Sony Fixes Another Security Vulnerability on Web Site
Barry Levine, newsfactor.com
The security hole enabled any user with the date of birth and e-mail address of an account holder to reset the password. Birth dates and e-mail addresses of up to a hundred million users were among the unencrypted data that Sony believes may have been stolen in the original break-in.
Accounts 'Unsafe'
After the first network breach, the company was criticized by industry observers and some members of Congress for not quickly revealing that users' personal data may have been taken. The initial breach was noticed by Sony on April 19, the PlayStation Network was shut down on April 20, and users were notified of the breach and possible loss of personal information on April 26.
A gaming site, nyleveia.com, first brought the most recent security issue to light in a posting on May 17. It said that "despite the methods currently employed to force a password change when you first reconnect to the PlayStation Network, your accounts remain unsafe."
The site reported that a hack exploiting this weakness was "currently doing the rounds in dark corners" of the Internet. By Thursday, Sony reported it had fixed the problem.
In a video recently posted on the PlayStation Blog, Sony executive Kazuo Hirai noted that, as a new security feature, all customers are required to change their passwords.
'Welcome Back'
Hirai said "aggressive actions" were being taken to address the vulnerabilities that led to the unprecedented network outage. The actions, he said, include advanced security technology, increased levels of encryption, additional firewalls, and early warning systems.
Some Sony watchers have contended that the company failed to keep up with the most recent software, leading up to the initial break-ins. The hacker collective Anonymous, some of whose members may have been involved in the attack -- although the group has denied responsibility -- has distributed server scan logs from Sony's networks.
The logs reportedly show that the company used version 4.4 of the OpenSSH software instead of the most recent version, 5.7. Additionally, Sony was apparently using an older version of the Apache server software.
The company has initiated a Welcome Back Appreciation Program in North America for all registered PSN and Qriocity users. Two free games will be available for 30 days after the PlayStation Store is restored and "can be kept forever," the company said on its PlayStation blog. The PlayStation Store is expected to be back online by May 24.
Five titles are offered for PSN, and four for PSP. Other features of the package include 30 days of free PlayStation Plus membership for non-Plus subscribers, 100 free virtual items, and other benefits.
0 Visitor Reactions & Comments:
Post a Comment