Apparently Sony doesn't really rate-limit logins (say, per IP), leaving their customers open to password brute-force attempts. One would hope - but, sadly, not expect - that they would learn...
I think the lesson here is twofold: Sony either doesn't get or doesn't care about user security. And they aren't interested in securing their network against even the simplest of hacking attempts. I deleted my PSN account long ago and I recommend anyone still on the network to leave. Sony will continue to be hacked for the next decade, and while that's unfortunate, it shows what's important to them. Bottom line: Sony does not care about you enough to secure their data against hackers. At all. Act accordingly.
I think you read the article wrong. Sony is stating that they detected a large number of sign-in attempts, many of which failed, but 93,000 succeeded. The attempts were made using the data (they assume) obtained from the prior hacks on the various Sony sites. This is not a new breach, but a follow-through with the data from prior breaches, probably due to the affected users not updating their credentials after the prior hack.
Sony seems to be learning its lesson... it disclosed the hack attempts, locked the accounts and is looking into securing the login system further as a result of this.
JoachimSchipper | 14 years ago
mattmanser | 14 years ago
On the positives, at least they're being open about it now and they detected it.
mootothemax | 14 years ago
I'd love to know from someone in the business whether brute-force attempts like this typically come from a single IP, multiple IPs or a unique IP per account break-in attempt. If it's anything but the latter, one would really hope a company as high-profile and as targeted as Sony would be checking more thoroughly for this kind of stuff.
haasted | 14 years ago
Any guesses as to where the original list of usernames and passwords may have come from?
brador | 14 years ago
daimyoyo | 14 years ago
phsr | 14 years ago
One issue that JoachimSchipper points out [1] is that Sony probably isn't rate limiting or throttling login attempts, which is a security issue, as it opens up the possibility of brute-force attacks.
[1] http://news.ycombinator.com/item?id=3102489
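A defender's illustration of the two points raised above (phsr's, that the login endpoint is not throttled, and mootothemax's, that attempts may come from one IP or from a unique IP per account), as an added example that is not code from this thread: the per-IP failure count is what throttling keys on, while the fleet-wide view catches the one-attempt-per-account shape that a per-IP limit alone never sees. The log format, sample lines and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines (not from the page): timestamp, source IP,
# account, outcome. The first three show one IP hammering one account; the rest
# show one attempt per account, each from its own IP (credential stuffing).
SAMPLE_LOG = """\
2011-10-11T02:00:01Z 198.51.100.7 alice FAIL
2011-10-11T02:00:02Z 198.51.100.7 alice FAIL
2011-10-11T02:00:03Z 198.51.100.7 alice FAIL
2011-10-11T02:00:05Z 203.0.113.10 bob FAIL
2011-10-11T02:00:05Z 203.0.113.11 carol OK
2011-10-11T02:00:06Z 203.0.113.12 dave FAIL
2011-10-11T02:00:06Z 203.0.113.13 erin FAIL
2011-10-11T02:00:07Z 203.0.113.14 frank OK
2011-10-11T02:00:07Z 203.0.113.15 grace FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, account, result = m.groups()
            events.append((ts, ip, account, result == "OK"))
    return events

def per_ip_failures(events, threshold=3):
    """Per-IP throttling view: IPs whose failed-login count reaches the threshold."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip: n for ip, n in fails.items() if n >= threshold}

def stuffing_stats(events):
    """Fleet-wide view: distinct accounts and IPs, and accounts tried exactly once
    from an IP that touched no other account (the unique-IP-per-account pattern)."""
    attempts = Counter((ip, acct) for _, ip, acct, _ in events)
    accounts_per_ip = defaultdict(set)
    for _, ip, acct, _ in events:
        accounts_per_ip[ip].add(acct)
    one_shot = {acct for (ip, acct), n in attempts.items()
                if n == 1 and len(accounts_per_ip[ip]) == 1}
    accounts = {acct for _, _, acct, _ in events}
    share = len(one_shot) / len(accounts) if accounts else 0.0
    return {"accounts": len(accounts), "ips": len(accounts_per_ip),
            "one_shot_accounts": len(one_shot), "one_shot_share": share}

def is_credential_stuffing(stats, min_accounts=5, min_share=0.75):
    """Alert when many distinct accounts are each tried once from their own IP."""
    return stats["accounts"] >= min_accounts and stats["one_shot_share"] >= min_share
```

In production the fleet-wide counts are compared against the window's normal baseline rather than fixed thresholds, since a handful of legitimate first-time logins look the same in isolation.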
rkalla | 14 years ago
As an aside, I would point out that XBL hack reports (with purchased/stolen points) have been running rampant for the last year[4], with Microsoft working hard to bury the reports. One of the editors at VE3D was hit by it and had a few thousand Points purchased against their account.
There have been on-again/off-again rumors that the iTunes store has been compromised for the last year with people reporting apps purchased against their accounts and Apple saying that no hack has occurred (oddly enough this all took place after the iTunes store ratings shenanigans in 2010[1][2]).
As a customer I'd rather places disclosed hack attempts to me and what they were doing to combat it than cover it up, deny it, say it never happens and everything is safe and then wait for the other shoe to drop.
This reminds me of the LastPass announcement[3] when they detected an irregularity in the form of a few extra bytes transferred from a source to a destination server, where the bytes that arrived were fewer than were sent, so they went to DEFCON 3, posted the issue on the blog and set forth on rebuilding and locking the systems down without ever actually confirming a hack... just being safe.
There was a fair share of people irate at the news; I wonder how much of it was anger at the team (you couldn't really claim they didn't know what they were doing) or just anger at the fact that something they had set-and-forgotten was now suddenly something they had to worry about.
No one ever wants to hear the bad news, but bad news delivered alongside "how we are fixing it" is always a good way to tell if your data is in good hands.
[1] http://www.engadget.com/2010/07/04/inexplicable-rise-in-ipho...
[2] http://www.thebuzzmedia.com/itunes-app-store-hacked-again-us...
[3] http://blog.lastpass.com/2011/05/lastpass-security-notificat...
[4] http://www.joystiq.com/2011/06/17/report-lulzsec-hacking-gro...