Sony Running Unpatched Servers With No Firewall
ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
Well THERE'S your problem.
IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?
Sent from my CR-48
The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)
... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers told us!
I8-D
As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.
Karnal
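The whitelisting idea above, as an added illustration (not code from the thread or from Sony): audit what a host actually exposes against an allowlist of the ports the business needs, and render the matching default-deny firewall chain. The `ss` output is a constructed sample and the nftables layout is an assumption.

```python
from collections import namedtuple

# Constructed sample of `ss -Hlntu` output (-H drops the header); not from the page.
SAMPLE_SS = """\
tcp   LISTEN 0      128        0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:8009      0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*
"""

# Only what the outside world needs: the web front end (assumed policy).
ALLOWED = {("tcp", 80), ("tcp", 443)}
LOOPBACK = ("127.", "[::1]")

Listener = namedtuple("Listener", "proto addr port")

def parse_ss(output: str) -> list:
    """Turn `ss -Hlntu` lines into (proto, addr, port) tuples."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # handles [::]:22 too
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners

def exposed_unexpected(listeners, allowed=ALLOWED) -> list:
    """Listeners bound to a non-loopback address that the allowlist does not cover."""
    return [l for l in listeners
            if not l.addr.startswith(LOOPBACK) and (l.proto, l.port) not in allowed]

def nft_allowlist(allowed=ALLOWED) -> str:
    """Default-deny inbound chain admitting only the allowlist (assumed nftables layout)."""
    rules = ["table inet filter {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for proto, port in sorted(allowed):
        rules.append(f"    {proto} dport {port} accept")
    rules += ["  }", "}"]
    return "\n".join(rules)

if __name__ == "__main__":
    for f in exposed_unexpected(parse_ss(SAMPLE_SS)):
        print(f"EXPOSED: {f.proto}/{f.port} on {f.addr} is not in the allowlist")
    print(nft_allowlist())
```

Anything the audit flags is either a service to bind to loopback or an internal interface, or a rule to add deliberately; the rendered chain drops everything else even if a listener later shows up unexpectedly.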
In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.
The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.
Am I the only one running Apache without a firewall?
No, we're all running your machine, too!
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
You laugh, but when you think about it and weigh PSN against XBox Live, Sony failed so hard they made Microsoft's security look good by comparison.
That's a special kind of failure. That's the full retard, if you will.
Every time a new PS3 firmware comes out, with "security updates", you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?
It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.
The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.
Then comes the "Account Data Compromise Recovery" phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.
A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.
Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.
Here are a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.
The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.
They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.
They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.
They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.
I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...
The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.
We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.
We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.
Serious? Seriousness is well above my pay grade.