Slashdot Mirror


Sony Running Unpatched Servers With No Firewall

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

5 of 306 comments

  1. Re:Welp by alta · · Score: 5, Interesting

    They are in gross violation of PCI. Criminal Negligence is "suitable"

    They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

    --
    Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
  2. Re:Welp by Ancantus · · Score: 3, Interesting

    From USLegal:

    The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

    Bolding by me.

    IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave an unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then lose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!

    --
    Violence is the last refuge of the incompetent. -- Isaac Asimov
  3. Re:Welp by JWSmythe · · Score: 5, Interesting

    How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

    --
    Serious? Seriousness is well above my pay grade.
  4. Re:Welp by Anonymous Coward · · Score: 3, Interesting

    Yet it still happens every day.

    But probably not on servers that are storing millions of credit card numbers. That's a key difference.

    I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.

    The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.

    I have broken into customer or employee data in almost every company I've audited during the last 4 years.

    I'll tell you also, that the PCI mandated "scans" are just that. Automated scans. They send you the PDF, you do trivial remediation and it's done. Even the biggest players seldom do more than that, and they make a concerted effort to do exactly the minimum amount, because anything more affects the quarterly profit margin.

    So... still... we break into every place we visit...

    And I'm not particularly super "leet"... I'm sure there are plenty of guys who could lay waste to these places I go to with far more ease, speed and stealth.

  5. Re:Obvious to those who are in the system by JWSmythe · · Score: 4, Interesting

    Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.

    Here are a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.

    The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.

    They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.

    They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.

    They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.

    I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...

    The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.

    We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.

    We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.

    --
    Serious? Seriousness is well above my pay grade.
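A worked illustration of the host-firewall policy that comments 3 and 5 describe: iptables on the machine itself, default deny, only ports 80 and 443 answering from the internet, no ICMP replies and no "connection refused" for closed ports, an admin service on an unusual port reachable only from the office network, and a single auditor IP let through temporarily for the scan. This is added example code, not anything posted in the thread and not Sony's or JWSmythe's configuration. The policy is held as data, checked with a small first-match evaluator (so the intent can be tested before touching a production box), and rendered as iptables commands for review. The management port 2222, the office network 198.51.100.0/24 and the scanner address 203.0.113.10 are constructed placeholder values.

```python
"""Default-deny host firewall policy: evaluate it on sample packets and
render the equivalent iptables rules. Added illustration, not a config
from the thread. Addresses and the admin port are constructed values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                       # source IPv4 address
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # destination port (None for ICMP)
    established: bool = False      # reply to a flow this host already accepted/opened


@dataclass(frozen=True)
class Rule:
    action: str                            # "ACCEPT" or "DROP"
    comment: str
    proto: Optional[str] = None            # match protocol, or any
    dports: frozenset = frozenset()        # match any of these ports, or any
    src: Optional[str] = None              # match source CIDR, or any
    established: Optional[bool] = None     # match conntrack state, or any

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.established is not None and p.established != self.established:
            return False
        return True


def build_policy(scanner_ip: Optional[str] = None,
                 mgmt_port: int = 2222,                 # constructed "unusual port"
                 mgmt_net: str = "198.51.100.0/24"):    # constructed office network
    """Ordered rule list; the last rule is the default deny that also
    swallows ICMP, so closed ports time out instead of being refused."""
    rules = [
        Rule("ACCEPT", "replies to flows we accepted or opened", established=True),
        Rule("ACCEPT", "public web service", proto="tcp", dports=frozenset({80, 443})),
        Rule("ACCEPT", "remote admin on an unusual port, office network only",
             proto="tcp", dports=frozenset({mgmt_port}), src=mgmt_net),
    ]
    if scanner_ip:  # temporary exception for the auditor's scanner, one IP only
        rules.append(Rule("ACCEPT", "temporary: PCI scanner", src=f"{scanner_ip}/32"))
    rules.append(Rule("DROP", "default deny: no ICMP, no RST, no port-unreachable"))
    return rules


def decide(policy, pkt: Packet) -> str:
    """First matching rule wins, as in an iptables chain."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "DROP"  # chain policy if nothing matched


def to_iptables(policy) -> list:
    """Render the same policy as iptables commands (for review, not applied here)."""
    lines = ["iptables -P INPUT DROP", "iptables -A INPUT -i lo -j ACCEPT"]
    for rule in policy:
        parts = ["iptables -A INPUT"]
        if rule.established is True:
            parts.append("-m conntrack --ctstate ESTABLISHED,RELATED")
        if rule.proto:
            parts.append(f"-p {rule.proto}")
        if rule.dports:
            parts.append("-m multiport --dports " + ",".join(str(p) for p in sorted(rule.dports)))
        if rule.src:
            parts.append(f"-s {rule.src}")
        parts.append(f"-j {rule.action}")
        lines.append(" ".join(parts) + f"   # {rule.comment}")
    return lines


if __name__ == "__main__":
    policy = build_policy(scanner_ip="203.0.113.10")  # constructed scanner address
    samples = [
        Packet("192.0.2.5", "tcp", 443),                  # public HTTPS: accept
        Packet("192.0.2.5", "tcp", 22),                   # SSH from internet: drop
        Packet("192.0.2.5", "icmp"),                      # ping: drop, no reply
        Packet("203.0.113.10", "tcp", 22),                # auditor probing SSH: accept
        Packet("198.51.100.7", "tcp", 2222),              # admin from office: accept
        Packet("192.0.2.5", "tcp", 2222),                 # admin from internet: drop
        Packet("192.0.2.5", "udp", 53, established=True), # DNS reply to our query: accept
    ]
    for pkt in samples:
        print(f"{decide(policy, pkt):6} {pkt}")
    print("\n".join(to_iptables(policy)))
```

Running the file prints a decision per sample packet and then the rendered iptables lines. The scanner exception is the one thing to remove again once the audit is done; the rule order matters, because the default-deny line must stay last.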