UPDATE: Per this update Sony has now taken down the entire Sony Online Entertainment service for online games: “We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday).” I’d be willing to bet a vulnerability was discovered as part of the ongoing PSN assessment and has nothing to do with last week’s intrusion, but we’ll see what the day brings.
As part of a weekend press conference Sony put their cards down on the table (as much as they’re likely to) as to the nature of the hack that resulted in the PSN being taken offline for the past couple of weeks. (Spoiler: It was a “sophisticated” attack. Headline!) They also explained their plans for restoring PSN service (slowly) and how they intend to compensate PSN users for enduring the experience. (Have some free stuff!) It’s worth pointing out they have yet to confirm any cases of credit card fraud as a result of the hack, insisting that they still haven’t found any specific evidence that this information has been stolen. (I’m inclined to give them the benefit of the doubt here.) The two big parts of the press release address the “initial phase” of PSN restoration and the “Complimentary Offering and Welcome Back Appreciation Program” and are quoted below…
On service restoration:
The initial phase of the rollout will include, but is not limited to, the following:
– Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems. This includes titles requiring online verification and downloaded games
– Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
– Access to account management and password reset
– Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
– PlayStation®Home
– Friends List
– Chat Functionality
On user compensation:
While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.
The company will also rollout the PlayStation Network and Qriocity “Welcome Back” program, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company’s appreciation for their patience, support and continued loyalty.
Central components of the “Welcome Back” program will include:
– Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
– All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
– Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
Additional “Welcome Back” entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strive to exceed those exceptions.
There’s more detail about the attack itself and Sony’s new security measures at the link for the full release. You can find the Euro version of the press release here. The Escapist has a nifty graphic that uses the unrivaled power of PowerPoint to explain how the intrusion occurred. Who wants to translate that for us in the comments?
Further perspective to be found at Gamasutra and Opposable Thumbs. And Joystiq’s got a piece citing the New York Times as saying the US Congress is on the case. Yay?
And, yes, I do keep posting these stories as an excuse to use pictures of old trainwrecks.
That picture is pretty vague in terms of actual details, as there are a lot of intrusions with the same characteristics, but the lowdown is: there was a vulnerability in the application server, which has been used to install a “backdoor” into the application server. From there, they got direct access to the database server (somehow managing to escalate privileges in the database too, it seems, which would be in itself a different and quite sophisticated attack), retrieving the information.
The thing is – it’s a lot of information going “upstream”, and it definitely took a while. Such behavior should be detectable quite easily with some degree of network monitoring, which means one of two things: either Sony has been lacking in good network monitoring, or the intruders managed to “hide” the information retrieval as if it was regular traffic, which would be quite sophisticated indeed.
I doubt Sony will provide any detailed information regarding that, but, in their defense, I’m convinced they’ll “fortify” their security to prevent it from ever happening again.
Thanks for writing that up. The tech details are outside my wheelhouse, but I absolutely agree with that last paragraph. After all this, Sony should end up being one of the safer (emphasis on safe*er*) places to put your information online. There’s no way they can afford for this sort of thing to happen a second time.
“Sony put their cards down on the table”
Right after they put all of our cards on the table anyway. Hey-o!
Zing! lol
I’ve seen on some other site comments from posters like “Sony should offer an early beta of Uncharted 3 to make up for this”. Or all the fuss over whether tropies- TROPHIES!- are at risk. I can’t believe people would even think about something like that in this situation. “What free game or fun time can I have out of this”. I’m a hell of a lot more worried about getting that $2000 bill for a hi-fi stereo system bought by somebody in the Ukraine than getting to play a fucking Uncharted 3 beta…really shows you how young/disconnected/naive/stupid some “gamers” are.
And out of all this, what Sony offers turns out to be a marketing opportunity…30 day trial periods for paid services…geez.
I have to agree.
I’ll be the first to admit, I’m a total trophy whoar. I just have to get them all. They are my pokemon.
However, when this hack happened, my first thought was “Did I have anything important on that account.” Answer was no. I stopped asking myself questions.
“Should I get free things” or “ARE MY PWESHUS TROPHY GIFS SAFE!!!” didn’t ever cross my mind. No offence to anyone, but I find the idea that all that people would care about in this is either what they can scab Sony out of merch wise or if your various digital achievements that nobody in the long term will give a damn about are safe is well into pity territory. I wouldn’t even bother arguing, or making fun. I’d just walk away.