So was the "credit card" table really encrypted?
Rumors are following thru various underground "credit card" trading forums, and on the new #psnhack twitter list that a large section of the PSN database containing complete personal details along with over 2.2million working credit card numbers with the much-needed CVV2 code are being offer up for sale to the highest-bidder, after the "hackers" tried to sell the DB back to Sony for a price, but they of course didn't answer!
The following information is from Kevin Stevens, Security Researcher in hostile times from his @killercube on Twitter:
Hackers offer to return DB containing 2.2million CC's to Sony for a price, they say NO!
Quote:
| Discussion about #psnhack and possible speculation about the hackers being from Europe Logs - efnet - #ps3dev - 2011-04-26 <Mathieulh>trixter, people I know had a shell on the psn servers <Mathieulh>did you know that sony didn't disable the function that sets the psn server under maintenance ? The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs #psnhack Sony was supposedly offered a chance to buy the DB back but didn't #psnhack @mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything @the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers @RiquezJP Well not properly securing your server breaks compliance as far as I know. @RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up. Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date No, I have not seen the DB so I can not verify that it is true |
his just a "Europe" slice of the pie, or did the still unnamed 'hackers' target that country because of what Sony did to the 'scene' in regard to how they were handling the graf_chokolo case!
Sony admits that PSN personal data was NOT encrypted!
Sony decided to release more details on their blog, which allows us to make the following comments regarding the now over ONE week breakdown of the PSN network!
Point #1: -- They admit that PSN "personal data" was NOT encrypted!
Quote:
| All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack. breached in a malicious attack. |
Point #2 -- Now we know why it is taking so long to restore the PSN network!
Quote:
| We are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. |
external intrusion" just simply someone walking in and looking like a techie-person, and copying the data removing the need to break any security?
Rumor: We are in for big update, DLC wise, Game patch wise, firmware!
Reports are coming in from many mainstream blogs that a new firmware update will be released in May 2011 and that it will FORCE you to re-verify your complete PSN account, and you MUST create a new PASSWORD, and you WILL have to UPDATE to this new secure PS3 firmware if you wish to enjoy in the FUTURE newly released games!
There is also rumors that all licensed game developers are being shipped new SDK's, and that they are being forced to re-compile all the DLC addon's, and all their game patchs, before Sony will even think of turning on the new PSN network!
We Told You So! --- Seems Everyone Knew But Sony!
Code:
[user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland [user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server [user2] its not old version, they just didnt update the banner [user12] I consider apache 2.2.15 old [user2] which server [user12] it also has known vulnerabilities [user12] auth.np.ac.playstation.net [user2] ya the displayed version u see via banner is not the real version [user12] unless they updated it in the last couple weeks [user12] I doubt that since its not trivial to change that [user12] its a bit more invasive than just setting it to Prod like they do on their other servers [user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card [user2] its just backported security patches [user11] i did remove all my info after downloading the games though [user12] that is just psn not the store [user12] they are running linux 2.6.9-2.6.24 on that box too [user12] that too is old [user2] lol @ buying on store [user11] yes, but their general attitude towards security just seems…ugh [user2] sony wont misuse the info i bet xD [user2] but just prevent using cfw’s of unknown ppl [user2] even better from ALL ppl [user2] make ur own lol [user12] so I doubt that they are spoofing the network stack on that box as well [user12] my guess is that it really is undermaintained “it works why change anything” [user2] could be [user12] sony really should update that stuff to something more current [user2] ya [user2] but imagine [user2] psn == 45 environments [user2] and for example [user2] every env has 50 subdomains [user2] to external machines [user2] its rly rly huge [user2] who wants to do this xD [user2] ppl r lazy [user2] wont change
Attached below is the full (nicknames-have-been-removed) IRC log from "Feb. 16th, 2011" that talks about how wide-open the PSN servers are!
Continue to hold onto that TOWEL, we are in for one HELL of a update! 
No comments:
Post a Comment