Sony Takes Down PlayStation Network Password Reset Following Reported Hack
6:39 PM EST Thu. May. 19, 2011
The vulnerability, first reported by U.K.-based gaming news blog Nyleveia.com, lies in the way the password reset form is implemented: the form fails to properly verify reset tokens. An attacker can therefore exploit it knowing only a user's date of birth and e-mail address, and use it to gain access to that user's PlayStation Network account.
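The report says only that the reset form "fails to properly verify tokens"; the exact mechanics of Sony's page were never published. The following is an added illustration (not Sony's or Nyleveia's code) of that class of bug in a generic reset handler: a flawed handler that carries a token in the URL but never checks its value, so e-mail plus date of birth suffice, next to a hardened handler that issues an unguessable, hashed, expiring, single-use token bound to the account and compares it in constant time. The account, the function names, the token lifetime and the in-memory stores are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account, not real data. The attacker is assumed to
# already know the e-mail address and date of birth, which is exactly the
# kind of information exposed by the April PSN breach.
USERS = {
    "alice@example.invalid": {"dob": "1990-04-12", "password_hash": None},
}

# Pending reset tokens keyed by e-mail. Only a hash of the token is stored,
# so a leaked copy of this table does not hand out usable reset links.
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def _hash_password(password):
    # Illustrative only; a real system would use a slow KDF (argon2/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Server side: mint an unguessable token and record its hash and expiry.
    The raw token would go into the reset URL sent to the account's e-mail."""
    if email not in USERS:
        raise KeyError("unknown account")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[email] = {
        "token_hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def vulnerable_reset(email, dob, token, new_password):
    """Flawed pattern: the URL carries a token parameter, but the handler only
    checks that it is present and never compares it to what was issued. The
    knowledge proof collapses to e-mail + date of birth."""
    user = USERS.get(email)
    if user is None or user["dob"] != dob:
        return False
    if not token:  # presence check only; any value passes
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


def hardened_reset(email, dob, token, new_password, now=None):
    """Hardened pattern: the token must match the pending record for this
    account, must not be expired, and is consumed on first use."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = PENDING_RESETS.get(email)
    if user is None or pending is None:
        return False
    if now > pending["expires"]:
        PENDING_RESETS.pop(email, None)
        return False
    # Constant-time comparison of the hashed token against the stored hash.
    if not hmac.compare_digest(pending["token_hash"], _hash_token(token)):
        return False
    # Date of birth is public-ish data, so it is at most a weak extra check.
    if user["dob"] != dob:
        return False
    PENDING_RESETS.pop(email)  # single use
    user["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    email, dob = "alice@example.invalid", "1990-04-12"
    print("vulnerable, no valid token:", vulnerable_reset(email, dob, "x", "pw"))
    print("hardened, no valid token:  ", hardened_reset(email, dob, "x", "pw"))
    tok = issue_reset_token(email)
    print("hardened, real token:      ", hardened_reset(email, dob, tok, "pw"))
    print("hardened, token reused:    ", hardened_reset(email, dob, tok, "pw"))
```

The point of the hardened version is that the only secret in the flow is the random token, which was delivered to the mailbox on file; date of birth and e-mail address are treated as identifiers, not as proof of ownership. A production handler would also rate-limit attempts per account and log failed token comparisons.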
"I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation Network, your account still remains unsafe," according to Nyleveia.
Sony issued a statement following the news of the latest hack, alerting users that PlayStation Network login and password reset pages were offline, but denying that an external hack was involved.
"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed," according to a Sony blog post. "Consumers who haven't reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the Web site as soon as we bring that site back up."
Researchers at Nyleveia reported that they "provided a detailed description" of the exploit to Sony as soon as it was detected, after which Sony immediately took down the login and password reset sites.
Sony took down the PlayStation Network login and password reset sites just four days after the company fully restored services following a massive external hack in April that compromised 77 million PlayStation Network and Qriocity user accounts. The hacked Sony database included a great deal of personally identifying user information, including dates of birth, e-mail and home addresses, and login credentials. Sony executives said it was unlikely, but did not rule out the possibility, that users' credit card data was also exposed.
Nyleveia researchers said that "it's safe to assume that someone, somewhere, has access to a large number of users' details," according to the blog post. "This alone should be reason enough to change your e-mail."
Nyleveia recommended that users create a completely new e-mail account not used anywhere else, and switch their PSN account to the new e-mail address in order to avoid becoming the target of a future malicious attack.
"You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account's e-mail is one that cannot be affiliated with or otherwise traced to you."
Meanwhile, Sony's prior breach and possibly its latest gaffe, have called into question the security posture of the electronics giant, and the safety of users' data stored remotely in private clouds.
Cloud Security Not To Blame, Partner Says
However, at least one channel partner said that the recent hacks against Sony's databases underscore the growing prevalence of targeted attacks, in which hackers set their sights on one organization and then find the weaknesses in its security posture to obtain financial or other confidential information.
"When it comes down to a targeted attack, there's always a way in. There's no 100 percent secure best practice," said Koji Mori, director of network services for Torrance, Calif.-based CalSoft Systems. "They're going to find a hole."
Mori said that, as with most targeted attacks, the weak link is typically the end users who fall victim to some kind of social engineering scheme. As such, an organization's security posture would likely have to include an education component about social engineering.
"Security has really extended beyond the world of technology. The vulnerability is the actual employee or team member rather than the lock on the door," he said, adding that the accelerated adoption of cloud technology would naturally elicit an outpouring of concern regarding its security.
"But it's not an issue of cloud versus any security asset that you need to protect. Anything valuable is going to be a target. In a targeted attack, the only way to protect those assets is to make sure your whole organization is working toward a culture of understanding what risk is, and putting natural protections in place."