Sony knew PSN 'had no firewall installed' - Expert

[UPDATE] Purdue University's Dr. Gene Spafford tells Congressional Subcommittee that the PlayStation Network's security was outdated--and Sony was aware of it.


This morning, the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade began hearings on the threat of data theft to American consumers. Among those invited to testify was Sony Corp. executive vice president Kaz Hirai on the recent PlayStation Network outage and data breach. Hirai declined, instead sending a detailed account of the cyberattack to Subcommittee chairwoman Mary Bono Mack (R-CA) in the form of a letter.

Cybersecurity expert Dr. Gene Spafford testified before Congress that Sony knew the PSN's security was outdated.

One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.

Spafford testified that security researchers had found forum discussions describing how the PSN's security was lacking. According to him, those threads revealed that the network was running old versions of the Apache Web server software that "was unpatched and had no firewall installed." He also testified that the problem had been reported "in an open forum monitored by Sony employees" two to three months before the attack, but that the company took no action.

"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.

As of press time, US Sony reps had not responded to requests for comment on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, an investigation the Federal Bureau of Investigation and the Department of Homeland Security are assisting with.

[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):

"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."
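The discovery Spafford describes above is, at bottom, an inventory problem: nobody compared what each server advertised against what the team considered current. As an added illustration that is not part of the GameSpot article, Spafford's testimony or anything Sony published, the following Python check shows that inventory step. It parses the `Server` banner each host returns, separates Apache httpd from everything else, and flags builds older than an internally chosen baseline. The hostnames, banners and the baseline version are constructed for the example and say nothing about what PSN actually ran.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners for the example; none of these were captured
# from any Sony host, and the hostnames are placeholders.
SAMPLE_BANNERS: Dict[str, str] = {
    "login-1.example": "Apache/2.2.3 (CentOS)",
    "login-2.example": "Apache/2.2.17 (Unix) mod_ssl/2.2.17",
    "store-1.example": "Apache",            # ServerTokens Prod hides the version
    "cdn-1.example":   "nginx/0.8.54",      # not Apache at all
}

# Assumed baseline: the oldest httpd build the team still accepts at audit
# time. It is a parameter of the audit, not a claim that older releases
# carry any particular vulnerability.
BASELINE: Tuple[int, int, int] = (2, 2, 17)

# Matches "Apache" or "Apache/x.y.z" as the product token, followed by a
# space (more tokens) or end of string. "Apache-Coyote/1.1" (Tomcat) is
# deliberately not treated as httpd.
_APACHE_RE = re.compile(r"^Apache(?:/(\d+)\.(\d+)\.(\d+))?(?=\s|$)")


def parse_apache_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for an httpd banner, () if the banner
    says Apache but hides the version, or None if it is not httpd."""
    m = _APACHE_RE.match(banner.strip())
    if m is None:
        return None
    if m.group(1) is None:
        return ()
    return tuple(int(g) for g in m.groups())


def classify(banner: str, baseline: Tuple[int, int, int] = BASELINE) -> str:
    """Bucket one Server banner relative to the baseline."""
    version = parse_apache_version(banner)
    if version is None:
        return "not-httpd"
    if version == ():
        return "httpd-version-hidden"      # needs a look at the box itself
    if version >= baseline:
        return "httpd-at-or-above-baseline"
    return "httpd-below-baseline"


def audit(banners: Dict[str, str],
          baseline: Tuple[int, int, int] = BASELINE) -> Dict[str, str]:
    """Classify every host; returns a host -> bucket map."""
    return {host: classify(banner, baseline) for host, banner in banners.items()}


def hosts_needing_attention(banners: Dict[str, str],
                            baseline: Tuple[int, int, int] = BASELINE):
    """Hosts that are either below baseline or hide their version."""
    wanted = {"httpd-below-baseline", "httpd-version-hidden"}
    return sorted(h for h, bucket in audit(banners, baseline).items()
                  if bucket in wanted)


if __name__ == "__main__":
    for host, bucket in audit(SAMPLE_BANNERS).items():
        print(f"{host:18} {SAMPLE_BANNERS[host]:40} {bucket}")
    print("follow up on:", hosts_needing_attention(SAMPLE_BANNERS))
```

Two caveats a practitioner would attach to this. First, a banner is a lead, not a verdict: distribution packages backport security fixes without changing the advertised version, so an old-looking build may be fully patched, while `ServerTokens Prod` hides the version without fixing anything. Confirm the real patch level from the package manager on the host. Second, nothing in an HTTP banner tells you whether a firewall sits in front of the server; that has to be checked from the outside with a port scan, or by reviewing the filter rules themselves.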

The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.

Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.

He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."

Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.


Comments

UnderSeven:
@Guggu Everyone? When Microsoft responded to the Sony thing, they said they had no intrusions on their network and all they were using for security was standard practice. You know, like having firewalls and keeping security software up to date. I can tell you that cutting costs is no excuse when it comes to personal information, financial information. I'm glad you love your PlayStation so much, because if you used a credit card on PSN that PS3 could start costing you a lot more. I'm with Riariases: saying "no firewall" is not misleading. There is no way to mince that. Either you have a firewall or you don't, and not having one is #$#@ unheard of. Get real, man.

riariases:
If someone hotwires your car and drives off with it, you go to the insurance company and get some cash or a new vehicle. If you leave the keys in the ignition with the doors unlocked/ajar, the insurance company isn't gonna give you sh**. Sony, lock your f***ing network up or we're not giving you any sympathy.

riariases:
@Guggu Don't be dumb. It's not about reporting that Sony made a bad move. It's about reporting the truth. "No firewall installed". So what if the reporter said that? You want him to mince the truth and say something besides the truth just so he can make blind fanboys happy? Get real, man.

UntraceableHaze:
Lemme guess, they wanted to save money.

Guggu:
I think it looks like the author of the article is deliberately trying to make Sony look even worse in regards to this security breach... "No firewall installed" among other things is very misleading. And to add to that: outdated security software is not anything new among these large corporations. Everyone is cutting costs wherever they can to save money these days. Outsourcing is very common now, and I'm not surprised that they have decided to put an update of security software on hold, as that is a VERY expensive procedure to go through with. I'm pretty sure they regret that decision now and it is likely that people will lose their jobs over this, but they are not the only company in the world that holds back on upgrades as long as possible. One good thing that may come out of this whole ordeal is that it has likely opened up the eyes of a lot of people, who are more likely now than before to make upgrades to both outdated software and hardware to avoid getting into the same kind of mess. Better safe than sorry, right?

medic4hire:
Oldman54 is completely correct. This article is mostly fabrication. Shame on you, GameSpot.

mortada92:
Sony should have used Norton antivirus :P Nintendo rules :D

oldman54:
Why don't you read Spafford's actual testimony before buying the bull this article is shoveling. Here is what Gene Spafford actually stated in his testimony (look it up; "Spafford testimony subcommittee" should work as a search phrase): "I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." And the "they" he used in this sentence referred to a group of several companies that suffered data breaches in the months of March and April, not just Sony. The majority of his testimony addressed on-line security in general. This GS article is almost pure fabrication and a deliberate misinterpretation of the facts. Tor Thorsen indeed! It should be signed FUD Thorsen.

Sahle123:
This is only one guy's assumption. I started to think Dr. Gene's allegations became a little farfetched when he claimed that Sony knew about an online forum aware of Sony's security-compromised servers... Then again, he may be right. We'll wait and see.

T03:
Security is about trade-offs. You want security, you cut off the services provided. And the opposite. If you really want a secure server, you lock it in a safe underground. And even then, you can't be sure. (This I read in an IT security book somewhere.)

deathknightleo:
The dude's old. First off, how am I supposed to trust the old dude?

kyzee_zul:
pawned!!!!! :D :D

WilliamRLBaker:
@EPaul No, his claim was countered by an even less believable person.

junor69:
No matter how you look at this, a stuff-up like this is going to cost Sony big time.

Shahenshah-Adam:
From reading the comments on this I kind of think of Sony being even more stupid. Even WITH their security up to date they got pwned.

LordRaymond:
Lol, this is based on one guy's reading and most of you are eating it up. From this article it seems he has low knowledge of security.

EPaul:
lol this guy's claim has already been disproven. Sony's security system was updated to industry standards, but that will never stop a motivated group of hackers. Sony has some blame in this, but saying their security was outdated to Congress based on assumption is ridiculous.

coylenintendo:
So they had outdated software? And no firewall installed? I'm sorry, but this just keeps getting better and even more funny. It just goes to show how cheap they are when it comes to video games. They remake the Nintendo Wii remote and slap a boring name on it, aka Move. Now they have free online play but make it incredibly easy for people to hack. They blame the hackers but left themselves wide open.

s_h_a_d_o:
@the_real_VIP And you're doing nothing to help dispel the continuing spread of misinformation with the repetition of further speculative hearsay. The article you link to is already being debunked itself. Whilst I agree that the majority of media reportage has been irresponsibly sensationalist, Sony doesn't help matters (and do themselves no favour) with their perpetual reticence.

the_real_VIP:
Spafford has no knowledge AT ALL of Sony's network and only ASSUMED. From Spafford's testimony: "I have no information about what protections they had in place". Now, the media is to blame for how they bring information to the masses. See Toyota's brake system, where it was found Toyota was not at fault, but the media had already "destroyed" the carmaker's reputation. Sony's network was up to date and had 3 firewalls: << LINK REMOVED >>

djdanrobbins:
@TheBlackEclipse - I never said it was ok.

GSuser10:
Besides stating the obvious and saying that the hackers are responsible... why can't Sony just say that they messed up and are at fault too by not having up-to-date software and whatever else, and correct all this, so people can have PSN back WITH up-to-date protection?

UrbanMessiah:
Sooo they can issue firmware after firmware update to save their software from pirates, but can't be bothered to update their security to safeguard sensitive consumer information? Niiiiiice...

servb0ts:
Call and cancel your CC#, buy PSN cards, forgive Sony. Problem solved.

dawnofhero:
Sony, don't be so pathetic. I have the nerve to abandon your game systems if this half-ass behavior of yours isn't fixed before PSN is.

mickey_mickey48:
Hmm, then what you're suffering now, Sony, is very well deserved.

KhanBloodsucker:
Yeah, because it being impervious to attack a few years ago means that it shouldn't be kept up to date... smh. Hubris once again sinks SCE.

BirgitteSilver:
Nevermind that the "old" software has NO KNOWN VULNERABILITIES. Heaven forbid that crucial piece of information be posted here on GameSpot.

master_foam:
Sony... Sony, you make me more mad with each article I read. P!ss poor.

punksterdaddy:
This is what happens if you care so little about your own customers' accounts: karma comes and bites you on the arse! I have no sympathy for Sony now after this article. This is a disgrace to all concerned, and I bet they will be wanting to cut their losses now with the PS3, maybe?

KimCheeWarriorX:
With this hacker attack fiasco, I'd be amazed if Sony even nets a profit from the PS3 now. *braces himself for fanboy attacks*

godzillavskong:
Of course they did, Dr. Gene! stfu! It's said and done, so we have to move on. They don't want my credit anyways!! lol

smellyfeet:
My gawd, they didn't even have ZoneAlarm? ;)

hasancakir:
I thought so too. It is obvious the security wasn't enough. You don't need to be an expert to say that.

kus3pt:
Microsoft would not lend any software to them xP (I'm a PS3 guy... not an Xbox fanboy)

_Silent_Jay_:
No, it's like removing all the windows and doors from your house while leaving a big sack of (not your) money sitting in your living room with a note attached to it saying "Please don't take me." Sure, it's awful that it happened, but what would you expect?

Rikudo-Pein:
This is like saying "It's your fault your house wasn't secure enough, therefore it's your fault you were robbed" - and the robber gets away with everything. But in this case it's the hacker.

Lexaeus775:
I smh at you, Sony.

vanitas11:
Think about this. What if the old guy that helped develop the PS1 and just recently died hacked the PSN, stole all that data, gave it back to Sony and blamed Anonymous?

KrazzyDJ:
Even the firewall in my desktop is up to date!!!

nanorazor:
I'm not going to make a large reaction. Sony, you big bunch of disorganized people. Let's hope Sony learns a lesson from all this and builds new security. And reorganizes the company (mainly the game sector). There's no need for us customers to get angry (it's proven to shorten our life span); we just need to act. It's still the hackers' fault, but mainly Sony's fault for letting them in.

Phatjam98:
LOL what is this, amateur hour at Sony? Who builds a network without an updated firewall?

face-exploder:
I watched a good majority of the CSPAN video... and I do have to say that while being hacked was probably unavoidable, I do not think Sony should have saved all those 2007 credit card records... especially if they did, in fact, use an outdated security system.

voldalin:
So the guy read a few posts on a forum. I don't call this proof enough. I'm sure Sony has nothing to worry about from this fat head. Everyone is getting hacked these days whether their security is good or bad. If Sony can fix it then let it be. Go after the hacker who actually broke the law.

face-exploder:
Wow, Sony... that's weak!

TheBlackEclipse:
@djdanrobbins Just because other companies have crappy security systems doesn't make it okay that Sony does too. This is a company that MAKES computers, for God's sake, and they don't have the common sense to update their servers with the latest patches? That's outrageous. I guarantee that companies that store the credit card info of their customers have up-to-date security; it just makes sense. It's not even difficult to update servers. Sure, there'd be downtime while they updated the servers, but that's better than the potential identity theft of 70 million people.

TheBlackEclipse:
It's okay, Sony. Firewalls are tough... You gotta click stuff AND type things in to set that stuff up on a server. Unless you've got brilliant minds from MIT, it's not easy.

MrCoolGuy420:
Why is it that everyone wants to sue Sony now after these parasites hacked the PSN? It's not Sony's fault and they aren't the ones who should be sued; it's the hackers that stole everyone's information. They're the ones that should pay the price, not Sony. Sony provides millions of people with free online services, and I don't get why people use their credit cards online anywhere. This is why companies like Sony and Microsoft have PSN cards and Microsoft Points cards and websites like PayPal exist. These were made for a reason, as a safe alternative to using credit cards. Why can't people see that? I really don't understand it.
