Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Firmware 2.40, Epic Failure?Firmware 2.40, Epic Failure?

After finally catching a break and making some strides in the sales of PlayStation 3 consoles, Sony stumbles over a major firmware update, v2.40, causing customers minor to extreme pain across the board. Some PlayStation 3 consoles are having small issues while others are simply locking up.

In the end, Sony has decided to pull the update from their site “temporarily” while they fix the glitches:

“UPDATE: 7/2/2008, the PlayStation 3 system software version 2.40 has been temporarily taken offline and will not be available for download as our engineers examine any possible issues with this update. The Knowledge Center will be updated with information as it becomes available; please check back here for further details.”

Sony’s only response is “we’re looking into it” while the only way a consumer of a fried box is to get back online is to format and start over (saving their content to some other media device first of course). Or, they can ship it back for a minor charge of $150.00. Or, they can do as others have been, light up the sony forums.

(Thanks, 1up)

Episode 232: Remember Pong?Episode 232: Remember Pong?

This week, there’s no Gaming Flashback or Gaming History, but there is a ton of news and Reader Feedback as Paul is finally present to react to some hate mail.

The news includes some huge items, like:

The Question of the Week: What was the very first home videogame you ever played?

New Castlevania Title For 360 and PS3: 2D or 3D?New Castlevania Title For 360 and PS3: 2D or 3D?

The Castlevania series was born in Japan on September 26th back in 1986. That knowledge in hand, you can imagine the demographic of 30+ year old gamers who would kill to get an old school franchise title on a new graphic intensive console.

We’ve had many new Castlevania releases since 1986 including releases on the Nintendo DS in 2006 with more titles arriving with the Castlevania branding. However, we’ve not seen a true “full blown” Castlevania title in some time. As a retro style gamer, I’d love to hear news that this would be a 2D game with “next generation” graphics.

There are far too few really great 2D side scrolling platformers for this generation of consoles. Outside of Nintendo, most side scroller systems become “arcade” titles in XBLA or PSN. Over the last fifteen years we’ve had plenty of 3D games with jumping and crazy camera work. Lately, we’ve had some new titles arriving that are 2D platformers like Little Big Planet and the recently released Mega Man 9.

More than likely, Konami will follow the flow and design yet another old franchise with new 3D graphics. Given the demographic for this franchise it would almost seem like a selling point to jump back to a 2D world view.

What would you like? A 3D or 2D Castlevania title on the Xbox 360 and PlayStation 3?