There seems to be a lot of misinformation flying about what has actually happened with people jumping on the ITS HACKERS bandwagon pretty quickly but the actual reasons are pretty well known, they are just not being reported that much. I should pre-face this by saying I studied Computer Forensics for four years so know a little about information security and the law.
First thing to address is
why do hackers hack.
When the PS3 was first released it was a pretty open platform, Ever since the PS2 if you wanted to install Linux or whatever your flavour be on it then Sonys stance was it is your console do what you may with it. Not only that they actively encouraged it, using it in their marketing campaigns and giving the option to run it through live CD's, even putting an install option on the XMB.
But in 2009, after nine years of having the option to do this sony removed the feature due to 'security concenrs'. Linux is for Pirates you say? Well partly that was the case, and most likely the reason whoever made the decision at Sony used but this form of piracy was very finiky and required generally a hardware hack to get running. But having Linux installed had led to a lot of good things as well, the PS3 is a powerful system and could be used as a cheap alternative to a server farm. Folding@Home (A distributed computing project that creates models of protein folding to be used in scientific research) used Linuxed by many to provide valuable resources to the project, something Sony later brought back to the console but in a severely gimped way. Even the US Air force had been using PS3's for number crunching and as far as we know they still do to this day.
And thus the great debate began, the 'hackers' felt that it was
their console to do what they may with it and Sony was quite rightly concerned about possible piracy from the result of having an open system. But rather than try to tighten the security on their own end they drew the curtains and told everyone to go home
So How can they still hack
An entire sub-culture sprang up, the previously partly pirated PS3 became the focus of choice for hobbyist hackers and just people with a lot of know how want to send a big FU to Sony. When Sony Firmware 3.21 the hackers responded in kind and made their own Firmware.
Firmware is the software and datastructures on a device that basically make it tick. You IPod has firmware, you TV has firmware, even your washing machine.
What the hackers did next was creat their own Custom Firmware (CFW) and entered into a game of cat and mouse with Sony. Because of the great strides made by the hackers to gain access to the systems the PS3 became increasingly compromised. Before I continue it is worth noting that both the Xbox 360 and the Wii also have CFW available with varying degrees of complexity to install it. What made Sony different is that they took legal action against those responsible, this pissed of the hackers and made them redouble their efforts when Sony eventually made their previous hack null and void.
Piracy became the main source of all this knowledge now, a lot of people were disenfranchised with Sony and because it had become so easily to install the firmware due to the in-depth knowledge the hackers now had about the PS3's architecture.
And then geohot came along. Geohot is a 21 year old hacker from America who had previously been better known for his jailbreaking of the IPod. Now it is worth mentioning when he first started the PS3 was thought to be pretty unhackable, heck Sony even used to boast about it. So as enquiring minds that are pissed off go it was inevitable that someone was going to test their mettle against the system. What made Geohot famous was he discovered the proverbial keys to the castle in a key string that the PS3 used to authenticate all applications on their network. So using this it was possible to install linux right there on the XBM, you could trick the playstation into thinking any application was put there by Sony itself. This of course led to the natural leap that signing a pirated game with key would obviously also seem that it had been bought straight off the shelves. There was no need for a CFW.
But Sony got angry. Super angry. Law suits ensued, he was made into the proverbial lamb for the slaughter. The protest group Anonymous did not particularly like Sonys methods in their search for those responsible. They particularly were angry that sony was given a list of IP address of everyone who had visited Geohot's blog. Thus Operation Sony was launched. It was a declaration of open season to attack Sony's websites mainly through Denial of Service attacks DDoS. They met varying success, some outages but nothing major.
Those Darn Anonymous, they stole my data!
Actually no. This is where we get into unconfirmed but is known pretty widely this is what actually happened territory.
A new variant of the CFW was released named 'Rebug'. This particular variant was special in that it gave people access to the developer networks. The playstation network is accessed by the general public, but for testing purposes and almost mirror of PSN is kept by Sony so that developers can test their games.
When the word got around that you could do this people then realised that the dev's had full access to the PSN store and every single item on the PSN was available to download entirely for free. You see the network still asked for credit card information but it was never actually checked against any database of trusted accounts or banks. So Sony quickly pulled the plug on the network and set about trying to patch the holes that were in their network and remain a bit mysterious about just why the network was down.
What little media coverage there was at this point followed suit and immediately started asking if this was another anonymous attack. A perfectly reasonable question to which Sony would only reply with that an 'External Intrusion' caused the problem.
Phew, that does not sound so bad.
You would think so, Sony lost a little potential revenue and have some egg on their face. But no. It seems that Sony let the devs have access to your data as well. This data includes:
This is severely FU. It is also not just one unidentifiable hacker but potentially several hundred or even thousands of people have had access to this data.
It is ok, they might have access but they will never be able to read it. That is what encryption is for.
Wrong. Those who have had the firmware installed have reported that Sony stored all this personal information as Plain Text Yes. That is right. If your password was "BobbyMcBob" then your password as sat on their system was "BobbyMcBob".
It is industry standard that some form of encryption should be used when storing any kind of information like this.
So BobbyMcBob should sit on the PSN like 4e6e375e2980c02b37a8183e66cfd5a4 which would be much more difficult for a hacker to do anything with. (That is a MD5 hash which is not entirely secure in itself)
Not only this but it seems that not only do they have your current password stored in this way but also all your previous passwords as well. You know when you try to reset your password and it says "It is too close to your previous passwords" this is how they know.
To make matters worth is seems the Sony has been using GET requests when processing your personal information. Which look a little like this:
creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=45581234567812345678&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
Anyone sniffing on your network, or their network or anything in-between could have just plucked this out of the ether and used it. We know that Sony has shoddy data security practices, who is to say that this kind of data has been deleted from their logs even?
Is that even legal?
Pinch of Salt time, a lot of sources are saying this plain text thing is true but there is the tiniest chance that Sony were not that stupid, because legally they are screwed. Also I am not a lawyer so only use this as a general base on which to make any claims.
I am not going to get into the finer points of the Computer Misue Act here and argue if the hackers are legally covered or not.
There are two laws in the UK that should have prevented any company operating like Sony from storing your information in this way.
The Data Protection Act 1998 and the Data Protective Directive (Aka 95/46/EC)
First are SOE covered?, they are a company based in American after all. The DPA defines a party who has to comply as:
Part I section 5
(a)the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
(b)the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
As the data controller, in this Sony, is established in the UK and the EU store is separate from the US store then they are required to comply to the act. (Under the Act personal information is not allowed to leave the EU)
So what have they done wrong: Part II section 10 (It's a bit long-winded and legalise so in summary)
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This means that they should have had your information locked up all nice and tight in a lovely layer of encryption. Granted with a dataset of 70 million compromised accounts a brute force attack would render any encryption void eventually but it would not have been SOE's fault. They would have taken the correct measures to protect your data. But the Dev network should not have even had access to this information to begin with. When you sign the TOS with Sony you are entering into a two way agreement to not unlawfully access their systems and in return that your data will be safely held by them
The Data Protection Act also makes a provision for you if you have any problems due to any breach. Part II section 13:
(a) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
We are not just talking your credit card number here but also any identity fraud that occurs due to the people who have access to the data using it.
Unfortunately the DPA process is quite a drawn out one so any potential legal action will take a while to start up.
The Data Protection Directive offers much the same protection as the DPA does but on a europe wide level. Linky: http://en.wikipedia.org/wiki/Data_Protection_Directive
GAH, What can I do?
Luckily the Financial Fraud Authority has already stepped in and is compelling Sony to hand over the details of anyone in the UK's accounts that have potentially been compromised and this will be reported to the banks who will in turn will issue everyone with a new card automatically as is standard practice, you will incur no charge for this. Their current advice is to keep an extra watchful eye on your accounts at the moment and the second you see any kind of transaction that you did not authorise to contact your bank.
If somehow you fall through the net and you do not receive your new card within the next couple of weeks or simply don't trust a government body to get something right Money Saving Expert has a nifty little tool to work out what number you need to contact (It is for lost and stolen cards but I am sure they would be somewhat similar)
http://www.moneysavingexpert.com/cardsgone/
What is Sony doing?
This far? A whole not of nothing we can tell. It took them all this time because they had supposedly been working with a consultancy firm to find out what the scale of the breach had been but frankly with the kind of information even potentially compromised it should have been 1. never available in the first place 2. Told to us on the very first of the breach.
They have also gave us this FAQ going over some of the salient points along with a collection of phone numbers for you to make your anger known.
http://faq.en.playstation.com/cgi-bin/scee_gb.cfg/php/enduser/std_adp.php?locale=en_GB&p_faqid=5593