Sony's Private Key Files

Maybe a discussion for the Agile blog, to talk about what we can do to be safe(r) with situations like the one Sony has found itself in. As far as I've read, they haven't revoked the certificates of their potentially compromised key files, possibly opening up users of their software to attack. With so much of our lives dependent on how others take care of our data (Apple, Google, Amazon) it almost seems dauntingly hopeless to stay ahead of trouble these days, secure passwords or not.

Comments

  • It's generally best to include a link to what you're talking about to avoid confusion.
    Are you talking about the incident from 3 years ago or is this something new?

  • Sorry I didn't add any links. Here's one and here's another.

    I don't know anything about Sony three years ago.

    Maybe it's all overblown, I don't know.

  • If I've read it correctly then there's really not a lot we can do in situations like this other than avoid using Sony services until they've revoked and re-issued keys.

  • So is there anything I can reason about these certificates? I really don't understand this part at all. Is it something like a certificate that lets my computer know it's a trusted program to download? So if these hackers have the ones that Sony has, people will download stuff they think is from Sony and it can be malware?

  • @prime, possibly, although the linked article didn't seem to mention code signing keys. It appeared to be mostly remote access authentication keys controlling access to Sony's business systems. Let's just hope that their SSL keys weren't compromised.
    Hard to rule anything out though without more info.

  • BenBen AWS Team

    Team Member

    Without knowing exactly what was stolen it is difficult to speculate what possible damage there could be in the fallout of this attack. There are already reports that Sony's stolen certificates are being used to validate malware:

    That said, if you don't use Sony software, or software claiming to be from Sony, I haven't seen reports of other difficulties for end users. Difficulties for Sony? Yes. Difficulties for you and I? Not as likely.

  • That said, if you don't use Sony software, or software claiming to be from Sony, I haven't seen reports of other difficulties for end users. Difficulties for Sony? Yes. Difficulties for you and I? Not as likely.

    Remember there's also the potential that malware could be distributed via the PlayStation Network so it's not necessarily just Sony software, although granted, it is a Sony platform.

  • BenBen AWS Team

    Team Member

    Excellent point. :)

This discussion has been closed.