Sony has been accused of hosting its PlayStation Network on servers running out-of-date software with no firewalls, and of continuing to run them in this fashion even after being made aware of the problem.
In a recorded address to a House of Representatives committee hearing on cyber-security, considerable concern was expressed about Sony’s handling of PSN security.
In particular, Purdue University professor Dr. Gene Spafford claimed that “individuals who work in security and participate in the Sony network” had “months prior to the incident where the break-ins occurred” become aware that the PSN servers ran “very old versions of Apache software that were unpatched and had no firewall installed.”
Sony is said to have been made aware of these issues, but apparently took no action and continued running its servers with old software and no firewall.
Sony has not responded to the allegations, but its most recent statements to the US government and its users have admitted no error on Sony’s part and blamed everything on wicked cyber-criminal masterminds.
Regarding when the PSN will be coming back online, Sony still has not offered a timetable – its latest update only says the secure PSN is in “internal testing”:
“Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services.”
Presumably this included running “yum update apache2” and placing the servers behind a proper firewall…









>yum update apache2
lold
yum install apf
...
Or even better.. hardware firewall?
Update network is like OFW VS. CFW
Don't you mean "yum install apt"?
Let me suggest "wget http://cdimage.debian.org/debian-cd/6.0.1a/i386/iso-cd/debian-6.0.1a-i386-netinst.iso"
Sony probably was thinking
If we never update it and nobody uses that version people will forget how to hack it XD
Like running Windows 3.1 and the viruses designed for newer stuff going what the **** is this XD
Yes.
And do not forget to add to the crontab every weekend to run automatically `apt-get update && apt-get upgrade -y`.
Posts by idiots that think one crontabs upgrades on production systems...
I think people should actually read into what happened instead of being the usual headless chicken on the internet. Gene Spafford has already been telling people that "journalists" have only taken choice quotes from his testimony and that he was only there to support speculation and has no real insight into the matter. Of course no one wants to update their reports since good news doesn't generate clicks.
Furthermore, the running version of Apache was only months old and they were already in the process of moving all their servers and info over to the new location with a new server distro in the wake of the attacks by Anon.
Also, I've been with Anon since the beginning, and I can tell you that some British kids aren't the voice of Anon (fuck your extra u's), and any "press releases" do not reflect on the actual workings of anyone claiming themselves to be Anonymous.
Still, these days, nobody plugs Apache directly to the net.
H/W firewall is a must for any large net. Or at least a good router which might serve as a firewall in case of emergency (or, if you are on budget, OpenBSD or Linux in transparent masquerading/NAT/etc mode; easy tutorials how to setup are plenty).
nginx (or some other alternative) is a must as a caching front-end - right behind the firewall and just before the Apache.
Because for any high load job, you do NEVER plug Apache directly to the net. And even if you are an amateur, you still do not do it, because your ISP would do it for you.
But then, you are free to go on to make up excuses for the Sony. Fanbois are welcome here, you know :D
Apache that was unpached.
Funny huh?
"Apache server" actually means "A patchy server." Look up the history.
in the early 90's a 'patch' is what a 'plug-in' is called these days.
history lol
Not that I approve of their thievery, but these hackers basically did what any good security professional should. That is, they prompted a huge multi-national corporation to fucking GET THEIR SHIT TOGETHER.
Hot DAMN, people.
That's because Sony relied on the console's engine to process the encryption. That's why Sony defended the PS3 like it did, and why they removed OtherOS.
Getting everything back online will take a serious software overhaul, and (just hope that doesn't happen) probably change the security keys.
Just speculation, but if this turns out to be true, then Sony's network is compromised, unless it is willing to take bold steps to finish this struggle.
Even if you rely on that, businesses should still create different networks and security layers amongst them. Running this large of a business the servers containing critical customer data (cc info, address, DOB, -anything not necessary for personalized interface settings-) should be kept on servers on a higher security level than the web servers... having everything on a level playing field means if 1 server gets compromised the rest are at that point more vulnerable as typically they are setup for ease of access within their own security layer.
With this information I feel that likely Sony didn't even do that. Now I know small companies probably do not; but they also don't have as large of a client base...
That is a piss poor way to be implementing things.
The PSN is connected to the internet so any security via locking the console down is worthless.
Apache is a Linux program run on PCs. Hacked PS3 systems had nothing to do with the attack. The hack to PSN affected not only PSN accounts, it affected Sony's other online services too, such as Everquest.
And, according to this article, happened because Sony FAILED to keep the software run on their servers updated. In other words, it was a script kiddie using known exploits for the software Sony ran, that gained access to their database. Again, the hack was not something executed with a hacked PS3 system. You got that, kid?
You say it was easy to shit a brick at Sony's door. I won't argue with that as I have no knowledge.
However, is it the same to shit a brick and not get caught afterwards?
I guess that's the main difference between a script kiddie and an anonymous. Whether it was the first or the latter, we shall know in months.
And they point their finger to anonymous for hacking? i say sony is literally letting people hack them. Anyone with decent brain would think about protecting their own PC, let alone a network of 77M people. Great job Sony, will you be able to gain our trust ever again?
This is really bad newsss...
any day now they will fix this -_-
more like any month if they had months to fix it..
I would hope so. It's already been going on far too long, and a result of their own lackluster security procedures/measures.
If this is true Sony has screwed up big time. How much work is it to patch your servers from time to time and install a damn firewall.......
So wait................pretty much anyone could have done this then? The big surprise here is that this wasn't hacked sooner. And blaming Anonymous too? Sony is just messing up left and right.
So... at first I was willing to give them some leniency... seeing as even internet security firms have been hacked... but not keeping their servers up to date or using some of the most basic security technologies to keep them secure is silly...
Now I'm actually concerned about how secure they really consider "secure"...
Yeah, I've pretty much lost the remaining consideration I had for their side of things when I read this article...
Yikes Sony, Yikes...
I just want the Online back lol
Old news is old...
Like I said before, even Linux needs firewall! I just hope they will put a decent firewall with I/O control, and not just one of those tables with Port Open/Port Closed sections >_>
P.S.
>yum update apache2
lold2
Hope there'd be no trollers on this post
Better get Section Nine, and the Major on this!
you guys might want to look past the whole apache, patched/up to date versions, firewall thing btw.
the fact is, their security was previously breached, a few months before the current hacking took place. this was known to them, but ignored (here you can make the argument they should have implemented patching and firewalls at this point in time if applicable, however you seem to be arguing over the fact they should have had this in place from the beginning, there is a big difference, as it means in one situation, they knew their servers were vulnerable and specifically to what, whereas the other case it means they should have just beefed up all security to hopefully prevent all breaches which would be unknown). this former breach was not directly related to the current breach, however, the previous breach allowed hackers to work their way into the system, which led to the current breach (the one where ppl lost private info).
tl;dr there was a time period of a few months where there was a relatively minor breach in the system that led to the current breach in the system where info was stolen. they did nothing in response to the minor breach, if they did, the current would most likely not have happened.
btw, this is old news, i read it around the time sony declared info may have been stolen, they doubted cc info was stolen and started bringing in external investigators.
I find it hard to believe there were no firewalls, the PSN would have been burned to the ground long ago if that were the case.
Seriously, there is only so much BS I can tolerate.
While I don't expect Reuter like report from here, journalistic integrity here is fast sinking into "utter complete BS" territory.
Combined with the overwhelming amount of (somewhat disgusting) ads ...
I don't really feel like visiting your site anymore.
We will see. I probably won't be visiting again. Consider this a farewell note if you will.
So technically Sony's been using old ass software to run the PSN along with no firewall to protect from outside attacks knowing damn well everyone must upgrade or change the software to a current up to date software that can prevent people from hacking into the server. But we see now that Sony's too effing lazy and cheap to use any up to date software for their servers yet they blame hackers for busting up the shit THEY should have been protecting. Hell, they had all this time to renew the software but instead they were too lazy to do so. That's why hackers will always keep attacking dumbass companies like Sony. Well it's official, when Nintendo's next console comes out next year, I'm throwing out my PS3, period.
Come on sony this isn't china!
Damn, it's like Toyota all over again. Poor Japan. Its biggest companies seem to love cutting corners.
Lack of firewalls isn't necessarily a bad thing. A firewall won't protect an unpatched Apache server being hacked at all.
Firewalls don't do what 95% of people use them for. 9 times out of 10 a server farm doesn't need a firewall as enterprise switches can do IP access restriction which is what is really wanted to keep undesirables away from machines you don't want them on.
-SIMPLE VERSION FROM ANON TO ANON-
Lack of wall around your house isn't necessarily a bad thing. A wall won't protect your house from being burglarized at all.
Walls don't do what 95% of people use them for. 9 times out of 10 most people don't need a wall since they can just hire a guard to keep the people who robbed you before out of the house.
It's amazing on what rewording could do...
:P
Learn about computers before making such idiotic analogies.
The relation between a firewall and switch level blocks is the inverse of what you propose.
A firewall is like a guard, it inspects the messages sent to the system and blocks anything except communication to the configured applications. However firewalls can't really know what the application layer thinks so whatever they don't block, they relay to the application layer which handles security on their own.
A switch or router level block IS like a wall, in that nothing gets through, period.
replace 'guard' with 'door'
Actually, the Anonymous version of this is replace guard, with dog and curtains.
Reworded, but that doesn't mean the body guard couldn't do as much a good job as the wall. Sounds like they have their ups and downs.
So I was right about them running free av software and no firewalls in the 1st post about this story after all. Wonder how many other free to play games there are online that also have zero security. I know that SOE is a monthly sub but eq2f2p is still out there and also has our data at the SOE servers. But anyway, that's as lame as lame can be come the hell on, $15.00 a month from all those people and they can't buy a corporate nortons or bitdefender to protect our data? Sounds like they are liable to me.
I'm an IT specialist/network tech and I am laughing hysterically here...
I just wonder that not only the accounts, but maybe the software of PSN itself is being cloned. Maybe there are Open-Sourced PSN later on.
That would be sooooooo ironic.
No longer do you need a legitimate PS3, along with legitimate games, to play online. Cause now there will be the New Pirate Station Network (N-PSN) to play all your torrented games on your hacked PS3 online. XD
I'm pretty sure this has been debunked?
You think Sony would skimp on expenses like decent servers?
Yea...
Probably...
=_=
I heard a rumor that Sony's American Cockfags...Executives have been declared a flight risk because they might flee and avoid testifying. I don't know if that's true or not, but I hope it is. Just in case.
Should have used nginx.