I didn’t want to blog about every single thing that was going on with PlayStation Network being hacked and the service being turned off. I’ve gone ahead and put a timeline together of all the events that happened as well. I’ve also wanted to talk about PCI standards and my opinions on how Sony handled the situation.
What is PCI? The PCI Security Standards Council is responsible for the development, management, education, and awareness of the PCI Security Standards, including Data Security Standards, Payment Application Data Security Standards and PIN Transaction Security requirements. Why is this important? Because Sony stores sensitive data and credit card information on its servers. Basically they audit your servers and provide a list of recommendations that you should implement to protect your servers. After a company is audited, it’s recommended that it implement the recommendations on its servers to become more secure, then rinse and repeat.
I’m curious to know when Sony’s last PCI audit happened, what recommendations came out of the audit, and what Sony fixed and didn’t fix.
To me, Sony handled this perfectly. They were hacked but didn’t know to what extent. They hired professionals to help, and then once they realized the extent of the damage they informed the public.
Back to the Timeline:
April 3, 2011 – A group called “Anonymous” launches cyber attacks against various Sony websites because Sony was suing George “GeoHot” Hotz and Graf_Chokolo, who hacked the PS3.
April 11, 2011 – Sony settles with Hotz
April 19, 2011 – Sony’s Network team detects unauthorized activity in the PlayStation Network system
April 20, 2011 – Sony discovers an unauthorized intrusion and that data had been taken off the PSN servers. Sony hires a forensic investigation team. They can’t determine what data was taken, and the PlayStation Network is taken offline.
April 21, 2011 – Sony hires a second forensic team
April 25, 2011 – Forensics team determines the scope of personal data that was illegally taken from all PSN and Qriocity servers. No indication if credit cards were taken.
April 26, 2011 – Sony finally informs the public of the hack and notifies authorities of the attack
April 28, 2011 – Hotz denies any involvement
April 29, 2011 – House of Representatives wants more information about the attack
April 30, 2011 – Kazuo Hirai speaks to the public for the first time about the attack and apologizes to its customers. Hirai states that PSN should be back up in a week and that network security has been beefed up.
- Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems - This includes titles requiring online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
- Friends List
- Chat Functionality
The new security measures implemented include, but are not limited to, the following:
- Added automated software monitoring and configuration management to help defend against new attacks
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
- Implementation of additional firewalls
Complimentary Offering and “Welcome Back” Appreciation Program
While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.
The company will also rollout the PlayStation Network and Qriocity “Welcome Back” program, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company’s appreciation for their patience, support and continued loyalty.
Central components of the “Welcome Back” program will include:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
Additional “Welcome Back” entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strive to exceed those expectations.
May 1, 2011 – Sony finds files that say “Anonymous,” “We are legion.” That’s the slogan for the hacktivist group.
May 2, 2011 – PlayStation blog update: “One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
May 4, 2011 – Sony sends letter to Congress answering questions.
May 5, 2011 – Sony’s global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new PSN system
May 6, 2011 – More testing
May 14, 2011 – PSN returns sort of? Video from Kazuo Hirai
PS3 software update announced – The update (v3.61) is mandatory and is available now
May 15, 2011 – Users updating passwords, servers can’t handle the load, suspended servers to catch up. Sony recently had to turn off services for approximately 30 minutes to clear the queue.
May 16, 2011 – PSN FAQ – Restoration Questions Answered. Details for PlayStation Network and Qriocity Customer Appreciation Program in North America
May 18, 2011 – Sony temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
May 24, 2011 – PSN down for maintenance
May 30, 2011 – Full PSN Services, including PlayStation Store, Return This Week
June 1, 2011 – Important PlayStation Network Maintenance. The server maintenance performed at this time represents a crucial step in the full restoration for PSN, including the PlayStation Store.
June 1, 2011 – PSN STORE BACK ONLINE!
June 3, 2011 – Welcome Back Program Available Now – Details Inside
Q: What’s in the Welcome Back Program?
A: To start, all PSN members who had signed up before the outage (April 20, 2011) will be able to select two games for the PS3 system and two games for the PSP system.
For PS3 owners, go to the ‘Welcome Back’ section in the PlayStation Store, and select 2 titles from the following list:
• Dead Nation
• Super Stardust HD
• Wipeout HD + Fury
For PSP owners, go to the ‘Welcome Back’ section of PlayStation Store on your PSP system and select 2 titles from the following list:
• LittleBigPlanet (PSP)
• ModNation Racers
• Pursuit Force
• Killzone Liberation
Massive PSN store update
June 4, 2011 – PlayStation Home Welcome Back Package Details
June 6, 2011 – PS3 System Software Update (v3.65)
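The May 2 entry above separates "hashed" from "encrypted" passwords. The following is an added example, not code from Sony or from the original post, showing why the kind of hash matters when auditing stored credentials: an unsalted fast hash gives identical digests for identical passwords, while a salted, slow hash does not. The statement quoted above does not say which hash function was used or whether it was salted; the function names, sample accounts and the PBKDF2 work factor are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def fast_hash(password: str) -> bytes:
    """Unsalted single-pass SHA-256: a cryptographic hash, but deterministic per password."""
    return hashlib.sha256(password.encode()).digest()

def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus slow PBKDF2; returns (salt, digest) to store."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Hashes are checked by recomputing; there is no key and no decrypt step."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def accounts_sharing_a_digest(table: dict[str, bytes]) -> list[list[str]]:
    """Audit check: groups of accounts whose stored digests are byte-identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; alice and carol chose the same password.
SAMPLE = {"alice": "correct horse", "bob": "tr0ub4dor", "carol": "correct horse"}

def build_tables():
    unsalted = {u: fast_hash(p) for u, p in SAMPLE.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted:", accounts_sharing_a_digest(unsalted))
    print("salted:  ", accounts_sharing_a_digest({u: d for u, (_, d) in salted.items()}))
    s, d = salted["bob"]
    print("verify ok / wrong:", verify("tr0ub4dor", s, d), verify("guess", s, d))
```

Running the same `accounts_sharing_a_digest` check against a real credential table is a quick way to confirm that per-user salts are actually in use.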
Originally appeared on tehflakes.ca