Sony knew PSN 'had no firewall installed' - Expert

This morning, the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade began hearings on the threat of data theft to American consumers. Among those invited to testify was Sony Corp. executive vice president Kaz Hirai on the recent PlayStation Network outage and data breach. Hirai declined, instead sending a detailed account of the cyberattack to Subcommittee chairwoman Mary Bono Mack (R-CA) in the form of a letter.

One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.

Spafford testified security experts discovered discussions on forums that talked about how the PSN's security was lacking. He said that the threads revealed that the network was using old versions of the Apache Web server software, which "was unpatched and had no firewall installed." He also testified that two to three months before the attack, the vulnerability was reported "in an open forum monitored by Sony employees," but the company took no action.

"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.

As of press time, US Sony reps had not responded to requests for comments on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, which the Federal Bureau of Investigation and Department of Homeland Security are assisting in.

[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):

"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."

The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.

Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.

He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."

Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.