
Slashdot: News for Nerds


Sony Targeted Yet Again; Thwarts Attackers This Time

Unknown Lamer posted more than 2 years ago | from the script-kiddies-gone-wild dept.

Security 68

alphadogg writes with an excerpt from a Network World article: "Sony suspended 93,000 user accounts on several of its gaming and entertainment networks after unauthorized login attempts on those accounts. The attempts occurred on the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment, and the company says that login information likely acquired from other sources was tested en masse on the networks. Only a 'small number' of the attempts were successful, and no credit card information was leaked. ... Sony Chief Information Security Officer Philip Reitinger said that 'less than one tenth of one percent' of the networks' users may have been affected."


68 comments

Don't read this... it is a curse... (-1)

Anonymous Coward | more than 2 years ago | (#37689018)

In 2008, a little boy named Erin was relaxing on the beach in the middle of the day. Whilst doing so, he spotted a small lizard beanie baby about 6 meters away, stood up, and then called out to it. After the lizard asked him what he wanted, Erin said in a confident manner, "I betcha can't lick my buttcheeks!" The lizard replied, "I bet I can!" and stuck out its tongue a few inches. Confident of the lizard's impending failure, Erin laughed. However, he discovered that his confidence was misplaced right as he heard the sound of the lizard's invisible tongue slapping his buttcheek!

Angry, Erin yelled, "I betcha can't lick my buttcrack!" The lizard replied the same way, and then once again stuck out its tongue a few inches. And, once again... Erin heard the sound of an invisible tongue slapping against something, but this time it violated his buttcrack. Furious, he screamed, "I betcha can't lick my butthole!" The lizard replied the same way, stuck out its tongue a few inches, and the exact same thing happened.

For Erin, that was the last straw. He was so furious that he ran up to the lizard beanie baby and tried to stomp on it. However, it somehow managed to crawl up his left pant leg and appeared to be crawling towards his bootyass! In his desperation, he attempted to stop it by blocking it with his hand. He quickly realized that that would not be effective when the lizard merely crawled under his hand. The lump in his pant leg continued onward towards his bootyass. After trying and failing to take off his pants, Erin gave up all hope and began screaming for help. Once the lizard reached Erin's precious bootyasscheekcrackhole, it began crawling on top of it in a square pattern, stopping and continuing every few seconds. Whenever the lizard moved, the sound of a snake was heard many times in a short amount of time. This inflicted tremendous amounts of tickle on Erin's bootyass!

Now that you have read this (even a single word of it), the lizard will crawl on your bootyasscheekcrackhole in a square pattern, inflicting extreme amounts of tickle upon it! To prevent this from happening, post this curse as a comment three times.

Re:Don't read this... it is a curse... (0)

maxwell demon (590494) | more than 2 years ago | (#37689440)

You hit the Anonymous Coward.
The Anonymous Coward turns to flee!
You see here a -1 cursed Slashdot post.
You pick up x - a -1 cursed Slashdot post.
What do you want to read? (slx*?)
You feel that you are wasting your time.

93 million accounts? (1)

vlm (69642) | more than 2 years ago | (#37689038)

"Sony suspended 93,000 user accounts

'less than one tenth of one percent' of the networks' users

Sony has over 93 million accounts?
As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.
The other 50 million or so accounts are ... ?

Re:93 million accounts? (1)

Anonymous Coward | more than 2 years ago | (#37689054)

Can't more than one person have an account on a single PS3?

Re:93 million accounts? (-1, Troll)

Trulyness (2483090) | more than 2 years ago | (#37689164)

Don't read this... it is a curse...

In 2004, a little boy named Jimmy was sleeping in his bed. He then woke up and walked in front of his laundry room and spotted a glass antique doll with blond hair on the laundry room window ledge. He glared at the doll and screamed, "Whore! Slut! The sandwich that never knew bread!" Jimmy immediately regretted his decision as the doll glared at him and jumped off the window ledge. Jimmy ran outside faster than he thought possible and shut the front door behind him, leaving the doll trapped in the living room.

However, once he ran off of his porch, his clothing vanished and he was sucked bootyass-first into the sky at the speed of light. Once he reached space, his bootyass naked bootyass crashed through the floor in his living room. His bootyass was sticking out of the floor in his living room whilst the rest of his body was trapped underneath his house. He couldn't even move a single cheek!

Then, his vision somehow transported into his living room, and he became a mere perspective. It was as if he was looking at himself through a security camera. He saw the doll slowly approach his bootyass, put its head on his bootyasscheekcrackhole, and then scream, "Your scourning parading, matched! No more truly will away!" Immediately afterwards, the doll let loose a high-pitched screech that sounded like the scream of a little girl. This act inflicted extreme amounts of tickle upon Jimmy's bootyass!

Now that you have read this, the very same doll will screech on your bootyasscheekcrackhole and inflict major tickle upon your bootyass! To prevent this from happening, post this curse as a comment three times.

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37689488)

One thing I find interesting when random numbers are presented in news is to ask myself if it seems likely that the number is correct. Not only if it is possible that it is correct but if it actually seems likely that it is.
To do this one can do as GP did and compare it to the number of PS3s sold.
So while it is possible for more than one person to have an account on a single PS3, and even likely that this is fairly common, do you think it is likely that the average is close to two accounts per PS3?
With 50 million units sold I would have expected the number of accounts closer to 60 million.
Perhaps there are some persons that have multiple accounts too but the number still seems a bit high.

Re:93 million accounts? (2)

Gription (1006467) | more than 2 years ago | (#37691400)

In Gran Turismo 5 there is a feature where the game gives you a "birthday gift car" that was produced in the year of your birth. Lots of people were making multiple fake accounts to try and get really rare and expensive cars. Once they got the car they would give it as a gift to their main account.
(PSN patched the game so people couldn't trade expensive cars any more so that glitch is gone.)

I could easily believe there are lots of fake accounts out there for similar reasons.

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37692284)

Yes, and unlike XBL I believe on PSN you can't change your account name. So if you're tired of one account name you have to make a new account.

Additionally, some content can only be purchased with 1 region account, so to buy JPN content you need a JPN account separate from your US or HK or UK account.

Re:93 million accounts? (1)

Mordermi (2432580) | more than 2 years ago | (#37689070)

Just to note: Some people may have multiple accounts. I know people with 2+ PSN accounts.

But it is also for two other divisions of their network, not just PSN.

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37689270)

Plus families share consoles. Two teens and a dad will each have their own PSN accounts.

Re:93 million accounts? (1)

Sockatume (732728) | more than 2 years ago | (#37689082)

During the hacking fiasco, the press was reporting that there were 100m PlayStation Network accounts, which covers both the PS3 and the PSP. That gives us a total of around 75m units. While many of the remaining 25m will be dummy accounts used to download items from the regional PSN stores (which was quite popular in the early days), I'm sure that the majority are simply friends, family members etc.

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37689094)

The summary does mention Sony Online Entertainment, which runs or ran several MMOs (Everquest, Star Wars Galaxies, I think there were others?) So that might be possible...

Re:93 million accounts? (1)

scdeimos (632778) | more than 2 years ago | (#37689104)

SOE does online PC games too, you know.

Re:93 million accounts? (1)

mitashki (1116893) | more than 2 years ago | (#37689122)

Sony has over 93 million accounts?

It is only 265510(oct) or 16B48(hex) accounts

Re:93 million accounts? (1)

Anonymous Coward | more than 2 years ago | (#37689324)

Sony has over 93 million accounts?

It is only 265510(oct) or 16B48(hex) accounts

You've tried to be clever, but fucked up by a considerable margin. Try again. Clue: 10^6 not 10^3.

Re:93 million accounts? (1)

msauve (701917) | more than 2 years ago | (#37689134)

"Sony has over 93 million accounts?"

Right on this page - Related Links - "77 Million Accounts Stolen From Playstation Network [slashdot.org] ." And, as the summary says, this is about more than that - "PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment."

So, yes, 93 million accounts is reasonable, based solely on information found on the same page you posted to.

Re:93 million accounts? (1)

maxwell demon (590494) | more than 2 years ago | (#37689602)

Ok, 77 million accounts were stolen, and now 93 million accounts are left. Therefore before the theft, there have been 170 million accounts. Right? :-)

Re:93 million accounts? (1)

diersing (679767) | more than 2 years ago | (#37689142)

From the Sony Online Entertainment and Sony Entertainment Network?

His blog post breaks them down as - (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000)

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37689152)

FTFA :

The attempts occurred on the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment

Re:93 million accounts? (1)

pnewhook (788591) | more than 2 years ago | (#37689216)

Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...

Re:93 million accounts? (1)

Hyppy (74366) | more than 2 years ago | (#37689782)

Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...

Which is, what, about 1.5% of cell phones?

Re:93 million accounts? (1)

pnewhook (788591) | more than 2 years ago | (#37690984)

Of all worldwide cellphones yes, but for smartphones they are #2 in the world, right behind Nokia (android), and ahead of Apple. Although why anyone wants to buy an Android and give their money to Microsoft is beyond me.

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37695432)

Of all worldwide cellphones yes, but for smartphones they are #2 in the world, right behind Nokia (android), and ahead of Apple.

Uh, Nokia have never made (and will probably never make) an Android phone.

You mean Nokia (Symbian). (The number of Maemo and Meego phones is tiny, and I say that as someone who has one of each).

Re:93 million accounts? (1)

pnewhook (788591) | more than 2 years ago | (#37700190)

Ok thanks. Nokia is the #1 smartphone maker in the world and Android is the #1 smartphone OS. I just assumed they were related. I actually don't know anyone with an Android phone myself.

Re:93 million accounts? (1)

Verunks (1000826) | more than 2 years ago | (#37689300)

Sony has over 93 million accounts? As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts. The other 50 million or so accounts are ... ?

I have 5 accounts myself, iirc 2 europeans, 1 american, 1 japanese, 1 hong kong, I bet others have more than one account too

Re:93 million accounts? (1)

xmousex (661995) | more than 2 years ago | (#37689514)

I have 8 accounts, and 0 PS3s.

Re:93 million accounts? (1)

Jeng (926980) | more than 2 years ago | (#37690010)

Current and past SOE customers for games such as Everquest and Star Wars Galaxies.

Re:93 million accounts? (1)

VGPowerlord (621254) | more than 2 years ago | (#37690606)

As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.

As far as I know, PSN accounts are not tied to consoles, so why would upgraders / replacers / fire insurance claims have anything to do with this?

Re:93 million accounts? (0)

Anonymous Coward | more than 2 years ago | (#37690880)

Sony has over 93 million accounts?
As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.
The other 50 million or so accounts are ... ?

The quoted article states not just PSN, but Sony Entertainment network and SOE (MMO PC gaming) networks also. Besides the fact that one PS3 owner can have many accounts for family members.

Re:93 million accounts? (1)

Sir_Sri (199544) | more than 2 years ago | (#37691122)

SOE (EQ, SWG, whatever that star wars adventure kids game is), the PSP, qirosity or however their marketing dipshit spelled it which is a mobile music service. Also, once you create an account it exists forever basically (I'm sure they *can* be deleted, but usually aren't).

The playstation network, and sony's network services in general are a whole lot bigger than just the PS3. There's a lot of overlap between PSP and PS3 owners probably, but the other services not necessarily. How many people played the Matrix Online, Clone wars adventures, vanguard and registered their PSP and Sony-Ericsson phone all using just one account? Most of those people don't overlap, so there's a lot of accounts (some of which will be so outdated as to be useless).

Families often have more (1)

Quila (201335) | more than 2 years ago | (#37693526)

One for each parent, one for each kid. That way the trophies and such stay separate.

"Sony Chief Information Security Officer" (0)

bakuun (976228) | more than 2 years ago | (#37689132)

Ouch. That's not a particularly nice title to have these times...

Probably a more appropriate title these days... (1)

Viol8 (599362) | more than 2 years ago | (#37689214)

.. would be Security Officer - Sony.

(For headscratchers - think TLA).

Re:"Sony Chief Information Security Officer" (1)

elrous0 (869638) | more than 2 years ago | (#37689356)

Could be worse. Google hired a former TV psychic as head of their Apps security.

And, no, I'm not joking.

Re:"Sony Chief Information Security Officer" (2)

Viol8 (599362) | more than 2 years ago | (#37689384)

Well at least he could foresee what hacks were coming and when!

Couldn't he...? Whaddyamean no?

Re:"Sony Chief Information Security Officer" (2)

asylumx (881307) | more than 2 years ago | (#37689682)

So then he's "SCISO" right? (Schizo... )

Re:"Sony Chief Information Security Officer" (0)

Anonymous Coward | more than 2 years ago | (#37690602)

Ouch. That's not a particularly nice title to have these times...

They didn't have one before the first attacks. They created that position recently.

Re:"Sony Chief Information Security Officer" (0)

Anonymous Coward | more than 2 years ago | (#37690992)

Ouch. That's not a particularly nice title to have these times...

Not sure why not. Part of the title even states "...Thwarts attackers this time" Seems they are learning from their mistake and they did their job. Being attacked isn't the problem, letting them get in and get information is. But that didn't happen. Personally they might wear the title proudly considering this.

Numbers, please! (1)

aglider (2435074) | more than 2 years ago | (#37689146)

'less than one tenth of one percent'

Which means ... how many accounts?
Are you contacting the compromised account owners for assistance?

Re:Numbers, please! (1)

maxwell demon (590494) | more than 2 years ago | (#37689246)

Which means ... how many accounts?

Given that they suspended 93000 accounts (see the first line of the summary), I'd expect that to be the number of compromised accounts.

Re:Numbers, please! (0)

Anonymous Coward | more than 2 years ago | (#37689410)

it tells you in the article. in fact, it tells you in the summary. you clearly know how to write, so i assume you know how to read as well?

Coincidence? (1)

maxwell demon (590494) | more than 2 years ago | (#37689174)

"login information likely acquired from other sources was tested en masse on the networks."
Acquired from other sources? Maybe from wine hq? [slashdot.org]

Decent Catch (0)

TheNinjaroach (878876) | more than 2 years ago | (#37689230)

Well, at least Sony made a decent catch. Perhaps for the first time in ten years.

Re:Decent Catch (0)

Anonymous Coward | more than 2 years ago | (#37690330)

I guess they're finally starting to learn to lock the flimsy screen door of their Fortress of Stupitude.

Re:Decent Catch (1)

wiedzmin (1269816) | more than 2 years ago | (#37692588)

Maybe. Except this wasn't really a hacking attempt... not even a brute-force password cracking attempt... more like an automated login script more or less. Wake me up when they catch an actual intrusion, through SQL injection or some perimeter vulnerability they may have. This here is a positive publicity stunt.

Didn't they say the same thing last time? (0)

elrous0 (869638) | more than 2 years ago | (#37689350)

IIRC, Sony denied anything had been compromised *last time* too. It was only days later that they admitted the scale of the attack and how successful it had been.

Re:Didn't they say the same thing last time? (4, Insightful)

Sockatume (732728) | more than 2 years ago | (#37689376)

No, last time they kept quiet about the scale, nature, and results of the attack, while this time they've announced the scale (90,000+ users), nature (user/password attempts), and results (some accounts are compromised) of the attack. It would appear that they have learned at least a little.

Re:Didn't they say the same thing last time? (0)

Anonymous Coward | more than 2 years ago | (#37690100)

LOL, rewriting history I see.. That's not how it happened... They reported they had been hacked pretty quickly after it occurred, but couldn't determine the scale of it until forensic analysis had occurred. This would have been true of anyone.. The only difference is that it was Sony, so it gave the Sony hating media a free card to criticise them over it.. It also gave Microsoft an opportunity to brainwash their fanboys with an alternative version of the truth.

"Sony Flips the Bird at Noggly Hax0rz" (1)

Gimbal (2474818) | more than 2 years ago | (#37689360)

...news at 4:11

"Now back to you, Bob"

All a ruse (0)

gearloos (816828) | more than 2 years ago | (#37689450)

Yeah, hacked, again... ok SONY. Yeah sure, I believe you. Oh and you bravely fought them off and stopped them in their tracks.. oh yeah, sure SONY. I believe you. So, to instill confidence back into the blubbering idiots that were/are SONY Security, they come up with this ruse, and use it to make you think they are actually competent.

Re:All a ruse (0)

Anonymous Coward | more than 2 years ago | (#37689998)

If you're going to come up with a conspiracy, at least give us some proof.

Or... (0)

poofmeisterp (650750) | more than 2 years ago | (#37689524)

...It could be another PR stunt to make it look like they have the best security and tracking team on the planet.

I'd like to hear from one of the 93,000 people whose accounts were suspended. I'd like to know that these are actual accounts with real people.

Re:Or... (1)

Anonymous Coward | more than 2 years ago | (#37689916)

I noticed that I couldn't log in to EQ2 last night, but there was a post in the forums [sony.com] about SOE taking things offline for maintenance at 8PM PST (normally they do it at 7am PST). Then, I got this email in the morning:

We are writing to let you know that we have detected an unauthorized attempt to verify the validity of your Sony Online Entertainment ("SOE") Station Account name and password. We believe there was an attempt to use a scripted application of a large set of sign-in IDs and passwords against our network database. This attempt appears to include a large amount of data obtained from one or more compromised ID and password lists obtained from other companies, sites or other sources.

To protect you, we have locked your XYZ Station Account. To reopen the account, please contact SOE customer service at 1 (858) 537-0898 to verify your identity. We will walk you through the password reset process then.

Please note that your credit card number is NOT at risk. As a precaution, please review your account for unusual activity and please contact us at 1 (858) 537-0898; we will work with any users with whom we confirm have had unauthorized purchases with account wallet funds, and restore those funds.

We want to take this opportunity to remind our consumers about the increasingly common threat of account theft, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We advise you to create a new password that is strong, consisting of a combination of numbers, letters and special characters or symbols.
Thank you,
Sony Online Entertainment

Re:Or... (1)

poofmeisterp (650750) | more than 2 years ago | (#37690078)

Too bad that was anonymous.

Re:Or... (1)

Sockatume (732728) | more than 2 years ago | (#37690610)

You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing. And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

Re:Or... (1)

poofmeisterp (650750) | more than 2 years ago | (#37690840)

You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing.

I didn't say that they ARE the best team. I said "PR stunt" which is targeted at the unknowing, not the most knowledgeable receiver.

And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

I also mentioned the possibility that these users don't exist. "PR STUNT" - italicized and capped. I don't know how to make what I said more clear.

If you're one of the users of a company that releases that kind of information, and you aren't one of the "affected" people, it increases your feeling of safety and security. Simple logic, simple stunt. While they're at it, they may as well have people out on the 'net putting forth information that maintains the feelings of gravity and reality toward this situation that supposedly occurred (again, making others feel they "[weren't] the ones affected"). In fact, there was an anonymous comment in reply to mine where an anonymous commenter posted the notification they got from Sony. If it weren't an anonymous commenter, it would bear some weight. Anonymous = could be as false as the earth being the center of the universe.

I'm not saying that this IS what happened; I'm saying that it's odd that they are so publicly releasing information about it when, in fact, companies try to keep it as quiet as possible. And I'll balance your counterargument in advance - they also didn't say "we are dedicated to making people aware of the situation, and are striving to be more open than [competitors]."

If you're going to really play the game, play it through at the beginning to avoid losing customers' positive feelings.

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#37692580)

Just so I'm clear, you think that Sony PR people are posting misinformation on Slashdot, a web site that hasn't been relevant for almost a decade now? I think you give this place way too much credit.

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#37695904)

You're one of those people who believe the Government COULD have blown up the World Trade Center in order to facilitate the invasion of Iraq in the interests of securing foreign Oil reserves, aren't you?

93,000 DoS'd accounts (2, Interesting)

sgt scrub (869860) | more than 2 years ago | (#37689674)

Sounds like the attack was successful to me.

Re:93,000 DoS'd accounts (1)

DigiShaman (671371) | more than 2 years ago | (#37690568)

Does SOE enforce password complexity requirements? If not, I'm guessing all these vulnerable accounts were using easy-to-guess passwords.

Re:93,000 DoS'd accounts (1)

sgt scrub (869860) | more than 2 years ago | (#37691704)

I don't know. I assume not. Enforcing complex passwords, IMHO, would be better than shutting down thousands of user accounts. Are people connecting to their Sony account and receiving the following message, "We are sorry. Your password sucked. Your account has been disabled. Please go fuck yourself. --Sony"?

Re:93,000 DoS'd accounts (1)

Rob Kaper (5960) | more than 2 years ago | (#37693204)

Assuming the compromised database had proper hashing with per-user salts, you are right. In any other case, the vulnerability here was the third-party storage and not the password strength. (On top of password re-use, of course).

Re:93,000 DoS'd accounts (1)

Solandri (704621) | more than 2 years ago | (#37693188)

If this is what I think it is, then the accounts DOSed themselves. Most people use the same username and password on different accounts. The spate of "hacked" gaming accounts I've read about recently were mostly due to people signing up for a gaming site or gold buying site. That site gets hacked or sells its username/password list to thieves, who then try the same usernames/passwords to login to various games.

If Sony detects this sort of login behavior (multiple failed login attempts to many different accounts coming from the same IP), the correct response is to lock the account with a message saying that their password has been compromised, and to request a password reset.

Re:93,000 DoS'd accounts (1)

sgt scrub (869860) | more than 2 years ago | (#37693368)

If Sony detects this sort of login behavior (multiple failed login attempts to many different accounts coming from the same IP), the correct response is to lock the account

This is essentially a vector for denial of service. Set up a brute force attack from a throw away ip address with one user:pass. Attack 2 then 3 then 4 then 5... accounts until you hit the sweet spot. Then whenever you wish to DoS Sony user accounts you hit Sony with a brute force attack above the known number of accounts. Or equally malicious, since you know the limit, you can truly use a brute force attack under the sweet spot to avoid detection.

Misleading Summary (2)

sangreal66 (740295) | more than 2 years ago | (#37690736)

The summary states that there were 93,000 login attempts and that a small number of the attempts were successful. This is false. There was an undisclosed number of attempts, and 93,000 accounts were successfully compromised. From Sony's own statement:

There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts.

Re:Misleading Summary (0)

Anonymous Coward | more than 2 years ago | (#37693124)

This actually makes more sense. 93,000 accounts of failed users that had password 12345 or something similar.

At least Sony seemed to have improved their security instead of simply re-enabling the entire network in its failed state.

Re:Misleading Summary (0)

Anonymous Coward | more than 2 years ago | (#37693838)

@anonymous coward: "This actually makes more sense. 93,000 accounts of failed users that had password 12345 or something similar"

"given that the data tested against our network consisted of sign-in ID-password pairs" link [playstation.com]

'Thwarted'? Try 'tripped over'. (1)

microcentillion (942039) | more than 2 years ago | (#37694194)

93,000 compromised accounts. If they can tell that an account was compromised vs. a legitimate use, that means there was something unique to these logins. For the sake of argument, let's just say it was a browser-agent. Let's also make some baseline assumptions:
- Let's say that the 93,000 accounts only make up 10% of the total scope of the attack. 930,000 accounts hit, or 1% of the account-base (according to Sony).
- Let's say that only 1 attempt was ever made per account (the most difficult scenario to detect).
- Let's assume that across all the accounts on these systems, 1% of the logins are fat-fingered, and 50% of the user-base logs in per day: 2% average user error.
* These assumptions are very biased in Sony's favor.

If suddenly 930,000 of your accounts (2% of daily logins) had a 90% login failure rate across the board, that would be a terrifying moment for a sysadmin.
If suddenly 930,000 of your accounts started seeing logins from a uniquely distinguishable user-agent, that's a blatant attack.
If, with a dedicated security team, it takes you 3 days to notice that this is going on, there is undeniable incompetence.

Thwarted? No. It was probably some lone sysadmin scanning through the logs that said 'hey, this user-agent sure is showing up a lot...'.
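
The detection discussed in the comments above (one source trying many different accounts, a login failure rate far above normal, a distinctive user-agent) can be run over authentication logs as sketched here. This is an added example, not part of any comment and not Sony's code; the log format, field names, thresholds and sample data are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   <timestamp> ip=<addr> ua="<user-agent>" user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" '
    r'user=(?P<user>\S+) result=(?P<result>OK|FAIL)$'
)


def build_sample_log():
    """Constructed sample data: one scripted source plus ordinary traffic."""
    lines = []
    # One source tries ten accounts once each; only one reused password works.
    for n in range(1, 11):
        result = "OK" if n == 7 else "FAIL"
        lines.append(
            f'2011-10-08T03:12:{n:02d}Z ip=203.0.113.7 '
            f'ua="scripted-client/1.0" user=acct{n:02d} result={result}'
        )
    # Ordinary users: a shared household IP, one typo, and the real owner
    # of acct03 logging in from their own address.
    lines += [
        '2011-10-08T03:13:01Z ip=198.51.100.20 ua="Mozilla/5.0" user=dana result=FAIL',
        '2011-10-08T03:13:09Z ip=198.51.100.20 ua="Mozilla/5.0" user=dana result=OK',
        '2011-10-08T03:14:30Z ip=198.51.100.20 ua="Mozilla/5.0" user=eli result=OK',
        '2011-10-08T03:15:02Z ip=198.51.100.21 ua="Mozilla/5.0" user=acct03 result=OK',
        'garbage line that does not match the format',
    ]
    return lines


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def flag_sources(events, key, min_accounts=5, min_fail_ratio=0.8):
    """Flag values of `key` ("ip" or "ua") that touch many distinct accounts
    with a high failure ratio. Both thresholds are assumed defaults and need
    tuning against the service's normal login traffic."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for e in events:
        s = stats[e[key]]
        s["accounts"].add(e["user"])
        s["attempts"] += 1
        s["failures"] += e["result"] == "FAIL"
    flagged = {}
    for source, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[source] = {"accounts": len(s["accounts"]), "fail_ratio": ratio}
    return flagged


def accounts_needing_reset(events, key, flagged):
    """Accounts whose credentials a flagged source verified successfully.
    Accounts that were only targeted and failed are left alone, so the
    response does not lock out every user an attacker merely names."""
    return sorted(
        {e["user"] for e in events if e[key] in flagged and e["result"] == "OK"}
    )


if __name__ == "__main__":
    events = parse(build_sample_log())
    for key in ("ip", "ua"):
        flagged = flag_sources(events, key)
        print(key, flagged, accounts_needing_reset(events, key, flagged))
```

Grouping by user-agent as well as by IP covers the case where attempts are spread over many addresses but share a client signature; the reset list contains only the accounts whose sign-in ID and password were verified by the flagged source.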