Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

MGS4 Quickly Falls of Top Titles, NCAA Football 09 Takes LeadMGS4 Quickly Falls of Top Titles, NCAA Football 09 Takes Lead

The month, June 2008, Metal Gear Solid 4 takes number one on the NDP figures with 774,600 individual units (over 1-million if you include bundles), in July… they didn’t even make the top ten figure. What the heck?

NCAA Football 09 for the Xbox 360 took number one with 397,600 games sold, nothing close to MGS4’s figures form last month but still took the first position. Wii Fit took number two position, up from its fourth position in June showing lasting appeal or the ability for gamers to purchase the rare to find game set.

Wii Play still sits in the top ten titles along with Mario Kart and Rock Band (for the Wii). As a matter of fact, four out of the top ten titles are Wii games. One for DS (Guitar Hero: On Tour), two for Xbox 360 and two for PlayStation 3.

How is it possible for Wii Play and Wii Fit to hold top positions for so long while a game like MGS4 dies off so rapidly? More than likely this is the impact from having such great console sales that even a low attach rate (games to consoles) is significant enough when millions upon millions of consoles have been sold.

If the PlayStation 3 had more units in the hands of gamers, would their top tier titles like MGS4 hold top spot for more months? Presumably yes, another negative impact from being third in the race it seems.

(Thanks, 1up)

2008: The Year of Sequels? Too Much Risk?2008: The Year of Sequels? Too Much Risk?

While compiling a list of games to respond to a user question on the TD Gaming Podcast, I’ve noticed something about this years gaming lineup: their mainly all sequels! Are there any new franchises taking a risk in the market or just more of the same? Some are not really “sequels” but spin-offs of the same franchise.

A few examples of some October time frame titles: Fable 2, Far Cry 2, Gears of War 2, Rock Band 2, C&C: Red Alert 3, Saints Row 2, Rayman Raving Rabbids 3, Tekken 6, Call of Duty 5, Guitar Hero World Tour, Tom Clancy End of War, Sing Star Vol 2 and others.

There are a few original titles: Afrika for the PlayStation 3, Little Big Planet (PS3) and Huxley (360 and PC). Most of the original franchise creations seem to be PlayStation 3 related, probably because the console needs some major hits to spur more sales.

Is the market so competitive and risky that new franchises are becoming a rare breed? Last year we saw Assassin’s Creed and before that Viva Pinata and Gears of War exclusive on the Xbox 360. Consider Viva Pinata a “slight” failure in terms of excitement and Gears of War a success, that’s 50/50 in terms of risk vs. reward.

(more…)

Episode 272: Whinny 8Episode 272: Whinny 8

This week’s Gaming Podcast deals with Jordan Lund discussing how much negative flak Windows 8 has been getting, Daniel Quick being his usual Canadian self, Paul Nowak returning triumphantly, and Jonah Falcon just taking infamy in stride. This week’s Gaming Flashback is the derided Super Pitfall! for the NES.

As far as the news:

  • “Super-slim” PS3 will be a no-show at Gamescom
  • UbiSoft claims lack of new consoles penalizes creativity
  • Diablo III ‘God mode’ exploit for Wizard discovered
  • EA: Nintendo “on track to become primarily a software company”
  • Electronic Arts settles in Madden and NCAA monopoly suit

There is no Question of the Week – rather, the crew is waiting to hear your questions for them instead.