Tim Armstrong looks at the timeline of the Sony breach and pieces together the relevant details at each point in time. He discusses the known facts of the case and the potential future fallout.

Today is May 17, almost exactly a month after the massive breach of Sony’s PSN network. If you live in North America then you may be pleased to know that the Playstation network has finally come back online. Due to the enormous amount of subscribers to the service, the restart has been a bit shaky, with reports of password reset emails clogging ISP mail servers. Despite the hiccups, it seems that the service is gradually returning.

If you are a customer of the Sony service, you will need to immediately change your password as well as install a firmware update to your system. Sony has pledged a much stronger security environment to its customers and partners, and this appears to be the beginning of many changes. Sony has previously stated that they have rebuilt the entire network from scratch and moved their PSN infrastructure to a new data center in an undisclosed location. I’m not sure why this emphasis on security wasn’t a focus of the original model, but maybe Sony can prevent future mishaps. Perhaps all the additional outside scrutiny will help, but only time will tell.

In the past few days we have read about how the Playstation Network has been hacked, and very sensitive information such as credit card information has been stolen. We are now seeing more activity in the underground community. According to a forum post at PSX-scene rumors are spreading that the stolen information also includes the CCV2 numbers. A user on the underground forum Darkode says that the format of the stolen data would supposedly be:fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date

But In a statement from Sony on their playstation-blog they write that the hacker does not have access to the CCV2 code, the statement follows:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”

The question is who is correct?

I would recommend everyone with a PSN account to request a new card from your bank, and if you use the same password for Facebook, MSN, email or forums that you used on the PSN I would recommend thatyou change it on those other sites.

After a long service black out Sony reported yesterday that their PSN gamer network has been compromised. Sony further admitted that all kinds of user data had become available to an unknown attacker.  Some of the personal details available to the attackers include your name, address, and email address, date of birth, PSN login name and password.  In fact even password security answers may have been obtained.  In addition to these items Sony stated “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."  Sony does not speculate on when their network may come back online but states that they are rebuilding it, and undergoing external security audits.

Modern game consoles are not only dedicated to gaming anymore, they rather offer a great variety of entertainment and many methods to support the whole gaming experience by offering platforms to meet other gamers from around the globe, share thoughts via private messages and status updates, a fully fledged browser to surf the web, media server capabilities and even online stores to buy games and additional game content via credit cards and gift coupons, which can be bought at shops if you're not having a credit card.

Does that remind you of something? Indeed, it's actually pretty similar to a social network - and it can also be connected to Facebook & Co. to keep your friends updated what trophies or achievements you just won.

In terms of security the vendors of these consoles did a pretty good job, all inner systems got hardened and signed installers made sure you can't install anything you want - which may annoy some people but keeps the system secure. But now it seems like the game has changed for the PS3. While it was possible to jailbreak the system with specially crafted USB sticks before, the first soft-mods are now available. The reason behind this? Four years after the release of the PS3 the master key was now found out by a group of modders. Many gamers now take their chance to individualize their system by installing a home-brew environment that allows to roll out programs unapproved by Sony.

So what are the consequences? First of all, many people will jailbreak the PS3 just for the sake of it, because it's considered fashionable as it is with the iPhone, as my colleague Costin points out in a recent issue of Lab Matters. Unfortunately most people are unaware that this might open the floodgates for malicious or unwanted software. Parallels to the Ikee worm on iPhones are inevitable. This worm spread itself only via jailbreaked iPhones - making apparent how many devices are actually jailbroken and how dangerous this can be. And now home-brew software variants for the Playstation 3 have been released and are spreading through the web over different sources. Who knows what's behind those offers? The original intention of the programs might be benign, but who knows if the installer package has been compromised and re-offered for downloading?

As pointed out before, buying games and related content from the online shop via credit card is popular and potentially dangerous if homebrew software is installed,as the software could carry out a man-in-the-middle attack or redirect to phishing sites. Alternatively, installed games or the respective game scores could be blocked and thus the software would act as ransomware or send out spam via the internal message system... There are many malicious possibilities that the bad guys can utilize for financial profit!

Are these scenarios realistic? -Unfortunately yes

Is it going to happen? -I hope not...

Malicious programs for computers have been around for more than 20 years. It was the birth of the Internet which really enabled these digital pests to make a breakthrough.

Until now, gaming consoles have been more or less immune to malware. Yes, there're been Trojans for the Nintendo DS console (Trojan.Nintendo.Taihen.a and .b) and for the Sony Portable Playstation (Trojan.PSP.Brick.a) but the number of victims has been small. This is because the user has to tweak the console in order for so-called homebrew software (i.e. software not certified by the console manufacturer) to run.

There's a Linux distribution available for the Sony Playstation 2 (which will also be available for Playstation 3) which just cries out for programming. However, any programs created will only run on Playstations which have the distribution installed.

Microsoft recently announced that in future, users will be able to purchase a development kit with a $99 a year registration fee - no Linux here. Programs developed using the kit will only run on Xboxes where the user has also paid the registration fee, and they can only be copied to another console as source code. From a security point of view, this is a wise decision.

I hope that things won't change much in the near future. If Sony, Microsoft , Nintendo or hackers made it possible to easily download programs developed by users via the Internet, Pandora's box would be opened. The combination of unprotected gaming consoles, the Internet and the possibility of previously unknown vulnerabilities would lead to gamers who had been immune to malware becoming a target for virus writers.

Trojans for gaming platforms are taking off - Sony PlayStation Portables last week, Nintendo DS - today. That takes care of two major handheld entertainment systems. MS Xbox next week?

So far the only result is broken consoles. And only for people who chose to download suspicious files or pirated games. However, any time virus writers break open a new platform, the community should take notice.

Anyway, now that our computer games have been violated, are fridges next?

By the way, we detect the Sony Trojan Trojan.PSP.Brick.a, and the Nintendo Trojan as Trojan.Nintendo.Taihen.a.