Sony surprised everyone and began restoring service to its PlayStation Network and Qriocity services Saturday afternoon across the US and almost everywhere else. Sony announced on its PlayStation blog that users could now update the firmware on their PS3 and change their passwords. However,
"Please note that these services will take a bit of time to be turned on and rolled out to the whole country. The process has begun and some states are being turned on now, so please be patient as we reach your city and state. We'll be updating the map below as service comes online in individual states. It will take several hours to restore PSN throughout the entire country, so please keep checking back for the latest updates. In the meantime, now’s a great time to get your PS3’s firmware updated, which is required to get online."
However, yesterday, so many PSN users tried to change their passwords that the company "had to turn off services for approximately 30 minutes to clear the queue."
Today, Sony put up a FAQ page on its blog site that answered a host of questions, from what is working to what users can expect in the future. What is currently working, Sony says, is:
"Sign-in for PlayStation Network and Qriocity (including the resetting of passwords), online gameplay for PS3 and PSP, playback of rental video content on PS3 (if within rental period), Music Unlimited powered by Qriocity on PS3 (for current subscribers), access to services such as Netflix, Hulu, Vudu, and MLB.tv, "Friends" category on PS3 (including Friends List, Chat Functionality, Trophy Comparison, etc), in-game leaderboards, and PlayStation Home."
Other services, like all the features related to the PSN store, are yet to be fully restored, but are likely to be before the end of the month.
In a bit of a setback, however, according to a Nikkei.com report late today, Sony has been told by Japanese regulators that it won't be allowed to restart PlayStation online game playing in Japan until the company has demonstrated that certain unnamed security issues have indeed been resolved. PlayStation users may want to keep this news in mind before they rush back to start playing their games again.
In other Sony-related news, apparently the Sony hacker(s) launched the attack from Amazon's Elastic Compute Cloud, or EC2. A story in Bloomberg News says that the hacker used a phony name to rent time on Amazon's cloud at less than $2.48 an hour to support his hacking activities; the hacker's account has now reportedly been closed.
The Bloomberg story states that:
"Signing up to the service requires a name, e-mail address, password, phone number, billing address and credit card information. Users get an automated call from Amazon and are asked to dial in a four-digit verification code to complete the registration process."
However, the story also says that Amazon doesn't have the resources to filter out a determined hacker who wants to spoof this registration process. It is doubtful any cloud provider does, which adds another security issue that cloud providers now must deal with (or ignore).
As a point of curiosity, I wonder whether, had the hack attack against Sony been launched just a few days later, it would have failed, given the problems Amazon had with its cloud service.
Anyway, there was also a Reuters story late Friday afternoon that stated that Sony's computer networks remain vulnerable to attack (which, I wonder, is why the Japanese regulators are currently reacting the way they are). The story said that:
"Security researcher John Bumgarner [chief technology officer for the U.S. Cyber Consequences Unit] discovered a potential bonanza for hackers by using little more than a web browser, Google's search engine and a basic understanding of Internet security systems."
Mr. Bumgarner pointed out numerous security gaps to Reuters, which in turn asked Sony to comment about them. Sony apparently refused to talk to Reuters directly about the identified gaps but did quickly move to close them.
Just as Sony seemed to be getting out of its security tar pit, there were stories appearing in the Japanese press on Saturday that Square Enix Holdings Co., the Japanese video game company that created the Final Fantasy, Deus Ex and Tomb Raider games, had been hacked.
According to Square Enix's press statement (PDF) concerning the incident, the company confirmed that:
"... a group of hackers gained access to parts of our Eidosmontreal.com web site as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our web sites, before allowing the sites to go live again."
The BBC reported that one of the product sites hacked was Deusex.com, a promotional site for the forthcoming game, Deus Ex: Human Revolution.
The Square Enix press release went on to state that:
"Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the web site by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates."
There has been no evidence that anything has been done with the stolen information as of yet. However, those Canadian folks who had their resumes stolen face an increased risk of identity theft, which the company doesn't seem to be too concerned about, at least in its public statement.
The company concluded its statement by saying:
"We take the security of our web sites extremely seriously and employ strict measures, which we test regularly, to guard against this sort of incident."
Apparently, the "strict measures" employed weren't quite good enough this time.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.