Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Running Unpatched Servers With No Firewall

Posted by ryuzaki0 on from the oh-yeah-that'll-be-fine dept.

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

8 of 306 comments (clear)

  1. Welp by dragonhunter21 · · Score: 4, Insightful

    Well THERE'S your problem.

    IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?

    --
    Sent from my CR-48
    1. Re:Welp by HiredMan · · Score: 3, Insightful

      definitely shows that PCI is bullshit ;)

      PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

      They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

      --
      Bill Gates - Creationist?!?
  2. If they had cared enough... by samjam · · Score: 3, Insightful

    Sony took more care to lock the customer out of equipment the customer owned on the customers premises to "protect Sony's IP" than they took to protect the customers data running only Sony's servers at Sony's premises.

    Looks like they need to move their security staff to the hosting side.

    Sam

    --
    blog.sam.liddicott.com
  3. Re:So now security researchers are to blame? by h4rr4r · · Score: 3, Insightful

    The Sony IT folks probably wanted too, but their idiot managers prevented them. Because if the update broke something or needed downtime they can't have that.

  4. Re:But, but, but... by LWATCDR · · Score: 1, Insightful

    I don't know if Anonymous is too blame for this. They are still after all a bunch if vindictive thugs and the Internet version of a street gang but that doesn't make them guilty of this.
    But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  5. Re:So now security researchers are to blame? by Calydor · · Score: 3, Insightful

    Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.

    Updating and getting a firewall costs money, banning people from a forum doesn't.

    Obviously it's better to treat the symptom than cure the disease.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  6. So... by Capeman · · Score: 5, Insightful

    Everytime a new PS3 firmware comes out, with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?

  7. No Firewalls by Anonymous Coward · · Score: 1, Insightful

    Web servers do not need firewalls. If your servers are only providing public facing services there is no need to firewall them. In fact, firewalling them can make them more vulnerable to DDoS attack.