
More BIG Trouble for Sony

oZii

Noob
Source Gamespot: http://www.gamespot.com/news/6311008.html?tag=topslot;thumb;1

Sony Online Entertainment confirms info on 10,700 European bank records may be stolen along with credit card details of nearly 13,000 and personal info for 24.6 million customers after games, websites taken down.

Trouble seemed to be afoot at Sony Online Entertainment this morning, when the publisher brought game servers and websites related to its portfolio of massively multiplayer online games offline. As suspected, SOE has now confirmed that it, too, has suffered a security breach similar to the one plaguing the PlayStation Network and Qriocity services.


24.6 million SOE accounts have been compromised.
In a statement issued to GameSpot, SOE has now confirmed that approximately 24.6 million accounts as well as 12,700 non-US credit or debit card numbers and expiration dates may have been stolen. The information may have been obtained by hackers between April 16 and 17, and SOE believes that it was part of the initial attack that compromised the PSN and Qriocity service.

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007," the statement reads. "The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands, and Spain."

Of the 24.6 million compromised accounts, SOE said that hackers may have obtained names, addresses, e-mail addresses, birth dates, genders, phone numbers, login names, and passwords. SOE noted that the password data is stored in a hashed form and not plain text.

The foreign direct debit record information includes bank account numbers, customer names, account names, and customer addresses. The breach was discovered as Sony's engineers and outside consultants reviewed SOE's system in the wake of the attack on the PSN and Qriocity services.

According to SOE, the 24.6 million accounts were not game-specific. Games that fall under the publishing label include EverQuest, EverQuest 2, DC Universe Online, Free Realms, Star Wars Galaxies, Pirates of the Burning Sea, Vanguard: Saga of Heroes, and PlanetSide.

SOE said that it would add 30 days of free game time to current customers' subscriptions to make up for the service interruption. The publisher also promised that it would be offering a one-for-one match of free game time for each day that servers are offline.

Current Events as of May 5th 2011

New Message from Anonymous posted today about the recent press releases from Sony.

http://anonops.blogspot.com/2011/05/lets-be-clear-we-are-legion-but-it.html#comments

Anonymous Message to Sony: LET'S BE CLEAR, WE ARE LEGION, BUT IT WASN'T US. YOU ARE INCOMPETENT SONY

------------------------------------------------------------------------------------------------

Story May 5th 2011
http://www.gamespot.com/news/6312333.html?tag=updates;editor;all;title;2

Sony knew PSN had no Firewall

Excerpt

This morning, the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade began hearings on the threat of data theft to American consumers. Among those invited to testify was Sony Corp. executive vice president Kaz Hirai on the recent PlayStation Network outage and data breach. Hirai declined, instead sending a detailed account of the cyberattack to Subcommittee chairwoman Mary Bono Mack (R-CA) in the form of a letter.


Cybersecurity expert Dr. Gene Spafford testified before Congress that Sony knew the PSN's security was outdated.
One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.

Spafford testified security experts discovered discussions on forums that talked about how the PSN's security was lacking. He said that the threads revealed that the network was using old versions of the Apache Web server software, which "was unpatched and had no firewall installed." He also testified that two to three months before the attack, the vulnerability was reported "in an open forum monitored by Sony employees," but the company took no action.

"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.

As of press time, US Sony reps had not responded to requests for comments on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, which the Federal Bureau of Investigation and Department of Homeland Security are assisting in.

[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):

"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."

The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.

Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.

He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."

Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.


May 5 2011

Thanks axi0m

I'll add it

Source
http://blog.us.playstation.com/2011/...y_theft_050511

Sony Offering Free ‘AllClear ID Plus’ Identity Theft Protection in the United States through Debix, Inc.

Excerpt


Last weekend, Sony Computer Entertainment announced that we will provide complimentary enrollment in an identity theft protection program. Here are the details of this program for PlayStation Network and Qriocity account holders in the United States only. We are working to make similar programs available in other countries/territories where applicable. Information will be posted on local websites/blogs when available.
Sony Computer Entertainment and Sony Network Entertainment International have made arrangements with Debix, Inc., one of the industry’s most reputable identity protection firms, to offer AllClear ID Plus at no cost to PlayStation Network and Qriocity account holders for 12 months from the time an account holder registers for the program.
Please note that we will start sending out activation emails for this program over the next few days, and you will have until June 18th to sign-up and redeem your code. You will need to sign up directly through AllClearID, not on Sony’s websites, and details, including step-by-step instructions for the program, will be emailed to United States PSN and Qriocity Account holders soon.
The details of the program include, but are not limited to:
Cyber monitoring and surveillance of the Internet to detect exposure of an AllClear ID Plus customer’s personal information, including monitoring of criminal web sites and data recovered by law enforcement. If his/her personal information is found, the customer will be alerted by phone and/or email and will be provided advice and support regarding protective steps to take. The customer will also receive monthly identity status reports. Debix works with an alliance of cyber-crime experts from the government, academia and industry to provide these services.
Priority access to licensed private investigators and identity restoration specialists. If an AllClear ID Plus customer receives an alert, or otherwise suspects that he/she may be the victim of identity theft, the customer can speak directly, on a priority basis, with an on-staff licensed private investigator, who will conduct a comprehensive inquiry. In the case of an identity theft, the customer can work with an identity restoration specialist to contact creditors and others, and take necessary steps to restore the customer’s identity.
A $1 million identity theft insurance policy per user to provide additional protection in the event that an AllClear ID Plus customer becomes a victim of identity theft. This insurance would provide financial relief of up to $1 million for covered identity restoration costs, legal defense expenses, and lost wages that occur within 12 months after the stolen identity event.
More information will be available on the enrollment page, a link which will be included in the email you will receive.
We continue to work around the clock to have some PlayStation Network services and Qriocity services restored, and will be providing you specific details shortly.
Thank you.

May 5 2011

Anonymous issues full statement: http://anonops.blogspot.com/

Excerpt

Last month, an unknown party managed to break into Sony's servers and acquired millions of customer records including credit card numbers. Insomuch as that this incident occurred in the midst of Anonymous' OpSony, by which participants engaged in several of our standard information war procedures against the corporation and its executives, Sony and other parties have come to blame Anonymous for the heist. Today, in a letter directed to members of Congress involved in an inquiry into the situation, Sony claimed to have discovered a file on its servers, presumably left by the thieves in question, entitled "Anonymous" and containing a fragment of our slogan, "We are Legion." In response, we would like to raise the following points:
1. Anonymous has never been known to have engaged in credit card theft.
2. Many of our corporate and governmental adversaries, on the other hand, have been known to have lied to the public about Anonymous and about their own activities. HBGary, for instance, was caught lying a number of times to the press, to the public, and to Anonymous itself (in this phone call, for instance, ( http://tinyurl.com/...) CEO Aaron Barr makes a number of untrue statements regarding the intent of his "research," claiming for instance that he never tried to sell the information to the FBI when e-mails acquired soon showed that he had been set to do just that; executive Karen Burke was also caught lying to Bloomberg about having not seen an incriminating e-mail that she had in fact replied to just a few days before). The U.S. Chamber of Commerce lied about not having seen the criminal proposal created by them for Team Themis; Palantir lied about not having any idea what their employees were up to; Berico publicly denounced a plan that they had actively engaged in creating; etc. There is no corporation in existence that will choose the truth when lies are more convenient.
3. To the contrary, Anonymous is an ironically transparent movement that allows reporters in to our operating channels to observe us at work and which has been extraordinarily candid with the press when commenting on our own activities, which is why reporters prefer to talk to us for truthful accounts of the situation rather than go to our degenerate enemies to be lied to.
4. Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response. On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track. The framing of others for crimes has been a common practice throughout history.
5. It should be remembered that several federal contractors such as HBGary and Palantir have been caught planning a variety of unethical and potentially criminal conspiracies by which to discredit the enemies of their clients. This is not a theory - this is a fact that has been reported at great length by dozens of journalists with major publications. Insomuch as that our enemies have either engaged in or planned to engage in false flag efforts, it should not be surprising that many of the journalists who have covered us, who know who we are and what motivates us - and who have alternatively seen the monstrous behavior of those large and "respectable" firms that are all too happy to throw aside common decency at the behest of such clients as Bank of America and the U.S. Chamber of Commerce - also have their suspicions that some capable party performed this operation as a means by which to do great damage to Anonymous in the public eye. Those who consider such a prospect to be somehow unlikely are advised to read about what was proposed by Team Themis in their efforts to destroy Wikileaks, and should otherwise take a few minutes to learn about COINTELPRO and other admitted practices by the U.S. intelligence community. The fact is that Anonymous has brought a great deal of discomfort to powerful entities such as Booz Allen Hamilton, Palantir, and much of the federal government; the Justice Department in particular is likely unhappy that our efforts revealed that it was they themselves who recommended the now-discredited "law firm" Hunton & Williams to Bank of America in order that the latter might better be able to fight back against Wikileaks. All of this is now public record, and anyone who finds it laughable that those or other entities may have again engaged in tactics that they are known to have engaged in in the past is not qualified to comment on the situation.
Anonymous will continue its work in support of transparency and individual liberty; our adversaries will continue their work in support of secrecy and control. The FBI will continue to investigate us for crimes of civil disobedience while continuing to ignore the crimes planned by major corporations with which they are in league.
We do not forget, even if others fail to remember.
We do not forgive, even if others forgive our enemies for those things for which we are attacked.
We are legion, and will remain so no matter how many of our participants are raided by armed agents of a broken system.
We are Anonymous.

May 5 2011
axi0m with the original post
Sony May be hit with A Third Attack this weekend

Source G4Tv via CNET

http://g4tv.com/thefeed/blog/post/71...-this-weekend/

Excerpt
Sony may be hit by yet another attack this weekend. According to CNET, hackers are planning to attack Sony's website in the next few days.
The attack is said to be a response to Sony's handling of the PSN security breach. The plan would be to publicize some or all of the data hackers were able to find on Sony's servers. This would potentially include the names, addresses and credit card numbers of upwards of 75 million PSN users.
A group of hackers were talking in an IRC channel when someone who either overheard or was a part of the conversation told CNET about the plan. These hackers claim to have access to Sony's servers.
This is, of course, not confirmed, especially since no one has taken credit for the attacks. In Sony's statement to the US House of Representatives they claimed to have discovered files hinting at Anonymous involvement, such as the words "We are legion." Anonymous has repeatedly denied their involvement and further condemned the theft of credit card numbers.
Sony did not get back to CNET about these reports.


Read more: http://www.g4tv.com/thefeed/blog/post/712436/sony-may-be-hit-by-a-third-attack-this-weekend/#ixzz1LXEpnTMf
 

GNG Iniquity

#bufftaquito #punchwalk #whiffycage
Oh, boy...c'mon Sony don't go bankrupt due to lawsuits until Twisted Metal comes out please. I'd like to play that!
 

Dark_Rob

Noob
Anonymous really did a number on them. Oh well, they did tell Sony they were coming and Sony sat on their asses and did nothing. Serves them right.
(I'm well aware Anonymous has said they didn't do it, but trust me, they did. They are the only ones who could have.)
 

lobo

woof.
"We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”."


um...

R

O

F

L
 

Dark_Rob

Noob
"We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”."


um...

R

O

F

L
LOL! Sony was crazy to not take them seriously. Now they are getting raped for their stupidity.
 

REYTHEGREAT

..........................
Anonymous really did a number on them. Oh well, they did tell Sony they were coming and Sony sat on their asses and did nothing. Serves them right.
(I'm well aware Anonymous has said they didn't do it, but trust me, they did. They are the only ones who could have.)
i think they did it also. but only the first time. you know when they "attack" a company they usually come out and say it, which they did. but now it's been out of hand. it's been almost a month and they are not fully recovered yet. i think they got hit the first time hardcore and then left alone but sony cannot get their stuff together.
 

Juggs

Lose without excuses
Lead Moderator
Premium Supporter
i think they did it also. but only the first time. you know when they "attack" a company they usually come out and say it, which they did. but now it's been out of hand. it's been almost a month and they are not fully recovered yet. i think they got hit the first time hardcore and then left alone but sony cannot get their stuff together.
REY, can you remove one the
 

Dark_Rob

Noob
REY, can you remove one the 's from your sig? Thanks.

lol I was about to write the same thing Juggs. Good looking. But let's give Rey some credit for inventiveness as both his sigs are actually within the site limits lol. But Rey, you can only have ONE sig. haha. Very clever though.
 

Dedemaru

Noob
Anonymous really did a number on them. Oh well, they did tell Sony they were coming and Sony sat on their asses and did nothing. Serves them right.
(I'm well aware Anonymous has said they didn't do it, but trust me, they did. They are the only ones who could have.)
Sony did NOT deserve to be hacked. They probably had so many things going on to worry about some hack threats from some group of douches who can't get laid. They shouldn't have to worry about that. Anonymous are just a bunch of children. They won't admit blame because this has become a BIG deal. To say that Sony deserved it is just stupid and makes me lose respect for you.
 

Dark_Rob

Noob
Sony did NOT deserve to be hacked. They probably had so many things going on to worry about some hack threats from some group of douches who can't get laid. They shouldn't have to worry about that. Anonymous are just a bunch of children. They won't admit blame because this has become a BIG deal. To say that Sony deserved it is just stupid and makes me lose respect for you.
Why don't you try reading before you respond. I didn't say anything about them deserving to be hacked. I said they were stupid for not taking Anonymous's threats seriously. Given Anonymous's track record for making good on their threats, Sony should have taken them at their word and at least tried to do something to shore up the security of their systems.
If you're warned days ahead of time that a hurricane is going to hit your area and you should evacuate and you decide to stay in your house, then it's your own fault if the hurricane comes and brings your house down on your head. Anonymous gave them ample warning, and they did nothing. Like I said, serves them right.
 

lobo

woof.
sony deserved it 100%

you are completely missing the big picture and forgetting the reasoning behind this. Sony was suing hotz for using a machine he paid for to do what it was advertised to do. they were also subpoenaing website servers for IP info of thousands of visitors to hotz' site. if you do not see the implications of a foreign corporation gaining access to US citizens' browsing history and the blatant 4th amendment violations that it entails...well then i pity you.

sony deserved this big time. they still deserve MORE. it is too bad you can't go on that 9 thousandth zombie run or lag people to death with sheeva stomp X1000, but do you really value online gaming more than protecting your civil rights?

sometimes a good cause is worth making a trivial sacrifice like a month of PSN. go play offline for a change. fuck sony. fuck them hard.
 

oZii

Noob
I don't know how much people know about Anonymous. I don't know if they did it the second time. It could be a part of them, who knows. I've been doing a lot of research on them the last few days. They seem to be pretty busy with other stuff. Like hacking the Iranian Government; now they are about to attack Neo-Nazi sites.

A little literature if anyone is interested.

An Anonymous video

Anonymous support blog of what they are planning and about them.

http://anonops.blogspot.com/

Their Current Operation

Neo-Nazis,

Your incomprehensible actions, and your reluctance to accept the Freedom and Equality that every single human being possesses by right from birth, cause the birth of hatred and worldwide Racism.

After the first World War, your ideology plunged the world into chaos. You took over a plague, known as anti-Semitism, and made sure that racism was drilled into our collective consciousness, in order for humanity to accept these crude ideas as given, mostly without ever questioning them.

Your misdirected politics and your hate filled crusade against humanity have not only blurred your perception, but also affected countries worldwide. You have robbed irretrievable evidence of history as well as valuable art objects and architectural structures which belong to mankind, or were part of the cultural heritage of humanity. You were anxious to cause trouble between continents, which involved a collapse of political dialogues. The result, the cold war, lasted for years and its voice still echoes today. The holocaust against the Jewish, the Sinti and the Roma, your so called "euthanasia" imposed on disabled people, all of them are considered the cruel climax of the Second World War, at a cost of 6.000.000 innocent people's lives. You have combined the ideals of industrialization with the abomination of mass murder, a circumstance that led to destruction of human life, on a scale never seen before.
All these are known facts, and yet you are still following and spreading such ideals, in order to enhance the symbolism of this despicable hate further. You are still causing injuries and killing people, people who have done nothing against you, and yet you do it partly out of disgust or simply for your own personal pleasure.

You intimidate people that go on the streets to protest for their ideals, and attack your political opponents, thus you deny them the right of free speech. Yet you hypocritically demand this exact same right of free speech for yourself, and throw the dirt in the form of agitations and "art around you". You attack journalists and the media in general, you attack members of the opposing parties and equally you attack refugees and immigrants, who live and work in your "home country". These people simply had to leave their native countries because of suppression and misery.

This behaviour can no longer be tolerated. You have convicted yourself to many crimes against humanity. With this hypocritical attitude and your drive to become a mirror of your inspirational criminals, you have brought the attention of the collective known as Anonymous upon yourself.

In this case, this attention implies the taking of crucial actions against your actions.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.

Expect Us.
Their message about PSN

http://anonops.blogspot.com/2011/04/we-didnt-do-it-sony-incompetent.html#comments
 

Dark_Rob

Noob
sony deserved it 100%

you are completely missing the big picture and forgetting the reasoning behind this. Sony was suing hotz for using a machine he paid for to do what it was advertised to do. they were also subpoenaing website servers for IP info of thousands of visitors to hotz' site. if you do not see the implications of a foreign corporation gaining access to US citizens' browsing history and the blatant 4th amendment violations that it entails...well then i pity you.

sony deserved this big time. they still deserve MORE. it is too bad you can't go on that 9 thousandth zombie run or lag people to death with sheeva stomp X1000, but do you really value online gaming more than protecting your civil rights?

sometimes a good cause is worth making a trivial sacrifice like a month of PSN. go play offline for a change. fuck sony. fuck them hard.
Quoted for the muthafukin truth! Also let's not forget that Geohotz never even SIGNED UP FOR PSN. He never signed Sony's terms of agreement and was therefore not contractually bound to Sony in any way whatsoever. It's no different than if PDP tried to sue me because I dual modded my stick to make it work on both systems.
 

oZii

Noob
If you check them out and their track record dating back all the way to 2008 they always, I mean ALWAYS, tell whoever it is they are going to attack that they are going to do. Not once have they ever said we didn't do it except this last attack against Sony.
 

Dark_Rob

Noob
If you check them out and their track record dating back all the way to 2008 they always, I mean ALWAYS, tell whoever it is they are going to attack that they are going to do. Not once have they ever said we didn't do it except this last attack against Sony.
Anonymous is a decentralized collective with many subsets. In other words, it's quite possible that Anonymous's left hand did not know what its right hand was doing. One way or the other, Anons are behind it. Even if it wasn't sanctioned by the collective as a whole.
 

oZii

Noob
Also an interesting tidbit for PSN users

As per the PSN EULA

Paragraph 1
We are not liable for any unauthorised use or sharing of your Sony Online Network account.

Paragraph 16
We exclude all liability for loss of data or unauthorised access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network.

If anyone is wondering XBL has none of that language in the EULA at all.
 

oZii

Noob
Anonymous is a decentralized collective with many subsets. In other words, it's quite possible that Anonymous's left hand did not know what its right hand was doing. One way or the other, Anons are behind it. Even if it wasn't sanctioned by the collective as a whole.
Yea that is what I am thinking. Just wanted to point out that it's possible that they didn't do it. I put that in my big post about anon that it might be a part of the group acting independently.
 

Dark_Rob

Noob
Also an interesting tidbit for PSN users

As per the PSN EULA

Paragraph 1
We are not liable for any unauthorised use or sharing of your Sony Online Network account.

Paragraph 16
We exclude all liability for loss of data or unauthorised access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network.

If anyone is wondering XBL has none of that language in the EULA at all.
lol. Shrewd Sony. Very shrewd.
shrewd (shrd)
adj. shrewd·er, shrewd·est
1. Characterized by keen awareness, sharp intelligence, and often a sense of the practical.
2. Disposed to artful and cunning practices; tricky.
3. Sharp; penetrating.