Sony Knew About Old, Unpatched Server Software for Months: Researcher

Sony's PlayStation Network and Qriocity servers were apparently running obsolete, unpatched software and had no firewall in place. Both are no-nos for any company, and especially for one as large as Sony that is trying to run a cloud-based service.

In testimony in front of Congress on Wednesday, Dr. Gene Spafford of Purdue University said that security experts monitoring open Internet forums were aware months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Not only that, Spafford added that the "oversights" were "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches of Sony's PlayStation Network (PSN) and Qriocity services. Despite that, the warnings went unheeded.

Spafford is also Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS). His testimony, in PDF form, is here.

Sony was invited to attend the hearing, but declined. Instead, the company sent the letter (which we reported on earlier) explaining the hacking of their systems, and promising that Sony's systems will be more secure in the future.
Via: Consumerist

omegadraco 3 years ago

I smell a class action suit.

rrplay 3 years ago

Incompetent Negligence! & no surprise.

jonation 3 years ago

just downright foolish and reckless.

VChertok 3 years ago

I remember the good old days when a modded PS1 let me play backed up games for a fraction of the price. Now people are modding their Xboxes and burning backed up games. I would switch to Xbox for that feature, but I play COD over and over, so not much point I guess.

KStowe 3 years ago

Funny, when I read the congressional record about what Dr. Gene Spafford says about Sony, it was exactly this:

"I have no information about what protections they have in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk". So it seems he was relying on the same avenues we were when he made his statement. He had no personal knowledge about what software, just read "some news reports". How about you blogging idiots check your facts instead of just reposting other blogging idiots' reposts.

Bodego Jackson 3 years ago

So it's true after all that Sony was using an old OS and no firewall on their servers.

But guess what, there is now a rumor that the unknown group of hackers is preparing a third attack.

Here are the details.

CNET web site reports that it had inquired to him into the plans of hackers by a source that was observing a channel of chat IRC, where was spoken of a third attack against the Web site of Sony, which is predicted for this weekend. One says that hackers has confirmed that has access to one of the servers of Sony and their objective is to obtain information and to publish it to the public. If is this true that could jeopardize the company.


CDeeter 3 years ago

Sorry, I don't mean to be rude but,


What does that last paragraph say?

Bodego Jackson 3 years ago

Apologize dude.

I found this article on this web site and I translated it because it is in Spanish; sometimes the translator doesn't get some sentences.

Here is the link. I also made a correction on the last sentence of the article.

Hope that helps.


3vi1 3 years ago

Let me speak frankly: "@#$% this company. Seriously, %$#@ them. Never do business with them again."

If they spent half as much money on security professionals as they did lawyers (who tell them it's okay to distribute root-kits, remove console features, and sue their customers), all of us who did business with them would be 10x less screwed right now.

realneil 3 years ago

^^^what he said^^^

AKwyn 3 years ago

What I said before. I may not be a PSN user but I am pissed that Sony knew about these vulnerabilities, that they did not keep that data secure from the hackers who stole it and are selling it on the internet as we speak.

I wouldn't be surprised if more personal information got stolen and a class action lawsuit appears in the public; this is the company who thought putting root-kits on CDs was a good idea; and there is no excuse to treat those customers as mindless sheep. I mean they gave you money, they placed your trust in them and this is how Sony repays you, by letting the information get out?

I don't know how anybody could still buy a company's products after that but it's understandable; since they have their hands in mostly every industry. Hardware, software, movies, music; it's almost impossible to escape their grasp.

Bodego Jackson 3 years ago

Guess what guys, Sony announced that they delay the reactivation of PSN. Why? It seems they were attacked for a third time and now they are securing all the servers they have to prevent more attacks.

Sony is even offering a reward to the person who can give any kind of information about the hackers so they capture them. At this point Sony doesn't know who they are and Sony was unable to track them.

I think this war is far from ending and the users from PSN will be very, very, very upset with this.

realneil 3 years ago

Bodego Jackson wrote: "users from PSN will be very, very, very upset"

I don't do anything with Sony because I don't like the way they roll. But the people who do use them, and have given over their personal data to them, rightfully expecting that it be handled in a professional way, have EVERY reason to be pissed at them. At this point Sony should purge all of the DATA they have on everyone on all of their servers (you know, to protect it) and make everyone sign up in a brand new way once they figure out how to do e-commerce online, securely. Blank servers can't give up data to hackers who own them from afar.

Sony's arrogance is legion.

fat78 3 years ago

The longer PSN is down the more people will question why, and soon Sony is going to have to do more than give free music and game downloads to shut them up. Sony stock is in the crapper right now and only looks to be going down; hopefully this motivates Sony to improve the way they treat customers.

(pretty sure if you have millions of people using your services you might want to protect them better)

SmogHog 3 years ago

I'm the proud owner of ZERO Sony products.

CDeeter 3 years ago

I think this borders on criminal malfeasance. No way Sony should be able to get away with just oops, sorry guys we screwed up. I doubt that Sony's techs were unaware of these vulnerabilities, much more likely is that management said "don't worry about it" and lost the gamble. After all why would anyone want to take down their beloved PSN.

At least they have had the sense to keep the service offline until they can secure it properly.

rrplay 3 years ago

The release statement from Sony with the "thank you for your patience and understanding" etc. remarks is a load of crap! If they were actually concerned and diligent with PSN none of this would have occurred and remedied in the beginning.

Heck, it took them an extra day to appear, maybe it took an extra day to get the right 'spin'.

Anyone going to consider purchasing a Sony product, like one of the 32 monitors mentioned previously here in HH, and fill out a warranty card?

