Sunday, May 1, 2011

Sony Says Data Is Protected, Attackers Say It's for Sale (PC World)

Sony has attempted to allay customer fears by stating that the credit card data was encrypted, but the attackers claim to be already selling that credit card data online. Either one of these parties is stretching the truth, or data encryption does not offer the level of protection we believe it does.

In a blog Q&A about the PlayStation Network outage, Sony states, "The entire credit card table has been encrypted and we have no evidence that credit card data has been taken." Sony went on to claim that it never collects the three-digit CVV number from the back of the card, but later amended that claim to say that it does collect that information but does not store it.

for sale on the black market forums online. One of these things is not like the others. It seems difficult, if not impossible, to justify how both parties can be telling the truth.

Unfortunately, it is indeed possible that the data was encrypted as Sony claims and still compromised as the attackers allege. It all depends on how the data was encrypted, and how the attackers breached the Sony network.

AppRiver security analyst Troy Gill said that nothing is really known at this stage, but added that if the data was encrypted as Sony claims, it is still possible that the attackers have cracked the encryption by now. "First of all, it depends on what hash function is used to encrypt the data; it is clear that if a lower level of encryption is used, then it would be easy to break. The amount of resources that the hackers were using to break the encryption could also be a factor in the time that it would take."

Anton Chuvakin, security expert and co-author of PCI Compliance, notes that database table encryption is often poorly implemented. Organizations often use hardcoded encryption keys that an attacker can easily find once they have access to the network in the first place.

Tim "tk" Keanini, CTO of nCircle, says, "If the encryption key was stored unencrypted somewhere convenient for the system, it may also be convenient for the hacker." Keanini also stressed that all we really have to go on right now are assumptions, but pointed out that even an unsophisticated attacker may find a way to circumvent or bypass weak security practices.

Anup Ghosh, founder and Scientific Director of Invincea, explained that even encrypted data is accessed and used internally, and decryption generally happens seamlessly for authorized systems or users. Thus, while the encrypted data may be gibberish if extracted directly from the database, an attacker need only find the right system on the network to be able to pull the information from the database unencrypted.

All these points address the feasibility or probability that Sony could be telling the truth about encrypting the data, and yet the data could be decrypted and available on the black market. However, we still have the issue of Sony claiming not to have stored the credit card CVV data at all, and yet the attackers claim to have that essential and much sought-after data as well.

If that proves to be true, Sony could be in big trouble with the PCI-DSS powers that be. Chuvakin says that PCI-DSS guidelines are very clear about CVV data: the three-digit code from the back of the credit card can never be stored in any form, whether encrypted or unencrypted. The attackers may have intercepted the CVV data in transit rather than acquiring it from the database, but if this information is stored in the database, Sony has some explaining to do.
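The storage rule Chuvakin describes can be checked mechanically. The following is an added example, not code from the article, Sony or the PCI Council: it audits exported table rows and flags any populated CVV-style column (a finding even when the value is ciphertext) as well as card numbers left in cleartext. The column-name patterns and the sample rows are assumptions constructed for illustration.

```python
import re

# Hypothetical column-name patterns that suggest a verification code is persisted.
CVV_COLUMN = re.compile(r"(cvv|cvc|card_?security_?code)", re.I)
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_rows(rows):
    """Return (row_index, column, finding) for each storage violation."""
    findings = []
    for idx, row in enumerate(rows):
        for col, value in row.items():
            if CVV_COLUMN.search(col):
                # Any stored value is a violation, encrypted or not.
                if value not in (None, ""):
                    findings.append((idx, col, "cvv_stored"))
                continue
            for m in PAN_CANDIDATE.finditer(str(value)):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    findings.append((idx, col, "cleartext_pan"))
                    break
    return findings


# Constructed sample rows; 4111... is a well-known test number, not real data.
SAMPLE = [
    {"user": "a", "card": "4111 1111 1111 1111", "cvv_enc": "9f3ab2"},
    {"user": "b", "card": "ENC:constructed-ciphertext", "cvv_enc": None},
    {"user": "c", "card": "1234567890123456", "cvv_enc": ""},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE):
        print(finding)
```

Row "c" is not flagged because its 16 digits fail the Luhn check, which keeps order numbers and similar identifiers from drowning out real findings.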

It seems that if Sony is telling the truth about encrypting the data, it was not encrypted very well. It is also possible that the attackers are bluffing, or outright lying to try to find a sucker willing to pay for data that they do not really have. Time will tell.
