Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

The PSN FiascoThe PSN Fiasco

It’s now the US government’s turn to question Sony about its online security, which follows the UK government’s scrutiny into the company’s affairs.

In a letter addressed to PlayStation executive deputy Kaz Hirai, the Subcommittee on Commerce, Manufacturing, and Trade has prepared a list of questions related to the intrusion; the list can be downloaded from the New York Times here. The letter asks several questions that Sony has not disclosed to the public, such as:

  • How many PSN users had a credit card on file
  • Why Sony cannot determine if credit card was stolen.
  • What are Sony’s plans towards increasing its security in the future.

The Subcommittee’s press release states:

“Given the amount and nature of personal information known to have been taken, the potential harm that could be caused if credit card information was also taken would be quite significant. The Subcommittee on Manufacturing, and Trade has a longstanding interest in consumer privacy, identity theft, and industry efforts to address threats posed by unauthorized access to consumers’ personal information resulting from a data breach.”

The Subcommittee is requiring a reply by no later than May 6, as part of a privacy driven effort “to protect consumer information.”

Meanwhile, Kaz Hirai will be holding a press conference tomorrow from Sony Japan, to address the PlayStation Network hacking crisis.

(more…)

Are You An Okami Fan?Are You An Okami Fan?

PlayStation 2 fans may recall a little title called Okami, it’s an action adventure game developed by Clover Studios and published by Capcom. The original Okami title received fairly high reviews by many popular game sites, although there were a few flaws, the receiption seemed well received.

Clover Studios was closed after the release and all the intellectual properties went back to Capcom, the company that funded the studio, leaving Capcom responsible for future sequels.

Christian “Sven” Svensson said “I think we need a lot more people buying the current version before we seriously consider a sequel”. A harsh statement on the game’s combined sales figures, perhaps, but also probably an accurate one. (Kotaku)

This is the sound of a developer not so happy with prior performance and finding it too risky to try for a second title. Although many sequels outshine their parents there is some truth to the fact that slow selling parents will create slow selling sequels, there is something to be said about learning form past experiences.

The game had good reviews, isn’t it worth trying to make a second game based on that? Maybe people just aren’t jazzed about Japaense folklore, myths and legends as the basis for a game.

Final Fantasy XIII Demo For PS3 AnnouncedFinal Fantasy XIII Demo For PS3 Announced

The first demo for Final Fantasy XIII has been announced, but, it will only be available (right now) on the PlayStation 3. It will arrive as “bonus material” when you purchase Final Fantasy VII: Advent Children Complete because the game arrives on Blu-Ray and there is plenty of room for this additional content.

The game is scheduled to be released in March of 2009 in Japan, so the United States and other territories may not get an early demo of FFXIII. Does this give everyone a reason to purchase a PlayStation 3? Nothing says it won’t be available as a downloadable Demo on Xbox Live… because nobody’s really talked to that topic at all yet.

Square Enix has publically stated they’ll start the Final Fantasy XIII port to the Xbox 360 once it’s finished on the PlayStation 3, so presumably we won’t see a demo (or a final game) for some time to come. The end result, demo or no demo, is the same: a dual release on two of the big colorful platforms in the way of Xbox 360 and PlayStation 3 consoles.