Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Five Dollars Gets You 55 Original Rock Band SongsFive Dollars Gets You 55 Original Rock Band Songs

If you’re into Rock Band and love the songs you’ve played, you may want to migrate them into Rock Band 2, correct? For the price of 400 Microsoft points ($4.99) you’re now able to download an export “patch” to allow exporting of 55 Rock Band songs into the next version of Rock Band.

There are a total of 58 songs in Rock Band, you can export 55 of them with the patch, left out (perhaps due to licensing issues) will be: Iron Maiden’s “Run to the Hills”, “Paranoid” by Black Sabbath, and Metallica’s “Enter Sandman.”

For five dollars this isn’t a bad deal, definitely worthwhile if you’re looking to have a huge library of rocking songs for Rock Band 2.

Today, we’ve learned the PlayStation 3 will get the same export feature as DLC, if you’re into the PS3 and plan to get Rock Band 2 you’re in luck. Also included in the PS3 patch, you’ll now have the ability to use your Guitar Hero 3 Les Paul Guitar with Rock Band. Excellent news.

(Thanks, 1up)

Mass Effect 3: What REALLY Went Wrong, And How To Fix ItMass Effect 3: What REALLY Went Wrong, And How To Fix It

NOTE: THIS ARTICLE DISCUSSES THE ENDING AND EVENTS OF MASS EFFECT 3. DO NOT READ IF YOU DO NOT WISH THE GAME TO BE SPOILED FOR YOU.

In this day and age, one learns to take internet outrage with a heavy dollop of salt. The videogame community tends to be reactionary in the worst way, for a few reasons: they tend to be young, they tend to express their immediate feelings almost as a stream of consciousness, and let’s face it, the Greater Internet Dickwad Theory comes into play as well.

When it comes to game endings, when I hear that the community is upset about a game’s ending, I almost always take that as a good sign that the ending is daring and provocative. For example, there was an outcry over the abruptness of the ending of Halo 2, which had the nerve to conclude with a cliffhanger. The 2009 Prince of Persia reboot ended with the player undoing all of the work to free an ancient evil god they’d just imprisoned.

So when I heard that there was a growing outcry about the endings of Mass Effect 3, my interest peaked, because invariably, that meant the story was provocative and daring, instead of predictable and boring.

(more…)

Episode 646: Late April Fool’sEpisode 646: Late April Fool’s

[This episode has been re-uploaded due to technical issues]

This week’s episode deals with the fact it was published on April Fool’s Fool’s Day, and discussion of the games that have been floating the hosts’ boats. This week’s Gaming Flashback is the magnum opus of Telltale Games: The Walking Dead. The guys also discuss the upcoming Kingdom Hearts 4 and whether anyone cares about it.

The news includes:

  • Digital games on PS3 and Vita are reportedly “expiring” and becoming unplayable
  • Ubisoft ends its NFT experiment in Ghost Recon Breakpoint
  • Konami details eFootball 2022 v1.0 update due next week
  • Blue Box: Abandoned has not been canceled

Let us know what you think.