test content
What is the Arc Client?
Install Arc

you think Cryptic has problems?

SystemSystem Member, NoReporting Posts: 178,019 Arc User
edited May 2011 in Ten Forward
Hey everyone. Just thought I would pass some information that was delivered to me in an email from Sony.

Just when you thought Cryptic had problems, Sony is even worse. Let's view this of an example of what we don't want to happen to Cryptic. A learning example, if you will.

Below is an email from Sony, describing a internet hacker attack.
Customer Notification May 2, 2011


Dear Valued Sony Online Entertainment Customer:

Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.

Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained and we will be notifying each of those customers promptly.

There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.

We apologize for the inconvenience caused by the attack and as a result, we have:

1. Temporarily turned off all SOE game services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.


We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE™'s services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013

Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at (877) 382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.


We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at (866) 436-6698 should you have any additional questions.

Sincerely,
Sony Online Entertainment LLC

People have been trying to hack online games for years, how did this happen? And better yet, how can we prevent this from happening at Cryptic?
Post edited by Unknown User on

Comments

  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    To me it feels like Sony took a lot of care to protect their games from illegal tampering but forgot to do the same with their database.
    Assuming Cryptic/Atari is not that careless there shouldn't be a problem.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Well thats what yah get if you have something for free, Sony network was free for the users if i'm not mistaken!
    so its more that sony is at fault here, free almost = low security, good security cost and if something is free then i bet the cost has to be low ... anyways this smells like an "inside job" someone that got fired! or wants to be :p
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    People forget that Xbox got TRIBBLE a few years ago too. People seem to have a short memory :p
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Microsoft gets TRIBBLE a lot, guess what falls under that flag starts with a Big X and ends in a 0.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Summit wrote: »
    People forget that Xbox got TRIBBLE a few years ago too. People seem to have a short memory :p

    Uh, no.

    Bungie.net was TRIBBLE, and some people had their Live information entered into said website.

    Do people have their Live accounts stolen? Sure, but mostly due to social engineering and the general stupidity of the public. The security of Live itself has never been compromised.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    No system is 'unhackable'......remember that,if people are determined to get in....they will find a way.

    But lets not make it easy shall we.;)
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Noxsa wrote:
    Well thats what yah get if you have something for free, Sony network was free for the users if i'm not mistaken!
    so its more that sony is at fault here, free almost = low security, good security cost and if something is free then i bet the cost has to be low ... anyways this smells like an "inside job" someone that got fired! or wants to be :p

    Free does not have anything to do with security level. PSN connection is free, but the PSN is an extremely powerful revenue machine - their DLC sales rival Xbox Live (and remember aside from online play most XBL services are free to access), and it serves as the platform for some premium media services like Hulu.

    The issue emerging is that Sony appears to have not altered any security after the network was compromised a while back, and their security was already running under a scheme that had been broken.

    As for Microsoft getting TRIBBLE "all the time": Xbox live has never been compromised. Games for Windows Live has only been compromised in so far that its anti cheat measures have been occasionally bypassed. Windows Update has only beeh TRIBBLE in so far that copy protection has been occasionally bypassed (both of these are a client side hack), and the only time since that big denial of service in the 90's that a Microsoft service has actually been compromised by an external intrusion has been an idiot who kept using an unethical domain registrar to snipe hotmail.com in the 1 minute renewal window. The hack on Bungie was an interesting one because what information was made public strongly points to an inside helper which Microsoft and Bungie were deafeningly silent about.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    nevermind

    /10char
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Hey everyone. Just thought I would pass some information that was delivered to me in an email from Sony.

    Just when you thought Cryptic had problems, Sony is even worse. Let's view this of an example of what we don't want to happen to Cryptic. A learning example, if you will.

    Below is an email from Sony, describing a internet hacker attack.



    People have been trying to hack online games for years, how did this happen? And better yet, how can we prevent this from happening at Cryptic?

    WE can't prevent this happening to Cryptic. CRYPTIC can prevent this happening to Cryptic.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    sorry i was too busy placing all of my money into sony's new bank to read the thread.

    what i miss.......
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    I have the same email too OP.....damn SWG :rolleyes:

    Easily ending my sub once the servers are online again....was planning to leave SWG anyway :rolleyes:
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Funny thing I got the same email a few days ago relating to an old SWG account I hadnt used for over 5 years.
    Sony said that those 12700 people who they believe had their credit details stolen would be contacted again.
    The thing that really bothers me about this the original intrusion was weeks before the PSN shutdown they breached the system on the 16th from the reports and Sony didnt feel that there was any threat worth responding to. Then using the same techniques they assaulted the PSN database.
    All the info's there on the net the Congress investigation etc.
    Lets hope for Sonys sake as well as the 77million playstation users, of which I'm one, that the situation is resolved soon.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    At this point, unless Sony does something monumentally stupid like continue to use the same setup that's been breached three times now, it's pretty much over except for waiting for full service to be restored. Between Sony and banks notifying customers, free and even forced card reissues, there's no good reason for any of the stolen cards to still be valid. It's actually pretty impressive how few confirmed cases there were, too. Sony claims the number is 0, banks claim otherwise but still only a few thousand globally.

    Of course, if C-net is to be believed (or rather, if their source can be believed) the vulnerability is still there in other Sony networks and the same group is planning to take down additional services this weekend. If they do manage that, I'll count that as Sony doing something monumentally stupid.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Summit wrote: »
    People forget that Xbox got TRIBBLE a few years ago too. People seem to have a short memory :p

    Yeah and did they close there network down, or keeping it going?
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011

    So according to your link, "Expert says Sony knew of PSN security weakness". What a bunch of TRIBBLE. No wonder why nothing ever works in their games, because they never bother to fix anything. I wonder why they're still in business for online games.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    If they never bothered to fix anything, they never would've shut down the system entirely to move it to a new system.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    BoredZero wrote: »
    If they never bothered to fix anything, they never would've shut down the system entirely to move it to a new system.

    examine the statement you just made. Switching to something new isn't fixing it, it's just making something new and hoping you don't run into the same problems.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    The reason for switching to the newer servers was because these new servers were hardened against cybernetic attacks. If you had read the news, you'd have known that. Just like how you'd know that Sony's going to be offering one year of ID theft services free.

    http://www.digitaltrends.com/computing/sony-offers-u-s-psn-and-qrirocity-users-free-identity-theft-protection-for-one-year/

    EDIT: Link to story about moving servers: http://arstechnica.com/gaming/news/2011/04/sony-kept-some-psn-data-encrypted-and-is-physically-moving-hardware.ars
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    BoredZero wrote: »
    The reason for switching to the newer servers was because these new servers were hardened against cybernetic attacks. If you had read the news, you'd have known that. Just like how you'd know that Sony's going to be offering one year of ID theft services free.

    http://www.digitaltrends.com/computing/sony-offers-u-s-psn-and-qrirocity-users-free-identity-theft-protection-for-one-year/

    EDIT: Link to story about moving servers: http://arstechnica.com/gaming/news/2011/04/sony-kept-some-psn-data-encrypted-and-is-physically-moving-hardware.ars

    No, I'm fully aware of the facts here. But being that I know about programming and have experience beta testing, presenting something new to the equation doesn't solve the problem. Every time you change the equation, the problem has to be re-evaluated.

    I'm telling you that switching to new servers isn't going to do anything.

    Your statements are obvious assumptions and doesn't really point out asignificantignicant.

    I've been a subscriber of sony online games since the vbeginningning, I know the company very well. I have a long history of watching them patch stuff and switch to new servers after repeated requests to fix things.

    Stuff like this is the reason why I won't play any online games from Sony anymore.

    And what idiot would use their ID Theft services, if they can't even mange their customer information responsibly in the first place.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Of course they don't point out anything significant - the whole Sony issue's been discussed to death, and it doesn't matter what people try to do - determined hackers will manage regardless.

    Seriously.

    Not to mention this isn't the first time the Sony issue has been talked about on the forums.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    Uh, no.

    Bungie.net was TRIBBLE, and some people had their Live information entered into said website.

    Do people have their Live accounts stolen? Sure, but mostly due to social engineering and the general stupidity of the public. The security of Live itself has never been compromised.

    It was all over Recon Armor. I think in the end ultimately one person lost their account to someone wanting the profoundly ugly gear.

    You want to see a company that gets nailed a lot, try Comcast. They try so hard to hide it, but it's weekly with them.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    It was all over Recon Armor. I think in the end ultimately one person lost their account to someone wanting the profoundly ugly gear.

    You want to see a company that gets nailed a lot, try Comcast. They try so hard to hide it, but it's weekly with them.

    Hillarious. LOL :D
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited May 2011
    And what idiot would use their ID Theft services, if they can't even mange their customer information responsibly in the first place.

    It's not Sony's service, it's third party... though as of Friday Sony was not going to be providing ID theft insurance, only credit monitoring and protection. Anyone who actually loses money will not be reimbursed. Most of these services range from things you can do yourself to nothing at all unless you pony up extra for the insurance.


    Also, Sony's shiny new servers were breached already. Only thing there was some old archive of 2001 sweepstakes entries, a few thousand addresses that were probably in the 77 million from last month anyway, but the important thing is: this is Sony's "new" servers. Sony was warned last week that it's hardened servers were worthless, the vulnerability is in their old security scheme that was broken years ago and hasn't been supported by the developer in almost a decade, and which they planned to keep using.

    Now they're out a lot of money and will hopefully be going back to square one with a solution that would have saved them most of what they've paid to date. Their blog is talking like another week of downtime, but they've stepped up the offer: It's now 2 PS3 games and 2 PSP games of the user's choice, not Sony's (though Sony gets to shortlist the four games you can pick from).
Sign In or Register to comment.