Slashdot Mirror


Sony Running Unpatched Servers With No Firewall

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

26 of 306 comments

  1. Welp by dragonhunter21 · · Score: 4, Insightful

    Well THERE'S your problem.

    IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?

    --
    Sent from my CR-48
    1. Re:Welp by andrea.sartori · · Score: 3, Informative

      I'm afraid stupidity is not a "suitable" (sorry...) offense. Maybe based on criminal negligence...

      --
      Mostly harmless.
    2. Re:Welp by alta · · Score: 5, Interesting

      They are in gross violation of PCI. Criminal Negligence is "suitable"

      They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    3. Re:Welp by Ancantus · · Score: 3, Interesting

      From USLegal:

      The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

      Bolding by me.

      IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave an unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then lose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!

      --
      Violence is the last refuge of the incompetent. -- Isaac Asimov
    4. Re:Welp by g0bshiTe · · Score: 3

      Any IT tech would know better than to leave an unpatched HTTP server without a firewall up to the internet.

      Yet it still happens everyday.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:Welp by JWSmythe · · Score: 5, Interesting

      How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Welp by akpoff · · Score: 5, Informative

      Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsibility but customers do have a reasonable expectation of due care, at least with their credit card information and likely with their account information.

      Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

      Even if Sony somehow manages to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

    7. Re:Welp by HiredMan · · Score: 3, Insightful

      definitely shows that PCI is bullshit ;)

      PCI certification is a joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc. - so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to a doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

      They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit; it's an expensive fig leaf of security theater.

    8. Re:Welp by Anonymous Coward · · Score: 3, Interesting

      Yet it still happens everyday.

      But probably not on servers that are storing millions of credit card numbers. That's a key difference.

      I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.

      The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.

      I have broken into customer or employee data in almost every company I've audited during the last 4 years.

      I'll tell you also, that the PCI mandated "scans" are just that. Automated scans. They send you the PDF, you do trivial remediation and it's done. Even the biggest players seldom do more than that, and they make a concerted effort to do exactly the minimum amount, because anything more affects the quarterly profit margin.

      So... still... we break into every place we visit...

      And I'm not particularly super "leet"... I'm sure there are plenty of guys who could lay waste to these places I go to with far more ease, speed and stealth.

    9. Re:Welp by hawguy · · Score: 3

      PCI certification is a joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc. -

      You certainly can limit the scope to only those computers that have access to PCI protected data, but any computer that has access to that data or processes that data is in scope. I'm sure you can configure your network in such a way that allows a breach, but that's not really PCI DSS's fault - one standard can't be expected to provide complete security for all environments... they give you overall security recommendations; if your network allows access to the data by a botnet, then it's your job to fix it. Don't think that just because you checked all of the checkboxes on the PCI-DSS checklist that your security job is done.

      so only certain areas get tested.

      If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.

      They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit; it's an expensive fig leaf of security theater.

      I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out of our PCI compliant systems. However, if they found that you violated PCI standards, then you weren't really PCI compliant, were you?

    10. Re:Welp by gblfxt · · Score: 3

      nope, seems i was wrong:

      "b. Complete and document all steps detailed in the Requirements and Security Assessment Procedures, including brief descriptions of controls observed in the “In Place” column, and noting any comments. Please note that a report with any “Not in Place” opinions should not be submitted to PCI SSC until all items are noted as “In Place.”"

    11. Re:Welp by MattW · · Score: 4, Informative

      A friend of mine used to sit on the PCI board. He linked me to this recently:

      http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html

      PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)

      PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.

      Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.

  2. So now security researchers are to blame? by hedwards · · Score: 3, Informative

    Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

    1. Re:So now security researchers are to blame? by h4rr4r · · Score: 3, Insightful

      The Sony IT folks probably wanted to, but their idiot managers prevented them. Because if the update broke something or needed downtime they can't have that.

    2. Re:So now security researchers are to blame? by Calydor · · Score: 3, Insightful

      Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.

      Updating and getting a firewall costs money, banning people from a forum doesn't.

      Obviously it's better to treat the symptom than cure the disease.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  3. Re:EPIC Fail by Anonymous Coward · · Score: 5, Funny

    The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

  4. But, but, but... by Kamiza+Ikioi · · Score: 4, Funny

    ... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers told us!

    --
    I8-D
  5. Re:I don't find this shocking by karnal · · Score: 4, Informative

    As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.

    --
    Karnal
  6. If they had cared enough... by samjam · · Score: 3, Insightful

    Sony took more care to lock the customer out of equipment the customer owned on the customer's premises to "protect Sony's IP" than they took to protect the customers' data running only on Sony's servers at Sony's premises.

    Looks like they need to move their security staff to the hosting side.

    Sam

  7. Re:Criminal Negligence? by Beryllium+Sphere(tm) · · Score: 4, Informative

    In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.

    The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.

  8. Re:I don't find this shocking by MobileTatsu-NJG · · Score: 4, Funny

    Am I the only one running apache without a firewall?

    No, we're all running your machine, too!

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  9. Re:EPIC Fail by Mongoose+Disciple · · Score: 5, Funny

    You laugh, but when you think about it and weigh PSN against XBox Live, Sony failed so hard they made Microsoft's security look good by comparison.

    That's a special kind of failure. That's the full retard, if you will.

  10. So... by Capeman · · Score: 5, Insightful

    Every time a new PS3 firmware comes out, with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?

  11. VISA and MasterCard lower the hammer by Animats · · Score: 5, Informative

    It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

    The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

    Then comes the "Account Data Compromise Recovery" phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

    A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.

    1. Re:VISA and MasterCard lower the hammer by woolpert · · Score: 4, Informative

      The time to short the stock is well past.
      One shorts when public information is low and you have special knowledge of the situation, be that insider information, a unique knowledge of the industry, or particular experience.

      Shorting Sony at this point in time, when all the smart money (which knows more than you) has already set a rational price based on reasonable odds is nothing more than tying your hands.

      Unlike a traditional (long) position you would have locked yourself into a time window, preventing you from a full range of actions based on later information.

  12. Re:Obvious to those who are in the system by JWSmythe · · Score: 4, Interesting

    Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.

    Here's a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.

    The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.

    They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.

    They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.

    They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.

    I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...

    The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.

    We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.

    We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.

    --
    Serious? Seriousness is well above my pay grade.
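The default-deny whitelist karnal describes (only what the web service needs is reachable from outside) and the scan findings JWSmythe recounts (no ICMP reply, silent drops instead of refused connections) are illustrated below with an added example that is not from the thread or from any of the posters: a script that emits an iptables-restore ruleset and reports which ports it actually exposes. The `ADMIN_NET` management range and the `MODE` switch between DROP and REJECT are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emit a default-deny iptables ruleset in
# iptables-restore format for a public web server. Nothing is applied here; the
# output is reviewed and then fed to `iptables-restore` on the host.
# ADMIN_NET (management network allowed to reach SSH) is an assumed placeholder.

# gen_web_ruleset MODE
#   drop   : silently discard unsolicited packets (scanners see timeouts)
#   reject : answer with TCP RST / ICMP port-unreachable (scanners see refusals)
gen_web_ruleset() {
    case "${1:-reject}" in
        drop)   tcp_other="DROP"; other="DROP" ;;
        reject) tcp_other="REJECT --reject-with tcp-reset"
                other="REJECT --reject-with icmp-port-unreachable" ;;
        *)      echo "gen_web_ruleset: unknown mode '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# Default deny: anything not explicitly allowed below never reaches a socket.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the server itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Whitelist: only the web service is reachable from anywhere.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Answer pings, rate limited, so an external scan can tell the host is alive.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Remote administration only from the management network (assumed range).
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET:-10.0.0.0/8} -m conntrack --ctstate NEW -j ACCEPT
# Everything else is refused, silently or explicitly depending on MODE.
-A INPUT -p tcp -j ${tcp_other}
-A INPUT -j ${other}
COMMIT
EOF
}

# exposed_ports: read a ruleset on stdin and list the ports accepted from any
# source address, i.e. the real Internet-facing surface after the firewall.
exposed_ports() {
    awk '/-j ACCEPT/ && /--dport/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
    }' | sed 's/ $//'
}

# Stand-alone use: print the ruleset and the ports it leaves open.
gen_web_ruleset "${MODE:-reject}"
echo "# exposed to the Internet: $(gen_web_ruleset "${MODE:-reject}" | exposed_ports)"
```

With `MODE=drop` the host looks like JWSmythe's setup to a scanner (no refusals, only timeouts); with the default `reject` mode the scanner gets the explicit refusals his first auditor asked for while the same two ports remain the only ones open.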