Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Sony to Testify In Person Re: PSN OutageSony to Testify In Person Re: PSN Outage

Sony will finally be sending a high-level executive to testify before the US House of Representatives’ Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade on the three week outage of PlayStation Network and Sony’s slowness in informing its customers on the compromising of personal and credit card data.

Ken Johnson, an aide to subcommittee chairwoman Mary Bono Mack (R-CA), told The Atlantic Magazine that Tim Schaff, president of Sony Network Entertainment, would testify before the subcommittee next week:

“While Chairman Bono Mack remains critical of Sony’s initial handling of the data breaches, she also is appreciative that the company has now agreed to testify. The Chairman firmly believes that the lessons learned from…the Sony…experiences can be instructive and guide us as we develop comprehensive data protection legislation. We expect to introduce that legislation, which will provide new safeguards for American consumers, in the next few weeks.”

Previously, Sony’s Kaz Hirai had only sent his testimony in a letter to the Committee.

Australian PSN Restoration DelayedAustralian PSN Restoration Delayed

The Japanese government has not allowed PlayStation Network to be activated for Japanese gamers yet due to security concerns, and now an expert is advising Australia to follow suit.

Professor Bill Caelli told newspaper The Australian, “Why is it that in the IT industry enterprises certify themselves?” said Caelli, noting that PSN didn’t have the same restrictions, and added that the public has “no way of assessing the assurances given by the owners of the (PSN) system themselves”.

Reportedly, Australian privacy commissioner Timothy Pilgrim has been in contact with Sony, and has not judged yet whether Sony has given them enough information to restore PSN. His investigation will be an ongoing one as well, even after PSN is restored.

When it was discovered user information had been stolen during the PSN breach, the Australian federal government announced plans for a law forcing companies to disclose privacy breaches, although it was unclear when it might come into effect. Privacy minister Brendan O’Connor had stated:

“Sony isn’t alone. We’ve seen serious privacy-related incidents in recent months involving other large companies. All companies that collect customers’ personal information must ensure that the information is safe and secure from misuse.”

We’ll stay on this story as it develops.

Rock Band 2, Song Tracks and InstrumentsRock Band 2, Song Tracks and Instruments

The latest news on the Rock Band 2 front covers the instruments and a few confirmed song tracks. There have been rumors flying around the Internet about the “leaked song tracks” for the next release with absolutely no confirmation. Now, however, we have solid proof on some tracks and some equipment changes.

First, all instruments are backwards compatible. That’s key to the success of Rock Band because fans of the original ponied up a lot of bones to grab themselves the original Rock Band kit. However, there is an incentive to upgrade your equipment in some regards.

If you like the original Rock Band guitar you’re going to love the new one if only for the color updates, wood grain and actual look and feel of a real guitar not a “toy.” As you’d expect (or hope) the new guitar will be wireless, finally, and will have a sturdy strum bar with even quieter buttons. Wireless alone is a great selling point but quiet buttons is important for folks like me who play the guitar like it was a jackhammer and can easily interrupt the drummers concentration during a difficult set.

The drum kit has been improved as well, with a re-enforced foot pedal to avoid the ease of breaking the plastic “toy” version of Rock Band original. As a person who’s busted up their drum petal and forked out cash on eBay for a wood solution, this is more great news. The drum kit will also be wireless which is great for those of you, like myself, who have kids that run through your line of site or dance while you’re playing. Nobody likes their Xbox 360 being flung off the shelve due to tripped cords.

The drum kit will have quieter pads and a velocity sensor; again, your old kit is still usable without these enhancements but the desire to upgrade if you’re a dedicated fan will be high.

The song tracks currently confirmed:

  • “Panic Attack” — Dream Theater
  • “Chop Suey” — System of a Down
  • “Everlong” — Foo Fighters
  • “Kids in America” — The Muffs
  • “Give it Away” — Red Hot Chili Peppers
  • “Ace of Spades” — Motörhead
  • “Hello There” — Cheap Trick
  • “Pump it Up” — Elvis Costello
  • “Anyway You Want It” — Journey
  • “Pinball Wizard” — The Who

This is a great indication to where Rock Band 2 is going, mixing up a great selection of artists with classic hits like Anyway You Want It and Pinball Wizard to newer late generation X music like Give it Away and Chop Suey. Talented artists like Dream Theater are sure to keep Rock Band 2 a challenge to all gamers.

Other great improvements being a World Tour mode now accessible online and the removal of the “Band Leader” concept which always locked you into an instrument once you created a band.

NOTE: Xbox 360 will have a timed exclusive on Rock Band 2, arriving later in the year for the Nintendo Wii and PlayStation 3.

Checkout the full feature set so far explained at Kotaku.