Situazione PlayStation Network post-conferenza di Tokyo
Console tribe news - Situazione PlayStation Network post-conferenza di Tokyo
di: Antonio "Difio" Di FinizioDefinito dalla stampa internazionale come PSN-Gate, ciò che è successo al PlayStation Network nell’ultimo periodo è stato forse il più tremendo fatto che il brand PlayStation ha dovuto attraversare dalla sua nascita ad oggi.
Riepilogando l’accaduto, per quello che sappiamo oltre una settimana fa il servizio online fornito con PlayStation 3 è stato bruscamente interrotto per una “intrusione esterna” conseguita dopo attacchi di hacker ai server che ospitano l’infrastruttura del PSN.
Dopo questo piccolo comunicato Sony per giorni non si è più espressa su quanto accaduto, dicendo esclusivamente agli utenti di rimanere pazienti senza però sapere per quanto tempo.
Nel frattempo gli hacker del gruppo Anonymous, responsabili di alcuni attacchi di tipo DDOS ai server del network a seguito delle azioni legali di Sony nei confronti di GeoHot, si sono dichiarati totalmente estranei a quanto accaduto rimandando la patata bollente in mano di uno o più hacker al momento ignoti.
Con il tempo la notizia si è diffusa a macchia d’olio sui giornali, telegiornali e siti internet e, con essi, sono iniziate a crescere le preoccupazioni dovute ad eventuali furti di identità o dati sensibili collegati ad ogni account del PlayStation Network.
Secondo alcune indiscrezioni nate sul web, i problemi potrebbero essere iniziati a seguito del rilascio di un particolare custom firmware per la console che avrebbe la caratteristica di trasformare una classica PlayStation 3 in una “debug”, ovvero quella fornita agli sviluppatori. Questo avrebbe forse garantito l’accesso ad alcune funzioni che hanno debilitato le difese del servizio riuscendo così a far breccia all’interno dei server. La cosa sembra essere stata confermata da un’azione di Sony, che ha praticamente mandato nuovi devkit, secondo Gamasutra, agli sviluppatori raccomandandosi di cambiarli prima che il PlayStation Network torni attivo. A detta del colosso giapponese, questi nuovi kit di sviluppo vantano dell’aggiunta di nuovi sistemi di sicurezza.
Nel frattempo, dopo alcuni giorni di silenzio, Sony ha confermato ufficialmente che gli hacker responsabili hanno prelevato un numero indefinito di informazioni dai server tra cui dati anagrafici e numeri di carte di credito. E’ stato comunque dichiarato dal colosso che i numeri di queste ultime risultavano criptati, ma nonostante questo ha consigliato di tenere sotto controllo i movimenti della carta per evitare qualunque tipo di problema.
Contemporaneamente alcuni utenti da tutto il mondo hanno cominciato a lamentare di piccoli pagamenti a carico della loro carta che avevano registrato nel PSN. Questo ha fatto pensare che fosse iniziato un circuito di vendite illegali di numeri di carta di credito a seguito di questa intrusione.
A questo punto sono cominciate a comparire come funghi class action e azioni legali contro Sony, supportate anche dal senatore americano Richard Blumenthal che si è fortemente lamentato del fatto che Sony non avesse comunicato ai suoi utenti con il dovuto anticipo la possibilità che la sicurezza dei loro dati personali fosse compromessa. Il senatore ha quindi mandato questa lettera a Tretton di SCEA.
“Dear Mr. Tretton:
I am writing regarding a recent data breach of Sony?s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.
It has been reported that on April 20, 2011, Sony?s PlayStation Network suffered an ?external intrusion? and was subsequently disabled. News reports estimate that 50 million to 75 million consumers ? many of them children ? access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
I am concerned that PlayStation Network users? personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.
PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.
Sincerely,
Richard Blumenthal
United States Senate”
Sony ha prontamente risposto che nemmeno loro inizialmente sapevano a quanto potessero ammontare i danni causati da questa intrusione, sapendo dire con certezza le cose solo dopo la conduzione di sistematiche investigazioni forensi.
Proprio a proposito di queste ultime, The Ponemon Institute ha dichiarato a Forbes che secondo le loro stime Sony avrebbe speso la bellezza di oltre 24 miliardi di dollari per condurre le investigazioni dovute (ogni account le sarebbe costato 318 dollari).
Tutte queste notizie, non certo positive, unite alla misteriosa diffusione di un presunto chatlog (che trovate qui sotto) degli hacker responsabili della trafuga di informazioni e dati, hanno fatto diminuire il valore delle azioni Sony. Questa settimana, infatti, si è registrato un crollo dell’8% del valore azionario.
[user1] xxx: I don’t think there are many people involved in circumventing PSN access in /this/ channel [ “application/x-i-5-ticket” reason=40 > PSN error 80710101 ]
[user2] talk about network stuff?
[user2] nice
[user2] i just finished decrypting 100% of all psn functions
[user3]
[user2] you can forget all the history wiper and log remove apps
[user2] theres a independant check
[user2] which transfers all games and their playtime
[user2] every time you login
[user2] you can modify it like the firmware version tho
[user2] it looks like:
[user2]
[user2] aswell they can detect backups this way
[user1] hash is eboot.bin to check for version?
[user2] if you use a backup it will look like this:
[user2] [user4] user2, is that in data sent to a0.[CC].np.communication.playstation.net
[user2] sec lemme check
[user4] im still collecting all the data
[user2] updptl.de.np.community.playstation.net/
[user2] thats the server
[user3] user2: what about Blu-ray Master Disc/BD Emulator ?
[user3] since, i use those features legitimately
[user2] on debug or retail?
[user2] i didnt check all on debug unit yet
[user2] so no clue if it sends discid for bdemu
[user2] but sony is the biggest spy ever lol
[user2] they collect so much data
[user1] true
[user2] all connected devices return values sent to sony server
[user2] example:
[user3] user2: Debug models of course
[user2] >32” TFT-TVOEMreleasecex
[user4] i cannot find my PS3 connect to host with ‘updptl’ in the name
[user2] returns tv, fw version, fw type, console model
[user2] also i found data it collects when i had usb device attached etc etc
[user2] so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
[user4] user2, at what time does it connect to that host?
[user4] during the PSN logon?
[user2] sec i check
[user5] user2 how can you modify that data?
[user6] user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now?
[user4] no DNS request for a host with ‘updptl’ in the name in my packet captures :-
[user2] @user5: it sents directly after user profile load and sometimes; – it seams random, just when u play a game or anything
[user4] ohh
[user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
[user5] oh so its not on the ps3 hdd itself?
[user6] user2: aha, so this information is actually encrypted?
[user2] ya
[user2] the list is stored online
[user2] and updated when u login psn and random
[user5] damn
[user6] but where is it stored before that? I have never been online with my ps3…
[user6] so it must be somewhere
[user5] was hoping it would be on the ps3 hdd
[user5] then lock it or so
[user1] the only avoidance is block all *.playstation.net
[user2] MAYBE – i rly dont know – it doesnt save it at all on hdd
[user2] so only transfers the games and stuff in one ps3 session when you go online
[user2] so if u have ps3 offline and play a game, then shutdown and turn on again
[user2] it MAY not transfer update
[user2] cuz i didnt find any info for that list on hdd
[user2] it could be that its used for online playtime or psn logged in playtime
[user2] aswell you should never ever install a CFW from someone unknown
[user2] cuz its way too easy todo scamming at this point
[user2] for example:
[user2] [redacted plain text code, includes false credit card number]
[user2] sent as plaintext
[user3] uh
[user3] did you censor that card?
[user2] ya its fake
[user3] good
[user1] wow, plaintext :S
[user5] plaintext wow
[user3] im never putting in my details like that
[user2] ya is all fake lol
[user2] i never used cc on ps3
[user2] normally you ATLEAST enccrypt the securtity code, even if its ssl
[user5] id hope sony would do such in a safe manner
[user5] psn cards probably plain text to then
[user2] fake certs are known since years as vuln so companies encrypt such data twice normally
[user2] but hey its sony –> its a feature
[user5] lol
[user7] lol
[user5] yeah if you go public with your info they either remove the store or psn all together
[user5] as an update
[user6] I doubt it
[user7] from all the actions they’ve taken the past years, we can only deduce that Sony don’t care about their customers
[user2] impossible
[user7]
[user2] they wont update their whole psn lol
[user6] but this should really get out there, but I guess it’s on psx-scene.com in a matter of minutes already
[user5] 3.60 removal of psn
[user2] i know a few guys who worked @ sony’s psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was “we thought it was adressed.” – lol
[user2] sony qa –> trainees
[user8] that fits nicely into the “#define rand() 4” mentality.
[user2] yep
[user3] or more of
[user3] ECDSA_PRIVATE_KEY privateKey;
[user2] lol
[user3] and PrivateKey is in a header file
[user3] and it’s static
[user2] xD
[user3] and ECDSA_RANDOM in a header file
[user3] and so on
[user2] another funny function i found is regarding psn downloads
[user2] its when a pkg game is requested from the store
[user2] in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
[user3] ..
[user2] is like
[user8]
[user3] my god
[user2] drm:off
[user5] lol
[user2] lol
[user1] :facepalm:
[user8] well, that’s one way to offload the server.
[user2] still wondering when the big ban wave arrives
[user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
[user10] ask ur friends
[user2] prolly they take it like it is now, unstoppable anyways
[user2] new firmware to ban all further actions and done
[user4] an open psn would be nice
[user4] even if it was just a player matching service
[user2] ya
a PSN host by the community
[user3] that actually could be perhaps possible
[user3] if you can get auth working
[user3] and all
[user3] a new np environment
[user2] the friend list management is easiest
[user2] simple jabber server
[user11] don’t some games use their own servers?
[user1] some use p2p
[user11] which check from the official psn servers whether you’re logged in and who you are
[user2] imagine the traffic load
[user2] whod pay this xD
[user11] yes, but even p2p games do use publisher or sony provided servers for matchmaking
[user3] NpCommerce2
[user12] I am getting behind everything on doing my security analysis
[user12] started a couple months ago monitoring SSL stuff, and theen got distracted with blackops and havent pursed it, seems a lot of people are starting to take interest in it now
[user2] and regarding matchmaking and lobby systems
[user2] the functions built in firmware and/or game
[user2] how would you answer them
[user2] the server side code we dont know of
[user12] some stuff appears to be in lv2 and not in sprx for network stuff
[user2] so we can not create proper answers
[user12] you can try to analyze the protocol and say “if X then Y” type responses the problems come up when you get something you haveent seen before
[user12] that was done with counterstrike for example so that people could cheat
[user12] so its not entirely impossible although it is time consuming
[user12] sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version – for x-i-5 tickets for example
[user11] wasn’t cs/hl server software available for anyone to download even back then?
[user6] anyone found a way to change DVD region on ps3 yet, btw?
[user11] for psn you can’t even get binaries for the server side
[user5] user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
[user12] but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
[user1] xxx: wasn’t syscall 0×363 0×19004 3rd byte usefull for that?
[user2] @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
[user12] xxxx: no but you can monitor traffic, even send some “bad” things and watch the responses… I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
[user2] i mean why would someone want to chat with a someone on ps3
[user2] while any1 anyway have msn/icq/aol
[user12] know this, sony in realtime, monitors all messages over psn
[user12] I verified that, its part of my privacy threats thing I am doing
[user5] ok too bad id like the psn messenger on pc
[user12] the realtime monitoring is a bit bothersome to me
[user6] user1: such information is quite useless to me, as I’m not that into the technical stuff was more hoping someone had an easy way to do it.. like a DVD region changer or something.
[user2] @user12: the realtime jabber monitoring as most likely for realtime censor of messages
[user12] they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but …
[user12] well they have osme odd things in there
[user11] yeah they have that dumb automatic word filter
[user4] the censor word-list is ridiculous
[user13] psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
[user12] a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd … why monitor that code?
[user11] which makes it much more difficult to have a sensible conversation in languages other than english
[user12] why change its state on sending it?
[user12] the censor words in home is on your system, it downloads a dict list of words
[user12] an empty file resolves that
[user2] tryin to find my jabber logs… >.< [user12] so it only censors on receipt not on transmission
[user12] dunno how the other stuff does it
[user12] mostly because I have yet to look
[user12] now you have me curious I am gonna go redo my network a little bit to start monitoring again
[user2] btw aswell a reason AGAINST pc to ps3 messenger is spam
[user2] cuz there actually is an easy way to get userlists
[user2] would fuck psn pretty hard if some skiddy releases a spam app
[user2] the highscore and matchmaking lobbies you can request per game id and get user mails for psn
[user13] ugh, yeah
[user2] huge list + spam app == sux
[user3] argghhhh
[user3] why do my trophies never sync to np
[user2] anyway sony just would have to open a port on the jabber server, so you could login with icq
[user5] lol
[user2] and we all know what happens if cool homebrew arrives, remember open remote play
[user2] sony just releases an official tool lol
[user12] thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future
[user2] psn is a core feature of ps3
[user12] making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away
[user2] they would be sued like with otheros
[user5] yeah but they also blocked open remote play
[user11] user12: that already went away, didn’t it
[user12] if you are not running current firmware you do not have a right to psn
[user11] user12: even for debug users
[user12] not really, not yet anyway
[user12] 3.56 did not break it but the next release might
[user12] especially because it stops people running backups and other stuff on psn
[user11] well i mean 3.41
[user2] ya would be all possible for them
[user12] not sure what, if anything, changed with 3.41
[user11] you used to be able to sign in on debug 3.41 until someone released that psn enabler hack
[user2] one way more difficult than the other so i think they first will go on with backup ban on psn
[user11] even though 3.42 and 3.50 had already been released
[user2] via playlists and stuff i meantioned before
[user2] a secure way to fix it would require firmware and server update tho
[user2] wondering what prevents em of this way
[user12] I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work
[user12] I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though
[user1] banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version
[user12] because my work is specialized and very limited in scopee
[user2] the psn has 45 environments all working independant
[user2] prolly that is the reason
[user2] we could just change to another environment
[user2] and they also need to have an eye to the official developers which use environments too
[user2] and the qa
[user2] which needs to work with older firmware sometimes
[user2] so they cant update all environments and block all
[user4] probably so much ITIL process management so they can’t fart without a work request
[user2] hehe
[user12] the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware
[user2] they can even without the xi
[user2] as the firmware version is in a lot more requests than the auth
[user4] version is sent to the getprof servers also
[user2] ppl change only the xi one atm
[user4] and ena.
[user2] but its in netstart, xi, game starts
[user12] I understand that part of it, I was just talking about x-i-5 auth stuff
[user2] many many functions send the real fw version
[user2] but only xi5 is checked
[user12] I realize that many functions send the fw version, anything that uses libhttp.sprx does
[user2] ya
[user12] remember I have been donig this for a couple months
[user12] even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server
[user4] what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
[user4] luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
[user12] openssl libs
[user12] not the app itself
[user12] and I do it for *ALL* ssl connections in realtime
[user12] so even if you use the webbrowser it will generate certs for that too
[user4] nice tool you made
[user12] it is similar in function to “sslsniff” but mine works with the ps3 and logs correctly
[user2] for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
[user2] user12 which certs u use?
[user2] only 05 i guess ?
[user2] CA i mean sorry
[user12] user2: I use them all
[user12] there is a place that the firmware version is in lv2 that is not a “string”
[user12] its ‘decimal’ “035500” not sure if its 32 or 64 bit in size though,
[user2] btw u know the login url for auth is like:
[user12] but that is not the ascii 3 its the decimal value
[user2] &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
[user12] I have complete logs for the auth stuff
[user2] did u already change the “first” param?
[user2] i wonder what it does
[user12] first=true is only there if you had not previously loggged into psn
[user2] ah ok
[user12] its missing if you were previously logged in but you need a new ticet
[user12] ticket
[user14] hi
[user14] please not connect
[user14] to external dns ip
[user14] with your ps3
[user14] your passwords and email and other data is revealed on the external side
[user12] which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
[user14] spam people can use this info
[user12] most likely if they are mapping that host
[user12] if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
[user12] so it depends on what hosts they are looking at
[user14] to start a spamming attack
[user2] hm didnt check that ticket stuff yet
[user2] as when i used a ticket
[user2] for a test POST
[user2] i worked with 1 only
[user2] and always worked
[user2] prolly many to identify the service
[user12] the ticket is sent to say a game, netflix, etc. anythibng that uses psn. That way you do not send credentials to anyone but sony
[user2] if its like u say then this is another vuln lol
[user2] cuz as i tested if always first ticket works
[user2] you could hijack a session
[user2] the ticket and session i used didnt timeout
[user2] and if it always creates a new ticket as u say
[user2] there would be many sessions
[user12] I also haave yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
[user2] for one user open
[user12] it may invalidate old ones on issuance of a new, I never looked
[user12] I just know that I saw it getting one at app launch
[user2] hm wierd with the tickets
[user2] i know the ticket is build outta few params
[user2] the serial
[user2] the userid
[user2] issueddare
[user2] service id
[user2] online id
[user2] many many
[user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
[user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
[user2] its not old version, they just didnt update the banner
[user12] I consider apache 2.2.15 old
[user2] which server
[user12] it also has known vulnerabilities
[user12] auth.np.ac.playstation.net
[user2] ya the displayed version u see via banner is not the real version
[user12] unless they updated it in the last couple weeks
[user12] I doubt that since its not trivial to change that
[user12] its a bit more invasive than just setting it to Prod like they do on their other servers
[user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
[user2] its just backported security patches
[user11] i did remove all my info after downloading the games though
[user12] that is just psn not the store
[user12] they are running linux 2.6.9-2.6.24 on that box too
[user12] that too is old
[user2] lol @ buying on store
[user11] yes, but their general attitude towards security just seems…ugh
[user2] sony wont misuse the info i bet xD
[user2] but just prevent using cfw’s of unknown ppl
[user2] even better from ALL ppl
[user2] make ur own lol
[user12] so I doubt that they are spoofing the network stack on that box as well
[user12] my guess is that it really is undermaintained “it works why change anything”
[user2] could be
[user12] sony really should update that stuff to something more current
[user2] ya
[user2] but imagine
[user2] psn == 45 environments
[user2] and for example
[user2] every env has 50 subdomains
[user2] to external machines
[user2] its rly rly huge
[user2] who wants to do this xD
[user2] ppl r lazy
[user2] wont change
Sony ha poi dichiarato che una volta che il PlayStation Network tornerà online, agli utenti sarà chiesto di cambiare necessariamente la password di accesso, giusto per evitare ulteriori furti di account. Nel contempo sono state lanciate delle FAQ su tutte le problematiche nate a seguito di questa situazione critica.
Sul PSN-Gate è stata aperta un’investigazione da parte dell’FBI e, più precisamente, dal Department of Homeland Security.
Nella giornata di ieri Sony ha poi annunciato che nella giornata avrebbe tenuto una conferenza presieduta da Kaz Hirai con la quale avrebbe fatto nuove comunicazioni.
I contenuti di questa conferenza stampa li potete trovare qui sotto. Come si può leggere Sony non sa ancora quando il PlayStation Network tornerà funzionante (si parla di un giorno non meglio specificato di questo mese), specialmente per quanto riguarda lo store. Tuttavia alcune funzionalità del servizio torneranno presto attive.
E’ stato poi previsto un risarcimento nei confronti degli utenti che consiste in un mese di PSN+ per tutti e un download gratuito al momento non definito (con molta probabilità un gioco).
Alcuni servizi PlayStation Network e servizi QRIOCITY disponibili da questa settimana
Graduale implementazione globale dei servizi con avvio territoriale; maggiore sicurezza del sistema per garantire una maggiore protezione dei dati personali.
Tokyo, 1 maggio 2011 ? Sony Computer Entertainment (SCE) e Sony Entertainment Network International (SNEI, l?azienda) ha annunciato che a breve inizierà un restauro graduale, per territorio, del PlayStation ® Network e dei servizi di Qriocity ?, cominciando da giochi, musica e video. La società ha anche annunciato una serie di misure immediate per migliorare la sicurezza in tutta la rete ed un nuovo programma di apprezzamento dei clienti per ringraziare i suoi clienti per la loro pazienza e fedelta?.
A seguito di un criminale cyber-attacco alla società di data center situato a San Diego, California, USA, SNEI ha rapidamente spento il PlayStation Network ed i servizi di Qriocity, ingaggiato la piu? esperta ditta di sicurezza delle informazioni, ed ha realizzato un?indagine approfondita del sistema.
Da allora, l?azienda ha implementato una serie di nuove misure di sicurezza per fornire una maggiore protezione dei dati personali. SNEI ed i suoi esperti di terze parti hanno condotto test approfonditi per verificare la forza della sicurezza del PlayStation Network e dei servizi di Qriocity. Con queste misure, SCE e SNEI hanno intenzione di intraprendere a breve un? implementazione graduale dei servizi per territorio. La fase iniziale del lancio includera?, ma non sara? limitata a, i seguenti:
- Restauro dell?online game-play attraverso PlayStation ® 3 (PS3) e PSP ® (PlayStation ® Portable)
- Titoli che richiedono la verifica on-line e giochi scaricati
- Accesso a Music Unlimited powered by Qriocity per PS3/PSP per gli abbonati attuali
- Accesso al conto di gestione e reimpostazione della password
- Accesso per scaricare film su PS3, PSP e MediaGo
- PlayStation Home
- Lista Amici
- Funzionalità di chat
Lavorando a stretto contatto con diverse società esterne di sicurezza, l?azienda ha implementato misure di sicurezza significative per individuare ulteriori attività non autorizzate e per fornire ai consumatori una maggiore protezione dei loro dati personali. La società sta inoltre creando la posizione di Chief Information Security Officer, a diretto rapporto di Shinji Hasejima, Chief Information Officer di Sony Corporation, aggiungendo una nuova posizione di competenza e di responsabilità per la protezione dei dati del cliente, e per completare l?attuale personale di sicurezza delle informazioni. Le nuove misure di sicurezza attuate includono, ma non sono limitate a, i seguenti:
- ? Aggiungere il controllo automatico del software e la gestione della configurazione per la difesa contro i nuovi attacchi
- migliorare il livello di protezione dei dati e crittografia
- Maggiore capacità di rilevare le intrusioni di software all?interno della rete, accesso non autorizzato e modelli di attività insolite
- Implementazione di firewall aggiuntivo
La società ha inoltre accelerato una mossa già prevista del sistema per un nuovo centro dati in una posizione diversa che è in costruzione e in sviluppo da diversi mesi. Inoltre, la PS3 avrà un forzato aggiornamento del software di sistema che richiedera? a tutti gli utenti registrati del PlayStation Network di cambiare le password del loro account prima di poter accedere al servizio. Come ulteriore livello di sicurezza, la password può essere modificata solo sulla stessa PS3 in cui è stato attivato l?account, o tramite e-mail di conferma convalidata, un passaggio fondamentale per contribuire a proteggere ulteriormente i dati dei clienti.
La società sta conducendo un?indagine approfondita e permanente con le forze dell?ordine per rintracciare e perseguire i responsabili dell?intrusione illegale.
?Questo atto criminale contro la nostra rete ha avuto un impatto significativo non solo per i nostri consumatori, ma anche sul nostro settore. Questi attacchi illegali, ovviamente, mettono in evidenza il diffuso problema della cyber-sicurezza. La sicurezza delle informazioni dei nostri consumatori ci sta molto a cuore e siamo impegnati ad aiutare i nostri consumatori per proteggere i loro dati personali. Inoltre, l?organizzazione ha lavorato giorno e notte per portare questi servizi di nuovo online, e stiamo facendo in modo di verificare un aumento dei livelli di sicurezza attraverso le nostre reti ?, ha dichiarato Kazuo Hirai, Executive Vice Presidente di Sony Corporation. ?Il nostro pubblico globale di PlayStation Network e dei consumatori Qriocity è stato interrotto. Abbiamo imparato lezioni lungo il percorso sul rapporto con i nostri consumatori, e a tal fine, ci sarà il lancio di un programma per l?apprezzamento dei clienti registrati, come modo di esprimere la nostra gratitudine per la loro fedeltà nel corso di questo periodo di inattività della rete, e lavoriamo per recuperare e riguadagnare la loro fiducia in noi e nei nostri servizi. ?
Offerta gratuita e Programma di Valutazione ?Welcome Back?
Anche se non vi è alcuna prova, in questo momento, che i dati delle carte di credito siano stati presi, l?azienda è impegnata ad aiutare i propri clienti per proteggere i loro dati personali e fornirà una offerta gratuita per assistere gli utenti ad iscriversi a servizi di furto di identità di protezione e / o programmi simili. La realizzazione sarà a livello locale e ulteriori dettagli saranno resi disponibili prossimamente in ogni territorio.
La società inoltre lancera? sul PlayStation Network e Qriocity il programma ?Welcome Back?, offerto in tutto il mondo, che sarà su misura per specifici mercati, per fornire ai nostri consumatori una selezione di opzioni di servizio e di contenuti premium come espressione di apprezzamento della società per la loro pazienza, il sostegno e la costante fedeltà: ?
- Ogni territorio avra? offerte selezionate di contenuti di intrattenimento Playstation disponibili come download gratuito. I dettagli specifici di questi contenuti saranno resi noti in ogni territorio al più presto.
- Tutti gli attuali clienti del PlayStation Network avranno 30 giorni di abbonamento gratuito al servizio PlayStation Premium Plus. Gli attuali membri del PlayStation Plus riceveranno 30 giorni di servizio gratuito.
- Music Unlimited powered per abbonati Qriocity (nei paesi dove il servizio è disponibile), riceveranno 30 giorni di servizio gratuito.
Ulteriori offerte di servizio ?Welcome Back? saranno implementate nelle prossime settimane, in quanto la società restituisce il PlayStation Network e servizi Qriocity agli utenti standard, cresciuti in qualita? e aspettative, cercando di potenziare ed incrementare il livello dei contenuti.
SNEI continuerà a rafforzare e verificare la sicurezza delle transazioni prima di riprendere il PlayStation ® Store e le altre operazioni di Qriocity in programma per questo mese.
Per ulteriori informazioni sulle intrusioni e sul riavvio del PlayStation Network e Qriocity, si prega di visitare http://blog.us.playstation.com o http://blog.eu.playstation.com/
A nome di tutti gli utenti e videogiocatori, ci auguriamo che la situazione si possa risolvere completamente nel più breve tempo possibile.