Posts Tagged ‘security’

Sony Services Still Down

Tuesday, May 10th, 2011

As you may be aware, Sony has recently been the victim of a hacker or group of hackers. Details have continued to come out over the last few weeks, and Sony is continuing to update its security while trying to determine what has gone missing. The hacker(s) have gained access to quite a bit of information from users of the PlayStation Network and Qriocity. Many people have been upset by the breach, and understandably so. I’ve been patiently waiting to get back on the PlayStation Network so I can go about updating passwords and secret questions and such, hopefully avoiding any further trouble, especially concerning credit card information that may or may not have been compromised. While I, for one, am not upset at Sony, I would very much like to know the full extent of the damage, and ultimately would like to resume using the PlayStation Network.

On April 26, customers affected by the breach received a letter, the contents of which were echoed across Sony’s web sites, blogs, and social media networks. Here are the basics, according to the e-mail.

“We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account
information was compromised in connection with an illegal and
unauthorized intrusion into our network. In response to this
intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full
and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our
network infrastructure by rebuilding our system to provide you
with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill
as we do whatever it takes to resolve these issues as quickly and
efficiently as practicable.”

As of May 10, the services are still down. As anxious as Sony fans are to get their services back, I would hope that we all recognize the importance of the security upgrades. Sony intends to do right by its customers, as expressed in communications over the last few weeks, and including a letter from Sir Howard Stringer. Here is the letter:

“Dear Friends,

I know this has been a frustrating time for all of you.

Let me assure you that the resources of this company have been focused on investigating the entire nature and impact of the cyber-attack we’ve all experienced and on fixing it. We are absolutely dedicated to restoring full and safe service as soon as possible and rewarding you for your patience. We will settle for nothing less.

To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely. We are also moving ahead with plans to help protect our customers from identity theft around the world. A program for U.S. PlayStation Network and Qriocity customers that includes a $1 million identity theft insurance policy per user was launched earlier today and announcements for other regions will be coming soon.

As we have announced, we will be offering a “Welcome Back” package to our customers once our PlayStation Network and Qriocity services are up and running. This will include, among other benefits, a month of free PlayStation Plus membership for all PSN customers, as well as an extension of subscriptions for PlayStation Plus and Music Unlimited customers to make up for time lost.

As a company we — and I — apologize for the inconvenience and concern caused by this attack. Under the leadership of Kazuo Hirai, we have teams working around the clock and around the world to restore your access to those services as quickly, and as safely, as possible.

I know some believe we should have notified our customers earlier than we did. It’s a fair question. As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken.
As a result of what we discovered we notified you of the breach. Our investigation is ongoing, and we are upgrading our security so that if attacks like this happen again, our defenses will be even stronger.

In the last few months, Sony has faced a terrible earthquake and tsunami in Japan. But now we are facing a very man-made event – a criminal attack on us — and on you — and we are working with the FBI and other law enforcement agencies around the world to apprehend those responsible.
In the coming days, we will restore service to the networks and welcome you back to the fun. I wanted to personally reach out and let you know that we are committed to serving you to the very best of our ability, protecting your information better than ever, and getting you back to what you signed up for – all the games and great entertainment experiences that you expect from Sony.

With best regards,
Howard Stringer”

As posted on the PlayStation Blog.

I am not sure what a free month of PlayStation Plus will do for those of us not using the service, but it looks like Sony is really trying to make up for the inconveniences suffered by the fans. I think that the identity theft insurance is critical here, so much more so than the free month of PlayStation Plus or the account credits for Qriocity or other subscribers. I personally have identity theft insurance, but it couldn’t hurt to have Sony’s policy backing me up too. As the letter notes, there have been no reports of credit vandalism since the potential loss of secured information. It looks like most of the lost credit card numbers were attached to non-American accounts. Purchase history and such in the network could pose a problem, but Sony is addressing it.

Once service is reinstated, you should immediately change your password and update your security questions. It would probably be a good idea to remove any saved credit card info as well. If you have used similar user names or passwords on other sites associated with your e-mail address, you should change all of those too.

While there is a lot of panic going around, I am not so worried. The internet itself is full of this type of activity. Using the internet is an acceptance of the inherent risks. This includes sensitive data stored on Facebook. Once you put something on the web, there is a chance malicious users will try to take advantage. This doesn’t mean you shouldn’t use the internet at all. You run similar risks using an ATM machine or banking by phone. I don’t think this was as much a blunder on Sony’s part as simply being a large target. Amazon and Microsoft have had their own issues to contend with, largely due to their popularity. Sony is a pretty big target.

Sony will sort this mess out, and will do its best to encourage users to continue using the services. I am among those committed to returning to business as usual. As things develop I’ll post updates to this blog. You can read the various posts and press releases here.

What are your thoughts? Do you still trust Sony? Are you willing to resume using the services as they are reactivated? Let me know in the comments.

Facebook and Privacy Page

Sunday, June 6th, 2010

I was doing an article review on security and privacy for my class, and naturally Facebook was an easy subject. I found an article on Enterprise Security Today called “Facebook Launches Privacy Page to Appease Critics”, by Jennifer LeClaire. In it I found something that I hadn’t noticed before, the launch of the “Facebook and Privacy” page on Facebook. It looks like the first Wall entry is on May 27, so the page is definitely something new.

The Facebook and Privacy page states its mission as follows:

To provide you with the information you need to control your sharing on Facebook, and to gather input from the Facebook community about privacy.

Apparently this is intended to be a resource site for future privacy bungles issues. It looks like Facebook wants you to “Like” this page so you will be kept informed on privacy, both on Facebook and elsewhere.

As you can see in the screenshot, the tabs on the page cover Resources, Experts, Photo, and Video. The Experts page has links to a number of different privacy advocates and government regulators. The Resources page looks much nicer, like Facebook was more interested in the look and feel of this page. There are links to videos, help content, privacy settings, and more. It looks like a one-stop shop for Facebook privacy needs.

I think this was a good move by Facebook. It has taken quite a beating in the school of public opinion. It can certainly take the beating, to be sure, as even a loss of 10 million users would be as noticeable as a fly landing on your arm. However, as is often quoted in Spider-Man, “With great power comes great responsibility”. Sure, Facebook wouldn’t notice 10 million people leaving. That doesn’t mean it should abdicate its responsibilities to the public. This was a good step. Let’s put aside our cynical natures and hope that Facebook is indeed moving in the right direction.

Update: The original feed from Facebook can be found here.

Did Facebook Cross the Line?

Friday, April 23rd, 2010

Facebook news is all over the net today. It seems like Facebook has opened the door to a lot more of its users’ private data and a lot of people are upset about it. The rest are pretty much unaware of the problem.

Facebook made some announcements at its F8 conference that have a lot of people worried. Users are now opted in to third-party sites automatically. The more tech-savvy among us have gone in and updated our settings or opted-out, but how many people know how to do that?

Click on the above image to enlarge it. This is how your privacy settings should look regarding 3rd-party apps. Click here to go to your privacy settings. If you aren’t logged into Facebook you will have to log in to see the page. The image above can be found by clicking the button for “What your friends can share about you.” As it is, even if you lock down your data, your friends can inadvertently opt you back in. Un-check all the boxes to disable their ability to do so.

Click the image above to enlarge it. The next area you need to change is the Instant Personalization. You can use the link above or go directly to it by clicking here. There is a checkbox on the bottom that should be un-checked. When you uncheck it, Facebook offers the following insight:

“Allowing instant personalization will give you a richer experience as you browse the web. If you opt-out, you will have to manually activate these experiences. Please keep in mind that if you opt out, your friends may still share public Facebook information about you to personalize their experience on these partner sites unless you block the application.”

It then offers you a link to the FAQ telling you why you want to keep it. You can skip that page if you want and go here to see what data 3rd-party apps can see. If you are comfortable, fine. If not, you need to make sure you un-check the box from the above screenshot.

If you haven’t already done so, you should take this time to update your other Privacy Settings. You may be surprised when you see how much of your data is exposed.

Did Facebook cross the line? It looks like it, yes. This should have been an opt-in service. Google Buzz was blasted by bloggers and the television news for the appearance of a privacy breach. It really hadn’t done anything wrong and took steps to improve security settings anyway. Facebook has been largely ignored for its privacy violations. Let’s see if this makes it to the news media. Facebook lost a lot of tech-savvy customers. I wonder how many people remain. Probably most of them, but that is due in large part to the lack of awareness. If you know someone on Facebook who may not have updated their privacy settings, be sure to send them here or to any tech blog. There should be information on protecting yourself on most other sites right now.

Facebook is a useful website, and offers a great service. They really need to address their privacy issues though.