Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Sony, Next Big Software Company?Sony, Next Big Software Company?

Every day we’re hearing of a company running through a round of layoffs or going out of business, it’s really not a happy time. Sony is not immune to the economic troubles either. Sony is talking restructuring and that involves a potential head count reduction of 16,000 jobs due to plant closings.

floppyThis leaves Sony with some hard decisions. Restructuring can mean drastic changes that effect all their product lines. The PlayStation 3 isn’t currently a shining example of high profit margins. The console needs time to reduce its overall cost, chip sizes and bring profitability. Is it in danger?

“Sony’s not in a position to halt all domestic production but it has to do something that drastic,” said Mitsushige Akino, chief fund manager at Ichiyoshi Investment Management. “If it announces plans to move production overseas while keeping only planning and development functions in Japan, that would be a positive.” (gamestooge)

The yen is losing value in our global economy making it more difficult to export the product and build any type of profitability plan. “A source said this month the company will likely suffer an annual operating loss of about $1.1 billion, its first such loss in 14 years” (news.yahoo.com) All this noise is making CEO Howard Stringer contemplate Sony’s involvement as a “software only” company, making us recall the changes at SEGA to this same result.

The Financial Times reported Sony will unveil details of its restructuring steps on Wednesday or Thursday. It said Chief Executive Howard Stringer was meeting with resistance from some executives to shifting the company’s focus to software from hardware and cutting jobs in Japan. (news.yahoo.com)

Is this just a case of a fearful executive trying to lay plans for a more stable future? Software is easier to develop, pays for itself quickly and becomes pure profit as it ages. Hardware requires constant upkeep at manufacturing facilities, chip reductions and a boat load of quality planning for first shipment. Would Sony go full software?

Let’s face it, Sony isn’t SEGA, they’ve been developing hardware for consumers since anyone can remember and they’ve been doing it with quality and market penetration. It seems absurd to think they’d forgo hardware designs in replacement of a full software solution to the problem. In addition, Sony has already invested a large amount of cash into seeing PS3 through it’s 10-year plan and letting that die now is realizing a huge loss on investment.

If Sony pushes through the economic and maintenance course, the PS3 will become highly profitable, much like the PS2 last generation (with a slower ramp up for sales). Even if they break even after ten years it seems a lot better than throwing all the effort away.

Perhaps Howard Stringer is talking “software” for the next generation home console? You think Sony will create a PlayStation 4?

Wolfenstein for PC, Xbox 360 and PlayStation 3Wolfenstein for PC, Xbox 360 and PlayStation 3

When you hear the word Wolfenstein what game do you think of? Constantly, I recall Wolfenstein 3D and all the memorable times I had building my first person shooter fingers. From a new-generation FPS perspective, Return to Castle Wolfenstein for the PC back in 2001 was my last touch on a Wolfenstein game series. I enjoyed it a great deal and would love to see more out of the game series.

It seems Activision and Raven Software are working on a PC, Xbox 360 and PlayStation 3 game, currently titled Wolfenstein set to be released “when it is done.” The game follows the same concepts as most of the Wolfenstein titles of the past, a bit of dark science fiction and undead matched with World War II settings with Nazi’s and the main character BJ Blazkowicz.

This series seems to be full of re-hash and repeat with plots, characters and overall feel. Developers seem to favor re-makes over sequels to the famous franchise, eventually putting out one or two sequels of their re-make hits well with customers.

Is this the correct direction for the Wolfenstein franchise? In my humble opinion, it doesn’t really matter to me because I’m such a fan of the series. Perhaps they will continue to re-make the game until the larger demographic screams “Not again!”

(Thanks, Eurogamer)

Episode 232: Remember Pong?Episode 232: Remember Pong?

This week, there’s no Gaming Flashback or Gaming History, but there is a ton of news and Reader Feedback as Paul is finally present to react to some hate mail.

The news includes some huge items, like:

The Question of the Week: What was the very first home videogame you ever played?