Expert: Sony Negligent In PSN Security

An expert has given testimony to the US House of Representatives Subcomittee on Commerce, Manufacturing, and Trade during its commencement on hearings on the “unauthorized intrusion” on Sony’s PlayStation Network and Qrocity service, stating Sony knew that their security software was dated and lacked any sort of firewall against hacking.

Cybersecurity expert Dr. Gene Spafford’s testimony stated that security experts discovered discussions on forums that talked about how the PSN’s security was lacking. The threads revealed that the network was using old versions of the Apache Web server software, which “was unpatched and had no firewall installed.”

Worse, two to three months before the attack, the vulnerability was reported “in an open forum monitored by Sony employees,” but the company took no action to rectify the situation. If the testimony is accurate, Sony could be slapped with a serious criminal negligence charge.

The Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service, according to Spafford. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, at $21 billion. Thieves in credit-card theft forums actually complained that the PSN breach was so great that it was depressing the price of such information by a “factor of five or 10” on the black market.

Spafford didn’t reserve his accusations for Sony, either. He stated that law enforcement is ill-equipped to handle cyberterrorism and cyberthieft. Additionally, most companies are not equipped with enough security measures because “investing in security measures affects the bottom line. They don’t understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society.” In other words, a classic case of being penny wise and pound foolish.

Spafford’s proposed solution to future security is to limit the amount of data kept by companies such as Sony and to “age the data” so it expires after a certain time.

C-Span posted the video of the testimony here.

(Thanks, GameSpot.)

0 thoughts on “Expert: Sony Negligent In PSN Security”

  1. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

  2. One of the better pieces on the PSN fiasco that I’ve read, congrats Jonah!

    I had two jobs as a programmer; in both cases, interacting with the IT department felt more like interacting with Dilbert’s “Information prevention department”, ran by Catbert. They even wanted (and succeeded in one place) to push a “Service Level Agreement”: it’ll take two days to create a new password for this, seven days to do that etc.
    They just don’t put enough heart in it.

    To be fair, my very first job though was … in the IT department of my college! IT work is hard. If you screw up (and we did screw up sometimes), you could kiss your weekend goodbye . Usually, we’d investigate the issue that very evening, then tried to implement it either during the next day, or, at worst, if the computers we’d want to alter were being in use, in the weekend.
    The lessons I learned there is that: (1) you must react quickly and (2) if you put a bit of your heart into your work, you can get surprisingly good results.

    Nice find on the “depressing the price of such information by a “factor of five or 10? on the black market”. I guess the PSN issue is the equivalent of flooding the market with products 🙂

    @” limit the amount of data kept by companies such as Sony and to “age the data””
    This is security basics. If you don’t want to be responsible for safekeeping secret information, then don’t store secret information on your servers. Period.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Episode 239: This Episode is DRM-freeEpisode 239: This Episode is DRM-free

This week, Paul is too busy unpacking in his new home in California, so it’s just Jonah and Jordan, as the news mainly deals with DRM. The Gaming Flashback this week is the Activision racer The Great American Cross-Country Road Race, while this week’s Gaming History doesn’t focus on a video game company or developer, but a fictional character instead, Mario’s favorite mount, Yoshi.

The news this week includes:

  • EA forum bans cause game bans
  • Research film states piracy’s up 20% in past 5 years
  • GOG sez customers hate DRM
  • Steam user database cracked
  • Uncharted 3 launches with 1.1M sold in first week

All that plus Reader Feedback and the Question of the Week, “What DRM would you tolerate?”

PlayStation 3, March 2009 Price Drop RumorPlayStation 3, March 2009 Price Drop Rumor

With so many people wishing Sony would cut the PS3 price to something more reasonable, it’s no big surprise we see constant rumors about potential “price cuts.” This time, a March 2009 rumor “supposedly” came out of the Sony Annual Briefing in London where a butt ton of information was “rumored” to be leaked.

The anonymous source is running around with a bunch of neat rumors, such as a LittleBigPlanet release on the PSP but the one that may hit home most with gamers is price cutting. The PS3 has been around for a few years now and hasn’t budged on the price tag; they’ve had fire sales on obsolete products (smaller disk drives mainly) but no official drops.

Sony won’t comment on speculation, of course, but we’re sure they want to catch Mr. Anonymous from hiding in their meetings and giving away their information… if it is real. D+Pad published the rumor-mongers message saying the “SCEE will be getting more competitive in price from March 2009 onwards.”

Easter would be a fine time for a price cut, if the speculation is real. This upcoming holiday would have made the most sense, to consumers, but Sony apparently has no plans to reduce the price around the time their sales will be increasing anyway. As the PlayStation 3 is doing okay in PAL territories Sony is relying on them, it would seem, to kick up the numbers and show Microsoft they’re not the only second-place game in town.

The Wii continues to dominate and we’re sure a PS3 price drop won’t impact Nintendo’s sales strategy or gamers decisions on one console versus the other as a price drop wouldn’t bring it to a competitive Wii price.

What is your magic number? What price would you buy a PS3 at if you don’t own one already. For us? Drop it a bit and throw in a free LittleBigPlanet.

Sony Should Buy Ubisoft and Here is WhySony Should Buy Ubisoft and Here is Why

Sony’s been putting a lot of effort (read: money) into the PlayStation 3 product line with very little impact in the market. They’ve got this “10 year plan” but haven’t really executed a strong plan for their first two years of said plan. Sony’s plan seems to be “outlive the competition’s technology” while all of its competition stomps on their sales and market share with older and a bit “outdated” products.

Thus far there have been five spins of the PlayStation 3 hardware with price cuts only coming as a result of a “fire sale” of old hardware revisions. Sony, like many, believes the Nintendo Wii isn’t a direct competitor in their space; the outstanding sales of the Wii probably haven’t impacted the PlayStation 3 sales too much. The Xbox 360, however, has definitely cut them deep in all regions of sales.

Microsoft has built some unexpected momentum in Japan with Square-Enix making them a few console seller titles and the price cuts in Europe boosted sales over 200% all while the US continues to buy into the 360 hardware despite its most obvious red-ringing flaws. Microsoft has great partnerships with some fabulous companies, Bungie and Epic for instance, to build them exclusives that move even more 360 units.

Motorstorm is one of the PlayStation 3’s best games, selling over 3-million copies. While, as of January 2008, Halo 3 sold 8.1 million units for the Xbox 360. Now, Metal Gear Solid 4 has sold roughly 3.94 million copies since August of 2008 yet unsubstantiated rumors exist stating MGS4 could make its way to the 360. Combined awesome titles for the PlayStation 3 may not even exceed one of the competitors best selling products; where is the PS3 excitement?

(more…)