Feeds

Sony: 'PSN attacker exploited known vulnerability'

Preps network for service restart

SANS - Survey on application security programs

Sony is getting ready to return to service some PlayStation Network offerings, amid ongoing analysis to try and identify the source of the April attack on its San Diego data centre hosted in an AT&T network facility.

While maintaining that it has not yet seen any evidence that credit card data was compromised in the attack, Sony has said that where customers are charged a fee for reissuing credit cards, it will take responsibility for those charges. The company claimed in the press conference that credit card data was encrypted.

Executive deputy president Kazuo Hirai said that while 78 million accounts were compromised, the number of affected individuals is lower than that, since some people operate multiple PlayStation Network accounts. Of these, he said, Sony only held credit card information for around 10 million customers.

Sony’s Shinji Hasejima, Sony’s CIO, told Sony’s apologetic news conference that the attack was based on a “known vulnerability” in the non-specified Web application server platform used in the PSN. However, he declined to stipulate what platform/s were used or what vulnerability was exploited, on the basis that disclosure might expose other users to attack.

Hasejima conceded that Sony management had not been aware of the vulnerability that was exploited, and said it is in response to this that the company has established a new executive-level security position, that of chief information security officer, “to improve and enhance such aspects”.

Sony also said it has asked the FBI to investigate the attack.

The company’s new package of security measures will include relocating the data centre to a new facility that was already in build, and forcing password changes on PlayStation Network and Qriocity users. Password changes will need either to come from the same PS3 that the account was created on, or will have to be confirmed via e-mail.

Hirai said other protective measures will include additional firewalls, better confirmation management, and automated detection mechanisms designed to identify unusual network traffic.

To try and recover customer goodwill after the long shutdown of services, Sony announced a “welcome back” package that will include free access to premium services including movie and music downloads.

PlayStation Network and Qriocity services will be progressively restarted over the coming week. Users can track the progress of service restoration on the company’s US or European blogs. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.