The Latest on the PSN Break-in and Service Restoration



05/18/2011

Kevin R. Smith
Co-Editor


A whole lot has happened since the news first broke about the Sony PlayStation Network data breach.

Among other things, there has been Congressional testimony, which should give some indication of how seriously the incident is being taken. Summarizing that testimony, the Consumerist reports in a piece on the PSN breach that,

Dr. Gene Spafford of Purdue University [who in his testimony before Congress] said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

And that's not the least of it. It gets much worse. The Consumerist piece goes on to quote Spafford as saying that,

"...Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.'

"The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches," said Spafford.

These accusations raise even more questions, like,

"Whodunnit?"

In a Reuters article on the PlayStation Network data theft, Sony points the finger at the hacktivist group Anonymous, which, Sony says, bears indirect responsibility.

Daily Kos has posted the official, lengthy and articulate response from Anonymous about the PSN break-in, which says in part,

"Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history.

"No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.

"On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.

"The framing of others for crimes has been a common practice throughout history."

In other words: Anonymous didn't do it.

So, back to the PSN and when it's coming back online.

Initially, there was discussion--and ultimately success--in bringing part of the PlayStation Network back online starting on May 14th, as reported by Joystiq.

It was short-lived, though: on May 18th a lot of users (again as reported by Joystiq, in a post called "PSN website sign-ins disabled") were greeted with a message telling them, "The server is currently down for maintenance."

Perhaps most interesting of all, Sony wasn't given permission to restart PlayStation Network services in Japan (where Sony is headquartered) 'til it met two conditions:

  1. Preventative measures
  2. Steps taken to "...regain consumer confidence over personal data such as credit card information."

Where does it stand now?

According to Engadget, which appears to have the latest as of May 18th, the PSN had to be taken offline again.

According to Sony's official blog response on the outage,

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved.

"In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3.

"Otherwise, they can continue to do so via the website as soon as we bring that site back up."

We're glad service has been restored and sorry to see it came to this.

All-in-all, the whole thing is ugly.

Some 100 million accounts appear to have been compromised; Sony may have been negligent and definitely bears some blame here; and the matter has reached a point where both U.S. and Japanese agencies are getting involved at a high level.

What should consumers do? Is this even worth thinking about?

For starters, yes, it's worth thinking about.

Security experts are definitely very concerned about phishing--and more targeted spear-phishing--attacks built on all the confidential data gleaned from the break-in.

The most obvious step would be to change your email address and close the old account, but let's be honest, that's impractical.

Short of that, the next smartest thing to do is to make sure your antivirus software is updated and your real-time protection and anti-phishing filters are turned on.

I certainly expect this data to be exploited. Practically speaking, it's a gold mine, and I for one don't believe it's a question of "if" attacks will happen but a question of "when."
