
Security expert: PSN still isn’t safe

Friday, 3rd June 2011 12:24 GMT By Johnny Cullen

An ex-hacker turned security expert has claimed that the now fully-restored PlayStation Network is still not safe from outside attacks by hackers.

Gregory Evans of Ligatt Security International, who served two years in federal prison as a hacker, told IG that gamers could probably expect more hacks in the future.

“Even if Sony had never been hacked, when anybody goes online to do anything, play games, search the Internet… you’re always taking a risk that somebody might get your information. When you’re connected to your Wi-Fi and you’re playing online games it’s opening up hundreds of ports,” said Evans.

“Each one of those ports is like a door that a hacker can use to bypass your firewall and get into your computer. In the gaming community, most people don’t even know this is happening. They just think I’m going online to play games and everything’s fine.”

He continued: “The problem remains that Sony and most big corporations have IT managers designing their networks and security. Even if these guys have a Master’s Degree or PhD from a school like MIT, that doesn’t make them a true security expert. It’s scary and these attacks will continue to happen.”

Evans’ remarks follow news last night that the Sony Pictures website was hacked, with 1,000,000 passwords compromised in the external intrusion.

The group behind the hack, LuizSec, said that passwords weren’t encrypted, and were stored in plain text.

The Sony Pictures hack comes just a day after PSN was fully restored following a hack which saw the service go down and the personal data of 77 million users compromised.


48 Comments

  1. Gekidami

    Wonder how many idiots will just read the headline before commenting?

    What this guy is really saying:
    “No one, no company is safe from hackers no matter what they do”.

    What a headline needs to grab more attention:
    “LOOK!!! SONY STILL ARENT SAFE OMG!!!”

    Well done, VG247, I doubt Bill O’Reilly could’ve done a better spin job.

    #1 3 years ago
  2. earlyrock

    The whole Internet isn’t safe.

    #2 3 years ago
  3. Freek

    That is in fact not what he is saying at all. You as a person can be hacked if you haven’t set up a proper firewall or router or use Wi-Fi, those things are open to attack.
    But that’s only your personal connection.

    Then he goes on to point out that a lot of big corporations have people in charge of building their security systems that are not fully qualified to do the job.
    That’s not to say the whole internet is unsafe, just the parts that aren’t properly secured by people who know what they are doing.

    But the guy is working in that sector, so all this could very well just be his sales pitch.

    #3 3 years ago
  4. DrDamn

    @1
    Yep – though they are just copying the headline from IG. The actual statement was …
    —————-
    IG: Sony has said they implemented new security. Do you believe PlayStation Network and Qriocity are hacker-proof now?

    No. And it’s not just Sony gamers that are at risk. It’s anyone who has any online gaming console like Xbox or Wii. Nothing’s 100 percent secure.
    —————-

    #4 3 years ago
  5. ManuOtaku

    #1 yes but I think the part that is key in this post is “He continued further: “The problem remains that Sony and most big corporations have IT managers designing their networks and security. Even if these guys have a Master’s Degree or PhD from a school like MIT, that doesn’t make them a true security expert. It’s scary and these attacks will continue to happen.”

    Therefore it might mean, as a possibility, that the people in Sony’s security department don’t know too much about hackers’ methods, even if they are professionals in their respective field. Sony tends not to contract ex-hackers to do this, something that maybe Microsoft does, and maybe for that it is more secure than Sony’s system. I agree with you that there’s no safe company, but maybe some companies are a bit better prepared than others.
    P.S. and the title of this post represents the words of Gregory Evans, so in my eyes it fits the content; he specifically mentions Sony IMHO

    #5 3 years ago
  6. get2sammyb

    Misleading headline, indeed.

    Try: “Security Expert: Internet Is Not Safe”.

    #6 3 years ago
  7. DrDamn

    @5
    He specifically mentioned the XBox and Wii too – even though the question was about Sony.

    #7 3 years ago
  8. mathare92

    @3 +1

    #8 3 years ago
  9. IHateTabloidJournalism

    I just created an account on the site to inform you that after reading this bullshit non-story F.U.D, I have removed your (once often visited) site from my bookmarks. Barrel scraping hacks. Go and get a job at “The Star”

    #9 3 years ago
  10. StolenGlory

    @9

    Classy Kerplunk, REAL classy.

    #10 3 years ago
  11. Mike

    @1 Calm down and drink your milk.

    #11 3 years ago
  12. Mike

    Also, considering Sony Corp. has just had millions of its users’ data compromised over the last few weeks, and the fact that another wing of the company has, again, been hacked, and that the data stolen was personal info in plain text format, I think that the headline is more than befitting.

    Basically, Sony doesn’t know its arse from its elbow and have been lax and arrogant; not just the PS division, but across the company, it seems.

    The PS3 was rushed out, the PSN was a rush job, everything about this gen from Sony is get it out there, doesn’t matter if it works or not, clean it up afterwards. It’s like Windows 98 all over again. But this time, people’s data was invaded.

    Not good enough.

    #12 3 years ago
  13. NeoSquall

    @6 Are you mad? That wouldn’t sell enough page views.

    @12 I, as a personal rule, tend to not believe what a criminal says about his victim.

    #13 3 years ago
  14. Cygnar

    Security firm official tells the media that another security firm isn’t as good as his.

    News.

    ๏̯͡๏)

    #14 3 years ago
  15. Mike

    @13: Well then you deserve everything coming to you.

    #15 3 years ago
  16. DSB

    It’s not real news, it’s 24 hour news.

    You have to fill it up with something, so you have to drastically lower your standards. And if you can make a minor thing sound big, all the better.

    All the big networks do the exact same thing. I believe CNN is singlehandedly ending world slavery at the moment. GLHF.

    #16 3 years ago
  17. Mike

    Everyone seems to think they’ve got it all sussed out. Like there are meetings:

    “How can we increase traffic?!”

    “I know, let’s just distort stories to attract attention and create conflict when there isn’t one!”

    “Great idea.”

    “Hold on. What about our journalistic integrity? Won’t we turn more people away if we’re wrong.”

    “I don’t fucking care! It’s all about hits, hits, HITS!!!!”

    “Ok, let’s pick on poor, poor, recently hacked, victim, in-no-way-responsible, nor accountable, not guilty nor lazy and definitely not arrogant, Sony. That’ll drum up the traffic.”

    “Yeah. The kids love it.”

    If that’s the way, or even remotely like the way you think it goes down, well, then you need to stop judging people by your own standards.

    It really couldn’t be further from the truth.

    #17 3 years ago
  18. minxamo

    Well I saw a .txt file with thousands of emails and passwords posted on 4chan last night which was apparently from someone hacking PSN.
    I didn’t test any myself but people were saying that some of them worked, and they could sign into Amazon and stuff.

    Could have been an old list, I don’t know, still pretty scary though.

    #18 3 years ago
  19. DaMan

    Unbookmarking the site from where you’ve been permabanned twice. Not cool.

    #19 3 years ago
  20. DSB

    @17 Nah, that impression is pretty much all on you.

    It’s simply taking what’s there to fill the air. No major considerations, and I think that’s people’s main point of contention.

    It’s business as usual and nothing to get your panties in a twist about, everybody does this sort of thing, but it’s hardly groundbreaking journalism.

    “Dude says gaming networks are unsafe because they don’t use people like him to secure them” – Stop the presses, man!

    #20 3 years ago
  21. Cygnar

    @17
    If you have a problem with blog commentators who make unsupported assertions and wave them around as though they are facts, I would refer you to post #12.

    Not even the FBI and Congress are satisfied that they have enough information to judge the adequacy of Sony’s security measures, but clearly you have pulled together enough information here and there to make much better judgments than professional investigators.

    If you are willing to criticize others for acting as though they have it “all sussed out” when the evidence is lacking or inconclusive as to their claims, then perhaps it would be more appropriate for you to hold your tongue when you are about to make the same mistakes.

    #21 3 years ago
  22. Gekidami

    “Ok, let’s pick on poor, poor, recently hacked, victim, in-no-way-responsible, nor accountable, not guilty nor lazy and definitely not arrogant, Sony. That’ll drum up the traffic.”

    Oh please, cry me a river. Maybe you should try putting your searing hate of Sony aside for a minute and actually read what people are saying.
    I don’t see how Sony getting hacked, then another branch that has nothing to do with PSN getting hacked means that quote mining is suddenly ok.

    Fact is, this headline is quote mining what the guy actually said. It would be the same if it was about the 360 or Wii, which he also mentions as not being safe to the same extent as PSN right now.

    But please, don’t let facts get in the way of your vendetta against Sony.

    #22 3 years ago
  23. Erthazus

    This site is full of Sony fanboys. It’s a fact. Once you write something bad about Sony, the thread starts to hit the fan. I mean seriously.

    Some of you guys need a doctor, because someone has some serious paranoia problems.

    #23 3 years ago
  24. Mike

    @21 I think Sony’s security measures “pre-hack” have all-but been documented. I can support every statement I made. So I really don’t know what you’re talking about.

    @20: Nah. Sorry. Doesn’t wash. These comments are rife with people saying the site is deliberately ignoring the fact and twisting the story to drum up traffic. But if you want to back out and try to now command an air of perspective, then fine. That’s why I posted what I did.

    #24 3 years ago
  25. Mike

    @Cry you a river?! lol Re-read your first post and wipe up the tears. Then come talk to me. Oh, and grow up a little while you’re at it.

    My “vendetta against Sony” – that really says it all. Your paranoid, coloured, delusional brain painting every criticism of your beloved brand as some kind of act of a rabid madman.

    You really need to grow up and realise that most adults share the same opinion as I do. How they behaved pre-hack is indefensible and really shouldn’t be forgotten so soon after the incident. Unless you’re you, of course.

    #25 3 years ago
  26. Mike

    @23 Too right.

    #26 3 years ago
  27. frostquake

    Nothing is 100% safe ever. The Goal is to get Better and more Secure Each day! I will say this, I have seen IT Departments, and one that I currently know, that is HORRIBLE. The IT “Guys” are complete idiots, and some don’t even have the basic understanding of Internet Security!!

    #27 3 years ago
  28. OlderGamer

    “This site is full of Sony fanboys. It’s a fact. Once you write something bad about Sony, the thread starts to hit the fan. I mean seriously.

    Some of you guys need a doctor, because someone has some serious paranoia problems.”

    Very, very true.

    #28 3 years ago
  29. Gurdil

    @Johnny I think it’s LulzSec, not LuizSec. I might be wrong but I’m pointing it out just so you can check (I don’t know where to check cause I’ve seen articles with both names, so maybe there’s also a group that’s called LuizSec I don’t know about)

    #29 3 years ago
  30. frostquake

    @ 28 Older Gamer…PSN has a New Zen Pinball Table called the Sorcerers Lair!! Tempting isn’t it?? LOL

    #30 3 years ago
  31. NeoSquall

    @15 If I breach in your house, rob everything inside it and then the next day brag about it in your neighbourhood, saying your door was open, would you trust me?
    Would your neighbours trust what I say?

    #31 3 years ago
  32. StolenGlory

    @29

    It is LulzSec yep.

    #32 3 years ago
  33. OlderGamer

    Oh hell I have to pick that up, Frosty!

    Any idea if it’s headed to LIVE anytime soon? I have, to my knowledge, all of the unique tables for both networks. I just hate to buy ’em twice, and we use Xbox more.

    Gonna check into it, thnx for the info bud.

    #33 3 years ago
  34. Gekidami

    “You really need to grow up and realise that most adults share the same opinion as I do.”

    *reads through the comments*

    …Nope. But of course you’re the only “adult” here, right? Because the majority who think this article does indeed have a misleading title don’t agree with you, therefore they’re ‘children’. lol That’s definitely how an “adult” would act, yep.

    Funny how people commenting on the headline of this article being misleading suddenly has you rambling on about people ‘defending’ Sony’s security. Seems you need to reevaluate who here really is “paranoid”. Or maybe you just wanted some strawman to go with your quote mining, I mean, why not?

    #34 3 years ago
  35. OlderGamer

    “@15 If I breach in your house, rob everything inside it and then the next day brag about it in your neighbourhood saying your door was open, would you trust me?
    Would your neighbours trust what I say?”

    Depends, did I taunt/challenge you, by claiming that my house was unhackable and that no one could get into my house? Did I sue some neighborhood kid for looking into my windows (geohot)? Did the neighbors trust me with their personal bank accounts/life savings and other private info for me to store in my house? And then, why did I leave my door wide open and leave the house unguarded to begin with?

    It was never as simple as some folks(on both sides of the fence) like to make it out to be.

    #35 3 years ago
  36. DSB

    @24 I’d need something to back out on, first.

    I don’t recall at any point cheering Sony on. I think they’re the current posterchild for gross corporate incompetence.

    I’m merely pointing out the fact that this is in no way news. It’s just pointless filler.

    #36 3 years ago
  37. Mike

    @34: Nice try, Geki. I’m sure you would’ve whined just as loudly if the headline read: “Steam still not safe.”

    You just keep telling yourself that.

    …and yeah, apart from one or two people, I’m the only adult here.

    @35: Good post.

    #37 3 years ago
  38. Gurdil

    @32 Ok thanks for the confirmation :)
    @35 Couldn’t have said it better

    #38 3 years ago
  39. Cygnar

    @24
    These measures have been “documented” primarily by people who are either not in a position to know, or who are not responsible for the accuracy of their claims. You are treating the adequacy of the previous security measures as though it is an open-and-shut case, when the reality of the ongoing investigation does not reflect your position.

    We know that the measures were not adequate to stop the successful attack. What we do not know is whether the measures were legally insufficient, whether they fell below industry standards, whether their implementation was “negligent,” or whether Sony bears any responsibility for the success of the attack.

    I understand that you are disappointed with this situation. But that does not change the fact that these sorts of claims require evidence, not accusations. Accusations abound, but the evidence is largely not available to the gaming press. We still do not know the nature of the intrusion, the putatively inadequate measure that allowed for the intrusion to occur, the identity of the person(s) who conducted the breach, what measures this party had to take in order to make the attack succeed, whether this party was an insider or outsider as to the network, and whether the breach would have occurred even if Sony’s security had been cutting-edge. These are very important facts, and while you and many others are eager to have an opinion about Sony based on the bare fact that the attack was successful, I don’t think it’s appropriate to rush to conclusions when we lack so much critical evidence.

    We have plenty of accusations from people who had no specific information about Sony’s network. We have IRC chat logs from dubious sources that are not responsible for the accuracy of their reports. We even have some opinions of Sony executives. But none of these sources, and indeed nothing we have at our disposal at this time, can tell us the important facts about the attack in question. That is precisely the reason why I think your claims are insufficiently grounded, and why I think you should hesitate to assert them as though they are facts.

    #39 3 years ago
  40. OlderGamer

    I should add, that with my above post and opinion being said, I do believe that Sony got caught in a “Perfect Storm”, and I also believe that it could have happened to a lot of other services out there. Maybe Nintendo. Maybe Microsoft.

    And I also believe that we are not done reading about this or that service being attacked. Cyber terrorism is prolly the biggest threat to our pastime to come along. Esp as the industry evolves and moves into Cloud/streaming game services and other digital distribution platforms. Heck I stopped playing WoW because of the account hacking.

    It’s going to remain a very big problem.

    #40 3 years ago
  41. DSB

    @39 The fact that they lost all their accounts pretty much means that it was far below industry standards. That sort of thing could never happen with adequate protection.

    If you have millions of accounts being kept by your company, the first thing you do is make sure that you can never lose them all at once. You compartmentalize.

    That way you might lose one unit of accounts, but at that point you’ll be on full alert and able to protect the vast majority of remaining accounts.

    It’s more than folly to think that a company with adequate protection could ever lose all its information all at once.

    And you should probably take into account that Sony has done everything but confirm the fact that they were not on top of their game. From very senior executives no less.

    #41 3 years ago
  42. NeoSquall

    @35 Did you accidentally understand that I was referring to the last LulzSec attack on Sony Pictures, while you were over complicating the issue I raised with my post?

    I obviously wasn’t referring to the PSN hack.

    #42 3 years ago
  43. YoungZer0

    Sony really should just fire every single guy in the IT department and hire new staff.

    #43 3 years ago
  44. Cygnar

    @41
    I reiterate, the identity of the attacker and what sort of access they had to the network is very important information. One of Sony’s reactions to the attack was to physically relocate the servers to a more secure location. This raises the question of whether physical access to the servers played a role in the attack at issue. If the attacker was, for example, someone who had physical access to the servers, he may have had security clearance such that compartmentalization of the data may not have prevented him from accessing whichever part of it he wanted. In this situation it could have been a case of Sony literally leaving the front door to its server building open.

    Remember also that the largest portion of the compromised information, the 77M PSN accounts, has not been published anywhere or actually used to commit fraud (assuming the banks are able to catch it all). What we know from Sony is that the attacker had access to all this data, not that he actually took all of it or was able to take all of it. The facts we know are consistent with Sony being unable to identify which portions of the data a hacker accessed, in which case the only safe assumption is that all the data is at risk.

    Regardless, DSB, you make a very good point. Information about whether the data was compartmentalized would be very helpful in determining whether the security measures in place before the attack were adequate. But I don’t think we know what the measures were in this regard, even with Sony’s statements that all of the information could have been taken.

    As far as executives go, however, their statements seem more like damage control to me. Sony did not keep its customers’ data safe from this attack, and the higher-ups recognize the fact that people will hold them accountable for Sony’s problems, even when these problems arise from circumstances beyond their control (but I will not assume that these circumstances really were outside of the company’s control). In the case of network security, however, executives are not technicians. I doubt Howard Stringer has ever had to set up a home network, let alone an international one. His statements say much more about the face Sony is trying to put on to the outside world than they do about whether people working beneath him were sleeping on the job. Maybe they were. Maybe I should wait for Congress to tell us what it thinks, and in the meantime see how to sign on with the class action lawsuit against Sony in case they really did screw this one up.

    #44 3 years ago
  45. The Evil Pope

    lol, Sony are a bunch of fuck-ups.

    #45 3 years ago
  46. sg1974

    Oh dear another silly headline. vg247 is becoming the Daily Mail of the gaming world

    “This site is full of Sony fanboys. It’s a fact. Once you write something bad about Sony, the thread starts to hit the fan. I mean seriously…. Some of you guys need a doctor, because someone has some serious paranoia problems.”

    But you choose to ignore that Sony articles seem to attract more trolls than articles on any other subject. There are plenty of 360 users or iUsers who love to troll Sony stories (which doesn’t appear to bother you). ALL ‘sides’ are as bad as each other, if you don’t see that, maybe you’re one of those trolls?

    #46 3 years ago
  47. sg1974

    While everyone focuses on these ongoing Sony hacks, hackers with more brains are going after all those other places with, no doubt, no more (or less) security than Sony has, in order to steal our information. They must be laughing their asses off, what with 99% of the people commenting on this story really believing the bullshit that Sony is lax and behind everyone else on internet security.

    If it is really about exposing lack of security

    1. why are they publishing the sensitive information on the net
    2. why don’t they go after other companies

    Answer: because this is a childish vendetta by spoilt brats because someone dared hold one of their own to account for his actions. Laugh all you want, gamers: one day it will be your bank account. That will wipe the smile from your smug, sanctimonious faces.

    #47 3 years ago
  48. Ralgor

    Gregory Evans of Ligatt Security?! Really vg247?! Please Google guys you quote on your website before you repeat everything they say, because this guy hasn’t the best reputation among security consultants….

    #48 3 years ago

Comments are now closed on this article.