keys got out and ticked off a bunch of people by lawsuitting GeoHot, I'm not sure the correct people learned anything or are doing much right. They effectively painted a big sign on their back reading "Kick Me" and the folks at HBGary Federal learned how well that approach works.

Sony was forewarned a couple of months ago when they started banning modded consoles and people figured out there was a very easy way to turn the process back on Sony and ban virtually anybody.

"A post on the SKFU blog states that bans are currently based just on user accounts and the PlayStation 3 console IDs. The way around this is that hackers can modify the information that is sent and received by the PlayStation 3, thus they could not only get themselves unbanned, they could in theory, cause innocent users to get a ban.

The theory even goes on to suggest that a simple Windows application could be created that would go through all PlayStation console IDs and get the world's consoles banned in around 24 hours."

An unauthenticated DoS? I wonder what else Sony left unauthenticated.
Huh? Those six steps are just plain common sense. Of course they're doing something along those lines.

As for "communicating regularly" ... Sony aren't particularly renowned for being forthcoming with information. Two or three days between updates is pretty weak, even by their standards.

"Unfortunately, I don’t have an update or timeframe to share at this point in time" ... says it all.
Quite honestly, I have to agree with Bob. Communicating regularly is not something that Sony is good at.

If you happen to follow any of the PS3 discussion boards and research this incident further, you'll note it is alleged by some posters that both personal and credit card information for PSN accounts was breached as well.

Sony needs to address these concerns one way or the other very quickly, as it has been 5+ days since the breach was discovered. That gives someone with the alleged credit card data a pretty good head start at using it, and is making a lot of PSN users very anxious.
Incident Response aside, I hope that during lessons learned they can communicate to 3rd parties the importance of not relying on network login to verify application! I get no Hulu on PS3 during this outage :( and they use both Hulu authentication AND PSNet authentication to start up application.
Some speculation on the actual incident itself here:
Sony have confirmed they were hacked as well as what details were taken (basically everything) -
I wonder where the is going to shake out in comparison to the T.J. Maxx compromise in 2007? And 6+ frickin' days to publicly advise that credit card information may have been (it's only posted on the EU website)? T.J. Maxx mostly only affected North American (err.. American) customers. This one here is world wide.

I'm some glad I only gave only the mandatory required info when I created my account, and didn't use my primary email of my email.

Wow - what an ugly mess! No amount of PR is going to help them with this.
This is why I use a Discover Card for online purchases. Their "secure online account numbers" give you a unique card number linked to your real account, but it can only be used by the original place it was used. Steal it all you want, just be sure you can process the charge through the company you hacked.

70 million compromised according to some reports. This will keep Verizon's 2010 report conclusions from being used in their 2011 report. :-)
Citibank has "Virtual Account Numbers" as well which are generated on the fly. Only good for the remainder of the month, and only good at that particular merchant....been using those for years.....

68 Posts
I just came across this article. PII was apparently stolen. Hopefully this will get vetted shortly!5795913/sony-comes-clean-playstation-network-hackers-have-stolen-personal-data

4 Posts
Another option is to not use a credit card for these game networks. Sony (and MS and Nintendo) sell "refill" cards in various denominations. They work like gift cards - put in a code and get the credit for the card's value - no CC required.

3 Posts
Unfortunately, a significant number of consumers will get mad, rant and rave publicly, but change nothing about their use of Sony products (it's like saying I'll never use Microsoft products again - You're likely using their products whether you know it or not!). The real shame is in consumers lack of knowledge around securing their online engagement.

1)As Angela mentioned, just use a re-fillable credit card/debit card or create a bank account that's used just for facilitating online purchases.

2) Setup multiple email aliases as dcolpitts suggests

3) Limit the amount of information willfully given. You're friends will find you regardless...

And the Japanese are notoriously tight-lipped (Nuclear crisis anyone?). I don't imagine their communication pre/mid/post incident will differ much. Their PR people will find a way to make the masses happy. It may take six weeks or six months, but gaming is what it is and consumers will continue to buy/support/use their PS3's and PSP's.
1 Posts
It certainly seems that almost everyone is talking about the wrong things here. "Sony's reputation" , or viewing Hulu on some piece of luxuryware. Or coulda-shoulda-woulda. ( If Sony actually cared an iota about their customers. )

Listen - 77 million usernames, passwords and birthdays were leaked. And perhaps credit card info.
Within one day of Gawker loosing 1 million, there were 200,000 plain text username/passwords floating around.
And that was leaked by grey-hats.

But _this_ is huge. Basically every day for the next year, 211,000 phishing emails can be sent saying happy birthday, open your present here.
( Start XSS etc, download keylogger, etc. )
And that is just one simple ruse.
Has ANYONE talked about the scope of the leak and the amount of people who -besides not being able to play some stupid game - will loose their identity or their bank account?
Are we going to wake up and really ask the important questions here?
Is it time to PCI V 2 ??? etc.
And even then - what about he 77 million sheep who just got ate by whatever APT-like gang that did this?
I assume that the Sony solution was fully PCI (Payment Card Industry) compliant. All of the biggest leaks are fully certified secure solutions.

As a small retailer we struggle with some of the more stupid PCI requirements and the costs, yet the biggest threat and biggest gains comes from the large companies or the payment clearinghouses, as history has shown.

We need to find a replacement for the credit card numbers, at least for all the card-not-present transactions. Why not use 32 character one-time-use credit card numbers ? Then the exposure of them will be without value.

And make a legal requirement that passwords MUST be encrypted/hashed with a unique salt. And that e-mail adresses should be encrypted.

The problem is the pre-internet creditcard numbers, and insecure storage of data.
Povl H.

79 Posts
Sony have updated everyone again -

"The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted"

Povl H.
4 Posts

Sign Up for Free or Log In to start participating in the conversation!