Sony Servers “Unpatched & Had No Firewalls”


Sony has been accused of hosting its PlayStation Network on servers running out-of-date software with no firewalls, and of continuing to run them in this fashion even after being made aware of the problem.

In a recorded address to a House of Representatives committee hearing on cyber-security, considerable concern was expressed about Sony’s handling of PSN security.

In particular, Purdue University professor Dr. Gene Spafford claimed that “individuals who work in security and participate in the Sony network” had “months prior to the incident where the break-ins occurred” become aware that the PSN servers ran “very old versions of Apache software that were unpatched and had no firewall installed.”

Sony is said to have been made aware of these issues, but apparently took no action and continued running its servers with old software and no firewall.

Sony has not responded to the allegations, but its most recent statements to the US government and its users have admitted no error on Sony’s part and blamed everything on wicked cyber-criminal masterminds.

Regarding when the PSN will be coming back online, Sony still has not offered a timetable – its latest update only says the secure PSN is in “internal testing”:

“Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services.”

Presumably this included running “yum update apache2” and placing the servers behind a proper firewall…


    77 Comments
    Comment by AnarchystBR
    00:35 07/05/2011 # ! Quality (+1.0)

    >yum update apache2
    lold

    Comment by SunnyJ
    00:47 07/05/2011 # ! Quality (+0.8)

    yum install apf
    ...
    Or even better.. hardware firewall?

    Comment by Ota-Kool
    20:02 07/05/2011 # ! Neutral (0)

    Update network is like OFW VS. CFW

    Comment by yuriphoria
    02:21 07/05/2011 # ! Neutral (0)

    Don't you mean "yum install apt"?
    Let me suggest "wget http://cdimage.debian.org/debian-cd/6.0.1a/i386/iso-cd/debian-6.0.1a-i386-netinst.iso"

    Comment by Anonymous
    06:33 07/05/2011 # ! Neutral (+0.4)

    Sony probably was thinking

    If we never update it and nobody uses that version people will forget how to hack it XD

    Like running Windows 3.1 and the viruses designed for newer stuff going what the **** is this XD

    Comment by Dummy00001
    06:17 07/05/2011 # ! Neutral (0)

    Yes.

    And do not forget to add to the crontab every weekend to run automatically `apt-get update && apt-get upgrade -y`.

    Comment by Anonymous
    08:51 07/05/2011 # ! Neutral (0)

    Posts by idiots that think one crontabs upgrades on production systems...

    Comment by Anonymous
    05:25 07/05/2011 # ! Good (+0.6)

    I think people should actually read into what happened instead of being the usual headless chicken on the internet. Gene Spafford has already been telling people that "journalists" have only taken choice quotes from his testimony and that he was only there to support speculation and has no real insight into the matter. Of course no one wants to update their reports since good news doesn't generate clicks.

    Furthermore, the running version of Apache was only months old and they were already in the process of moving all their servers and info over to the new location with a new server distro in the wake of the attacks by Anon.

    Also, I've been with Anon since the beginning, and I can tell you that some British kids aren't the voice of Anon (fuck your extra u's), and any "press releases" do not reflect on the actual workings of anyone claiming themselves to be Anonymous.

    Comment by Dummy00001
    06:27 07/05/2011 # ! Neutral (0)

    Still, these days, nobody plugs Apache directly to the net.

    H/W firewall is a must for any large net. Or at least a good router which might serve as a firewall in case of emergency (or, if you are on budget, OpenBSD or Linux in transparent masquerading/NAT/etc mode; easy tutorials how to setup are plenty).

    nginx (or some other alternative) is a must as a caching front-end - right behind the firewall and just before the Apache.

    Because for any high load job, you do NEVER plug Apache directly to the net. And even if you are an amateur, you still do not do it, because your ISP would do it for you.

    But then, you are free to go on to make up excuses for the Sony. Fanbois are welcome here, you know :D

    Comment by Riiku
    00:27 07/05/2011 # ! Good (+0.6)

    Apache that was unpached.

    Funny huh?

    Comment by Dummy00001
    06:29 07/05/2011 # ! Neutral (0)

    "Apache server" actually means "A patchy server." Look up the history.

    Comment by Anonymous
    19:51 07/05/2011 # ! Neutral (0)

    in the early 90's a 'patch' is what a 'plug-in' is called these days.

    history lol

    Comment by Anonymous
    04:56 07/05/2011 # ! Neutral (+0.4)

    Not that I approve of their thievery, but these hackers basically did what any good security professional should. That is, they prompted a huge multi-national corporation to fucking GET THEIR SHIT TOGETHER.

    Hot DAMN, people.

    Comment by PhillB
    00:47 07/05/2011 # ! Good (+0.4)

    That's because Sony relied on the console's engine to process the encryption. That's why Sony defended the PS3 like it did, and why they removed OtherOS.

    Getting everything back online will take a serious software overhaul, and (just hope that doesn't happen) probably change the security keys.

    Just speculation, but if this turns out to be true, then Sony's network is compromised, unless it is willing to take bold steps to finish this struggle.

    Comment by SunnyJ
    00:57 07/05/2011 # ! Good (+0.4)

    Even if you rely on that, businesses should still create different networks and security layers amongst them. Running this large of a business the servers containing critical customer data (cc info, address, DOB, -anything not necessary for personalized interface settings-) should be kept on servers on a higher security level than the web servers... having everything on a level playing field means if 1 server gets compromised the rest are at that point more vulnerable as typically they are setup for ease of access within their own security layer.

    With this information I feel that likely Sony didn't even do that. Now I know small companies probably do not; but they also don't have as large of a client base...
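The tiering described in the comment above, as an added example that is not part of the original thread: a small audit that compares a flat network with a tiered one and reports every path into the customer-data zone other than the intended one. The zone names, ports and rule sets are constructed assumptions, not details of Sony's network.

```python
from collections import deque

ANY = None  # wildcard port, as in a flat network with no internal filtering

# Constructed rule sets (source zone, destination zone, port). Zone names and
# ports are assumptions for illustration, not details of any real network.
FLAT = [("internet", "web", 443)] + [
    (s, d, ANY) for s in ("web", "app", "db") for d in ("web", "app", "db") if s != d
]
SEGMENTED = [
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
]


def direct_sources(rules, target):
    """Zones allowed to open a connection straight to `target`, with ports."""
    sources = {}
    for src, dst, port in rules:
        if dst == target:
            sources.setdefault(src, set()).add(port)
    return sources


def hops_from(rules, start, target):
    """Fewest zone-to-zone hops from `start` to `target`, or None if unreachable."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == target:
            return dist
        for src, dst, _ in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append((dst, dist + 1))
    return None


def audit(rules, target="db", allowed_sources=("app",)):
    """Return findings where the data tier is reachable outside the intended path."""
    findings = []
    for src, ports in sorted(direct_sources(rules, target).items()):
        if src not in allowed_sources:
            findings.append(f"{src} -> {target}: source zone not permitted")
        if ANY in ports:
            findings.append(f"{src} -> {target}: all ports open")
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, hops_from(rules, "internet", "db"), audit(rules))
```

In the flat rule set the data tier is one hop behind the web server and open on every port; in the tiered set it accepts only the application tier on a single port.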

    Comment by Anonymous
    03:21 07/05/2011 # ! Neutral (0)

    That is a piss poor way to be implementing things.
    The PSN is connected to the internet so any security via locking the console down is worthless.

    Comment by Anonymous
    02:28 07/05/2011 # ! Neutral (0)

    Apache is a Linux program run on PCs. Hacked PS3 systems had nothing to do with the attack. The hack to PSN affected not only PSN accounts, it affected Sony's other online services too, such as Everquest.

    And, according to this article, happened because Sony FAILED to keep the software run on their servers updated. In other words, it was a script kiddie using known exploits for the software Sony ran, that gained access to their database. Again, the hack was not something executed with a hacked PS3 system. You got that, kid?

    Comment by Anonymous
    07:30 07/05/2011 # ! Neutral (0)

    You say it was easy to shit a brick at Sony's door. I won't argue with that as I have no knowledge.
    However, is it the same to shit a brick and not get caught afterwards?
    I guess that's the main difference between a script kiddie and an anonymous. Whether it was the first or the latter, we shall know in months.

    Comment by Thomus
    00:45 07/05/2011 # ! Neutral (+0.2)

    And they point their finger to Anonymous for hacking? I say Sony is literally letting people hack them. Anyone with decent brain would think about protecting their own PC, let alone a network of 77M people. Great job Sony, will you be able to gain our trust ever again?

    Comment by Alfredonm
    00:25 07/05/2011 # ! Neutral (+0.2)

    This is really bad newsss...

    Comment by seka
    00:19 07/05/2011 # ! Neutral (+0.2)

    any day now they will fix this -_-

    Comment by Mizushima 水島
    00:25 07/05/2011 # ! Good (+0.6)

    more like any month if they had months to fix it..

    Comment by BlaqCat
    10:29 07/05/2011 # ! Neutral (0)

    I would hope so. It's already been going on far too long, and a result of their own lackluster security procedures/measures.

    Comment by Anonymous
    00:31 07/05/2011 # ! Neutral (+0.2)

    If this is true Sony has screwed up big time. How much work is it to patch your servers from time to time and install a damn firewall.......

    Comment by Anonymous
    00:34 07/05/2011 # ! Neutral (+0.2)

    So wait................pretty much anyone could have done this then? The big surprise here is that this wasn't hacked sooner. And blaming Anonymous too? Sony is just messing up left and right.

    Comment by SunnyJ
    00:46 07/05/2011 # ! Neutral (+0.2)

    So... at first I was willing to give them some leniency... seeing as even internet security firms have been hacked... but not keeping their servers up to date or using some of the most basic security technologies to keep them secure is silly...

    Now I'm actually concerned about how secure they really consider "secure"...

    Comment by Kitsunemimi6
    01:40 07/05/2011 # ! Neutral (0)

    Yeah, I've pretty much lost the remaining consideration I had for their side of things when I read this article...

    Yikes Sony, Yikes...

    Comment by Striker25
    05:23 07/05/2011 # ! Neutral (0)

    I just want the Online back lol

    Comment by Anonymous
    05:09 07/05/2011 # ! Neutral (0)

    Old news is old...

    Comment by Anonymous
    04:14 07/05/2011 # ! Neutral (0)

    Like I said before, even Linux needs firewall! I just hope they will put a decent firewall with I/O control, and not just one of those tables with Port Open/Port Closed sections >_>

    P.S.
    >yum update apache2
    lold2

    Comment by Wisteria Berlitz
    05:26 07/05/2011 # ! Neutral (0)

    Hope there'd be no trollers on this post

    Comment by wargalley20011
    04:27 07/05/2011 # ! Neutral (0)

    Better get Section Nine, and the Major on this!

    Comment by Anonymous
    07:16 07/05/2011 # ! Neutral (0)

    you guys might want to look past the whole apache, patched/up to date versions, firewall thing btw.

    the fact is, their security was previously breached, a few months before the current hacking took place. this was known to them, but ignored (here you can make the argument they should have implemented patching and firewalls at this point in time if applicable, however you seem to be arguing over the fact they should have had this in place from the beginning, there is a big difference, as it means in one situation, they knew their servers were vulnerable and specifically to what, whereas the other case it means they should have just beefed up all security to hopefully prevent all breaches which would be unknown). this former breach was not directly related to the current breach, however, the previous breach allowed hackers to work their way into the system, which led to the current breach (the one where ppl lost private info).

    tl;dr there was a time period of a few months where there was a relatively minor breach in the system that led to the current breach in the system where info was stolen. they did nothing in response to the minor breach, if they did, the current would most likely not have happened.

    btw, this is old news, i read it around the time sony declared info may have been stolen, they doubted cc info was stolen and started bringing in external investigators.

    Comment by Sodium Chloride
    06:52 07/05/2011 # ! Neutral (0)

    I find it hard to believe there were no firewalls, the PSN would have been burned to the ground long ago if that were the case.

    Seriously, there is only so much BS I can tolerate.
    While I don't expect Reuter like report from here, journalistic integrity here is fast sinking into "utter complete BS" territory.

    Combined with the overwhelming amount of (somewhat disgusting) ads ...

    I don't really feel like visiting your site anymore.

    We will see. I probably won't be visiting again. Consider this a farewell note if you will.

    Comment by Demi-Rebel 72
    05:36 07/05/2011 # ! Neutral (0)

    So technically Sony's been using old ass software to run the PSN along with no firewall to protect from outside attacks knowing damn well everyone must upgrade or change the software to a current up to date software that can prevent people from hacking into the server. But we see now that Sony's too effing lazy and cheap to use any up to date software for their servers yet they blame hackers for busting up the shit THEY should have been protecting. Hell, they had all this time to renew the software but instead they were too lazy to do so. That's why hackers will always keep attacking dumbass companies like Sony. Well it's official, when Nintendo's next console comes out next year, I'm throwing out my PS3, period.

    Comment by Anonymous
    07:15 07/05/2011 # ! Neutral (0)

    Come on sony this isn't china!

    Comment by Anonymous
    02:42 07/05/2011 # ! Neutral (0)

    Damn, it's like Toyota all over again. Poor Japan. Its biggest companies seem to love cutting corners.

    Comment by Anonymous
    01:29 07/05/2011 # ! Neutral (0)

    Lack of firewalls isn't necessarily a bad thing. A firewall won't protect an unpatched Apache server being hacked at all.

    Firewalls don't do what 95% of people use them for. 9 times out of 10 a server farm doesn't need a firewall as enterprise switches can do IP access restriction which is what is really wanted to keep undesirables away from machines you don't want them on.

    Comment by Anonymous
    02:01 07/05/2011 # ! Neutral (+0.2)

    -SIMPLE VERSION FROM ANON TO ANON-

    Lack of wall around your house isn't necessarily a bad thing. A wall won't protect your house from being burglarized at all.

    Wall don't do what 95% of people use them for. 9 times out of 10 most people doesn't need a wall since they can just hire a guard to keep the people who robbed you before out of the house.

    It's amazing on what rewording could do...

    :P

    Comment by yuriphoria
    02:31 07/05/2011 # ! Good (+0.4)

    Learn about computers before making such idiotic analogies.

    The relation between a firewall and switch level blocks is the inverse of what you propose.

    A firewall is like a guard, it inspects the messages sent to the system and blocks anything except communication to the configured applications. However firewalls can't really know what the application layer thinks so whatever they don't block, they relay to the application layer which handles security on their own.

    A switch or router level block IS like a wall, in that nothing gets through, period.

    Comment by Anonymous
    06:50 07/05/2011 # ! Neutral (+0.4)

    replace 'guard' with 'door'

    Comment by Anonymous
    08:16 07/05/2011 # ! Neutral (0)

    Actually, the Anonymous version of this is replace guard, with dog and curtains.

    Comment by Anonymous
    02:15 07/05/2011 # ! Neutral (0)

    Reworded, but that doesn't mean the body guard couldn't do as much a good job as the wall. Sounds like they have their ups and downs.

    Comment by Anonymous
    12:33 07/05/2011 # ! Neutral (0)

    So I was right about them running free av software and no firewalls in the 1st post about this story after all. Wonder how many other free to play games there are online that also have zero security. I know that SOE is a monthly sub but eq2f2p is still out there and also has our data at the SOE servers. But anyway, that's as lame as lame can be come the hell on, $15.00 a month from all those people and they can't buy a corporate nortons or bitdefender to protect our data? Sounds like they are liable to me.

    Comment by Anonymous
    04:49 08/05/2011 # ! Neutral (0)

    I'm an IT specialist/network tech and I am laughing hysterically here...

    Comment by Sky Lau
    00:16 07/05/2011 # ! Neutral (0)

    I just wonder that not only the accounts, but maybe the software of PSN itself is being cloned. Maybe there are Open-Sourced PSN later on.

    Comment by Anonymous
    01:19 07/05/2011 # ! Neutral (0)

    That would be sooooooo ironic.

    No longer do you need a legitimate PS3, along with legitimate games, to play online. Cause now there will be the New Pirate Station Network (N-PSN) to play all your torrented games on your hacked PS3 online. XD

    Comment by PrinceHeir
    14:22 09/05/2011 # ! Neutral (0)

    I'm pretty sure this has been debunked?

    Comment by S|e|7|e|N
    00:34 07/05/2011 # ! Neutral (0)

    You think Sony would skimp on expenses like decent servers?

    Yea...
    Probably...
    =_=

    Comment by Anonymous
    12:59 08/05/2011 # ! Neutral (0)

    I heard a rumor that Sony's American Cockfags...Executives have been declared a flight risk because they might flee and avoid testifying. I don't know if that's true or not, but I hope it is. Just in case.

    Comment by Anonymous
    03:17 07/05/2011 # ! Neutral (0)

    Should have used nginx.




