PlayStation Network: How it was breached

Sony execs follow the path of a hacker who changed the face of PlayStation

It is widely seen as the biggest data compromise of the digital age.

Since mid-April, Sony has been coming to terms with one irreversible fact: a lone hacker has tunnelled through the PlayStation Network’s security defences to access the sensitive details of over 77 million Sony customers.

How could this happen? Sony has been criticised for holding back information. Some say to save face, others suggest commercial pressures were in play, while many accuse Sony of company-wide incompetence.

On Sunday, Sony appeared to be making amends. At an emergency press conference, it offered to the world embarrassing details of its own failures.

The meeting, which lasted nearly two hours, saw Sony’s top executives detail how the network was compromised. This is their account.

SERVER LOOPHOLE

Sony chief information officer, Shinji Hasejima, presented an illustration of how the PlayStation Network operated.

There are three layers, he said. At the front, a web server. Behind this, a web applications server. Behind it all, a database server that contains the personal information.

“There are firewalls installed in between each server,” Hasejima said.

“Only the minimum necessary authorised information only is communicated between each one,” he said.

With a three-layer defence, Sony had been confident that its defences were enough to prevent an intrusion – or at least enough to alert the company to any hack.

But on Sunday, Sony revealed that the hack itself, and any data retrieval, went undetected.

“We have not had previous attack like this,” Hasejima said.

“The breach was detected as a ‘normal transaction’, so it was not detected by any firewall. A certain command was sent… it was a very skilful approach… and the manipulation [of our network] was able to be done externally. So we were not able to detect it from the outside”.

He described it as “a highly sophisticated attack by a highly skilled intruder”.
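The gap Hasejima describes, a request that every firewall rule treats as a normal transaction, can be shown with an added example (not Sony's code or configuration): constructed inter-tier records all pass a tier-and-port allow rule, while a response-size baseline flags the one outlier. The tier names, ports, record fields and threshold are assumptions made for illustration.

```python
from statistics import median

# Constructed sample records (not real PSN data):
# (src_tier, dst_tier, dst_port, client_id, response_bytes)
RECORDS = [
    ("app", "db", 5432, "c1", 2_100),
    ("app", "db", 5432, "c2", 1_800),
    ("app", "db", 5432, "c3", 2_400),
    ("app", "db", 5432, "c4", 1_950),
    ("app", "db", 5432, "c5", 2_250),
    ("app", "db", 5432, "c6", 48_000_000),  # bulk read over the allowed path
    ("web", "db", 5432, "c7", 1_000),       # skips the app tier entirely
]

# Assumed inter-tier policy: only web->app:8080 and app->db:5432 are allowed.
ALLOWED = {("web", "app", 8080), ("app", "db", 5432)}

def firewall_allows(rec):
    """Tier/port filter: sees who talks to whom, not what is returned."""
    src, dst, port, _, _ = rec
    return (src, dst, port) in ALLOWED

def volume_outliers(records, k=10.0):
    """Flag records whose response size exceeds median + k * MAD."""
    sizes = [r[4] for r in records]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1  # avoid a zero spread
    return [r for r in records if r[4] > med + k * mad]

def triage(records):
    """Split records by firewall verdict, then baseline the allowed ones."""
    passed = [r for r in records if firewall_allows(r)]
    blocked = [r for r in records if not firewall_allows(r)]
    return passed, blocked, volume_outliers(passed)

if __name__ == "__main__":
    passed, blocked, flagged = triage(RECORDS)
    print(f"firewall passed {len(passed)}, blocked {len(blocked)}")
    for rec in flagged:
        print("volume alert:", rec[3], rec[4], "bytes")
```

The firewall stops only the record that bypasses the application tier; the oversized response travels the permitted path and is caught only by the volume check.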

Of Sony’s three servers, it is believed the weak link was the web applications server.

“We suppose the attacker might have succeeded invading the system by utilising vulnerabilities on the web application server,” Hasejima said.

“The attacker made it inside this server with inappropriate methods, and then got access [authority] to the database server”.

This is, according to Sony, why it cannot rule out data theft.

Rik Ferguson, both a PlayStation user and computer security expert at Trend Micro, said the web applications server was tied to rich content that PSN offers.

“The web applications server will be used to deliver a range of content to users,” he told Develop.

“This would include updates [DLC], digital and rich media content.”

Due to the hack, the details of 77 million customers were exposed. User names, security questions, passwords and other personal data could have been taken. Passwords were hashed and credit card data was encrypted, Sony said.

ALL APOLOGIES

In what was an extraordinary admission, Hasejima said the shortcomings of its web applications server were already known.

“The vulnerability this time was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it,” he said.

“We are now trying to improve aspects of it”.

Shiro Kambe, the senior vice president at Sony, made the apology unambiguous.

“We thought we had taken enough management and control measures [to ensure the network was secure], but looking back, there might have been room for further enhancement.

“We have to admit we were not fully sufficient.”


this is crazy

posted by scott May 04, 2011 at 12:38 pm

Hi, I'm an everyday user of the PS3 and what has happened is unforgivable. All our details compromised and yet you still haven't come to a solution of fixing this problem. A lot of my friends have left PSN due to this matter. All people want is a straight answer and you're not giving it to us. Why not catch the criminal instead of making up excuses? Plus, more to the point, don't you think your server should have been unhackable before you got people joining? It's gonna cost the people money and a lot of heartache if we have our credit cards crypted. Please can you at least tell us a timeline this will be up, or I may have to consider also leaving, as I like my online gaming (PS3).

uhhhhhhhh

posted by bewere` May 04, 2011 at 12:55 pm

Why don't you guys scan the hacker's PS3 and find out where he lives?

big brother

posted by kevin May 04, 2011 at 12:58 pm

Yes, it's taking far too long to sort this out. If you have found out how he got it, then surely you should have fixed it by now!!!
so get your finger out mr chinky and get me back ONLINE !!!!


blasé attitude.

posted by Clema May 04, 2011 at 1:05 pm

The Sony attitude regarding knowing of the vulnerability of their servers but doubting its effectiveness is a real concern. If there was even a small chance there could be a problem then the servers should have been taken down and only brought back up when the correct security measures had been applied. I, for one, feel a little disgusted regarding this "Let's keep our fingers crossed" approach with people's delicate personal information.

I've cancelled my cards, boxed up my PS3 and am now enjoying my online gaming experience via Xbox Live.

Sony, pull your finger out!

..

posted by ps3 fan May 04, 2011 at 1:07 pm

You guys have to wait for them, they're doing what they can to fix this problem. Give 'em a week or so and maybe it will be back up. I think they shouldn't put it back because of you people talkin' shit about Sony. It's not just hurtin' us, it's hurtin' Sony the most. So give them time, go enjoy the spring.

PSN Network

posted by K. May 04, 2011 at 1:12 pm

I wonder how many people's details have been compromised? Surely a hacker downloading the personal information of millions of people would have taken hours to download hundreds of gigabytes/terabytes of data - I don't know about anyone else, but when downloading anything from PSN, it seems to take a while. If no-one realised a whole lot of information was being downloaded to one server then there is a serious problem. Surely this kind of activity would have been flagged whilst it was happening - and alerted some PSN Tech people???

Ah well, I guess we'll have to wait and see if anyone identifies that their personal information is being used illegally...

I feel bad for you

posted by Nick May 04, 2011 at 1:14 pm

There is no justification for blaming Sony for this. Some ***hole committed a serious crime. NO ONE should even consider a hack like this. To expect Sony to know how it was going to happen is unfair. I am a regular PSN user and I'm worried about my details and all but these people are human beings and you have to direct your anger towards the dickhead who did it not the company that's been providing you with free online gaming for years.


BYE SONY

posted by Rich May 04, 2011 at 1:14 pm

This is ridiculous. I remember when my PS3 broke after 1 year and Sony gave me such a hard time replacing it, telling me "It's your fault". I had to take it to a third party and have it repaired numerous times with second hand parts before they finally replaced it. Now we get hacked and Sony can't even give a straight forward answer? I don't feel safe giving Sony CC details or ANY of my details for that matter anymore. If this did happen AGAIN customers would be treated the same way AGAIN.

when will ps network be back online

posted by Andy Taylor May 04, 2011 at 1:22 pm

Why can't Sony give us a date when it will be back on? Or should I just buy an Xbox???

hurry up

posted by craigie May 04, 2011 at 2:13 pm

this has been a nightmare no online gaming for a fortnight cant wait till it back on hope it comes back better and they can stop all those hacking cunts.treyarch need 2 get there finger out and stop all those hacking pricks on black ops its fucking shocking they need a cheat 2 play the game.


hack

posted by liam steel May 04, 2011 at 2:45 pm

im allways smart wen it comes to givin out personal details so wen i set up my psn a few years back i gave fake name n adress n stuff.n i only ever buy maps with voutchers n not on my card.i did think at one point.dam i smoke too much but now i know the paranoid tactics paid off.so i ent fussed bout the hack its the longness thats gettin to me.i thought japs were quick n clever,oviously not


hack

posted by liam steel May 04, 2011 at 3:07 pm

I also heard they're puttin' the Americans back online first.. Yeh, I understand they're the biggest market with around 31 million PSN accounts compared to Britain's 3 million accounts.. but the hacker was based in America, Sony have said, so if you put them back online first surely the hacker can tamper with accounts without any of us Europeans even knowing. If this is true they clearly haven't thought about this..

Dumb

posted by Rich May 04, 2011 at 9:57 pm

I'm not really blaming Sony but they honestly should have caught on to it, someone downloading that much stuff should have come up flagged. Now I've been playing for years and I know people that have played for years and we're debating to sell our systems because of this inconvenience.. But we'll see

Sony

posted by Tom May 05, 2011 at 6:26 am

One day, one day Sony.


Sony

posted by Aaron May 05, 2011 at 11:38 pm

I'm willing to wait for PSN to come back online mainly because I know that they will be implementing further security measures...

As for jumping ship... I don't need to as I have owned both consoles for several years...

And for those who have... all I have to say is that I feel sorry for you...

As for the cnuts that did this... I hope that you burn in hell for what they have done... There is no excuse (and revenge following a lawsuit on a hacker is not FUCKING one of them!)

ha ha ha

posted by ark May 06, 2011 at 10:25 am

Sony, you're a joke. How can you let this happen? Over the years you have downgraded the PS3 with OS removal and new anti-copy software on PS3 Blu-ray, puts watermarks on. I have 2 PS3s but will be flogging them. You deserve everything you get, you have just shown how much you respect your loyal customers.

legion

posted by David Charles Haller May 09, 2011 at 2:46 am

And when Jesus asked my name, I replied: Legion, for we are many. Let this be a lesson to you all, once you let them in, not even the son of God can get them out.


Do I feel bad ?

posted by Emmanuel May 09, 2011 at 1:17 pm

@Nick: there are. It's up to Sony to properly protect their customers' data. Relying on the morality of criminals to not do this is just plain silly.

You have a lock to your door, haven't you? :)

RE:

posted by James Cochran May 11, 2011 at 3:01 pm

I think that this is absolutely hilarious, now bear in mind I respect Playstation and their works, I own a PS3, I own all of the exclusive titles, BUT it sits below my Xbox gathering dust because of this outage. The announcement of the hack made my day, and continues to brighten my day, because of the PS3 fanboys. Fanboys are the worst thing in gaming, " OH HAHA, PS3 HAZ BETR GRAPHIX I R BETTER THAN XBAWKS HAH, XBAWKS SUCKS! " That is what kills gaming, the fanboys, PS3 fanboys who have never played Halo, or Gears of War one time in their life, and knock it down because it's on Xbox, if PS3 games were switched with Xbox games, it would be exactly the same, because people always find a way to hate each other no matter what the reason is. To all the upset fanboys out there, 3 weeks... and counting.
