Sony knew PSN 'had no firewall installed' - Expert

[UPDATE] Purdue University's Dr. Gene Spafford tells Congressional Subcommittee that the PlayStation Network's security was outdated--and Sony was aware of it.

This morning, the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade began hearings on the threat of data theft to American consumers. Among those invited to testify was Sony Corp. executive vice president Kaz Hirai on the recent PlayStation Network outage and data breach. Hirai declined, instead sending a detailed account of the cyberattack to Subcommittee chairwoman Mary Bono Mack (R-CA) in the form of a letter.

Cybersecurity expert Dr. Gene Spafford testified before Congress that Sony knew the PSN's security was outdated.

One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.

Spafford testified that security experts had discovered forum discussions describing how the PSN's security was lacking. He said the threads revealed that the network was running old versions of the Apache Web server software, which "was unpatched and had no firewall installed." He also testified that two to three months before the attack, the vulnerability was reported "in an open forum monitored by Sony employees," but the company took no action.

"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.

As of press time, US Sony reps had not responded to requests for comments on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, which the Federal Bureau of Investigation and Department of Homeland Security are assisting in.

[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):

"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."
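As an added illustration, not code from the article or from Sony, here is a small Python audit over a constructed server inventory that flags the three conditions Spafford described: an Apache release below a policy floor, no patch applied within a set window, and no firewall in front of the host. The host names, version numbers, dates and policy thresholds are all assumptions.

```python
"""Hypothetical web-server hygiene audit (added example, not from the article).

Each inventory line is: host,apache_version,last_patch_date,firewall_present
The sample inventory below is constructed for this example.
"""
from datetime import date

# Constructed sample inventory (hosts, versions and dates are invented).
INVENTORY = """\
psn-web-01,2.2.3,2010-11-02,no
psn-web-02,2.2.17,2011-03-15,yes
store-api-01,2.0.63,2010-06-30,no
"""

MIN_APACHE_VERSION = (2, 2, 17)  # assumed policy floor for this example
MAX_PATCH_AGE_DAYS = 60          # assumed policy: patch at least every 60 days


def parse_version(text: str) -> tuple:
    """Turn '2.2.3' into (2, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def audit(inventory: str, today_iso: str) -> dict:
    """Return {host: [issues]} for every host that fails the policy."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for line in inventory.strip().splitlines():
        host, version, patched, firewall = (f.strip() for f in line.split(","))
        issues = []
        if parse_version(version) < MIN_APACHE_VERSION:
            issues.append("old-apache")      # running a release below the floor
        patch_age = (today - date.fromisoformat(patched)).days
        if patch_age > MAX_PATCH_AGE_DAYS:
            issues.append("unpatched")       # left unpatched for months
        if firewall.lower() != "yes":
            issues.append("no-firewall")     # nothing filtering inbound traffic
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    # Evaluate the inventory as of the first day of the attack named in the article.
    for host, issues in audit(INVENTORY, "2011-04-17").items():
        print(host, ", ".join(issues))
```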

The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.

Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.

He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."

Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.

Discussion

775 comments
UnderSeven

@Guggu Everyone? When Microsoft responded to the Sony thing, they said they had no intrusions on their network and all they were using for security was standard practice. You know, like having firewalls and keeping security software up to date. I can tell you that cutting costs is no excuse when it comes to personal information, financial information. I'm glad you love your PlayStation so much, because if you used a credit card on PSN that PS3 could start costing you a lot more. I'm with Riariases, saying "no firewall" is not misleading. There is no way to mince that. Either you have a firewall or you don't, and not having one is #$#@ unheard of. Get real man.

riariases

If someone hotwires your car and drives off with it, you go to the insurance company and get some cash or a new vehicle. If you leave the keys in the ignition with the doors unlocked/ajar, the insurance company isn't gonna give you sh**. Sony, lock your f***ing network up or we're not giving you any sympathy.

riariases

@Guggu Don't be dumb. It's not about reporting that Sony made a bad move. It's about reporting the truth. "No firewall installed". So what if the reporter said that? You want him to mince the truth and say something besides the truth just so he can make blind fanboys happy? Get real, man.

Guggu

I think it looks like the author of the article is deliberately trying to make Sony look even worse in regards to this security breach... "No firewall installed" among other things is very misleading. And to add to that: outdated security software is not anything new among these large corporations. Everyone is cutting costs wherever they can to save money these days. Outsourcing is very common now, and I'm not surprised that they have decided to put an update of security software on hold as that is a VERY expensive procedure to go through with. I'm pretty sure they regret that decision now and it is likely that people will lose their jobs over this, but they are not the only company in the world that holds back on upgrades as long as possible. One good thing that may come out of this whole ordeal is that it has likely opened up the eyes of a lot of people who are more likely now, than before, to make upgrades to both outdated software & hardware, to avoid getting into the same kind of mess. Better safe than sorry, right?

medic4hire

Oldman54 is completely correct. This article is mostly fabrication. Shame on you gamespot.

mortada92

Sony should have used Norton Antivirus :P Nintendo rules :D

oldman54

Why don't you read Spafford's actual testimony before buying the bull this article is shoveling. Here is what Gene Spafford actually stated in his testimony (look it up - "Spafford testimony subcommittee" should work as a search phrase): "I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." And the "they" he used in this sentence referred to a group of several companies that suffered data breaches in the months of March and April, not just Sony. The majority of his testimony addressed online security in general. This GS article is almost pure fabrication and a deliberate misinterpretation of the facts. Tor Thorsen indeed! It should be signed FUD Thorsen.

Sahle123

This is only one guy's assumption. I started to think Dr. Gene's allegations became a little farfetched when he claimed that Sony knew about an online forum aware of Sony's compromised servers... Then again, he may be right. We'll wait and see.

T03

Security is about trade-offs. You want security, you cut off the services provided. And the opposite. If you really want a secure server, you lock it in a safe underground. And even then, you can't be sure. (This I read in an IT security book somewhere.)

deathknightleo

The dude's old. First off, how am I supposed to trust the old dude?

WilliamRLBaker

@EPaul No, his claim was countered by an even less believable person.

junor69

No matter how you look at this, a stuff-up like this is going to cost Sony big time.

Shahenshah-Adam

From reading the comments on this I kind of think of Sony being even more stupid. Even WITH their security up to date they got pwned.

LordRaymond

Lol, this is based on one guy's reading and most of you are eating it up. From this article it seems he has low knowledge of security.

EPaul

Lol, this guy's claim has already been disproven. Sony's security system was updated to industry standards, but that will never stop a motivated group of hackers. Sony has some blame in this, but saying their security was outdated to Congress based on assumption is ridiculous.

coylenintendo

So they had outdated software? And no firewall installed? I'm sorry, but this just keeps getting better and even more funny. It just goes to show how cheap they are when it comes to video games. They remake the Nintendo Wii remote and slap a boring name on it, aka Move. Now they have free online play but make it incredibly easy for people to hack. They blame the hackers but left themselves wide open.

s_h_a_d_o

@the_real_VIP And you're doing nothing to help dispel the continuing spread of misinformation with the repetition of further speculative hearsay. The article you link to is already being debunked itself. Whilst I agree that the majority of media reportage has been irresponsibly sensationalist, Sony doesn't help matters (and do themselves no favour) with their perpetual reticence.

the_real_VIP

Spafford has no knowledge AT ALL of Sony's network and only ASSUMED. From Spafford's testimony: "I have no information about what protections they had in place". Now, the media is to blame for how they bring information to the masses. See Toyota's brake system, where Toyota was found not to be at fault but the media had already "destroyed" the carmaker's reputation. Sony's network was up to date and had 3 firewalls: http://bitmob.com/articles/detective-work-reveals-psn-servers-up-to-date

djdanrobbins

@TheBlackEclipse - I never said it was ok.

GSuser10

Besides stating the obvious and saying that the hackers are responsible... why can't Sony just say that they messed up and are at fault too by not having up to date software and whatever else, and correct all this, so people can have PSN back WITH up to date protection.

UrbanMessiah

Sooo they can issue firmware after firmware update to save their software from pirates, but can't be bothered to update their security to safeguard sensitive consumer information? Niiiiiice...

servb0ts

Call and cancel your CC#, buy PSN cards, forgive Sony. Problem solved.

dawnofhero

Sony, don't be so pathetic. I have the nerve to abandon your game systems if this half-ass behavior of yours isn't fixed before PSN is.

mickey_mickey48

Hmm, then what you're suffering now, Sony, is very well deserved.

KhanBloodsucker

Yeah, because it being impervious to attack a few years ago means that it shouldn't be kept up to date...smh. Hubris once again sinks SCE.

BirgitteSilver

Nevermind that the "old" software has NO KNOWN VULNERABILITIES. Heaven forbid that crucial piece of information be posted here on Gamespot.

master_foam

Sony... Sony, you make me more mad with each article I read... p!ss poor.

punksterdaddy

This is what happens if you care so little about your own customers accounts, karma comes and bites you on the arse! I have no sympathy for Sony now after this article, this is a disgrace to all concerned and I bet they will be wanting to cut their losses now with the PS3, maybe?

KimCheeWarriorX

With this hacker attack fiasco, I'd be amazed if Sony even nets a profit from the PS3 now. *braces himself for fanboy attacks*

godzillavskong

Of course they did Dr. Gene! stfu! It's said and done, so we have to move on. They don't want my credit anyways!!lol

smellyfeet

My gawd, they didn't even have ZoneAlarm? ;)

hasancakir

I thought so too. It is obvious the security wasn't enough. You don't need to be an expert to say that.

kus3pt

Microsoft would not lend any software to them xP (I'm a PS3 guy... not an Xbox fanboy)

_Silent_Jay_

No, it's like removing all the windows and doors from your house while leaving a big sack of (not your) money sitting in your living room with a note attached to it saying "Please don't take me." Sure, it's awful that it happened, but what would you expect?

Rikudo-Pein

This is like saying "It's your fault your house wasn't secure enough, therefore it's your fault you were robbed" - and the robber gets away with everything. But in this case it's the hacker.

vanitas11

Think about this. What if the old guy that helped develop the PS1 and just recently died hacked the PSN, stole all that data, gave it back to Sony and blamed Anonymous?

KrazzyDJ

Even the firewall in my Desktop is up to date !!!

nanorazor

I'm not going to make a large reaction. Sony, you big bunch of disorganized people. Let's hope Sony learns a lesson from all this and builds new security. And reorganizes the company (mainly the game sector). There's no need for us customers to get angry (it's proven to shorten our life span); we just need to act. It's still the hackers' fault, but mainly Sony's fault for letting them in.

Phatjam98

LOL what is this amateur hour at Sony? Who builds a network without an updated firewall?

face-exploder

I watched a good majority of the CSPAN video... And I do have to say that while being hacked was probably unavoidable, I do not think Sony should have saved all those 2007 credit card records... especially if they did, in fact, use an outdated security system.

voldalin

So the guy read a few posts on a forum. I don't call this proof enough. I'm sure Sony has nothing to worry about from this fat head. Everyone is getting hacked these days whether their security is good or bad. If Sony can fix it then let it be. Go after the hacker who actually broke the law.

TheBlackEclipse

@djdanrobbins Just because other companies have crappy security systems doesn't make it okay that Sony does too. This is a company that MAKES computers for God's sake, and they don't have the common sense to update their servers with the latest patches? That's outrageous. I guarantee that companies that store the credit card info of their customers have up to date security, it just makes sense. It's not even difficult to update servers. Sure, there'd be downtime while they updated the servers, but that's better than the potential identity theft of 70 million people.

TheBlackEclipse

It's okay Sony. Firewalls are tough... You gotta click stuff AND type things in to set that stuff up on a server. Unless you've got brilliant minds from MIT, it's not easy.

MrCoolGuy420

Why is it that everyone wants to sue Sony now after these parasites hacked the PSN? It's not Sony's fault and they aren't the ones who should be sued; it's the hackers that stole everyone's information, they're the ones that should pay the price, not Sony. Sony provides millions of people with free online services, and I don't get why people use their credit cards online anywhere. This is why companies like Sony and Microsoft have PSN cards and Microsoft Points cards, and websites like PayPal exist. These were made for a reason, as a safe alternative to using credit cards. Why can't people see that? I really don't understand it.

meister_209

In the tech age of hackism nothing seems real safe. As for Sony, I'm sure that they'll bounce back in time, hopefully with a clearer perspective of how vulnerable their systems are, to which I must say that they unfortunately learned the hard way to save "face" with their customers... As for Xbox 360, be alert. STAY STRONG! SONY.