Sony Running Unpatched Servers With No Firewall

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

Welp

[dragonhunter21]

Well THERE'S your problem.

IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?

Re:Welp

[andrea.sartori]

I'm afraid stupidity is not a "suitable" (sorry...) offense. Maybe based on criminal negligence...

Re:Welp

[alta]

They are in gross violation of PCI. Criminal Negligence is "suitable"

They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

Re:Welp

[Ancantus]

From USLegal:

The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

Bolding by me.

IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave a unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then loose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!

Re:Welp

The UK Data Protection Act includes clauses to the effect of requiring the data collector to ensure all the collectee's data is sufficiently secure. I'd say there's a pretty strong case to be made that the security Sony had was nowhere near sufficient. Seeing as how I'm one of SOE's UK customers and they've just informed me my credit card details "may" have been stolen, I'm p*ssed enough to get legal on their asses at the moment.

I'm just not rich enough.

Re:Welp

[g0bshiTe]

Any IT tech would know better than to leave a unpatched HTTP server without a firewall up to the internet.

Yet it still happens everyday.

Re:Welp

[JWSmythe]

  How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

Re:Welp

[akpoff]

Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsbility but customers do have a reasonable expectation of due care, at least with their credit card information and likely with their account information.

Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

Re:Welp

[sribe]

Yet it still happens everyday.

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

Re:Welp

[kelemvor4]

That would not happen, they'd just contract with a third party to take payments.

Re:Welp

[Mongoose+Disciple]

Hey, there's an optimist left on /.!

Re:Welp

[nschubach]

I know I wouldn't use it... my Credit Cards give me a layer of protection and a buffer. So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them. (Unless I'm totally wrong here. I remember Prepay cards that you had to get at the store and are charged a percentage more than the value of the card. This usually involves predetermining that you need the card while you are at the store or making a special trip.)

Paper bill I guess I could handle, but that's also a huge pain and involves me checking my mail more than once every 2 months to clean out the garbage coupons. (Ah, the joys of online banking!)

Re:Welp

[Ancantus]

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

Exactly! Although it is never good to leave something exposed to the Internet unprotected, if its small there is very little risk (I have always been taught to assume that your system is constantly being attacked, better to be secure than sorry). But its entirely unacceptable to be so lax on security for something having access to their credit card database. I hope other companies that store credit card data are double-checking their security. If Sony made this mistake, others have as well.

Re:Welp

[sxpert]

definitely shows that PCI is bullshit ;)

Re:Welp

[Svpernova09]

heh. I'd like to know who the company was that certified them. If they even were certified.

Re:Welp

[Chris+Mattern]

Is there a suit here?

Given the attitude of most suits on website security, almost certainly.

Re:Welp

[hawguy]

definitely shows that PCI is bullshit ;)

They weren't PCI compliant since part of compliance requires applying security patches to in-scope systems, and if credit card numbers were passing through Apache or the web app running on Apache had access to credit card numbers, it was definitely in scope. And of course, storing unencrypted credit card numbers also violates PCI, but even if they were encrypted, if the hackers had control of the application they could have had the decryption keys.

Re:Welp

[negRo_slim]

So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them.

Yeah such a pain in the ass that's why you would just buy prepaid game cards instead of a prepaid credit card, I mean they're only offered at every convenience store, grocery store and department store. From XBLA points to F2P MMO networks they're just about everywhere these days and I've never seen a fee on one. 20 bucks of credits is 20 bucks of credits is 20 bucks of credits.

Re:Welp

[jazzstep]

definitely shows that PCI is bullshit ;)

Its only BS for companies that do not comply. I work for a company that takes PCI very seriously, our customer data is protected quite well.

Re:Welp

[Wildclaw]

loose 2 million credit card numbers

It isn't like those numbers actually can be used for anything.

A number that people tell random merchants is obviously not something that is usable for any economic purposes. I can't imagine anyone using it to validate purchases as that would clearly be criminal negligence.

Re:Welp

[DeadCatX2]

The basis of this claim is Dr. Gene Spafford of Purdue University. He was giving testimony before Congress.

If you have proof that this man is lying, then let's see YOU go before Congress and testify.

Re:Welp

[HiredMan]

definitely shows that PCI is bullshit ;)

PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

Re:Welp

[defaria]

Yeah sure. I have never, to my knowledge, purchased *anything* through Playstation Network! In fact I'm pretty sure they don't even have my credit card number at all and thus I'm not worried about these breaches personally. When I want to use my Playstation to play a games it's because I went to GameStop and purchased the medium there. I don't buy movies on PSN either - I stream them from my Linux systems that I get over the net and from Playon. And I don't purchase stupid avatars and other "virtual stuff". So when you say "can you imagine Playstation Network if it was prepay, or paper billed only?" my answer is that from my perspective, that's what they've always been.

Re:Welp

Yet it still happens everyday.

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.

The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.

I have broken into customer or employee data in almost every company I've audited during the last 4 years.

I'll tell you also, that the PCI mandated "scans" are just that. Automated scans. They send you the PDF, you do trivial remediation and it's done. Even the biggest players seldom do more than that, and they make a concerted effort to do exactly the minimum amount, because anything more affects the quarterly profit margin.

So... still... we break into every place we visit...

And I'm not particularly super "leet"... I'm sure there are plenty of guys who could lay waste to these places I go to with far more ease, speed and stealth.

Re:Welp

[gblfxt]

PCI Compliance only requires that you are showing progress towards security goals, not that you have all the items implemented.

Re:Welp

[Amouth]

PCI if followed is effective.. compliance in the marketplace is bull shit.. BUT there is one thing that i like about Sony failing.

If you claim to be PCI compliant but are not and you suffer a breach related to your failure to be compliant then you are liable for any fraud charges and cost to investigate and clean up said mess. Not to mention if it was a smaller out fit their ability to charge cards would be removed.

Re:Welp

[Alex+Pennace]

In Massachusetts, there most definitely is. After the TJX breach, there was a big push to get businesses that hold personal information to take appropriate precautions. This culminated in M.G.L. Chapter 93H and corresponding regulations, which among other things makes data breaches actionable if the business did squat all to prevent it.

Lately, our Attorney General has been doing everything she can to keep herself in the news, and I would not be surprised if she files suit against Sony post haste.

Re:Welp

[hawguy]

PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.-

You certainly can limit the scope to only those computers that have access to PCI protected data, but any computer that has access to that data or processes that data is in scope. I'm sure you can configure your network in such a way that allows a breach, but that's not really PCI DSS's fault - one standard can't be expected to provide complete security for all environments....they give you overall security recommendations, if your network allows access to the data by a botnet, then it's your job to fix it, don't think that just because you checked all of the checkboxes on the PCI-DSS checklist that your security job is done.

so only certain areas get tested.

If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.

They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out our PCI compliant systems. However, If they found that you violated PCI standards, then you weren't really PCI compliant, were you?

Re:Welp

[zerro]

Yes, they call this "Too big to secure..."

Re:Welp

[JamesP]

Really

I found impossible to run a server without even Fail2Ban without running into some serious issues

Rule 1 - Nothing should show up on a port scan besides HTTP/HTTPS and SSH (only if absolutely needed)
Rule 2 - Fail2Ban everything that looks funny
Rule 3 - nothing listens on 0.0.0.0 except as needed (even with a firewall)

And that's only the beginning

Re:Welp

[Reverand+Dave]

So does Sony now qualify for a massive government bailout and DOD level network securing?

Re:Welp

[UncleTogie]

PCI Compliance only requires that you are showing progress towards security goals, not that you have all the items implemented.

Comply, or comply not. There is no "try".

Got a citation for that?

Re:Welp

[NotAGoodNickname]

With prepay you are loaning the company money interest-free and guaranteeing them income whether you use the card or not. Its a great deal for companies, but a bad deal for you. Companies love pre-paid/gift cards because many of the cards never get used at all!

Re:Welp

[nschubach]

That was one of my points though. You get home, sit down, take off your shoes, maybe get comfortable and go look through the games available to buy online. You see one you really like and want to get it. Doh, I have to run to the store to get a card...

There's just a huge inconvenience in prepaid cards.

You could stock up on a bunch of cards anticipating that you will be buying a game, but what if you buy a card for $20 and the game is $18? Now there's $2 sitting on that card and you may just throw the card out because you would have to put that card plus another into the system next time you buy something. You just gave someone $2. What if you bought a $50 card and only bought that $21 game. Now there's $29 sitting on a card and you don't know when you're going to use it next. Free money for collecting interest for that bank!

Re:Welp

[gblfxt]

nope, seems i was wrong:

"b. Complete and document all steps detailed in the Requirements and Security Assessment Procedures, including brief descriptions of controls observed in the “In Place” column, and noting any comments. Please note that a report with any “Not in Place” opinions should not be submitted to PCI SSC until all items are noted as “In Place.”"

Re:Welp

[HAKdragon]

On top of that, if you have an account with Amazon, you can buy Microsoft Points (for Xbox 360) or Playstation Network Cards and they will just send you the code that you can redeem on the console (or through the web interface for your account).

Re:Welp

[jimicus]

When a small business such as you or I might run fails to keep systems in PCI compliance, the bank can revoke our ability to take cards and we are in trouble.

When a huge business such as Sony fails to keep systems in PCI compliance, the bank cannot revoke ability to take cards otherwise the bank's in trouble.

Re:Welp

Which is why you use public/private encryption with payment details, so only the public key is in the application, and the private key is in a DMZ system that handles the payments. For example when I had an online company (1999 to 2005) credit card payment details were secured with PGP, never hitting the system unencrypted - secure web form -> CGI -> PGP -> storage. The encrypted details were only decrypted on a different system. Hell, the database storing them could have had different accounts for read and write access, with the read access being limited to specific machines too.

However many people think that using database table encryption (available in Oracle, for example) is all you need. The joke being that this only protects the physical data on the disks if the disks are stolen, and then only if you don't steal the application as well that will have the means to access the database!

Re:Welp

[MattW]

A friend of mine used to sit on the PCI board. He linked me to this recently:

http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html

PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)

PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.

Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.

Re:Welp

You would think so. I'm building a site myself. I have scripts to build (from scratch) apache, mariadb, php, and mysql. They also build the suhosin hardening patch and module, secure socket layer libraries, apache mod_security2.5, gd, curl, freetype, apr, mcrypt, mlib, mhash, lua libxml2 plus odbc drivers and clients and drupal with uploadprogress (all started from one single line script, but it calls other scripts). It configures everything ready to go (all config files, php.ini, httpd.conf, httpd-vhosts.conf). And except for the database being created (which is also a one liner), everything is secure and ready to go. I add cryptography layers, secure sockets, patch against buffer overflows, sql injection, cross site request forgery, cross site scripting, clickjacking, clearjacking, cookie forgery, maintain hard passwords, don't allow remote administration and sanitize all inputs. And I'm just one guy. SONY is yelping about bad anonymous, but it could be any kindergardener punching wildly on her net connected speak-and-spell, and there is a good chance SONY's site will go down. I sure looks like SONY was willfully negligent in maintaining their site, and users private personal data. They blamed GeoHot for stumbling over the keys to the PS3, now they are blaming anonymous, but their site looks like a no-brainer to break. The question is: are they just really dumb, or are they trying to be professional accident victims?

Re:Welp

[cavreader]

I have never had a hard time challenging charges on any of my credit cards. It's only happened a few times but the CC company voided the charges and issued me a new card within 2 days. I think my bank also provides protection against online related fraud.

Re:Welp

[fuzzyfuzzyfungus]

Arguably, "PCI" the standard/set of requirements is bullshit either way: If a set of requirements designed to force security allows egregious mistakes to be made and/or egregious violators to slip through, it pretty much sucks.

I suspect that anybody who does a competent, good faith, implementation of PCI is at least part of the way toward a secure operation; but PCI isn't intended as polite good advice...

Re:Welp

[Furry+Ice]

They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.

Re:Welp

[cstdenis]

A firewall isn't going to really help very much with the problem of an unpatched web server.

Either port 80/443 is open, or it's not. An IDS system may have helped but a standard firewall won't stop that exploit.

A restrictive firewall can make it more of a hassle for the hacker to get additional tools onto the server or data off, but it's not likely to stop them if they are skilled.

Re:Welp

[Yaa+101]

In real life everybody wants to be your whore if you got enough money, no matter what you fail.
As long as Sony has enough cash, most other companies will supply their services and look the other way when something nasty happens.
It's just how things in business land work, in the past, now and in the future.

Re:Welp

[HiredMan]

If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.

But they don't encourage the larger picture is my point. Their testing methodology encourages checklist thinking so you pass a limited test at 100% and you get your certification. Because you don't get any real protection from the certification - because they will retroactively deny your compliance after the fact - it becomes a necessary evil to be complied with not an active process. You're encouraged to think completely inside the box to get PCI certs but not rewarded in any way for taking a comprehensive security approach.

They will certify your computers as PCI compliant when they share domains with the unsecured network. Because you don't get any protection from PCI compliance and the testing is expensive the scope narrowed to computers themselves. Ignore the fact that I can steal credentials from the unsecured domain and then try them out on the secured PCI certified domain - to get the whole network certified is way too expensive so only do the minimum. And yes, I do know people who do exactly this kind of pen testing for PCI certified companies and that's exactly how you go about it. Your don't target the 5% PCI certified part of the network you look at the other 95% and work from there.

I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out our PCI compliant systems. However, If they found that you violated PCI standards, then you weren't really PCI compliant, were you?

They seem much more interested in maintaining the appearance of unbreakable security than actually creating a system than helps users the right thing. There is never 100% security, but rather than really help people achieve really good security they make you jump through hoops that encourage limited security scope examinations and then deny you any protection if you get breached. Their money would be much better spent on having a decent security over view of the entire network but instead they spend their money on a certification audit and then do a (worthless) internal "assessment" of the risks from the rest of the network.

It's like an ISO 9000 certification of a shitty product - they've certified that you have excellent management practices but your product is still shitty.

And back to something vaguely on topic I bet it was something like this at Sony. Their (criminally stupidly) unpatched public facing services probably didn't have any data they were worried about but they were connected to servers that did. If a simple network intrusion into an insignificant system yields a single login into a more important server that's all it takes. Major breaches are usually a chain of smaller security problems that get exploited in series until it actually adds up to something huge.

Re:Welp

Well if that isn't criminal negligence, I don't know what is!

It's quite simply really: if a big corporation does it, it's not. Don't even have to be a lawyer to know that.

Re:Welp

[grasshoppa]

Having been through a few PCI audits as the "Point man" on the technology, I can tell you that the external audits are a joke. The auditor is usually not a tech. Often, it's a peon with a clipboard. On this clip board are check boxes. He askes you "Do you do X"? You say "Yes", he ( or she ) checks the box. Meanwhile, your company continues to have horrible business practices.

This was a tier 1 audit too.

Re:Welp

[AttillaTheNun]

Either Sony is in gross violation of PCI or the credibility of the agency who certified them is in serious jeapardy. Both parties have some explaining to do. In the meantime, I should hope any credit agency takes serious notice and revokes any authorization for Sony to perform online payment processing until they can provide compliance.

Re:Welp

[DeadCatX2]

On that note, so is the United States executive branch.

After all, the only evidence they have on PFC Manning is...

A chat log.

Re:Welp

[kalirion]

Well THERE'S your problem.

Yes. Do not worry though, Sony is on top of the issue. I hear they are already deploying their most expensive lawyers to go after those irresponsible individuals who leaked information about the unsecured servers, so that this type of thing never happens again.

Re:Welp

[RubberDuckie]

The parent sums PCI up very nicely. My company is looking at the feasibility of implementing PCI vs outsourcing credit cards. Since we would be a Tier 4 vendor, we would be able to do a self assessment. Talking with other companies in Tier 4 uncovered a wide range of compliance from almost nothing to almost complete compliance. If the web site you're giving your credit card to is not a Tier 1 vendor, be very very afraid.

Re:Welp

[Rich0]

They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

Sounds like post-claim underwriting. Collect premiums from a customer up until they file a big claim. Then carefully examine history to find some violation, and deny claim. Be sure to refund premiums without interest to be nice. Of course, what they don't do is carefully check the histories of customers who DON'T file claims to see if they're paying for invalid insurance and should get refunds as well. Since the whole nature of insurance is that most people don't file big claims, you can make money hand over fist this way.

Re:Welp

[bluefoxlucid]

Stupidity is in everything here. They're running vulnerable web servers with no firewalls. Firewalls are irrelevant: your web server is vulnerable, and your web server cannot be blocked by firewall. Firewalls are not security tools; they are administrative tools. A firewall prevents access to resources that shouldn't be accessed; it doesn't magically cast a shell of defense around your network. The shell it puts around your network has lots and lots of holes.

Re:Welp

[AK+Marc]

Depends on the firewall. There are some stateful firewalls that will inspect the commands sent to HTTP servers and verify that they are properly crafted. Blocking an improper message could prevent exploitation of a vulnerability.

But most large networks shy away from stateful inspection because it's more resource intensive. And a non-stateful could catch the same things, as long as the person sending the exploit doesn't figure out something as hard as fragmenting the packet to get it past. But then, if that's the case, you can try blocking any packet that is or was fragmented, but that may have other effects as well (people on dial-up with improper dial-up settings can end up getting fragmented going over the dial-up network so you'd end up cutting off a large number of dial-up customers). But I digress. The simple point was that you can have a firewall that's capable of increasing the protection for an unpatched system. You just need to make sure you get a good one for the job.

Re:Welp

[interkin3tic]

Well THERE'S your problem.

Ah, but see, Sony said it was Anonymous' fault.

Clearly, those evildoers at Anonymous haxored their way into Sony's Apache servers, removed the patches and the firewall, then stole all the credit card information.

(FYI: this post has been sarcastic)

Re:Welp

[egork]

Can it actually be big enough not to care about PCI at all, because with 70 mln accounts they could economically implement their own fraud detection system.

Re:Welp

[cusco]

Had an instructor whose day job was doing security audits and pen tests for financial institutions. He said that in the two years that he and his partner had been doing this work that they had never once failed to get through the customer's web-facing controls. Additionally, when they arrived at a site he would unpack their equipment while his partner started calling branch offices saying, "Hi, I'm Pherd from the IT department, and I need to fix something on the XYZ box in your office. Since security is SO important the only way to get in is with the branch manager's password. Can you please give me that?" Again, in two years they had not failed. Even worse, the only three or four times that someone tried to report it to IT they were blown off.

Re:Welp

[Nyder]

They are in gross violation of PCI. Criminal Negligence is "suitable"

They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

Sony Online Entertainment is down also. Like Everquest 2, which I prepay for.

So i'm not really sure what you are trying to say.

Sony fucked up, bad. And they are going to pay, probably with a slap on a wrist, since that is how it works unfortunately.

Re:Welp

[Nyder]

From USLegal:

The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

Mental state? We are talking about a corporation here, does it even have a mental state? Or would it's mental state be, "We are Sony, We are Legion"? oops, i mean, "We are Sony, We Can do No Wrong".

Or the mental state of, "Shit, it's only our customers, we don't have to tell them anything right away"

Or the current mental state of, "Oh snap! We aren't able to get money if our servers are down!"

Because no where do I think the mental state is: "We are really sorry about this, we fucked up big time, and got owned for it, and we feel like crap. Let us take care of everything, please forgive us" like it should be, from a polite asian society.

Or is the polite asian stuff just propaganda we've been eating for years?

Re:Welp

[Khyber]

Plenty of action to be taken, and most attorneys in the UK will spy an easy target and likely handle this for free.

Re:Welp

[inject_hotmail.com]

definitely shows that PCI is bullshit ;)

100% agreed, and I RTFM (the PCI compliance manual). I do work for a company that suggested that they had a PCI audit, and that their system was found to be in compliance. I know for a fact that they are not, and will never be even remotely close to compliant. PCI compliance is FAR too restrictive for any company that doesn't spend
It's also clear to me that it's not even close to enforced by the processors. Once, during a phone conference with my client and their client, I suggested that PCI security should be considered during the programming of an application...my client told me, in short, to shut up about it.

Furthermore, the only reason the payment card industry has come up with this is to make it so that they could yank processing permission for anyone they want. If they -really- wanted to enforce PCI compliance, they would use any of the very public cases to terminate CC processing...but I haven't seen it done yet.

Truth is, enforcing PCI compliance would cost the processor more money than they would lose on fraud claims.

Re:Welp

[Billly+Gates]

Even average Joe's know to get a good firewall software package in addition to a hardware firewall router.

It is not like Sony is a small business with 1 IT person. A project like the PS Network should have been well planned with their own server rooms, servers, routers, software, and a train security staff complete with detailed blue prints and designs costings millions of dollars.

Yeah, this is terrible and the CIO and IT directory of the PS Network need to be fired ASAP! I surely would if I were the CEO

Re:Welp

[akc]

It appears the study you refer to says that even with PCI compliance, 30% of companies experienced some form of breach.

That is frightening. Do I missunderstand the figures?

Re:Welp

[chaostaco]

I have implemented PCI compliance solutions. 30% only means that the hackers are lazy. You should be more frightened.

Re:Welp

[alta]

I'm the single admin in a small shop. I'm responsible for the firewalls, the servers, the programming and.... PCI compliance. All I can tell you is, PCI compliance is on the honor system until you have an incident. You have to pass a scan from a 3rd party vendor (easy) and fill out a survey, just put yes in all the boxes.

Sorry, there are so many ways to fake the external scan if you want, it's so trivial.
1. Don't list all your IP's just use a clean server.
2. have your website send a different (simple) page when it see's the scanners IP.

We got the inspection twice. They called before coming of course. Here comes this person from an inspection service...
Do you have passwords? Yes.
Do people share computers? No.
Where's the firewall? There... Hu? That device? Oh, I usually inspect buildings, firewalls are something entirely different.
Ok, I'm going to take some pictures now.

Re:Welp

[alta]

Agreed, if the company in question (and WE DO) want to be in compliance, then it's a pretty good set of security rules to apply. It's a baseline, each operation has to have their own rules to go along with it.

But if a company wants to lie, and say they are (and it's easy to fake it) then it's usesless.

Re:Welp

[cant_get_a_good_nick]

Though i do think Cringely is a bit of a crackpot at times, and often broadly off the mark, he did have a point when he said Sony can try PayPal or something similar: http://www.cringely.com/tag/paypal/

This would be disruptive to the Credit Card companies, something sorely needed.

Re:Welp

[JWSmythe]

    Ya, I know. Some people take them as the easily circumvented jokes that they can be. I preferred to take it seriously. Since the external scan is rarely more than using a web based nmap, I prefer to try harder to break into my own equipment. :)

Re:Welp

[WorBlux]

Unfortuntately you can't throw a coporate person is jail.

Re:Welp

[y00nix]

Any "good" IT tech would not leave a unpatched HTTP server without a firewall up to the internet. Linux noobs you make us look bad, go back to using Windows.

Re:Welp

[MattW]

And, of course, there's no way to know. Ironically, in many cases it would be far better for a site to outsource cc processing... unless they are just "cheating" at compliance. (The rules of compliance apply to everyone regardless of tier; it's only the assessment that varies.) Compliance is a costly process that requires either a great deal of knowledge and effort if done in-house. And yet, Tier 2-3 merchants may not want to outsource because they don't want to look like a small company that "can't" do it internally. So for the appearance of being bigger, they may go it alone, but not have the expertise and so put end users at risk.

I used to do development at a Tier 2 merchant, and I lost a little sleep over credit cards. I was fully compliant (without gaming the system), and even implemented systems that go way beyond what PCI requires (for example, my first rev of cc processing included tokenization). And still, I was scared of persistent threats. Even though credit card processing was isolated, data transiently passed through main web servers (over ssl, of course) on the way to be tokenized. Which would mean that it would be possible to gain access to those servers, and graft something onto that channel.

If I had to do it over again, I'd recommend at least a 3-tier system with main web processing, a secure super-stripped, super-minimalized set of web services where consumers would add card data on a DMZ, and then a dropbox server that would give out tokens. I'd build the 2 tier cc-processing servers as vms and probably destroy them once a week and do rolling redeployments off a patched gold master.

I think that'd probably start to let me sleep a little better.

Truth is, I'm way more concerned with identity security than credit cards. It's pretty trivial to get fraudulent charges reversed and get new credit cards. Try getting your credit history fixed and get a new SSN/taxpayer id. And there's no PCI handling for SSNs.

Re:Welp

[MattW]

Security != Compliance. The encryption isn't meant to stop someone who roots the box from taking the card numbers, it's there to avoid side-leakage like backups, drives from failed systems that get refurbed, etc.

So now security researchers are to blame?

[hedwards]

Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

Re:So now security researchers are to blame?

[h4rr4r]

The Sony IT folks probably wanted too, but their idiot managers prevented them. Because if the update broke something or needed downtime they can't have that.

Re:So now security researchers are to blame?

[kimvette]

they'd rather be hacked and incur weeks of downtime by doing the wrong thing,m rather than a couple of minutes of downtime doing the right thing.

This is typical Sony as of late. Why should their infrastructure management be any better than the way they treat customers?

Re:So now security researchers are to blame?

[Calydor]

Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.

Updating and getting a firewall costs money, banning people from a forum doesn't.

Obviously it's better to treat the symptom than cure the disease.

Re:So now security researchers are to blame?

Well yes. Thats management for you. It'll be the techies that take the hit for it as well, not the management that called for it. Sony has major management problems; and this is just another example.

Re:So now security researchers are to blame?

[h4rr4r]

Not just Sony. This is pretty common in corporate America, from what I have seen via consulting gigs.

Re:So now security researchers are to blame?

[sribe]

Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

Of course, and "the gun dropped out of my pants and went off by accident" is also a typical response to certain other situations. Typical doesn't mean it will actually work as a defense ;-)

Re:So now security researchers are to blame?

[Mongoose+Disciple]

Yeah.

For a few years, a friend of mine had the kind of security consulting job wherein companies would hire him to try to compromise their systems and provide them with recommendations of what they needed to do to tighten up their security. I thought that sounded like a lot of fun when he first described it, but he then added that it was actually a really boring and depressing job most days because the same small handful of unpatched exploits would give him root or the equivalent on 95%+ of companies systems in under 5 minutes.

That was a couple years ago (he's since doing a different job) but I doubt things are much different.

Re:So now security researchers are to blame?

[h4rr4r]

For really depressing a typical cheap job (what these customers want) it starts with a OpenVas or similar scan, then you give them the print out and get to hear their sysadmins say that this is the same thing they already told their boss. Come back in 6 months, run the same scan and find the same vulnerabilities. Every time management acts shocked, sysadmins say "No Duh", rinse and repeat.

Security in typical companies is a last thought and overruled at every turn.

Re:So now security researchers are to blame?

[hedwards]

Indeed, I wasn't implying that it was a valid excuse, just that they'll use it and a lot of corporate apologists will buy into it because God forbid a corporation be forced to account for its own incompetence.

Re:So now security researchers are to blame?

[_Sprocket_]

There are, of course, systems that are neglected either due to being forgotten or being assigned to staff not up to the task. But I find that it's more often that one has agile systems and competent staff being bogged down by an increasingly cumbersome bureaucracy.

Re:So now security researchers are to blame?

[Mongoose+Disciple]

Security in typical companies is a last thought and overruled at every turn.

To be fair (and not with respect to patching in specific) I think it's hard to come up with a sensible corporate security policy that actually creates a reasonable level of security without getting in the way of the business.

At one place I worked, very rigorous security policies were in place around migrating programs and database changes into their production environment -- so rigorous, in fact, that the developers were forced to (long story short) architect their solutions in a much less secure way than they would like in order to meet their deadlines.

Re:So now security researchers are to blame?

[Nyder]

Having played Everquest 2 for 5+ years, I think i can safely say, at least, SoE (Sony Online Entertainment) has a history of releasing updates that break other stuff in the game.

And they say the apple doesn't fall that far from the tree...

Re:So now security researchers are to blame?

[astrodoom]

That argument never works. The people who originally found out were not informed by their own post, so it stands to reason that someone else can definitely figure it out as well.

This seems like a case for...

[xMrFishx]

Doing It Wrong!

Re:This seems like a case for...

[Verdatum]

I mean dear God, this isn't a case for Slashdot, it's a case for Failblog!

:facepalm:

[kiloechonovember]

Normally I would find it unbelievable but Sony continues to surprise me in all of the worst ways.

Criminal Negligence?

[chemicaldave]

Aren't there privacy laws in the US that mandate fines for this kind of incompetence?

Re:Criminal Negligence?

[xMrFishx]

Yeah but generally it's best if they're just put down. It prevents further incompetence in the future.

Re:Criminal Negligence?

[chemicaldave]

As a user of SONY products, I'd prefer if my purchases weren't totally in vain. Besides, all of those fired sysadmins would have to find jobs somewhere.

Re:Criminal Negligence?

[Verdatum]

"Curiously enough, an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defined the IT division of the Sony Corporation as 'a bunch of mindless jerks who were the first against the wall when the revolution came.' "

Re:Criminal Negligence?

[rubycodez]

"Put down" does not mean fired, guess again. Hint, it's a phrase for a specific action in farming and veterinary clinics for animals which are incurable or too expensive to cure.

Re:Criminal Negligence?

[Beryllium+Sphere(tm)]

In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.

The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.

Re:Criminal Negligence?

[g0bshiTe]

I say put the two together, and stream it. "Sony IT Admins put down via fire. LIVE STREAM".

Re:Criminal Negligence?

[the+eric+conspiracy]

Not really, but if you are going to get sued for damages in a multi-billion dollar class action law suit one of the key points is going to be negligence. If this story is true, establishing negligence is going to be easy.

Re:Criminal Negligence?

[desdinova+216]

mod parent up funny

Re:Criminal Negligence?

[Opie812]

eaten?

You want to eat Sony Server admins?

Re:Criminal Negligence?

[Rich0]

Only to an extent. I always see this argument but it doesn't usually apply unless the cost applies to everybody. Taxes usually are passed on. Fines usually are not.

The reason is simple - competition. If Sony raises their rates, and Microsoft does not, then people deciding on a console will be more inclined to pick the MS one.

Sony charges every dime the market will bear, and so does Microsoft. They don't charge cost+n% - they charge teenager-monthly-allowance+begging%. What they can charge doesn't change, and begging% is likely to drop when the parents have to get a new credit card and change all their recurring bills that hit the old card. Sony would see the money come out of their profits.

standard industry practice

[RichMan]

*SARCASM*

Sony's defense will be that this state is "standard industry practice" and to expect Sony to have taken more elaborate steps at being secure like updating the software or running firewalls and other protection services as well as things like honeypots and other intrusion detections measures is just not done by major internet service providers.

Re:standard industry practice

[ebuck]

It would work, if there wasn't already precedents that established "standard industry practice". It's the credit card companies who eventually set that bar, and Sony seemed to mistake the game for one of Limbo instead of Pole Vaulting.

Sony, how low did you go?

Re:EPIC Fail

The problme was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

But, but, but...

[Kamiza+Ikioi]

... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers told us!

Re:But, but, but...

[LWATCDR]

I don't know if Anonymous is too blame for this. They are still after all a bunch if vindictive thugs and the Internet version of a street gang but that doesn't make them guilty of this.
But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.

Re:But, but, but...

[scot4875]

Just because the criminal did it doesn't mean that Sony's gross negligence is acceptable.

Your fanboyism and Sony defense is getting almost as bad as SuperKendall and MobileTatsu's Apple ass kissing.

--Jeremy

Re:But, but, but...

[LWATCDR]

Actually I am not a Sony fanboi at all. I think Sony was wrong for taking out the Other OS support, going after jailbreakers and console modders, and that root kit thing was just criminal. The only Sony console I own is a PS/2 and that is because they came out with Tourist TrophyTT and I am a motorcycle fan.
I am a justice fanboi. It is DISGUSTING to blame the target of a crime just because they didn't protect themselves well enough.
Of course Sony should have patched their servers but they are not more to blame or even as much to blame as the criminal that broke into there system.
That is the same kind of thinking that says a pretty woman is to blame if she gets raped or a victim of a bully is to blame because they didn't stand up to the Bully! Or even the victims of phishing attacks because they should have known better.
That kind of thinking is disgusting and frankly arrogant.
Should Sony have updated their software and have had better security? probably but I would love to have some facts like what version they where running and what does no firewall really mean before I make judgement on that.
Is Sony as responsible for being attacked as the person or group that made the attack? HELL NO!

Re:But, but, but...

[flimflammer]

It is DISGUSTING to blame the target of a crime just because they didn't protect themselves well enough.

You and I vary differently when we consider who the victims are here. I think the real victims are the millions of people who had their credit card numbers exposed. Sony abused the trust of every one of those individuals who had their information stolen because of their disgusting negligence.

There really is no excuse for what happened. Should Sony have updated their software and have better security? If your answer is anything other than "YES!" then you have no idea what you're actually talking about, which is evident by the very next line you spoke. Running a box open to the internet without a firewall is like pulling your dick out of your pants, cutting it a few times for good measure, and then sticking it into a whore you know has aids, herpes, and at least 20 other stds. It takes a really stupid individual to let that happen.

It's just sad that so many people are going to be paying for Sony's mistake.

Re:But, but, but...

[LWATCDR]

Of course Sony should have updated. You should lock your car, you should have dead bolts on your front door.
But if your care gets stolen because you forgot to lock it or your house gets robbed because didn't put on a dead bolt does not make as much to blame as the criminal.
I will skip your tasteless example.
Do you really lack the understand of the difference in responsibility between the failure to take precautions and committing a premeditated criminal act?
The fact that people are SO FREAKING STUPID to think that this has anything to do with being a fan of any company drivers me NUTs. If Sony was so careless then I am sure that they well end up paying out a lot of money. But that is a civil case and not a criminal case. But to call me a fanboi is just stupid. No this is about truth and justice. Frankly one of the reasons I don't own a PS/3 is all the evil stuff that Sony has done in the past. I really wanted one when I could put Linux on it because I really wanted to do some development using the cell and it was the cheapest platform I could get. I am glad I didn't now. But just because they have done evil things and frankly still do I will not lie and say that they are equally to blame for some commuting a criminal act targeting them. And I will not allow others to do the same with out speaking out.

Re:But, but, but...

[flimflammer]

First of all, I have no idea why you keep bringing up whether or not you're a fan. Frankly I don't care and never have. Nothing I said had anything to do with your position towards the company.

Secondly, there is simply no reasoning with you. You are acting like some sort of champion for Justice and yet you don't look beyond the black and white of "did Sony intentionally commit a criminal act." Negligence does not require that you do something with intent. No one here is dismissing the attacker as having committed a serious crime, but no one here is going to look at Sony as some sort of helpless victim as you are.

Had Sony not been notified of this extreme hole in their network long before the attack was commenced, had Sony taken even the most basic security precautions while storing the credit card information of millions of users, had Sony not neglected to report this even took place at all until days after this had actually happened so that people might be able to take steps to safeguard themselves, had Sony not tried to find whatever scapegoat they could to make themselves look better (calling Anonymous the attacker and then saying how it was a "well thought out, highly sophisticated, meticulous act" instead of "someone could probably just stumble into our network and steal our shit"), I might agree with you.

This was a ridiculous amount of negligence on the part of Sony. They must not be simply allowed to get away with it, and I'm not even talking about criminal charges. Just because they didn't shoot someone or try to steal something, that does not absolve them from being sued for negligence especially when it comes to the safeguarding of millions of users financial information. If nothing else, I hope they lose their ability to accept credit cards. No one should be allowed to store that kind of information if they're going to treat it so haphazardly.

Re:But, but, but...

[LWATCDR]

scot4875 accused me of being nothing but a sony fanboi. You replyed to my reply to him.
I never said that Sony was with out fault. I said that Sony was not as guilty or frankly guilty at on in this case. I am just sick of people shifting the blame from people committing criminal acts to those that they happen to feel didn't have as good of defense as they should. But there is so much Sony hate that people are just looking to dump all the blame on them.

Re:But, but, but...

[Khyber]

"It is DISGUSTING to blame the target of a crime just because they didn't protect themselves well enough."

What about if that target is committing worse crimes and a crime needs to be committed against it to bring the crimes to light?

Oh, how people fail to use their brains. This system is so geared to favor corporations that you have to do something illegal to bring their own illegal actions to light.

Re:But, but, but...

[lostfayth]

scot4875 accused me of being nothing but a sony fanboi. You replyed to my reply to him.
I never said that Sony was with out fault. I said that Sony was not as guilty or frankly guilty at on in this case. I am just sick of people shifting the blame from people committing criminal acts to those that they happen to feel didn't have as good of defense as they should. But there is so much Sony hate that people are just looking to dump all the blame on them.

(Emphasis mine.)

The first statement there directly contradicts the first, based on the way it is written. Yes, an unknown someone or someones committed a criminal act in the form of unauthorized access to systems containing sensitive information - everyone understands this, and many here (including myself) were directly affected by this. However, the second crime by parties unknown does not absolve Sony from blame - as they may well have been guilty of criminal negligence in allowing unsecured systems (or even known insecure systems) to house said sensitive information. They don't deserve all of the blame, as it still took a criminal to exploit the systems and gain access to the data, nor perhaps even the majority of the blame - again, a criminal was necessary for this to become a problem - but Sony does indeed share some of the blame, and that's what most people are saying here.

I've not heard one case yet based on my reading of the comments on these stories that said "let the criminal go, and hang all the Sony execs responsible." Perhaps the latter has come up a few times, but not attached to the former. :)

Re:But, but, but...

[LWATCDR]

You will see many people say that Sony is more to blame. Or that it is Sony's fault. And that is what I do not agree with. I also really want to see what the hack was and how long the vulnerably was known and patched. In a production server you don't just put the latest version of Apache up until you test it. Patch could have been being tested or worse Sony may have been using a custom version of Apache and had to port the patch. There is honestly too many questions to lay the blame on Sony.
And the defense of the cyber gang Anon does irk me. When people have to fear critical of a group that group is a treat to all of society. Frankly the actions of that group hurt freedom. They scare the crap out of average people and will help strengthen things like the DMCA and anti-console modding laws. I will say that I doubt that the majority of that group had anything to do with stealing the cards but what does it take to be a member? Someone left their calling card on the hacked server and is calling yourself a member enough to make you a member? If the group is as loose as they claim it is then no one and everyone is a member.

Re:But, but, but...

[sjames]

Nah, street gangs and thugs tend to be after cash and power. Anon seems more like fed up and pissed off villagers tarring and feathering the local bad guy who has the sheriff in his pocket.

Oh Yea...It was Anonymous` fault.

[__aavqan3009]

What a pile of tools. Ya know, Sony made a pile of money in the early sixtys ripping off German Reel to Reel tape machines. Yes, that`s counterfeiting.

Lawyers will have field day!

[peter303]

they can show there are some commonly accepted best practices

Wow lots of speculation but no proof.

[LWATCDR]

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Which version?
And what do they mean where not running a firewall? And this was reported on a forum?

You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.

Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and our that Congress is not taking statements like "It was reported on a forum" as evidence. Now if they have proof that this is true and it was reported on a forum it is interesting but just reported a forum is junk.

Re:Wow lots of speculation but no proof.

[LWATCDR]

I do not know him. and everything you say may be true but I am going only by what is in the linked story and that had nothing of value. I do not think one should reward bad journalism with lots of pages hits do you?

Re:Wow lots of speculation but no proof.

[AtomicJake]

Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and our that Congress is not taking statements like "It was reported on a forum" as evidence.

Hey! This is slashdot. We only repeat unsubstantiated rumors. Where would be the fun otherwise?

Re:Wow lots of speculation but no proof.

[Xacid]

My friend told me it was Windows 3.1 and the password was password.

Re:Wow lots of speculation but no proof.

[Gaygirlie]

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Which version?
And what do they mean where not running a firewall? And this was reported on a forum?

The forum in question is in use by Sony employees themselves and the fact that the Apache version was out of date for noticed not only by outsiders but by Sony employees themselves. It's all there on the forums if you wish to read. And yes, of course they tried to report the issue to Sony.

What they mean with the fact that there was no firewall is that there was no firewall between the server in question and the Internet or the server and the internal PSN network, which means it had full access to the whole network. Any IT administrator would know to limit the access to any internal networks for machines that act as servers on the Internet.

This ain't just "unsubstantiated rumors", no matter how you feel about using forum posts as evidence.

Re:Wow lots of speculation but no proof.

[LWATCDR]

But none of that detail is in the linked story.

Re:Wow lots of speculation but no proof.

[_egg]

How about a link to the forum and posts in question, then?

Re:Wow lots of speculation but no proof.

[Rich0]

He told you it was on the Internet. Come on, it is only 500 bytes of data on a 5 exabyte internet, you shouldn't have trouble finding it, right?

Re:Wow lots of speculation but no proof.

[Nyder]

...

You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.

...

You are going to get banned from here for that.

Re:Wow lots of speculation but no proof.

[Khyber]

PUBLISHED VULNERABILITIES.

Now how many hackers are out there finding the actual holes and keeping it a secret for future exploitation?

Plenty.

Re:Wow lots of speculation but no proof.

[Khyber]

Considering the internet is my personal storage ground, it takes almost no trouble.

http://www.theregister.co.uk/2011/05/01/psn_service_restoration/

"Sony’s Shinji Hasejima, Sony’s CIO, told Sony’s apologetic news conference that the attack was based on a “known vulnerability” in the non-specified Web application server platform used in the PSN."

Didn't take more than a couple of seconds of reading slashdot comments.

Re:I don't find this shocking

[karnal]

As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.

Risky to use the same lock on all doors

[Coisiche]

Ok, so it was specifically in regard to their internet forums but it does tend to suggest a fair amount of complacency regarding security which would extend beyond those forums.

Well that would seem to be proven.

Elite Hackers.

[dadelbunts]

They first had to get around the impenetrable wall set up by sony. Then they had to find the data, which sony hid in the most secure place they could. What better place to hide something than right in plain sight labeled "Credit Card Info". Sony you sly fox, using reverse psychology on hackers.

Re:Elite Hackers.

[berashith]

I always hide information in a file called README. No one ever looks in there.

Re:Elite Hackers.

[SpeedyGonz]

Or EULA.txt....

If they had cared enough...

[samjam]

Sony took more care to lock the customer out of equipment the customer owned on the customers premises to "protect Sony's IP" than they took to protect the customers data running only Sony's servers at Sony's premises.

Looks like they need to move their security staff to the hosting side.

Sam

Re:If they had cared enough...

[Plekto]

This is absolutely typical for most large Japanese companies. The infrastructure is absolutely vertical and they admit to nothing. PR and the face that you present to the world is everything, and well, all of the rest is just stuff you should be a good worker and not ask about. Typical management is not too different than in the U.S. though, which is to tell the workers to "do it" and leave the rest of the thing to some guy five levels down the chain to make work. Just, that if there's a problem, the workers in this case never are really allowed to do more than to complain to their direct manager. And that's considered extreme. A famous saying in Japan (and they invented this phrase/proverb, mind you!) is "The nail that sticks up will be hammered down." (with an implied context of force-ably doing so). I have friends who are from the U.S. in Japan who tell me that co-workers actually worry over whether it's proper to raise a concern over something as minor as requesting more paper for the copy machine. Let alone butting heads with their bosses. To them, it's almost hilarious. To the typical Japanese worker, it's unfortunately all to real as a result of generations of top-down control and a "comply with society or die" type of attitude that's everywhere.

The typical email to the VP saying that "our internet security is a problem and we need to fix it (ie - $$$ to do so)" by your head of local IT just never gets up the half a dozen levels to anyone in upper management. We saw this with the Toyota debacle. I'm positive that some engineer said that there was a potential problem and their immediate manager overruled them and said that it wasn't worth worrying about such an incredibly rare issue. End of story, worker drone goes back to their desk. Oh , and you also saw it with the way they handled the nuclear mess as well. "No problem" until the entire world is pretty much forcing them to admit weeks later what we all know would be the likely outcome within 24 hours of the incident.

And Sony is also in the same pattern, now. "No Problem" and blame others until they are forced to admit that they made a mistake.

Re:I don't find this shocking

[somersault]

Are you also not keeping it up to date? It's the combination that makes it really bad.

Boy

[jimmerz28]

This just keeps getting better and better!

Re:EPIC Fail

my firewall log would beg to disagree

Oblig

[ctrimm]

Hack the planet!

Re:Oblig

[Kamiza+Ikioi]

Better watch out for Agent Gill with comments like that.

Lemme guess what the response was

[Opportunist]

The thread was deleted for "security reasons" and nothing else happened.

No, I did not read TFA, but I know Sony.

Re:I don't find this shocking

[MobileTatsu-NJG]

Am the only one running apache without a firewall ?

No, we're all running your machine, too!

Re:no security == no security breaches

[somersault]

If your house is holding many people's credit card details, and more, in a supposedly secure fashion, then it makes you look a bit more than foolish.

Re:EPIC Fail

[Bobfrankly1]

The problme was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

I thought Apache was only meant for casino websites ran off the reservation.

Re:I don't find this shocking

[g0bshiTe]

A whitelist that protects what's needed from outside to inside, does nothing against an exploit that spawns an internal shell listening from inside to out. Even then depending on the configuration and the level that the server was compromised a web page with a pass-through script will run most anything from within a web browser and the Apache server on port 80 again useless firewall.

Re:no security == no security breaches

[nanospook]

Did you say LOL just in case some tool took your statement seriuosly :P

Re:EPIC Fail

[MobileTatsu-NJG]

I mean who puts servers using any operating system public facing to the internet without a firewall..

FTFY.

Surely Sony Server Software Shall Stay Secure

[glittermage]

Right now I am glad that I don't use PS3, PSN, or SOE products or services as I am a computer gamer & wasn't interested in SOE games. I don't use Sony hardware in my PC since the Sony rootkit issue. I did have some respect for the Sony brand when it came to electronics and non-PC hardware but after this fiasco I will take my money elsewhere. As I register my products I don't want a company with lax security & little respect for my information to handle my any of my data. The only way for Sony to make a little face is to terminate all employees (individual contributor & management) who had a part in securing systems with user data. That would mean all the way up the management chain if high level execs had a part, even a small part.

Don't forget

[drb226]

it's Anonymous's fault! Hacking poor Sony's vulnerable servers...the gall! [/sarcasm]

Re:Hardly possible

[LearnToSpell]

Lemme know when you graduate high school, and you're looking for a sysadmin job, so I don't hire you.

Re:EPIC Fail

[Mongoose+Disciple]

You laugh, but when you think about it and weigh PSN against XBox Live, Sony failed so hard they made Microsoft's security look good by comparison.

That's a special kind of failure. That's the full retard, if you will.

This could be a cover-up.

[flogger]

About a year ago, My credit card was billed 150$ for Playstation repairs by Sony. I don; town a playstation. The only credit card info Sony had on me was for an everquest account that I had.

I contacted Sony and let them know that I did not pay for repairs as I do not own a playstation. I was told that they would not remove the charge and that I would have to contest it thought the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the playstation network account associated with the playstation that was repaired.

I contested the charge through the credit card company and went through the whole hassle of changing ALL credit cards and notifying all business that I do transactions with.

Maybe Sony is charging people for 150 here and there to pay for their lawyers. Now that people are calling Sony on the fraudulent charges, they can say that they were hacked....

(Yea, I know, Who would steal credit card numbers from Sony and use the same info to buy Sony stuff.)

I had stopped buying everything sony, cancelled my EQ, etc when the Rootkit fiasco hit and I was burned by that for putting a CD in my computer.

Bastards.

Re:This could be a cover-up.

[CrimsonAvenger]

I contacted Sony and let them know that I did not pay for repairs as I do not own a playstation. I was told that they would not remove the charge and that I would have to contest it thought the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the playstation network account associated with the playstation that was repaired.

Actually, this sounds perfectly reasonable.

Sony has no way of knowing whether you are the person who put the charge on the card or not (or even whether you're the owner of the card), and should not be expected to cancel the charge on their own.

By requiring you to go through your credit card company, they leave the problem of verifying your identity to someone who should have a bit more information to use to validate it.

And telling you they'll cancel the network account associated with the playstation means that if you are trying to scam them, you'll lose your PS network account, but if you are NOT trying to scam them, then whoever DID try to scam them (using your card number) will lose their PS network account.

Looks like a win for everyone, really.

Note, by the way, that if your normal process for dealing with unusual/unexpected charges on your cards is anything other than "go through the whole hassle of changing credit cards and notifying businesses that you do transactions with", then you're doing it wrong.

Qualifier to above: if you have children, your first reaction should be to call the children down and ask if any of them put anything on your credit card without asking. My eight-year-old did that once. Just once.

Discovery

[Oxford_Comma_Lover]

> You realise the basis for this claim is an IRC chat log...
> Hardly a reliable source of information..... Slashdot epic fail....

If anyone takes them to court--almost impossible if they wrote their agreements well, but possible, perhaps for family members' whose credit cards were used without having signed the agreements or the like--they can get much better proof in discovery.

> I have to wonder, are ALL Americans as dumb as the poster of this "news"?

TFA points to Congressional testimony. Even if it was based on what a security expert mentioned in an IRC channel--or is even more remote than that--that doesn't make it wrong. Also, TFA doesn't mention an IRC channel, so whoever posted the slashdot article can hardly be called a dumb American for posting it, even if we were to grant that having IRC as a source necessarily makes posting a story dumb, AND even if we were to take for granted that doing something dumb makes a person necessarily dumb.

So...

[Capeman]

Everytime a new PS3 firmware comes out, with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?

Re:So...

[phek]

yes. they have proven that they only care to protect their own intellectual property not the intellectual property they force their users to give them.

VISA and MasterCard lower the hammer

[Animats]

It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

Then comes the "Account Data Compromise Recovery phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.

Re:VISA and MasterCard lower the hammer

[Rick+Bentley]

If Sony could really be responsible for all the losses created by all the breached credit card information, it might be a good idea to short Sony stock. Think about it, 77M credit cards, $100 average hit, is $7.7B (with a "B") dollars...

Re:VISA and MasterCard lower the hammer

[xero314]

It's actually 12 million credit cards, and many of those have probably been canceled before any fraud was able to appear. Never mind the fact that not a single cause of fraud has been associated with the intrusion, and with 12 million cards you would think a pattern of fraud would start to appear pretty quickly. That's not to say it won't happen, or that people should not take the necessary precautions, just that so far there have been no incidents, so shorting a valuable stock is probably not the wisest idea.

Re:VISA and MasterCard lower the hammer

Unfortunately, in a situation where a corporation gets stuck with extra costs, it almost NEVER happens that they eat those costs. They just pass it along to the customers. Future Sony customers will essentially be paying the fines for Sony's incompetence.

And for those who think that Sony's business is at risk because of this issue...spend a week in a major city in Japan. Sony is somewhat like a demi-god there. They own parts of nearly EVERY sector of industry as well as the government. They may lose some US business because of this, but to their core (Japanese) market, they could practically slaughter dozens of puppies on live TV and still do no wrong. It's kinda scary, and honestly felt a bit like some nation-wide cult when I was there. =P

Re:VISA and MasterCard lower the hammer

[woolpert]

The time to short the stock is well past.
One shorts when public information is low and you have special knowledge of the situation, be that insider information, a unique knowledge of the industry, or particular experience.

Shorting Sony at this point in time, when all the smart money (which knows more than you) has already set a rational price based on reasonable odds is nothing more than tying your hands.

Unlike a traditional (long) position you would have locked yourself into a time window, preventing you from a full range of actions based on later information.

Re:VISA and MasterCard lower the hammer

[asdf7890]

Never mind the fact that not a single cause of fraud has been associated with the intrusion, and with 12 million cards you would think a pattern of fraud would start to appear pretty quickly.

It could be that the negotiations for fencing the data along the chain are not going smoothly. Large scale crime is often a quite compartmentalised business these days and the people taking large amounts of personal data or financial information are often not the same people who end up using it for nefarious means.

Re:VISA and MasterCard lower the hammer

[david_thornley]

Let's assume that Sony is setting its prices rationally. That means a maximum of revenue minus per-sale costs. Then they can't collect more money from the customers by raising prices. If they could have gotten more money out of raising prices, they already would have.

Individual companies hit with extra costs in a somewhat competitive market simply can't pass those costs on to the customer, because there's no way to do so.

Re:VISA and MasterCard lower the hammer

[xero314]

This would be true if time were not of the utmost importance when it comes to credit card fraud against people who are aware that there cards are compromised. Every other details that was in the data that may have been compromised is a mater of public knowledge for most people. Names, address and date's of birth are part of many vital, and public, records. I guess some of their security questions may have revealed other details, but in most cases who your childhood hero was, is not useful for identity theft (and also why I never answer those questions with anything that even looks like a valid answer personal). The only thing this compromised data has done is collect the data in one place. Data that is soon going to be protected by an id theft prevention service (if it's not already), or otherwise invalid do to canceled cards and such.

Every day this information goes unused, and unsold, the value drops. Again this is not to say that we should count on this to keep us protected, just saying that there is no reason to believe at this point that any real damage to individual consumers will come of any of this.

Never mind the fact that simple data mining of Facebook would get more useful identity information.

Re:VISA and MasterCard lower the hammer

[keith_nt4]

They could use a cheaper 3rd party vendor with lower quality standards for productions in China and charge the same amount retail. Same price, lower quality in other words. That's what a lot of companies in other markets are doing right now: same price for a bottle of shampoo, 2 or 3 oz less in the bottle...

Re:VISA and MasterCard lower the hammer

[Animats]

Never mind the fact that not a single cause of fraud has been associated with the intrusion...

We don't know that. In fact, Sony wouldn't know that unless VISA International tells them.

The fraud may have taken place before the Sony break-in was discovered. It takes a billing cycle or two before phony charges become clear, as customers complain. Somewhere in VISA International, claims from consumers to their banks about false charges are being correlated against the list of compromised cards. Sony will be getting a bill.

Re:VISA and MasterCard lower the hammer

[xero314]

In fact, Sony wouldn't know that unless VISA International tells them.

Most of the major credit card suppliers have already stated that there has been no fraud associated with this attack. I admit I have not yet read a statement from VISA, but I'm fairly certain VISA would have notified people if there was a pattern and this would have hit the news already.

It takes a billing cycle or two before phony charges become clear, as customers complain.

This is complete bullshit. Credit Card companies can detect fraud within moments of the transaction taking place unless the charges somehow look similar to the customers usual spending habit, which is very rarely the case. The majority of credit card fraud cases are caught by he banks and card companies, not by the consumers.

There will be fraud on some of these cards following the intrusion, but unless that number is higher than the expected case for 12 million cards, then Sony will not be held responsible. So far I have read three claims of fraud, which seems pretty low for the typical fraud rate on 12 million cards.

But as I have said many times, I'm not saying it won't appear, just saying that so far it has not, and the longer it goes the less likely it will appear.

Re:VISA and MasterCard lower the hammer

[thsths]

> but I'm fairly certain VISA would have notified people if there was a pattern

Notify 10 million customers and upset them? I envy your trust in large companies, but I really wonder where you got it from. It can't be recent history...

Anyway, VISA is just a clearance house nowadays. The risk is mainly with the banks issuing the cards...

Re:VISA and MasterCard lower the hammer

[xero314]

The risk is mainly with the banks issuing the cards...

Correct, and so far none of those banks have issued any statements regarding any connection between fraud and the PSN intrusion. Many of the major card providers have specifically stated that there has been no pattern. My point still stand.

PCI Compliance is basically a cover up.

[mysqlbytes]

PCI compliance can be a cover up, and a cover story over many troubled companies. I work at one, where I was instructed to be creative when it came to giving answers. Patching was always an annual affair, generally before the auditor came onsite. As for external pens tests, they can be faked. At one stage we pointed the pen testers at a non-production test system, with a completely different version of software. Thank god I am out of that sector now. Sony are liable for costs from the Credit card companies. I was told it was $100 an exposed card number. So they could be liable for billions.

Re:PCI Compliance is basically a cover up.

[phek]

why would you even hire pen testers to point them at systems that don't contain the same software as your production? it's not like that's part of pci. As for the cost I can't really find anywhere that gives any cost of fines (though i have seen $500,000 per incident). I did however find an article saying it costs businesses on average $204 per customer for a data breach in the US (ranges from $750,000 to $31 million for total costs to companies).

http://www.securityprivacyandthelaw.com/2010/05/articles/cybersecurity-cybercrime/ponemon-study-finds-average-cost-of-data-breach-was-34-million-in-2009/

Re:PCI Compliance is basically a cover up.

[thsths]

> You can literally lie your way through, with fabricated evidence.

Of course you can. You can also earn money with credit card fraud. Neither is honest work.

Re:PCI Compliance is basically a cover up.

[phek]

section 6.6 isn't a penetration test. section 6.6 requires an automated scan of your network to find out what software and version is running and verify that there are no listed vulnerabilities for that version of the software in nvd. As for sony, i've heard people say that prior to this whole fiasco, their card wouldn't go through on PSN because the credit card company had them on the list of untrusted merchants. This would mean that sony probably wasn't pci certified.

Re:Hardly possible

[nedlohs]

A month ago Sony could also say no intrusions had occured user data was safe.

Re:Hardly possible

[ace123]

I wish things were as you say. However, many applications written in e.g. LAMP stacks allow the web server full read access on the entire database, and often even write access.

I would hope Sony isn't so stupid, but for example you will often find a configuration file which contains this username/password and can connect to the database. This file often needs to permit read access by the webserver because the application itself needs this access. Hence, given access to the webserver, it would be fairly trivial to gain access to the entire database on such a simple setup. This is sadly true in just about every PHP application you can install, as well as every custom-made software stack I have seen used in small organizations.

However, note that I said small organizations. Having a single database server in a company as large as Sony would make sense, so they would have to design a better system. Plus, sending SQL over the clear in a large network is a horrible idea. I would expect better security, in which access to the webserver would only compromise transactions going through that system and not the whole database (you would steal 100 credit card numbers, not 10 mil). For example, using a very narrow layer between the webserver (which is accessible to the outside) and the database service, where you only have commands for valid actions, e.g. "purchase(sessionID, game)" or "login(username, password)"

Furthermore, using virtualization, user account isolation, and operating-system sandboxes like SELinux, you should be able to restrict any damage should the webserver itself be compromised. I would expect any large tech company to have this level of security.

No Firewalls

Web servers do not need firewalls. If your servers are only providing public facing services there is no need to firewall them. In fact, firewalling them can make them more vulnerable to DDoS attack.

Re:No Firewalls

[FreakyGreenLeaky]

ooooooo, DMZ. You must be an IT manager.

Re:No Firewalls

[AnEducatedNegro]

i actually don't like to take management positions because, even though they pay better, the lack of hands on work is extremely frustrating. here let me put it in technobabble for you: PUBLIC NETWORK or how about INTERNET FACING SYSTEMS or maybe you like EXTERNAL

you must be from the helpdesk ;)

Re:No Firewalls

[F.Ultra]

Exactly, the problem here is of course the unpatched bit. No firewall can help there.

Re:No Firewalls

[Stray7Xi]

Web servers do not need firewalls. If your servers are only providing public facing services there is no need to firewall them.

No no no. Firewalls aren't just used to block insecure services. They're also used to block outbound connections or rogue listeners. A common scenario is a vulnerability that allows a shell command but doesn't return output of that command. A hacker could just start a listener to serve a command shell or connect back to their computer. Yes, you're still vulnerable with the firewall but it mitigates the damage. This is probably the type of "anomalous" behavior that lastpass detected.

But If you're going to believe your public services aren't vulnerable, you might be able to squeeze a slight bit of performance by getting rid of all encryption and storing passwords in plain text.

Obviously

[ThatsNotPudding]

They were depending on Anonymous to keep the servers patched, hence the blame. "Expect Us" was logicaly taken to mean "Expect us between 2 to 5 on Friday to apply the service packs".

Re:Obvious to those who are in the system

[Tool+Man]

The merchant's external ASV and internal vulnerability assessments should have had red flags all over them, so ignorance is certainly no excuse. The QSAs may never know the difference as you say, and it's up to the merchant to specify scope for the external scans. These things should make a large difference if followed in good faith.

Re:1 million $ per citizen terror savings awards

[DrgnDancer]

OK, I realize you're a tremendous troll, but for a lark I did the math. A million dollars for each citizen of just the US is 300 trillion dollars. That's about four times the GDP of the entire world. That's worlds away from the cost of every war, and bank bailout in US history combined. Possibly world history.

Sony, I am disappoint.

[eepok]

As a long-time subscriber to SOE games, I can say that I am just flat-out disappointed.

It's not just anger, it's not just disbelief... it's disappointment. As if I just found out that my kid is the bully at school, steals lunch money, and spouts hate speech.

I know that the people I know, personally, in SOE (devs, community relations) didn't have control over this, but some people at most levels had to know.

Ouch, guys. Ouch.

(http://t0.gstatic.com/images?q=tbn:ANd9GcQngiRrhTv_0WdVtJjX3aUV8a4o7zuyAY_CTUwHPpFdmtZ9_897&t=1)

You get what you pay for

[dachizzla]

This is exactly what you should expect from a free service. What where they thinking? The console cost at least $300. The games are $60, users would not mind paying the $50 a year to have a secure network. This is the direct result of "free" service. You get what you pay for....

Re:You get what you pay for

[JSBiff]

Yeah, see, the cost of running the network was already factored into the $300 + $60 * X. It was never a "free" service - it was just cheaper than Microsoft which charged you $300 + $60 * X + another $50/year * Y years.

I also feel confident in saying that even if Sony had charged, it wouldn't have changed the outcome, other than you'd have payed even more money for Sony to lose your data to the crackers.

Re:You get what you pay for

[Khyber]

Us not paying for a network service is the reason for them not following PCI-DSS? What are you smoking? I'd like to upgrade to that!

Re:Hardly possible

[phek]

if it was "unpatched" that generally means that there were security bugs in the version of apache that was running (otherwise they would have just said it wasn't up to date which wouldn't matter). If this web server was within the same scope as their cc processing system that would probably be a pci failure (not sure what vulnerability was). No one is saying that this was some vulnerability that would have allowed an attacker to run arbitrary code as root on the server however it may have given an attacker information on how their network was set up allowing them to find a more dangerous security vulnerability. Also apache httpd server doesn't have a good record of being immune to attacks, it's just not known to have more than expected.

The following is a list of security vulnerabilities that have been fixed in just apache httpd server 2.2
http://httpd.apache.org/security/vulnerabilities_22.html

Re:who to blame?

[bravo_2_0]

The Sony executives can't have things both ways. They are quick to put themselves forward as the reason for the companies successes so conversly they must also take the blame for the failures. While they weren't the ones who setup the servers they are the ones who hold the overall responsibility for safeguarding our personnal information.

Marketing!

[Platinum+Dragon]

The ad for a free copy of "Vulnerability Management for Dummies" that appeared beside this article when I first clicked on it was a nice touch.

I just want to scream

[bravo_2_0]

In a letter to the committee, Sony said it has added automated software monitoring and enhanced data security and encryption to its systems in the wake of the recent security breaches.

After reading the above I just wanted to scream! All of those things should have been setup to begin with not added after a breach. What they should be doing now is firing all of their admins and hiring some who actually know what they are doing rather than people they found wandering around the local Walmart.

Re:Is this really relevant for PSN itself?

[phek]

it shows that the company wasn't concerned with security. If a company was doing everything in it's power to keep it's networks/data secure it would be hard to fault them... if there is proof that they knowingly ignored security problems then they would have more liability for any security failures.

Re:I don't find this shocking

[karnal]

I apologize, I should also state there are explicit rules inside to outside too. Businesses should not run their servers like a home network to where the server has unfettered access outbound - or to other network areas, if necessary. Also - deep packet inspection on the firewall can nail a lot of what could be seen as unexpected protocols running across common ports (someone attempting ftp/SMB over port 80 for instance.)

Re:who to blame?

[Anomalyst]

Far more likely is some beleaguered sysadmin made pointed comments and emails to management who were too "busy" with their "meetings" at the 19th hole to act on. A sysadmin can only do what his PHB's give him/her time and budget to accomplish. Been there, done that, got the T-shirt and the other kitsch. Lemme say, I don't miss the having my name associated with such idiocy.

Re:I don't find this shocking

[eulernet]

And it was a genius idea to put the credit cards on a webserver !

You never expose your important data.
If you really need to store credit cards, you put them on your local network, and provide web services to validate the data, but never store anything on the web server.

Re:EPIC Fail

[guspasho]

Everybody knows you never go full retard.

Sony: It was Anonymous, honest guv

[David+Gerard]

GUTEN TAG, Wii Gehts, Wednesday (NTN) — Sony has revealed that the Playstation Network security breach, which compromised 24.6 million credit cards, was entirely the work of evil hackers from Anonymous, and nothing to do with their own incompetence, honest.

"We discovered a file making a clear reference to 'Username unknown,'" the company said in a letter to the US Congress on Wednesday, "and a blank user icon which therefore was anonymous. D'you see what that means? It means George Hotz and his hacker friends are loathsome criminal masterminds! So obviously we can't be held liable for negligence in the face of forces like these. In conclusion, give us money."

The letter details the company’s actions over the past two weeks. It says Sony acted with "care and caution" in deciding how to act and how long it thought it could get away without telling anyone. "We did not want to cause confusion and cause customers to take unnecessary actions, such as stopping their credit card payments to us."

"We have suffered a very carefully planned, very professional, highly sophisticated criminal cyberattack, which has led to people committing the heinous hate crime of jailbreaking their PS3s. In accordance with our campaign contributions, we ask that you impose the death penalty for such offenses."

The letter concluded that the breakin was quite definitely the work of Anonymous. "We were going to blame Al-Qaeda, but we figured after Monday that you probably wouldn't buy that."

Re:Obvious to those who are in the system

[JWSmythe]

    Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.

    Here's a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.

    The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.

    They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.

    They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.

    They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.

    I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...

    The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.

    We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.

    We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.

Re:Firewall

[_0xd0ad]

No, because the firewall is obviously configured to allow incoming connections on port 80.

Re:EPIC Fail

[skudenfaugen]

Kirk Lazarus: Everybody knows you never go full retard. Ask Sean Penn, 2001, "I Am Sam." Remember? Went full retard, went home empty handed.

I wonder if Kirk has a newsletter that I can subscribe to... http://www.youtube.com/watch?v=SgHITc1OL-c

Re:Security devices

[asdf7890]

If the exploited flaw allowed arbitrary commands to be sent via Apache but did not result in output from Apache that was useful to the hacker (and needed to hack in further to get the target data, they would need to send the output by some other means. In this instance a firewall would be able to help by blocking outgoing connections that were not to a set whitelist of destinations.

While closing off all unneeded services does not protect you from many attack vectors without the need for a firewall, it is conceivable that there are a number that it would not necessarily block and a well configured firewall would. Single level security is more likely to fail, particularly in the presence of a previously unknown flaw though that is not the case here, than security in depth.

Security Through Obscurity

[hduff]

Until the recent hack of nearly 100 million accounts, no one had heard of Sony, so they were secure by being obscure. That's always a good IT decision.

PSN

[kat_skan]

IT
ONLY
DOES
'; union select cc_num from customers; -- (TM)

Re:PSN

[lennier]

Bobby Tables, VP of Network Security, Sony.

PCI compliance

[Ark42]

They likely could be PCI compliant by claiming that "old versions" were still secure and any "known" issues had their fixes backported. The whole PCI compliance thing is just a bunch of crap in my experience, where somebody magically decides that old versions are automatically vulnerable, so using the latest RHEL or CentOS won't automatically pass compliance. You have to file exceptions for everything saying fixes are backported. They just take your word for it and sign off, letting you basically claim compliance no matter what.

Corporate Death Penalty?

[Lilith's+Heart-shape]

Why am I not surprised? Incompetence of this nature seems like just cause to destroy the Sony corporation and liquidate its assets.

Re:EPIC Fail

[Deadplant]

people who can competently configure a server?

Re:Is this like.

[surgen]

Come on you guys, this is just crap meant to get site hits and nothing else. Do you really, honestly think a multi billion dollars worldwide company thats been around as long as sony would be running old software with no protection? Idiots.

Yes, we do. Because we've either witnessed it first hand or heard the reports of when it happens time and time again.

To get large and old, a company doesn't have to do anything other than keep costs significantly below revenue for a sustained length of time. Its possible to do that by without the boys in the basement being on top of their game.

Gross Negligence

[triso]

Sony has a terrible attitude toward its customers. We entrust Sony to protect our information and they leave it on the Internet, without a firewall and possibly even unencrypted. The corporate officers need to do much more than bow to restore our confidence. Do the right thing: åè....

Is this real?

[shadowfaxcrx]

Based on some past articles at Consumerist that were sensationalized lies, I'm always suspicious when they make a claim like this. Anyone got a more reliable source for this?

Firewall == False Security

[Blackknight]

Unless they're talking about an application level firewall like mod_security what the hell good is a firewall gonna do? As long as port 80 is open it's going to be exploitable.

Re:EPIC Fail

[Mia'cova]

Yea, it only has port 80 open.. until you're done hacking apache..

no firewall -- panic!!

[reasterling]

Soooo,

Sony should put a firewall on their web server to protect apache. How does this work?

Sony Exec: We are running old software that can be compromised what should we do?
Sony IT Manager: Lets put up a firewall and block users from port 80. That should fix it.

Seriously, did Sony's servers have other services running with ports exposed to the internet? Or is it really being suggested that Sony should have blocked the ports that were necessary for their customers.

Re:no firewall -- panic!!

[reasterling]

Security of this data should have been a serious priority

AMEN and AMEN

I was being sarcastic in my prior post. I do believe, however, that along with upgrading the apache software their database admins should have put safe guards in place wherein the machines that touch the internet do not have read access to information that is so sensitive. What good reason does a web server have display your credit card numbers. Showing the last 4 digits is enough to verify to the user that they are using the correct card. This kind of situation is best mitigated through a security in depth approach. Even though a decent enough firewall can help mitigate an attach it will never be enough and should only be a part of ones security. The fact that in the summery (I did not RTA) the lack of a firewall is put on par with running outdated software tells me that someone is accusing Sony of not setting up a cure all for web security.

Re:Hardly possible

[deek]

Thanks for that apache security vulnerability link. I went through each one listed. The majority cause crashes or denial of services, so we can rule those out. There were two vulnerabilities that allowed arbitrary code execution. One of these was patched in 2.2.3, so I don't think it applies. The other vulnerability was in the mod_isapi module, so it only affects windows versions of apache. This one, though, affected apache version 2.2.15, which seems to comply with reports of what Sony was running.

So, therefore, it seems likely that Sony were running apache on windows, and using isapi modules with it. I bet they're wishing they were running apache on linux instead.

Sorry for what I said

[LongearedBat]

The other day I posted this...

Though here's a question: How many other companies have the backbone to own up quite so readily, instead of trying to cover it up to save face?

what I am saying is that I generally don't trust businesses to keep secure personal and credit card information, which is why I didn't give Sony my credit card details (but sadly had to give my personal information.)

I still stand by that part, in that I expect that databases are cracked more often than we realise due to poor security, but that businesses keep dishonestly quiet about it.

But this part is such an understatement that I regret standing up for Sony at all...

it seems thay they're finally getting help to make their system more secure, implying that their efforts were not solid enough to start with

I mean, the sheer stupidity is astounding.

Typical Corporate Bureaucracy

[Vrtigo1]

Not say this isn't a dumb move on Sony's part, but in reality I think this is pretty common. I know that in some small - medium sized companies, there are miles of red tape in the form of change management processes that you have to go through in order to install software patches. You have to fill out the form, get it approved by your supervisor, then it goes up to the dept head and they sit on it for a month, then finally they send it back with a stupid question that you already addressed in your request, so then you point that out and it goes back up the chain and sits for another month. A lot of sysadmins may have the desire to install the latest patches, but their hands are tied by management that wants to have a nice paper trail that documents the justification for each and every system change. I think you'll continue to see stuff like this happen until someone can make the pencil pushers realize that it's not the sysadmins fault, it's their fault for making the patch process take two months.