Sony Employing "Social Engineering" Tactics For PSN Security

I was proud of my programming classmates yesterday. As we were waiting for teacher, the Xbox vs PS3 debate came up and overwhelmingly the class asserted that PS3 was their preffered platform and many thought Xbox LIVE being $60/year - $12/month was a complete rip off. One guy tried claiming that LIVE's online play was better as he was talking out his butt. I spoke out against that ;)
But anyway, a good many did seem to be scared to put their CC information into PSN due to the hacker thing that happened last year. So hopefully SOny's efforts to regain consumer internet security trust succeeds. Anyway, it's good to know that in some public communities it's pro PS3 all the way =)

---

Last edited by Temjin001 on 3/15/2012 11:00:12 AM

5 up, 0 down

People should learn that putting their CC information into an online service (ANY online service) like PSN is like living in Tornado Alley. You live with the fear and certainty that a tornado will happen, but at the same time you know that the chances of any given town being hit are actually very small, and it's just as likely to hit the next town over as it is to hit yours. So year after year you live there, and each time there is a storm, you take care of yourself.

Online hacking is a fact of life. The PSN hack was most remarkable for the media coverage, not the data stolen, nor the consequences to individuals. To my knowledge not one consumer has had their money or identity stolen as a direct result of the PSN hack. Plenty of people have lost their money and identity due to numerous other hacks, including hacks of financial institutions. So like living in a tornado prone location, you know the risk you are taking and you take precautions against it. But you keep things in proportion.

9 up, 0 down

I agree.
Sony was far from the only target last year and it was blown way out of proportion.
Meanwhile so many people have been losing money through Live and MS claims it is due to fishing scams.
Many of the people were not even on Live for months and MS still blames Fifa!
The media tends to ignore when the big bad MS screws up but jumps all over Sony.

5 up, 0 down

Hehe - I liked that analogy, Highlander.

Still, if there is a chance for tornado, you *do* strengthen the roof of your house, just in case. :)

0 up, 0 down

Actually, the most effective strategy for tornadoes is to have a good warning system, radar and sirens, and to make sure that you have a safe place to go to. Usually a storm shelter (not just a basement) that is below ground and designed to withstand the storm. building a stronger house is no little use because a moderately strong tornado can tear anything apart. An EF5 can scour the road surface from the ground, so there will be little left of a home that is built to any standard except that of a bomb shelter.

In fact I think that the most effective security strategy for service providers like Sony is very similar. Your perimeter defenses must be strong enough to rebuff casual attempts at attack, but also smart and sensitive enough to detect any level of penetration of the security. They must provide the warning that radar and sirens provide with tornadoes.

Then, like the storm shelter, the network must be designed in layers with sensitive data stored more securely and in such a way that it's possible to decouple the sensitive data from the rest of the system in the case of a successful intrusion. just as you would with a significant tornado, when the siren sounds you check the radar and get in your shelter. If the storm actually tracks over your area, you slam the door closed and hang on to those that are most valuable to you. With a network, you slam the door closed if an intruder is working on the layered security around the secure data. The storm may destroy the house, but the valuable things - lives - are safe.

In many ways Sony did this with the PSN hack. They took the rather drastic action of downing the entire network in order to severe the attackers from the data. They slammed the door closed. Of course their warning system could have been better, but what they did was effective. What Sony needs to do in the future is have better perimeter defense, and detection. Along with a layered approach so that they can detect and terminate intrusions quickly. They must maintain more than one layer of security around sensitive data. Only if that storm comes right over the house (in other words an intrusion breaches multiple layers of security) would they need to close the door on the shelter. Even if attackers tore up the rest of the network's security, maintaining the security of the data is paramount. Just as in a tornado, the storm can completely destroy a home, but maintaining the safety of the residents is the most important thing.

1 up, 0 down

Ok so strengthen the roof wasn't the best of ideas then. :D

We don't have tornados here in Norway. I just imagine I've seen on the telly some shots about roofs flying off the buildings.

0 up, 0 down

Believe it or not, the roof flies off because the rest of the house implodes below it allowing the tornado to 'suck' the roof upwards.

You can build tornado resistant homes, but there's not a lot that can resist an EF5. Even a tornado resistant home is going to take damage to doors and windows, even if it remains structurally sound. The purpose of making them tornado resistant is to protect the occupants,not so much the home. It's been very educational living in a tornado prone area, I can tell you.

BTW, Norway and the UK do get tornadoes, they are just typically weaker, and often coastal. Usually they'll be termed water spouts because they occur over water. Sometimes tthey do happen on land, but it's far rarer than in places like Illinois, Arkansa, Missouri, Kentucky, Tennessee or Indiana.

0 up, 0 down

Any company on the planet can be social engineered. Until you remove the human component from the equation entirely, it's not going to go away. You can educate employees, put security policies into place, and even have an internal pentesting team, but all it takes is the one single user that is either to trusting or doesn't care and the keys to the kingdom are given out.

1 up, 0 down

Removing the human component simply exchanges one weakness for another. Defense in depth with appropriate precautions, procedures and layers of safeguards is what wins out.

0 up, 0 down

A good kingdom doesn't have just one gate with one key, Hypntick.

0 up, 0 down

I'd like to socially engineer hackers to get their heads out of their asses. Go expose something useful to mankind.

2 up, 0 down

I assure you, any engineering you or I would do to them given the chance would not likely be considered very "social"ly acceptable.

0 up, 0 down

I read an article quite a while back about using your credit card(s).

They said to get a card that only has a small amount on it.

I've done this for the PSN (SEN) as I just started using Music Unlimited in Canada and there isn't an option when you first sign up to use PSN cards(which I've been doing for some time now).

With a low limit card, if it does ever happen, not much is available to the person stealing the identity.

Most companies now a days check usage and if it's out of the norm, they'll contact you, or send you another card (this happened to me last year when I used a Japanese website to order....I received another card from my bank, stating the site had been previously compromised and just to be safe another card was issued to me).

0 up, 0 down