Slashdot Mirror


Sony Running Unpatched Servers With No Firewall

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."

7 of 306 comments

  1. Re:EPIC Fail by Anonymous Coward · Score: 5, Funny

    The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

  2. Re:Welp by alta · Score: 5, Interesting

    They are in gross violation of PCI. Criminal Negligence is "suitable"

    They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

    --
    Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.

  3. Re:Welp by JWSmythe · Score: 5, Interesting

    How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

    --
    Serious? Seriousness is well above my pay grade.

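As an added illustration of the "free (iptables on the machine)" option JWSmythe mentions, the script below is not from the thread or from Sony; it generates a default-deny host firewall ruleset for a public web server in iptables-restore format. Only HTTP and HTTPS are reachable from anywhere, SSH is limited to an assumed admin network (the 203.0.113.0/24 documentation range, chosen here as a constructed placeholder), and everything else is logged at a throttled rate and dropped. It assumes a Linux host with iptables and the conntrack and limit match modules; the generator itself runs without root, and the sanity-check functions let you inspect the result before applying it.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread: build a default-deny
# iptables ruleset for a public-facing web server and expose a few checks
# on the generated text so it can be inspected without root privileges.
# Assumption: ADMIN_NET is the only network allowed to reach SSH; the
# default below is a constructed documentation-range placeholder.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the ruleset in the format consumed by `iptables-restore`.
generate_web_server_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and return traffic for connections this host already knows about
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# discard packets the connection tracker cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services: HTTP and HTTPS from anywhere
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# management: SSH only from the admin network, throttled against password guessing
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# allow ping so external monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log (rate-limited) whatever is left; the chain policy above then drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# True when the INPUT chain's default policy is DROP (default deny).
rules_default_deny() {
  generate_web_server_rules | grep -q '^:INPUT DROP'
}

# Print the TCP destination ports the ruleset accepts, one per line,
# so the exposed surface can be reviewed at a glance.
rules_open_ports() {
  generate_web_server_rules | grep -- '-j ACCEPT' | sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

# Usage on the target host (as root), after reviewing the output:
#   generate_web_server_rules > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

The ruleset reduces exposure; it does not substitute for patching the web server itself, since ports 80 and 443 must stay open and an unpatched Apache behind them is still reachable. Review `rules_open_ports` output whenever the ruleset changes, and keep the admin SSH range as narrow as your operations allow.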
  4. Re:Welp by akpoff · Score: 5, Informative

    Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsibility but customers do have a reasonable expectation of due care, at least with their credit card information and likely with their account information.

    Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant. Were Sony PCI compliant having unpatched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

    Even if Sony somehow manages to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

  5. Re:EPIC Fail by Mongoose Disciple · Score: 5, Funny

    You laugh, but when you think about it and weigh PSN against XBox Live, Sony failed so hard they made Microsoft's security look good by comparison.

    That's a special kind of failure. That's the full retard, if you will.

  6. So... by Capeman · Score: 5, Insightful

    Every time a new PS3 firmware comes out with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?

  7. VISA and MasterCard lower the hammer by Animats · Score: 5, Informative

    It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

    The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

    Then comes the "Account Data Compromise Recovery" phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

    A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.