Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Running Unpatched Servers With No Firewall

Posted by ryuzaki0 on from the oh-yeah-that'll-be-fine dept.

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

2 of 306 comments (clear)

  1. Re:Welp by akpoff · · Score: 5, Informative

    Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsbility but customers do have a reasonable expectation of due care, at least with their credit card information and likely with their account information.

    Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

    Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

  2. VISA and MasterCard lower the hammer by Animats · · Score: 5, Informative

    It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

    The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

    Then comes the "Account Data Compromise Recovery phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

    A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.