Sony Ran Obsolete Software Without Firewall

Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee investigating the massive data breach of the Sony game and entertainment networks.

Sony disclosed on April 26 that thieves had stolen account information of up to 77 million users on the PlayStation Network and Qriocity. A week later on May 2, the company admitted that the Sony Online Entertainment gaming service had also been breached, affecting an additional 24.6 million users.

Sony Hashed Credit Card Protection

About 101 million user accounts have been compromised to date. The stolen data included names, addresses, email addresses and dates of birth. Some credit card information may have been stolen, but Sony claimed the numbers were securely saved as a cryptographic hash.

What happened and what Sony is doing about the security breach are the two main questions everyone is asking, from the irate users on forums and blogs, to the various state attorneys-general planning lawsuits, all the way to the UK and EU Parliaments and Congress where lawmakers are holding hearings and asking for explanations.

Not only did Sony fail to use firewalls to protect its networks, it was using outdated versions of the Apache Web server with no patches applied on the PlayStation Network, according to Gene Spafford, a Purdue University professor of computer science who is head of the US Public Policy Council of the Association for Computing Machinery and the executive director of the Centre for Education and Research in Information Assurance and Security.

Sony also did not have a firewall running on PSN’s servers. These problems were flagged on security forums two or three months prior to the April data breach, Spafford told lawmakers. Because the forums were monitored by Sony employees, Sony was well aware of the problems, according to Spafford.

Sony was large enough that it could have afforded to spend an appropriate amount on security and privacy protections of its data, Spafford said at the hearing.

While Sony declined to appear before the May 4 hearing convened by the US House Committee on Energy and Commerce, the company sent an eight-page letter detailing what it is doing to the Subcommittee on Commerce, Manufacturing and Trade.

Sony has improved levels of data protection and encryption in its database and added automated software monitoring and configuration management tools to help defend against new attacks, Sony Computer Entertainment chairman Kazuo Hirai wrote in the letter. The company has also enhanced its ability to detect software intrusions, unauthorised access and unusual activity patterns in the network. Finally, it has also implemented “additional” firewalls. Sony named three network forensics firms, Data Forte, Guidance Software and Protiviti, to investigate the breach.

The breach likely “started with an ‘oops’ somewhere”, such as a misconfigured server or a malicious email attachment sent to an administrator, Jon Heimerl, director of strategic security for managed security service provider Solutionary, told eWEEK. The fact the attack was “so successful” indicates an “apparently lack of maturity” in the internal network and security controls, according to Heimerl. “How much hardening, encryption, and monitoring were in place?” he asked.

No Consequences For Poor Security

“There are no consequences for many companies that under-invest in security,” Philip Lieberman, CEO of Lieberman Software, told eWEEK. No one is holding the CIO or CSO accountable for their poor decisions. The auditors who should have provided an accurate assessment of the risks Sony faced for not being up-to-date on its technology did not do their jobs, Lieberman said.

“I would love to know the name of the auditors responsible for the shoddy IT security audit of Sony,” Lieberman said. Publicly firing the auditor would be justice for Sony’s stockholders and customers, according to Lieberman.

While Sony will face financial consequences, such as the cleanup costs, lost customers and a damaged brand, it would be “nothing near” what the consequences are for their customers, Lieberman said. The loss of personal information will “most likely” be nothing more than a cost of doing business for Sony, according to Lieberman.

“If you are a security expert looking for a job, I would keep my eyes on the Sony Website as clearly they have significant need for experts who understand defence in depth,” Randy Abrams director of technical education ESET, said.

Few Security Product Buys Are Installed

IT managers and senior executives say they are concerned about security and about being attacked, but they are not actually doing anything about it, James Lyne, senior security strategist at Sophos, told eWEEK. Enterprises invest in various security products, but only six percent of the purchased technology is actually being used. “They don’t even get the basic things like patching right,” Lyne said.

There is a lot of talking, but no one seems to really be doing anything to back up their words. Enterprise defences have to be updated, as hackers cannot exploit a vulnerability that has been patched, Paul Henry, security and forensic analyst at Lumension, told eWEEK. Hackers know enterprises regularly patch only operating systems and a handful of applications and generally forget about other software, plugins and third-party applications, Henry said.

“The security industry is without a doubt stuck in a wash-rinse-repeat cycle, waiting for an attack to happen before anyone jumps into action,” Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.