Feeds

Sony: 'PSN attacker exploited known vulnerability'

Preps network for service restart

Internet Security Threat Report 2014

Sony is getting ready to return to service some PlayStation Network offerings, amid ongoing analysis to try and identify the source of the April attack on its San Diego data centre hosted in an AT&T network facility.

While maintaining that it has not yet seen any evidence that credit card data was compromised in the attack, Sony has said that where customers are charged a fee for reissuing credit cards, it will take responsibility for those charges. The company claimed in the press conference that credit card data was encrypted.

Executive deputy president Kazuo Hirai said that while 78 million accounts were compromised, the number of affected individuals is lower than that, since some people operate multiple PlayStation Network accounts. Of these, he said, Sony only held credit card information for around 10 million customers.

Sony’s Shinji Hasejima, Sony’s CIO, told Sony’s apologetic news conference that the attack was based on a “known vulnerability” in the non-specified Web application server platform used in the PSN. However, he declined to stipulate what platform/s were used or what vulnerability was exploited, on the basis that disclosure might expose other users to attack.

Hasejima conceded that Sony management had not been aware of the vulnerability that was exploited, and said it is in response to this that the company has established a new executive-level security position, that of chief information security officer, “to improve and enhance such aspects”.

Sony also said it has asked the FBI to investigate the attack.

The company’s new package of security measures will include relocating the data centre to a new facility that was already in build, and forcing password changes on PlayStation Network and Qriocity users. Password changes will need either to come from the same PS3 that the account was created on, or will have to be confirmed via e-mail.

Hirai said other protective measures will include additional firewalls, better confirmation management, and automated detection mechanisms designed to identify unusual network traffic.

To try and recover customer goodwill after the long shutdown of services, Sony announced a “welcome back” package that will include free access to premium services including movie and music downloads.

PlayStation Network and Qriocity services will be progressively restarted over the coming week. Users can track the progress of service restoration on the company’s US or European blogs. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.