Expert: Sony Negligent In PSN Security

May 6, 2011May 6, 2011| Jonah FalconJonah Falcon| 0 Comment| 12:22 am
Categories:

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

    Reply

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Sony, What Doesn’t Kill Them Makes Them StrongerSony, What Doesn’t Kill Them Makes Them Stronger

David Reeves, Sony Europe’s President said, “we simply have to suffer a little” when talking about the PS3, Europe and the competition. He was talking specifically about Sony’s loss of market share, mind-share and overall performance in the latest competitive console arena. While Sony’s president dismisses Nintendo as in a separate market, David Reeves said, “we’ve learned from Nintendo how to grow the market and move from hand-held device to device – they’ve done it brilliantly.”

Buster Douglas Takes Down Mike TysonWhat Sony may be dealing with is the fact that they’re not top dog in the latest battle for consoles. Europe has taken to the PlayStation 3 better than the United States and they’ve got plenty of fans in the region. There has been a recent upside to it all, some light at the end of the tunnel:

“PS3 games sales are up 53% and there’s a healthy 1.1m pre-order book for Killzone 2, the first of a new batch of IPs that Sony will be counting on.” (guardian.co.uk)

Although it’s reported the PSP says are down 15% and PS2 software sales are down 51%, at least the PlayStation 3 is filling in the gap for some of those losses. At some point you’d expect the PlayStation 2 to decline, gamers are probably migrating over to the new hardware.

They’ve got some things to be proud of:

  • PlayStation Network increases revenues by 200% in 2008
  • 55% of all PlayStation owners are on PSN
  • 17.5 million PSN subscribers
  • 53% rise in software sales on PS3
  • Won HD format war

Unfortunately PS3 sales were down last quarter by about 9%, perhaps a response to the harsh economic times. And, of course, the fact that Sony’s VP’s are constantly defending their position in the market is a bit disconcerting. As David Reeves said:

“It’s like Ali v Foreman – go eight or nine rounds and let him punch himself out. We’re still standing, we’re still profitable and there’s a lot of fight in us. I don’t say we will land a knockout blow, but we’re there and we’re fighting.” (guardian.co.uk)

Sony is playing the defensive, guarding themselves against the punches of the competition. Nintendo making headlines for sales, Microsoft coming out of nowhere to try to build market share, while Sony holds out for the tenth round to win it in the end? We’re not yet sure if it’s Ali vs. Foreman or if Microsoft is the next Buster Douglas.

(Thanks, Guardian)

Read MoreRead More

Sony’s 10-Year Vision: Graphics or Games?Sony’s 10-Year Vision: Graphics or Games?

Microsoft, Sony and Nintendo have great visions for their consoles, they all strive to stand out from their competitors. Nintendo’s key initiative is to get non-gamers on board and provide the world with something a little different while Microsoft’s concept is to get a 360 into the hands of all gamers and build a huge community. Sony’s selling point? Graphics.

When it comes to standing out amongst the other consoles, Sony cannot compete with the Wii‘s quirky cuteness and Xbox 360‘s one-year lead on sales, games and overall functionality. They were late to the game because of technological advances in Blu-Ray and overall graphic horsepower. They’re providing a console that will still look “teh awesomes” ten years down the road, similar to the attack plan of the PS2 product which still sells today.

Sony’s Scott Steinberg, Vice President of Product Marketing for SCEA had nothing but great things to say about the console he’s marketing…

“I think that we’re seeing, graphically, PS3 games starting to create some distance and some of the other competitors are going to feel that they’re getting long in the tooth, looking quite dated, because they haven’t created that ten-year vision from a horsepower standpoint” (psu.com)

Really? Does anyone look at the Xbox 360 and say “this thing looks dated.” Each new title release continues to look more advanced and more graphically appealing than the last. Sure, Resistance 2 looked graphically epic, but the title isn’t on the shelves yet. As a matter of fact, very few PS3 titles are on the shelves when it comes to graphically appealing titles everyone wants.

As Nintendo has proven, it’s not always about the advanced graphics but the fun value and access to many titles across many genre’s of gaming. We’re happy about a nice 10-year vision but there is a reason classic games like Pac-Man, Missile Command and Galaga are still talked about and played by gamers: simple and fun.

Microsoft may not have a ten year vision, this is true, but I’d rather have a hot console I can play for the next six years than own a more expensive console with few games until its third year of life. The PlayStation 3 has been beating the Xbox 360 sales in 2008, is this too surprising given the fact that the Xbox 360 was out a year ahead? Sales aren’t always going to be rosy and over the top (unless it’s the Wii).

Rather than concentrate on how many more consoles the PS3 has sold compared to the 360, look at how many Wii consoles have sold to the graphically superior PS3. Perhaps Sony should speak less to the gamers about how awesome their console is and speak more to the developers so we can get titles worth buying for the console. Gamers only win when a console has games for them to play.

Read MoreRead More

PlayStation 3 Online Community Matches 360PlayStation 3 Online Community Matches 360

Although PlayStation 3 is still third in worldwide sales, behind the Xbox 360 by about 5-million units, the PS3 community services now have as many online gamers as Xbox 360 says Sony. Sony posted on their blog saying, “with 14 million active accounts and 273 million pieces of content downloaded, we know that you’re thirsting for this digital entertainment.”

Although US sales of the 360 are killing the PS3, the community membership does give gamers a reason to get online with the PS3. Nobody wants to buy into a console that has very few active online games or an easy way to find friends (*cough* Wii). Having 14-million users helps them bridge the sales gap by building gamer confidence. Social networking is the new term; gamers want to socialize with each other online and with their consoles.

Microsoft recently announced their 14-million subscriber base and continue to update folks when they hit big milestones. The main difference, LIVE is a subscription system — those 14-million gamers are also paying for the service (we’re not sure if silver memberships count in that figure) and this means income for Microsoft while Sony does their service for free.

Although Microsoft is making money on their service, no doubt Sony will bypass their total membership because it has no cost barriers to play. The biggest cost barrier to get on Sony’s network is the PS3 itself and many gamers hold out for price drops which aren’t coming anytime soon (so says Sony). However, building a larger community on a free network allows Sony to siphon gamers to buy downloadable content, games, music, movies and all the goodies that go with these services.

It seems a better idea to triple your audience with a free service knowing a large amount of “hardcore gamers” attach themselves to the easy to buy content on said service. So, is it better to make US $50.00 a year on half the population or give triple that population an opportunity to spend more money on content?

“Thanks to all of you, PS3’s momentum is stronger than ever. There are nearly 17 million PS3 systems around the world, and in the United States, PS3 hardware sales are up nearly 100 percent from where we were at this time last year. Software sales have tripled from a year ago. Yes, we’re proud about everything we’ve accomplished, and we’re even more psyched about where we’re going with our holiday software lineup” (playstation.com)

Eventually gamers may have access to Sony’s Home project, which could raise the community figures and give Xbox 360 something less to brag about. Although, we’re sure Sony would rather be boasting “number one” console again, at least they’ve finally got a win on their side because 14-million users is only the beginning for them.

Plus, it’s hard to argue free.

Read MoreRead More