Sony Running Unpatched Servers With No Firewall
ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
Well THERE'S your problem.
IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?
Sent from my CR-48
Isn't that the typical response in situations like this? Clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.
Normally I would find it unbelievable but Sony continues to surprise me in all of the worst ways.
Aren't there privacy laws in the US that mandate fines for this kind of incompetence?
*SARCASM*
Sony's defense will be that this state is "standard industry practice" and to expect Sony to have taken more elaborate steps at being secure like updating the software or running firewalls and other protection services as well as things like honeypots and other intrusion detections measures is just not done by major internet service providers.
The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)
... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers told us!
I8-D
I mean dear God, this isn't a case for Slashdot, it's a case for Failblog!
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."
Which version?
And what do they mean, they were not running a firewall? And this was reported on a forum?
You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.
Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and that Congress is not taking statements like "It was reported on a forum" as evidence. Now if they have proof that this is true and it was reported on a forum, it is interesting, but just "reported on a forum" is junk.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.
Karnal
They first had to get around the impenetrable wall set up by Sony. Then they had to find the data, which Sony hid in the most secure place they could. What better place to hide something than right in plain sight labeled "Credit Card Info". Sony you sly fox, using reverse psychology on hackers.
Sony took more care to lock the customer out of equipment the customer owned on the customer's premises to "protect Sony's IP" than they took to protect the customers' data running only on Sony's servers at Sony's premises.
Looks like they need to move their security staff to the hosting side.
Sam
blog.sam.liddicott.com
Am I the only one running Apache without a firewall?
No, we're all running your machine, too!
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
If your house is holding many people's credit card details, and more, in a supposedly secure fashion, then it makes you look a bit more than foolish.
which is totally what she said
The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)
I thought Apache was only meant for casino websites run off the reservation.
I mean who puts servers using any operating system public facing to the internet without a firewall...
FTFY.
You laugh, but when you think about it and weigh PSN against Xbox Live, Sony failed so hard they made Microsoft's security look good by comparison.
That's a special kind of failure. That's the full retard, if you will.
About a year ago, my credit card was billed $150 for PlayStation repairs by Sony. I don't own a PlayStation. The only credit card info Sony had on me was for an EverQuest account that I had.
I contacted Sony and let them know that I did not pay for repairs as I do not own a PlayStation. I was told that they would not remove the charge and that I would have to contest it through the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the PlayStation Network account associated with the PlayStation that was repaired.
I contested the charge through the credit card company and went through the whole hassle of changing ALL credit cards and notifying all businesses that I do transactions with.
Maybe Sony is charging people $150 here and there to pay for their lawyers. Now that people are calling Sony on the fraudulent charges, they can say that they were hacked....
(Yea, I know, Who would steal credit card numbers from Sony and use the same info to buy Sony stuff.)
I had stopped buying everything Sony, cancelled my EQ, etc. when the rootkit fiasco hit and I was burned by that for putting a CD in my computer.
Bastards.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
Every time a new PS3 firmware comes out with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?
It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.
The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.
Then comes the "Account Data Compromise Recovery" phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.
A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.
The merchant's external ASV and internal vulnerability assessments should have had red flags all over them, so ignorance is certainly no excuse. The QSAs may never know the difference as you say, and it's up to the merchant to specify scope for the external scans. These things should make a large difference if followed in good faith.
I apologize, I should also state there are explicit rules inside to outside too. Businesses should not run their servers like a home network, where the server has unfettered access outbound - or to other network areas, if necessary. Also - deep packet inspection on the firewall can nail a lot of what could be seen as unexpected protocols running across common ports (someone attempting FTP/SMB over port 80, for instance).
Karnal
Far more likely is some beleaguered sysadmin made pointed comments and emails to management who were too "busy" with their "meetings" at the 19th hole to act on. A sysadmin can only do what his PHBs give him/her time and budget to accomplish. Been there, done that, got the T-shirt and the other kitsch. Lemme say, I don't miss having my name associated with such idiocy.
There is no right to feel safe through security vaudeville at the expense of everyone's freedom, privacy and tax money.
And it was a genius idea to put the credit cards on a webserver!
You never expose your important data.
If you really need to store credit cards, you put them on your local network, and provide web services to validate the data, but never store anything on the web server.
GUTEN TAG, Wii Gehts, Wednesday (NTN) — Sony has revealed that the Playstation Network security breach, which compromised 24.6 million credit cards, was entirely the work of evil hackers from Anonymous, and nothing to do with their own incompetence, honest.
"We discovered a file making a clear reference to 'Username unknown,'" the company said in a letter to the US Congress on Wednesday, "and a blank user icon which therefore was anonymous. D'you see what that means? It means George Hotz and his hacker friends are loathsome criminal masterminds! So obviously we can't be held liable for negligence in the face of forces like these. In conclusion, give us money."
The letter details the company’s actions over the past two weeks. It says Sony acted with "care and caution" in deciding how to act and how long it thought it could get away without telling anyone. "We did not want to cause confusion and cause customers to take unnecessary actions, such as stopping their credit card payments to us."
"We have suffered a very carefully planned, very professional, highly sophisticated criminal cyberattack, which has led to people committing the heinous hate crime of jailbreaking their PS3s. In accordance with our campaign contributions, we ask that you impose the death penalty for such offenses."
The letter concluded that the breakin was quite definitely the work of Anonymous. "We were going to blame Al-Qaeda, but we figured after Monday that you probably wouldn't buy that."
http://rocknerd.co.uk
Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.
Here are a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.
The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.
They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.
They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.
They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.
I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...
The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.
We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.
We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.
Serious? Seriousness is well above my pay grade.
If the exploited flaw allowed arbitrary commands to be sent via Apache but did not result in output from Apache that was useful to the hacker (and they needed to hack in further to get the target data), they would need to send the output by some other means. In this instance a firewall would be able to help by blocking outgoing connections that were not to a set whitelist of destinations.
While closing off all unneeded services does not protect you from many attack vectors without the need for a firewall, it is conceivable that there are a number that it would not necessarily block and a well-configured firewall would. Single-level security is more likely to fail than security in depth, particularly in the presence of a previously unknown flaw (though that is not the case here).
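Karnal's two posts (ingress whitelist, egress restrictions, protocol-vs-port inspection) and the last poster's point about blocking a compromised Apache's outbound connections describe one policy. The following is an added example, not code from the thread or from Sony: a small model of that default-deny policy evaluated over constructed flows, so the outcome of each case is visible. Addresses, ports and the "validation service" host are assumptions.

```python
# Added example: model of a default-deny stateless policy in both directions,
# with a crude port/protocol mismatch check standing in for deep packet inspection.
# All addresses and flows below are constructed for illustration.
from dataclasses import dataclass

WEB = "203.0.113.10"   # assumed public address of the web server
DB = "10.0.0.5"        # assumed internal host offering the card-validation service

# Whitelist rules as (src, dst, dst_port); "*" matches anything. Everything else is dropped.
INGRESS_ALLOW = [("*", WEB, 80), ("*", WEB, 443), ("198.51.100.7", WEB, 2222)]  # admin host
EGRESS_ALLOW = [(WEB, DB, 8443), (WEB, "10.0.0.2", 53)]  # validation service, internal resolver

# Application protocol expected on each allowed port; a mismatch is what DPI would flag.
EXPECTED_PROTO = {80: "http", 443: "tls", 53: "dns", 8443: "tls", 2222: "ssh"}

@dataclass
class Flow:
    direction: str   # "ingress" or "egress"
    src: str
    dst: str
    dport: int
    proto: str       # application protocol observed on the wire

def _match(rule, f):
    return all(r == "*" or r == v for r, v in zip(rule, (f.src, f.dst, f.dport)))

def decide(f):
    """Return (verdict, reason) for one flow. Default is DROP in both directions."""
    rules = INGRESS_ALLOW if f.direction == "ingress" else EGRESS_ALLOW
    if not any(_match(r, f) for r in rules):
        return "DROP", f"no {f.direction} whitelist entry for {f.dst}:{f.dport}"
    expected = EXPECTED_PROTO.get(f.dport)
    if expected and f.proto != expected:
        return "DROP", f"{f.proto} seen on port {f.dport}, expected {expected}"
    return "ACCEPT", "whitelisted"

# Constructed flows: what a compromised Apache can and cannot do behind such a policy.
SAMPLE = [
    Flow("ingress", "192.0.2.9", WEB, 443, "tls"),     # normal customer traffic
    Flow("ingress", "192.0.2.9", WEB, 3306, "mysql"),  # extra open port reached by a scanner
    Flow("ingress", "192.0.2.9", WEB, 80, "smb"),      # SMB tunnelled over 80 (Karnal's DPI case)
    Flow("egress", WEB, DB, 8443, "tls"),              # legitimate call to the validation service
    Flow("egress", WEB, "192.0.2.9", 4444, "tcp"),     # compromised server sending output outward
    Flow("egress", WEB, "10.0.0.9", 445, "smb"),       # attempt to reach another internal host
]

def audit(flows=SAMPLE):
    """Evaluate every flow; returns rows of (direction, dst, dport, verdict, reason)."""
    return [(f.direction, f.dst, f.dport) + decide(f) for f in flows]

if __name__ == "__main__":
    for row in audit():
        print(*row, sep="  ")
```

Only the customer connection and the call to the internal validation service pass; the phone-home and lateral attempts are dropped by the egress whitelist even though the web server itself is compromised.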