Sony's Spanking New PSN Security Marred by Password Exploit
Days after Sony relaunched its supposedly fixed PlayStation Network, reports have surfaced concerning a new trick hackers can use to change a user's account password without his or her permission. The apparent exploit represents another pothole in PSN's long road to recovery, which started last month when Sony pulled the plug in response to a previous hack attack.
May 18, 2011 12:11 PM PT
Hackers have reportedly hit the PlayStation Network again, sneaking in another attack just days after Sony brought its video game network back online following its weeks-long outage -- which itself resulted from an attack last month.
This time, hackers can apparently change users' passwords on the network using only their victims' account email address and their date of birth.
Sony asked users to reset passwords after the PSN network was first infiltrated. Personal information on up to 100 million customers had apparently been compromised.
Sony's situation has drawn attention from Congress; Congresswoman Mary Bono Mack wrote Sony on April 29 and again on Tuesday asking for an explanation.
The company is looking into the reports of this more recent attack, Sony Computer Entertainment America spokesperson Karen Fujimoto told TechNewsWorld. She did not respond further by press time.
Sidestepping Sony's Password Reset
Eurogamer claims to have seen video evidence of the latest exploit affecting Sony's PlayStation Network.
That exploit lets hackers use PSN members' dates of birth and PSN account email addresses to change their victims' passwords.
Gaming site Nyleveia claims Sony took down its system 15 minutes after responding to its queries. It offered to conduct a live demonstration of the attack to prove it's real, and it warned PSN users to change their PSN email address and not use that email address for anything else.
"Users who reset their passwords in the short time that Sony was asking them to use compromised data probably have zero security," Randy Abrams, director of technical education at ESET, told TechNewsWorld.
"Right now there is little evidence to suggest that Sony has learned much about security," Abrams continued. "Asking people to change their passwords and prove their identity by using the same information compromised in the first breach still leaves users vulnerable."
If news that the password reset process is flawed is true, this "might cause more damage to the brand than the previous hack," warned Pietro Macchiarella, a research analyst at Parks Associates.
Where oh Where Is My PSN Gone?
The PSN login page has apparently been taken down and put up again a number of times. However, it's not clear whether the PSN network itself is fully functional yet.
"When I visited [the Sony PlayStation website] a few minutes ago, it said some services on PlayStation.com may be unavailable due to phased restoration of the PlayStation Network," ESET's Abrams said.
When TechNewsWorld visited the website at 10:31 a.m. PST, it was up and had a ribbon at the bottom that took visitors clicking on it to the PlayStation knowledge Center.
There it was stated that the PlayStation Network is back online and users have to download and install a firmware update before they can sign into their account. Once that update is installed, they'll be prompted to change their password.
PSN services are gradually being restored to different regions of the United States, the knowledge base states. It provides this link to a coverage map so users can see if the network is up in their region.
Ducking the Lawmakers?
The PSN network breaches have drawn the interest of Congress.
Congresswoman Bono Mack, chairperson of the United States House Subcommittee on Commerce, Manufacturing and Trade, recently wrote a letter to Kazuo Hirai, chairman of Sony Computer Entertainment America, on this topic.
Bono Mack pointed out that Hirai had not answered all the questions she had posed in a previous letter on the issue sent to him April 29.
She set a deadline of May 25 for Hirai to respond.
Is Sony Too Big for its Breaches?
Whether or not Hirai will respond remains to be seen.
Congresswoman Bono Mack's office did not respond to questions about what further action Congress will take if Sony fails to meet the May 25 deadline.
Meanwhile, it's not quite clear just how many people were impacted. Some estimates set the figure at 25 million, but Congresswoman Bono Mack's letter gives two figures -- 77 million and more than 100 million.
Perhaps it doesn't matter; the fallout could be pretty serious no matter which figure is correct.
"We could be seeing the end of the Sony network and perhaps the end of the PlayStation Network until Sony fixes this problem," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
"It's very clear that Sony's ecosystem is not up to where it needs to be to secure their customers," Enderle added. "They needed to fix that yesterday."