XSS Vulnerability found on Sony PlayStation Store Website ~ THN : The Hackers News

XSS Vulnerability found on Sony PlayStation Store Website at https://store.playstation.com/ ,This Vulnerability is posted by someone on a Forum site. The XSS is working on Firefox Browser, Not applicable for Crome Browser. Here in Screenshot you can see that, The backlink Code behind “Back” button has been modified using XSS attack. 


Proof of Concept :
1.) Open Url in Firefox : Click Here
2.) Now Click on the Back Button shown at middle of the page. You will be Redirected to Google.com .


This XSS Vulnerability can be misused By hackers for Phishing or any Cyber Crime Activity. We have Notice that, almost 70% Sony’s websites are Vulnerable with various Flaws.


Sony Should Fix it as soon as possible, Before any next hack attack.
Thanks.

#Sony Reply to Congress : We Still Don't Know Who #Hacked Us ! ~ THN : The Hackers News

Updates from the latest answers submitted by PlayStation executive Kaz Hirai, responding to the House Energy and Commerce Committee’s subcommittee on Commerce, Manufacturing, and Trade. Hirai and this subcommittee last discussed PSN through letter writing in early May, not long after the attack took place, PSN went down, accounts were exposed and Congress started questioning.The letter is addressed for yesterday, May 26.

I would like to take this opportunity to express my sincere gratitude to the committee for its appreciation of the gravity of the situation that Sony faced and, accordingly, allowing Sony to defer an appearance before the Committee,” said Hirai. “Sony was unable to appear before the Committee due to exigent circumstancesSony was under attack and it was critically important that our key personnel remain available and ready to address critical issues as our network and game service operations were preparing to come back on line.”

As it stands, Sony cannot conclusively say who was behind the attack. It does believe the same hacker or hackers was also behind Sony Online Entertainment’s intrusion. The company continues to investigate, calling it an “ongoing criminal investigation,” but the individuals remain elusive.

We have not yet identified the individual or individuals responsible for the actual intrusion and breach into our systems,” said Hirai. “We are continuing to work with the FBI to apprehend those responsible.”

We have information that suggests what the hacker was accessing and what the hacker may have downloaded, but we are unable to determine conclusively whether information was actually taken from all orjust a portion of the user accounts,” said Hirai. “Unfortunately we cannot confirm whether the hacker was completely successful in taking all of that information off the servers, or just a subset of it; in an abundance of caution, Sony advised all of its customers that it believed that the data had been obtained.”

One final point the subcomittee was concerned about related to comments made by Sony CEO Howard Stringer about how it’s impossible to “guarantee” a network will ever be totally safe.

Mr. Stringer sought to emphasize that no individual, corporation, or government entity, standing alone, can truly guarantee security in a world of very sophisticated hackers, cyber attacks, and cyberterrorism,” said Hirai. “Sony is implementing betterand more robust security measures to protect our customers. But just as individuals and businesses have come to rely on multiple law enforcement agencies for physical protection, we believe the private sector will need the assistance and support of government and law enforcement to help secure e-commerce and lT systems to stay ahead of and curtail the activity of cyber criminals and cyber terrorists.

See the Letter Copy Below :


Infographic - The #Sony #PlayStation Hack ~ THN : The Hackers News

We were doing an expose on the ‘Sony Hack Fiasco’ and realized no infographic was done on the subject - at least none we can find. Considering how big the issue was for our readers, we decided to create an infographic to summarize the events. Our sources include news site and commentary pieces. Because the subject matter is so time sensitive, we decided to include minimal information to the graphic and get it out when it matters. We will, however, be updating it with the latest information as it comes through.

Source : http://www.creditcardfinder.com.au/the-sony-playstation-hack-what-it-means-outside-the-gaming-world.html

#Sony #PlayStation Network #hacked again, user passwords compromised ! - #PSN

With Sony’s PlayStation Network freshly back online, attackers have once again breached the system, this time going for a vulnerability with the system’s password reset.

This is getting (more) ridiculous. Not even two days after Sony restored its embattled PlayStation Network for most users worldwide, cyber criminals have once again launched an attack, this time going after the PSN’s password reset system. In order for users to reconnect to the PSN, they were required to reset their passwords. You know, for security reasons…

News of this third, most recent attack were originally reported on Nyleveia.com, which warned PSN users that “accounts are still not safe.”

“I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe,” writes Nyleveia. “A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth. It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.”

Following the Nyleveia post there was, in fact, some doubt that this was real. But further tests by Eurogamer proved that the breach was real, which caused prompt action from Sony. In response, the company has blocked PSN login access to a number of its site, and the PSN password reset site has also been taken offline.

Sony responded to the new attack, saying: “Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being.”

“This is due to essential maintenance and at present it is unclear how long this will take,” Sony added. “In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”

Fortunately, this round of breaches isn’t actually a “hack” in the true sense of the word — at least not if you want to be a stickler about it. The previous attacks on the PSN were true hacks in that someone broke into Sony’s network, and stole nearly 13 million credit cards, and the personal data of about 100 million people. This time, they just used some of the data that was already stolen to break into people’s accounts. Big difference, we know.

Still, this proven vulnerability is sure to give Sony more grief. Just yesterday, Sony CEO Howard Stringer defended his company’s handling of the April attacks, which resulted in the being turned off for a week before users were alerted to the data theft.

On Monday, Sony released the details of its user “Welcome Back” program, which includes free games, like ModNation Racers and Killzone Liberation, and free movie rentals. Perhaps this most recent breach will prompt them to toss in a few more options, just to keep users happy. Just a suggestion.

Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony

Sony could have prevented the breach if they’d applied some fundamental security measures such as deploying network firewalls and using fully updated Web applications, according to testimony before a Congressional committee.

Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee investigating the massive data breach of the Sony game and entertainment networks.

Sony disclosed on April 26 that thieves had stolen account information of up to 77 million users on the PlayStation Network and Qriocity. A week later, the company admitted on May 2 that the Sony Online Entertainment gaming service had also been breached, affecting an additional 24.6 million users.

About 101 million user accounts have been compromised to date. The stolen data included names, addresses, email addresses and dates of birth. Some credit card information may have been stolen, but Sony claimed the numbers were securely saved as a cryptographic hash.

What happened and what Sony is doing about the security breach are the two main questions everyone is asking, from the irate users on forums and blogs, to the various state attorneys-general planning lawsuits, all the way to Congress where lawmakers are holding hearings.

Not only did Sony fail to use firewalls to protect its networks, it was using outdated versions of the Apache Web server with no patches applied on the PlayStation Network, according to Gene Spafford, a Purdue University professor of computer science who is head of the U.S. Public Policy Council of the Association for Computing Machinery and the executive director of the Center for Education and Research in Information Assurance and Security.

Sony also did not have a firewall running on PSN’s servers. These problems were flagged on security forums two or three months prior to the April data breach, Spafford told lawmakers. Because the forums were monitored by Sony employees, Sony was well aware of the problems, according to Spafford.

Sony was large enough that it could have afforded to spend an appropriate amount on security and privacy protections of its data, Spafford said at the hearing.

While Sony declined to appear before the May 4 hearing convened by the House Committee on Energy and Commerce, the company sent an eight-page letter detailing what it is doing to the Subcommittee on Commerce, Manufacturing and Trade.

Sony has improved levels of data protection and encryption in its database and added automated software monitoring and configuration management tools to help defend against new attacks, Sony Computer Entertainment chairman Kazuo Hirai wrote in the letter. The company has also enhanced its ability to detect software intrusions, unauthorized access and unusual activity patterns in the network. Finally, it has also implemented “additional” firewalls. Sony named three network forensics firms, Data Forte, Guidance Software and Protiviti, to investigate the breach.

The breach likely “started with an “oops” somewhere,” such as a mis-configured server or a malicious e-mail attachment sent to an administrator, Jon Heimerl, director of strategic security for managed security service provider Solutionary, told eWEEK. The fact the attack was “so successful” indicates an “apparently lack of maturity” in the internal network and security controls, according to Heimerl. “How much hardening, encryption, and monitoring were in place?” he asked.

“There are no consequences for many companies that under-invest in security,” Philip Lieberman, CEO of Lieberman Software, told eWEEK. No one is holding the CIO or CSO accountable for their poor decisions. The auditors who should have provided an accurate assessment of the risks Sony faced for not being up-to-date on its technology did not do their jobs, Lieberman said.

“I would love to know the name of the auditors responsible for the shoddy IT security audit of Sony,” Lieberman said. Publicly firing the auditor would be justice for Sony’s stockholders and customers, according to Lieberman.

While Sony will face financial consequences, such as the cleanup costs, lost customers and a damaged brand, it would be “nothing near” what the consequences are for their customers, Lieberman said. The loss of personal information will “most likely” be nothing more than a cost of doing business for Sony, according to Lieberman.

 “If you are a security expert looking for a job, I would keep my eyes on the Sony Website as clearly they have significant need for experts who understand defense in depth,” Randy Abrams director of technical education ESET, said.

IT managers and senior executives say they are concerned about security and about being attacked, but they aren’t actually doing anything about it, James Lyne, senior security strategist at Sophos, told eWEEK. Enterprises invest in various security products, but only 6 percent of the purchased technology is actually being used. “They don’t even get the basic things like patching right,” Lyne said.

There’s a lot of talking, but no one seems to really be doing anything to back up their words. Enterprise defenses have to be updated, as hackers cannot exploit a vulnerability that has been patched, Paul Henry, security and forensic analyst at Lumension, told eWEEK. Hackers know enterprises regularly patch only operating systems and a handful of applications and generally forget about other software, plugins and third-party applications, Henry said.

“The security industry is without a doubt stuck in a wash-rinse-repeat cycle, waiting for an attack to happen before anyone jumps into action,” Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.

Confused About What To Believe Over The #Sony Attacks? Me Too. Read this Anyways (by Alex Poulos) - Relapse 2

There’s not many things I can really say anymore about who’s really behind the attacks on Sony. Honestly, I have no idea; there’s no telling what the case is anymore, all evidence against a few individuals that claim they are Anonymous have disappeared as well as whether it was an inside job at Sony’s homefront. One of the biggest misconceptions that the public has failed to see is that just because someone claims they are ‘Anonymous’ and leaves a file containing a tagline or a motto - doesn’t mean that it was truly any individual whom is ‘Anonymous’. From what I’ve learned and what I’ve been told by individuals that claim Anonymous - Anonymous isn’t a group, clan, organization or monarchy. Anonymous is more an idea and concept than a group of people. Of course there are people that claim the Anonymous tag and call themselves Anonymous, but at the same time that very claim becomes invalid because Anonymous truly means being Anonymous - No one takes credit, no one refuses credit, no one person is a hero or villain. Anonymous is Anonymous and should not be described in anyway shape or form as a whole sum of people.

Anonymouslogo


I think that’s for the most part what people are trying to get through to the public and the people that don’t seem to understand. Anonymous isn’t me, but is me, isn’t you, but is you - Everywhere and nowhere at the same time. When a person does an act similar to that of the attacks on Sony and claims to be Anonymous - it’s not to be considered Anonymous, due to the fact that Anonymous isn’t a group - and should therefore be claimed as “an individual claiming Anonymous” - which in part defeats their claim.

So I say to those of you who are putting the blame for the attacks on Sony onto ‘Anonymous’ - you fail to see that Anonymous isn’t a group as well is not a whole sum of people despite what you may see in the IRC channels and see posted on blogs. There are NO LEADERS - all that act are Anonymous individuals and not to be claimed as a group - but solely as individuals whom are Anonymous - concluding that the person or peoples that have attacked and stolen CC information along with personal information, who claimed to be ‘Anonymous’ as if were a group - should be instead seen as individuals CLAIMING to be Anonymous.

I hope this article has maybe opened some eyes and shined some neon light into your insight about what really is Anonymous - and that the opinions expressed in here are of my own, not to taken as fact or fiction, but as an opinion.

#Sony's #Anonymous claim: a health warning

    Sony's PlayStation Network has suffered a massive breach Sony’s PlayStation network has suffered a massive breach, allowing the theft of names, addresses and credit card data. Sony has implicated the ‘hacktivist’ group Anonymous in the security lapse. Photograph: Yuriko Nakao/Reuters

    This week, Sony Corporation claimed to Congress that its investigation of the breach by which millions of customers had their credit card numbers compromised had turned up a document left on the server in question entitled “Anonymous” and containing the phrase “We are Legion”, itself a fragment of our longtime slogan. Some have taken this as proof that Anonymous was responsible for the most significant online heists in memory. After all, the online activist movement has lately been engaged in a battle with Sony over its treatment of two individuals who taught others how to alter the PlayStation 3 in such a way as to install Linux OS on the gaming console, making Anonymous a natural suspect.

    But those observers who are most familiar with who Anonymous is – such as the dozens of journalists who have been free to watch us at work in our operational venues – tend to agree with us that the circumstances of this incident are highly suspicious, and that any investigation into the crime in question must take into account the natural question of who might benefit from such an act – in other words, a party or parties who would have an interest in smearing Anonymous.

    The perpetration of a crime for the purpose of framing another party and thereby damaging its reputation is hardly unusual. The FBI spent two decades operating a programme called COINTELPRO, by which agents would infiltrate “dangerous” groups, such as those advocating civil rights, and then promote violence by its members in order to discredit their cause in the eyes of the public and justify police crackdowns. A congressional committee that investigated the issue concluded that “the Bureau conducted a sophisticated vigilante operation aimed squarely at preventing the exercise of first amendment rights of speech and association.”

    Such practices continue today. It was only a few months ago that Anonymous’s counter-investigation into a group of federal contractors including HBGary Federal, Palantir and Belrico revealed that the three companies – collectively known then as “Team Themis” – had prepared a plan to attack WikiLeaks to submit to law firm Hunton & Williams (retained by Bank of America, panicked over the prospect of a leak concerning its executives). The scheme was to consist of such things as disinformation, placement of fake documents, clandestine operations against WikiLeaks supporter Glenn Greenwald, and “cyber attacks against the infrastructure to get data on document submitters”.

    Of course, Anonymous itself engages in attacks of that latter sort. On the other hand, Anonymous does so against dictatorships and corrupt institutions that engage in corruption alongside the state – and when we do, the FBI raids the homes of our alleged participants. Not being as respectable as our corporate counterparts, we are not permitted to act with seeming impunity.

    Now, having made enemies of the dozens of other firms whose wrongdoing we have exposed in the months since, by way of Operation Metal Gear and other crowdsourced investigations, Anonymous is accused of having committed a major crime entirely different from the campaigns of civil disobedience for which we are rightfully known. The evidence is a single document that helpfully names us as the perpetrators. Sony has thus managed to shift attention away from its own failure to protect client data, while federal agencies have been diverted into a pursuit of us, this time for a massive theft rather than popular acts of revolt. Presently, I have no proof that this action was taken by any of the powerful and sophisticated enemies we have made in the world of intelligence-contracting or law enforcement; but neither can they prove that Anonymous was responsible for this heist.

    At any rate, an investigation is being conducted by the usual people. Congress is now on the job. Even more heartening, Attorney General Eric Holder says that the justice department is taking this “very seriously”. It is good to see those two entities adopting a healthier work ethic: when, a few months ago, Representative Hank Johson called for Congress to look into the activities of Team Themis in coordination with Hunton & Williams, Representative Lamar Smith, a Republican from Texas, declined, asserting that this was the responsibility of the justice department. He did not seem to think it problematic that, as shown by the HBGary emails, it was the justice department itself that recommended Hunton & Williams to Bank of America.

    Eric Holder having presumably been too busy to investigate that particular matter, Anonymous is, of course, flattered to learn that criminal activity that allegedly involves us is a higher priority than dubious activity that definitely involved his own department. Or perhaps, there is some other explanation.

#Anonymous Response to #Sony : We didn't do it as we will never hurt the innocents !


Press Release as shown : Last month, an unknown party managed to break into Sony’s servers and acquired millions of customer records including credit card numbers. Insomuch as that this incident occurred in the midst of Anonymous’ OpSony, by which participants engaged in several of our standard information war procedures against the corporation and its executives, Sony and other parties have come to blame Anonymous for the heist. Today, in a letter directed to members of Congress involved in an inquiry into the situation, Sony claimed to have discovered a file on its servers, presumably left by the thieves in question, entitled “Anonymous” and containing a fragment of our slogan, “We are Legion.” In response, we would like to raise the following points:1. Anonymous has never been known to have engaged in credit card theft.2. Many of our corporate and governmental adversaries, on the other hand, have been known to have lied to the public about Anonymous and about their own activities. HBGary, for instance, was caught lying a number of times to the press, to the public, and to Anonymous itself (in this phone call, for instance, (http://tinyurl.com/68pbdj8) CEO Aaron Barr makes a number of untrue statements regarding the intent of his “research,” claiming for instance that he never tried to sell the information to the FBI when e-mails acquired soon showed that he had been set to do just that; executive Karen Burke was also caught lying to Bloomberg about having not seen an incriminating e-mail that she had in fact replied to just a few days before). The U.S. Chamber of Commerce lied about not having seen the criminal proposal created by them for Team Themis; Palantir lied about not having any idea what their employees were up to; Berico publicly denounced a plan that they had actively engaged in creating; etc. There is no corporation in existence will choose the truth when lies are more convenient.3. To the contrary, Anonymous is an ironically transparent movement that allows reporters in to our operating channels to observe us at work and which has been extraordinarily candid with the press when commenting on our own activities, which is why reporters prefer to talk to us for truthful accounts of the situation rather than go to our degenerate enemies to be lied to.4. Whoever broke into Sony’s servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response. On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track. The framing of others for crimes has been a common practice throughout history.5. It should be remembered that several federal contractors such as HBGary and Palantir have been caught planning a variety of unethical and potentially criminal conspiracies by which to discredit the enemies of their clients. This is not a theory - this is a fact that has been reported at great length by dozens of journalists with major publications. Insomuch as that our enemies have either engaged in or planned to engage in false flag efforts, it should not be surprising that many of the journalists who have covered us, who know who we are and what motivates us - and who have alternatively seen the monstrous behavior of those large and “respectable” firms that are all too happy to throw aside common decency at the behest of such clients as Bank of America and the U.S. Chamber of Commerce - also have their suspicions that some capable party performed this operation as a means by which to do great damage to Anonymous in the public eye. Those who consider such a prospect to be somehow unlikely are advised to read about what was proposed by Team Themis in their efforts to destroy Wikileaks, and should otherwise take a few minutes to learn about COINTELPRO and other admitted practices by the U.S. intelligence community. The fact is that Anonymous has brought a great deal of discomfort to powerful entities such as Booz Allen Hamilton, Palantir, and much of the federal government; the Justice Department in particular is likely unhappy that our efforts revealed that it was they themselves who recommended the now-discredited “law firm” Hunton & Williams to Bank of America in order that the latter might better be able to fight back against Wikileaks. All of this is now public record, and anyone who finds it laughable that those or other entities may have again engaged in tactics that they are known to have engaged in in the past is not qualified to comment on the situation.Anonymous will continue its work in support of transparency and individual liberty; our adversaries will continue their work in support of secrecy and control. The FBI will continue to investigate us for crimes of civil disobediance while continuing to ignore the crimes planned by major corporations with which they are in league.We do not forget, even if others fail to remember.
We not forgive, even if others forgive our enemies for those things for which we are attacked.
We are legion, and will remain so no matter how many of our participants are raided by armed agents of a broken system.
We are Anonymous.

BBC News - Sony hires detectives after gamers lose personal data

Visitors play games on Sony PlayStation 3The Playstation Network lets game console owners downloads games and play against friends.
-

Sony has hired investigators after a breach of security, in which the personal data of more than 100 million online game users was compromised.

Cyber-security detectives from Guidance Software and Data Forte, among others, have been brought on board, said Sony.

The Playstation Network and Sony Online Entertainment have been taken offline.

Information including names, addresses and potentially even credit card numbers was stolen in the attack.

Officials from the US Federal Bureau of Investigation (FBI) said they were looking into the breach of data, which might include some credit card numbers.

‘Outdated database’

Last week, Sony said the personal details of 77 million Playstation users may have been stolen by hackers.

On Tuesday, it said a further 25 million gamers had their personal details stolen because of a security breach.

The company said credit card details and other personal information had been taken from an “outdated database”.

The new attack went beyond users of Playstation hardware, affecting PC and Facebook gamers.

Sony said direct debit information for about 10,700 customers in Austria, Spain, the Netherlands and Germany was stolen.

It also said credit or debit card details of some 12,700 non-US customers were compromised.

#Sony Confirms #Anonymous Has Not Been Implicated With #PSN Intrusion In Any Way

Just to make it clear tonight, the final question asked at the PSN press conference dealt directly with the subject of Anonymous.

A Japanese reporter asked what involvement, if any, this infamous group had with the latest PSN intrusions.

Kaz Hirai, Sony’s EDP and Ridge Racer‘s #1 fan responded stating that Anonymous has not been implicated in any way with the current attacks.

Anonymous themselves (whoever they are) have also denied any involvement in the recent attacks.  Does this rule them out completely?  Of course not, but it’s safe to say someone else was likely responsible.

Sony is currently working with the FBI and Department of Homeland security to find out who is responsible for the intrusion, but so far they have no reason to implicate Anonymous.

Stay tuned to RipTen as our coverage of PSNightmare 2011 continues, or until we get tired of reporting on this nonsense…

PS3 - It Only Does Identity Theft (by rickymachinima) - #lulz

PS3 Parody Ad…all in good fun.

Website used in vid: http://arstechnica.com

Source: youtube.com

Hacker Got #PlayStation 77 million #PSN customers Network Users info !

Hacker Got PlayStation 77 million PSN customers Network Users info !
Sony Corp. said Tuesday a hacker had obtained customer information, possibly including credit-card numbers, of members of its online PlayStation Network, a potential problem for the quickly growing field of online gaming.


The Japanese electronics giant said it is informing its 77 million PSN customers that personal information—including names, addresses, billing history and birthdays—was obtained by an “unauthorized person” following a hacking attack that prompted Sony to shut down its Internet gaming service last week.

Top