Have a PlayStation 3?
If you do, then you should take some time to read this post: http://www.latimes.com/business/la-fi-ct-sony-hack-20110427,0,6751251.story
"Sony said it had 77 million accounts as of March 31 for its PlayStation Network, which links users via the Sony PlayStation 3 console to game downloads and online services such as Netflix Instant Watch video streaming service. Not all accounts are active, and it's possible that one person can have multiple accounts.
In a blog post, company spokesman Patrick Seybold said whoever gained access to personal information last week was able to steal the names, addresses, phone numbers, user names, birth dates, email addresses and passwords of registrants. The company acknowledged that it did not know whether credit card information was also stolen.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Seybold wrote. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
Sony last week shut down its PlayStation Network service, saying the service had been the target of an "intrusion," but did not release details until Tuesday."
- excerpt from LA Times
Sony’s PlayStation Network: Attacks
It’s been quite an eventful week so far for PlayStation owners and Sony. As I’m sure most of you are aware by now, an Internet activist group calling itself “Anonymous” has declared war on Sony, claiming that Sony's lawsuit against George Hotz is wrong.
Their campaign against Sony began the moment war was declared: several Sony websites, including PlayStation.com, were attacked and taken offline. The next day it became apparent that Anonymous had stepped up its game and begun digging into the personal lives of many Sony employees and anyone involved in the lawsuit, posting that information, home addresses included, on public web pages.
These attacks are still going on, and PlayStation Network users seem to be suffering from it. Users have lately taken to the official PlayStation forums and are, understandably, upset.
UPDATE: Anonymous has stated that it will stop the attacks on the PlayStation Network so as not to disrupt those trying to enjoy its services:
“Anonymous is not attacking the PSN at this time. Sony’s official position is that the PSN is undergoing maintenance. We realize that targeting the PSN is not a good idea. We have therefore temporarily suspended our action, until a method is found that will not severely impact Sony customers,” a statement on their official website read.
If you notice any suspicious activity on any of your other accounts, my advice would be to change passwords to a strong password. A strong password looks like this: 16VD86i5Dr, or, even stronger, like this: rw)3k%u[-V. A hacker would have a difficult time trying to crack a password of this complexity. It may be difficult to remember for a while, but you can try and make your own using these guidelines.
Common guidelines
Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:
- Password length should be around 12 to 14 characters if permitted, and longer still if possible while remaining memorable
- Use randomly generated passwords where feasible
- Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relatives' or pets' names, romantic links (current or past), or biographical information (e.g., dates, ID numbers, ancestors' names or dates).
- Include numbers and symbols in passwords if allowed by the system
- If the system recognizes case as significant, use capital and lower-case letters
- Avoid using the same password for multiple sites or purposes
- If you write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer
Additional guidelines
Double a character consecutively to discourage shoulder surfing, the technique whereby someone observes the typing over your shoulder. Don't triple a character and don't double more than one character. If the typist is fast, it's hard to see how many times a key was consecutively pressed.
As a user might need access from a phone with a small keyboard, consider which nonalphanumerics appear on all models, if any do.
Individuals and businesses can also choose to use devices or cloud-based applications that generate a one-time password, which are functional for only one session or expire after a limited amount of time. One-time password generator solutions are available using cloud-based services, mobile phone applications, a security token and other methods.
Examples of weak passwords
As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password substituted by, say, numbers, a common approach) may cost a password cracking device a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy:
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. All are typically very easy to discover.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., can be automatically tried at very high speeds.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be easily tested automatically with little additional effort.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically.
- Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc., can be easily tested automatically.
- Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), or 27182... (e), etc., can easily be tested automatically.
- Identifiers: jsmith123, 1/1/1970, 555–1234, "your username", etc., can easily be tested automatically.
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.
There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user.
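To make the categories above concrete, here is an added example (mine, not from the post or any cracking tool) of a checker that flags each weak pattern listed, the way a cracker's rule set would before any brute force is attempted. The wordlists, leet map and keyboard layout are constructed stand-ins; `entropy_bits` gives only the brute-force upper bound, and `random_password` implements the "use randomly generated passwords" guideline with the OS CSPRNG.

```python
import itertools
import math
import re
import secrets
import string

# Constructed stand-ins for the wordlists a real cracker loads (real lists run to
# tens of millions of entries, so "not in this list" proves nothing).
DEFAULT_PASSWORDS = {"password", "default", "admin", "guest", "changeme"}
DICTIONARY = DEFAULT_PASSWORDS | {
    "chameleon", "red", "sox", "sandbags", "bunny", "hop", "intense", "crabtree",
    "deer", "john", "gold", "fish", "leet", "haxor", "crab", "stop", "tree", "pass",
}
WELL_KNOWN_DIGITS = ["911", "314159265358979", "271828182845904"]  # 9-1-1, pi, e
# Substitutions behind "simple obfuscation"; a cracker undoes them before lookup.
LEET = {"@": "a", "$": "s", "!": "i", "0": "o", "1": "il", "3": "e",
        "4": "a", "5": "s", "7": "t"}
# US QWERTY rows with their horizontal stagger, so "fred" counts as adjacent keys.
KEYBOARD = {}
for _r, (_row, _off) in enumerate([("1234567890", 0.0), ("qwertyuiop", 0.5),
                                   ("asdfghjkl", 1.0), ("zxcvbnm", 1.5)]):
    for _c, _ch in enumerate(_row):
        KEYBOARD[_ch] = (_r, _c + _off)
WORD_THEN_DIGITS = re.compile(r"([a-z]+)(\d*)[!?.]*")

def _all_dictionary_words(word):
    """True if a non-empty word splits entirely into DICTIONARY entries (RedSox)."""
    ok = [True] + [False] * len(word)
    for i in range(1, len(word) + 1):
        ok[i] = any(ok[j] and word[j:i] in DICTIONARY for j in range(i))
    return bool(word) and ok[len(word)]

def _deleet_variants(s):
    """Every way of undoing the LEET substitutions ("1" may be "i" or "l")."""
    choices = [LEET.get(ch, ch) for ch in s]
    if math.prod(len(c) for c in choices) > 1024:  # cap pathological inputs
        return {s}
    return {"".join(p) for p in itertools.product(*choices)}

def _keyboard_walk(s):
    """True if every consecutive pair of characters is a distinct, adjacent key."""
    if len(s) < 4 or any(ch not in KEYBOARD for ch in s):
        return False
    for a, b in zip(s, s[1:]):
        (ra, ca), (rb, cb) = KEYBOARD[a], KEYBOARD[b]
        if (ra, ca) == (rb, cb) or abs(ra - rb) > 1 or abs(ca - cb) > 1:
            return False
    return True

def weaknesses(password, username="", birth_year="", phone=""):
    """Return the weak-pattern categories from the list above that `password`
    matches; the keyword arguments stand in for a 'simple investigation' of the user."""
    found = []
    lower = password.lower()
    digits = re.sub(r"\D", "", lower)
    core = WORD_THEN_DIGITS.fullmatch(lower)
    if lower in DEFAULT_PASSWORDS:
        found.append("default password")
    elif core and _all_dictionary_words(core.group(1)):
        found.append("word with numbers appended" if core.group(2) else "dictionary word")
    else:
        for v in _deleet_variants(lower):
            m = WORD_THEN_DIGITS.fullmatch(v)
            if v != lower and m and _all_dictionary_words(m.group(1)):
                found.append("simple obfuscation of a dictionary word")
                break
    half = len(lower) // 2
    if len(lower) >= 4 and len(lower) % 2 == 0 and lower[:half] == lower[half:]:
        found.append("doubled word")
    if _keyboard_walk(lower):
        found.append("keyboard sequence")
    if (len(digits) >= 3 and not re.search(r"[a-z]", lower)
            and any(k.startswith(digits) for k in WELL_KNOWN_DIGITS)):
        found.append("well-known number")
    for label, value in (("username", username), ("birth year", birth_year), ("phone", phone)):
        vdigits = re.sub(r"\D", "", value)
        if value and (value.lower() in lower or (vdigits and vdigits in digits)):
            found.append(f"personal identifier ({label})")
    return found

def entropy_bits(password):
    """Brute-force upper bound: length * log2(size of the character classes used).
    Any hit from weaknesses() makes it meaningless; the cracker tries the pattern."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    pool = sum(n for chars, n in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def random_password(length=14, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Draw from the OS CSPRNG, retrying until every character class is present."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in
               (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)):
            return pw
```

Run `weaknesses("p@ssw0rd")` and you get the obfuscation hit even though `entropy_bits("p@ssw0rd")` reports a respectable-looking number for an 8-character mix of letters, digits and symbols: the bound only counts if the password was actually drawn at random, which is the whole argument of this section.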
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.—Bruce Schneier 2005