
    PlayStation Network (PS3)


    The PlayStation Network is the online service by Sony Computer Entertainment, providing downloads of games, trailers, themes and much more. The service is free, but also offers a paid version for various benefits.

    So I watched the PSN Qriocity news conference

    mrbob9000

    I'm going to recap some of the technical details from the Sony press conference last night. For context, this is my Twitter: http://twitter.com/#!/MrBob9000
    The big news for affected consumers is that the attack happened on US soil, which may lead to a better-qualified criminal investigation as well as restitution for affected users.

    The details of the attack itself were less than technical, with a diagram depicting a generic web stack: WWW server > App server > DB server. The hacker(s?) created a tool that exploited the application server, which allowed them access to the database, and this is how they got the user info. The execs stated two things which would leave room to believe the credit card (CC) data is safe. First, they said that the CC data was in a different part of the database and there had been no current evidence that this had been accessed. The second part was that the data was encrypted.

    From my point of view, with novice knowledge of computer systems and infosec, I have some issues with this. Going back to their simple database diagram (sorry, no screenshots), this did not divulge the structure of their network beyond the basic components. There is not one web server, one application server or one database server. There is probably not one website, one application or one database. Going back to the execs' point about CC data being in a different location: does this mean it was in a different table? A different database? A different database on a separate server?

    This is important since they had stated only the application had been compromised and not the entire server. This may not be the truth, but let's go off what they had said. Within the context of the compromised application, the attacker may only have the data that application was configured to access. This is where the structure of the application and database come into play. Was the CC data accessible from the compromised application natively? Would the hackers have enough control to repoint the application at the location of the CC data?

    My second issue is using "encrypted" as a magical word that prevents any bad men from accessing highly sensitive customer data. As far as I know, nowhere in the multiple press releases, blogs and the press conference was the algorithm used to encrypt or the type of database used mentioned. In the wide world of data encryption there are many methods to encrypt data, some of them better than others, some so completely broken that anyone with Google could crack them. When I think about encryption algorithms I generally think of how long it would take to crack. With WEP wireless encryption it can take less than five minutes if you can get the network chatty. Others could take multiple decades being crunched on the most powerful of supercomputers.

    At this point in the data breach game I feel that although Sony has had a major breach, I believe they and their customers are in a far better position than other breaches such as Heartland, TJX, and HBGary. The attack happened on the 19th and they have come forward with tangible information and promises of coverage of CC reissue fees within two weeks of the breach, even without a confirmed CC data breach. Heartland and TJX did not even know shit had gone down in their network for years before they noticed.

    On a minor note, there are 10 million PSN/Qriocity accounts with registered credit cards. There is a high probability in my mind that some people who are currently reporting fraud linking back to the PSN attack have actually had their info stolen by other methods previously. From what I know about CC theft, the numbers are generally shuffled through black markets and used by buyers up to two years later from the initial theft. Not saying it is impossible that fraud from this attack is happening this quickly, but I believe it not to be likely.

    I will probably buy Sony products again if the PR train keeps going from the station it left from last night.
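
Added example, not part of the original post: the post's question about what a compromised application could reach, modeled with Python's `sqlite3` authorizer standing in for a database account's grants. The table names, columns and sample rows are constructed for illustration and say nothing about Sony's actual schema.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
CREATE TABLE cards (account_id INTEGER, pan_ciphertext BLOB);
INSERT INTO accounts VALUES (1, 'alice', 'alice@example.test');
INSERT INTO cards VALUES (1, x'00112233');
"""

# Tables the application's database role has been granted read access to.
APP_READABLE = {"accounts"}


def app_authorizer(action, arg1, arg2, db_name, source):
    """Stand-in for a DB account's grants: read-only, granted tables only."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    # For SQLITE_READ, arg1 is the table name and arg2 the column name.
    if action == sqlite3.SQLITE_READ and arg1 in APP_READABLE:
        return sqlite3.SQLITE_OK
    # Everything else (other tables, writes, ATTACH, PRAGMA) is refused.
    return sqlite3.SQLITE_DENY


def open_app_connection():
    """Build the sample database, then apply the application's restrictions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)           # setup runs before the grants apply
    conn.set_authorizer(app_authorizer)  # from here on, least privilege
    return conn


def run_as_app(conn, sql):
    """Return the rows, or 'DENIED' when the grant model blocks the query."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "DENIED"


if __name__ == "__main__":
    conn = open_app_connection()
    for sql in ("SELECT username FROM accounts",
                "SELECT pan_ciphertext FROM cards",
                "ATTACH DATABASE ':memory:' AS other"):
        print(sql, "->", run_as_app(conn, sql))
```

If the application's account is only granted what it needs, any query running with the application's privileges is refused at the card table and cannot attach another database; if the same account can read both tables, "a different part of the database" offers no separation.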
