PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com

Go check out my new blog site and read more colorful commentary on Sony, passwords, and password recovery security. Please update your RSS feeds!!!

New entry posted in new blog tool. Eidos Hacked, Resumes and Emails compromised – Let’s Fix this with Separation! !.

Update your RSS feeds!

Read more at Just Stupid – Playdom’s $3 Million COPPA Violation – It could happen to you too.

Please update your RSS feeds and links to playnoevil.com.

I've posted a new article using my new blog tool: Get your Infant Seat Installation Inspection!

Please remember to update your RSS feeds to the new addresses. Visit playnoevil.com for details.

The article iPad Annoyance – Secure Home Router Connection Issues is at: http://playnoevil.com/2011/05/10/ipad-annoyance-secure-home-router-connection-issues/ .

Please go to playnoevil.com and change your RSS feed.

After years, I've decided to move from Serendipity to WordPress. My new home page is: playnoevil.com. There are new RSS feeds. RSS and RSS Comments.

Please stay with me. Hopefully, the ride will be smooth!

Sony reported another breach, this time at Sony Online Entertainment (SOE) of over 24 million accounts with 12700 confirmed credit cards lost (older ones from Europe, if that makes you feel better or worse).

The claim is that the attack took place between April 17th and 18th.

As I've noted, my suspicion is that the recent distributed denial of service attacks against Sony in the wake of the legal moves against the PS3 reverse engineer(er) resulted in a security audit which uncovered these attacks, it is almost certain (or at least my bet) that the attacks have been going on for quite some time and just didn't get detected (or, if detected, not noticed) until the recent events.

We shall see (or not).

A reader of this blog noted that SOE has a good number of children's accounts for Free Realms, which should add to the fun in this mix.

I think that Sony has successfully topped TJX for largest compromise of personal records, but I may be wrong. I'm pretty sure TJX "wins" on the number of credit cards lost as I'm sure Sony does not have payment cards for anywhere near all of its customers.

Don't worry, I'm SURE your data is safe with all of the other online game companies.

"Now SOE confirms data theft", http://www.mcvuk.com/news/44134/Now-SOE-suffers-data-theft

In case you've been living under a rock, your personal information is a target, and the folks who you are visiting online don't seem to care all that much (see Sony Playstation Network and Sony Online Entertainment... but don't think that they are alone. The only reason that this is coming out is because they were looking in the wake of the Anonymous Distributed Denial of Service attack is my guess... your other online services are probably comparably screwed).

What can you do? (and still enjoy all of the wonders of the Internet)

1. Protect your email password!

Everyone tells you to protect all of your passwords, but your email password is the way that people are really going to get you.

Forgotten password recovery systems are usually the easiest way to get you and ALMOST all of them use your email to send out the new password.

(Virtually) every site stores your email in the clear or the key is easily available.

And WAY TOO MANY sites are BOZOS and use your email address as your user name.

Just do a good job of protecting your email password and don't use it for any other sites.


2. Use pre-paid cards.

This is really going to hurt the computer games industry, but it is just flat out stupid to use a credit card with any online business that you have ANY doubts about.

Paypal is not a bad option, but giving ANYONE your credit card or debit card linked to your bank account is just begging for problems.

This is the credit card industry's own fault, by the way, a topic for another day.

At least in California, you can get your money back on some of these cards as stored value if you haven't spent everything. Yet another opportunity for Government to DO SOMETHING.

Don't post more funds to your account than you are willing to lose.

3. Protect your account password (and username, if you can)

It is still important to protect your password. If possible (and the IDIOTS don't use your email address as your user name) use a "good" username that no one knows and that you don't tell others.

IDEALLY, game operators should separate your "handle" (in-game/in-world name that people see) from your user name as well.

Beware fan sites, they are often targets for hackers and anything your share there is at real risk.

The bad guys are in it for the money. They can sell your accounts and loot for real money and no real legal risk.

Fun facts for the Sony Network Breach case as of today:

Sony: Credit card data was encrypted

Good News: Credit card data was encrypted.... I think this is required under PCI DSS, but I'd have to look at the standard again.

Bad News: Where is the key? After all, why store the data if you can't use it and to get to encrypted data, you need a key. This was not an attack on an encrypted hard drive being driven around, this is a live service which needs to do transaction (you know, like charge credit cards... which requires decrypting the data).

"PSN hack could cost Sony $24 billion"

Good News: As I noted earlier today, the actual cost may be much lower. If I was a betting man, I'd guess something like $100 Million, though we will never see that number. This figure is based on a study on the cost of a compromised record to a company. It may be higher or lower.

Bad News: So, let's run some math:

1. How many of those customers will not purchase anything further from Sony PSN? (remember, they are trying to sell you music, video, etc. - Hulu is apparently offering a week of compensation ... and they are probably hitting Sony with the bill.

2. What is the projected future value per customer?

3. How many people won't by a Playstation 3 or future PSN connected device, like their upcoming handheld?

Even if the number is around 5 percent of the current population, we are talking millions of consoles not sold, and more millions of games, etc. that will not be purchased through the platform.

PSN breach will impact wider digital games business

Good News: Probably Not. There are some allegations linking a minor phishing concern in Xbox Live to the PSN breach. Nonsense. The announcements are just coincidental. This is also not going to affect Steam, iTunes, app stores, or anybody else except PERHAPS (hopefully) inspire folks to take a closer look at their security so that they are not getting burned.

PSN data liability disagreement

Bad News: Sony may get nailed with some data disclosure fines in other countries (not the US).

Good News (for Sony anyways): These fines are pretty comically small. The maximum fine in the UK is apparently 500,000 pounds (around $830,000 US). Woop-Dee-Doo The PSN service apparently makes more than this each week in profit according to some estimates.

Playstation Network Hack Shows That Games And Their Problems Are Mainstream

Awesome News: My blog article yesterday got picked up by Kotaku.

Interesting News: A lot of people are conflating the breakdown in Sony's security for the PS3 itself with this breach. I am guessing that this is not the case. I suspect that this was an old-fashioned network penetration of an under-maintained, under-secured network and server infrastructure. If I was a betting man (IIWABM)?, I would GUESS that the recent "Anonymous" Distributed Denial of Service attack against the PSN triggered a security review that stumbled onto this breach.

First of all, let's get it clear, any network attack that causes ANY business to shut down for a week or more is very intentional, sophisticated, and severe.

The guys who did this were doing it for money. It was a grand identity theft / credit card theft scheme with some fun IP theft thrown in.

77 Million-ish customer records with nice extra information (Birthdays should be SWEET for helping bootstrap an identity theft effort!). If there is a "Secret Question" with your Mother's Maiden name or some such for password recovery, the information is almost certainly stored in clear next given the poor state of other security features (old authentication server and web server software and perhaps even cleartext password storage according to Eurogamer with information from hacker IRC discussions several months ago!)

AWESOME.

Get ready for some phun phishing attacks and other scams!

Given the pathetic state of US privacy laws, Sony is likely to only face fines of $0.10 per person or something like $3 Million if the TJX case a couple of years ago (if I remember correctly) is the model (see my article)... given the 30 Million odd US citizens whose data has been lost. If you are keeping score, the initial estimates were over $1 Billion in fines against, so watch the estimates.

Boy, I'd like to see some REAL identity protection - How about $100 per personal record compromised? That would get companies to spend some money on security and not store every bit of data that they can hoover up.

There are also allegations that the hackers were able to get into proprietary portion of the PlayStation Network and access games that they hadn't purchased.... something Sony is going to be having some interesting discussions about with its publisher and developer partners (not to mention the lost sales from the outage for DLC and digitally distributed games).

The lawsuits were inevitable. A class action suit has been filed against Sony over the network data breach, according to Information Week.

Very awkward (for Sony, that is). The challenge will likely be to show that Sony has not shown sufficient due diligence in its protection practices at the site. Any lack of documentation, evasion, or what have you is not going to help (ask PG&E here in California). It is guaranteed to be a PR nightmare, if nothing else.

As to the threat of credit card loss, the only saving grace may be the actual number of people who've provided a credit card to Sony (a number that Sony has been very reluctant to disclose).

The cost for responding to the California (and other US state) Data Disclosure laws is likely to be around $1 per person for the notification + the added bonus of paying for a year of credit monitoring (I'm not sure which data breach I got this compensation for)... say $10 per person, maybe less if you get a group discount.

So, we're looking at tens of millions of dollars just to get rolling and perhaps over $100 ($300?) Million to deal with the data disclosures in the US alone.

Europe and Asia have real privacy laws, so there may be more fun elsewhere.

Business losses? who knows... it may be a while before they are taking credit cards.

... and I sure hope they're preserving data as the FBI and others may be more than a bit interested.

As everyone else is warning... it you have a PSN account, make sure you don't use the same password elsewhere, change your secret question answers elsewhere, and watch your credit cards and emails for a fair length of time.

So, is anyone ready to start a pool on how much Sony is going to settle for per person (in the US and globally)?

Sony Sued Over PlayStation Network Hack, http://www.informationweek.com/news/security/attacks/229402362

"PSN: The Security Scandal", http://www.eurogamer.net/articles/digitalfoundry-psn-security-scandal

"Fraud body calms PSN identity theft fear"