Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach
From Consumerist.com:
In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.
Tags: account security, compromised accounts
Trackback from your site.
Comments (6)
Jason S
| #
Funny. All of the sudden, the chances that it was a server side issue thatv allowed accounts to be hacked over the Holiday Season seems a bit more realistic. It was funny seeing all those people suggesting to those of us who waited over 3 weeks to a month to receive our items back, that we should consider improving our internet security protocol. Suddenly, people claiming Sony’s servers themselves were compromised, don’t seem so fantastically crazy anymore.
Having said that, what is currently happening to Sony and its customers is truly an eye opener. The shear magnitude of how many people are currently affected by this, coupled with the fact that Sony is not some backstreet company, is amazing! While I do think Sony/SoE dropped the ball big time on this, I don’t fully blame them however. No one could have seen this coming…
Either way, hopefully this pushes currently substandard Sony business practices in the right direction.
Reply
Aeyri
| #
While this is disappointing, I will say that what this update doesn’t report (but I have read elsewhere), is that Sony was using RHEL on its servers.
RHEL (Red Hat Enterprise Linux), as a commercial version of the Linux software, has a reputation as the standard distribution for businesses. I’ve worked at a company that would not consider running any other distro.
RHEL promotes itself as more stable and reliable than Windows or other distros of Linux. However, in my experience, this stability can come at a price. In order to ensure releases of only highly stable software with minimal changes, updates can come slowly. This means you may be stuck with outdated software for a while. I’ve run into this in the past with a software package that we knew had security vulnerabilities, but there was no RPM available for the latest version.
You are then stuck with either trying to build the package yourself from source, or searching the wilds of the Internet for someone who has already built an RPM for your version. “Hey, I found this RPM on someone’s website. Can we do a test install?” doesn’t fly in a corporate environment 😉 In the above-mentioned case, the lack of an RPM caused us to delay the update until we could find an acceptable alternate solution. In the interim, we were technically vulnerable. Thus, I am not much of a fan of Red Hat. Of course, YMMV.
Given how slowly I’ve seen corporations move, I wouldn’t be surprised if Sony had Apache on their queue of things to fix, but they were still weren’t ready to do it three months later. Excuse? No, not really. But I can understand their situation. I also always think there are two sides to every story.
Either way, I hope Sony learns from this experience and comes up with a better system for keeping their software up to date. While no security is 100% (and it becomes tougher the bigger of a target you are), they seem to know that they can do better, and are working to do so.
I don’t envy them at all, and am sure they are working their tails off currently.
Reply
jasonmicron
| #
I’m curious how one would install a firewall into a service. Please, Mr. “Security Expert”, please explain.
Sorry, that’s just a dumb comment, unless it was spoken in a manner that the masses would understand.
Also add that we don’t know how the network was compromised outside of the hacker gaining access to the network’s firewall and executing iptables chains to gain access to the network. For all we know, even if Apache wasn’t running the latest patches the breach would still have occured.
Yay for speculation!
And I wouldn’t exactly consider The Consumerist a viable news source. Just sayin’.
Reply
jasonmicron
| #
@Aeyri
If they were using RHEL then they don’t have to wait for Red Hat to approve releases. The EPEL repository exists just for this reason, plus DAG. If they were only patching packages released on RHN, which most people don’t because it is always outdated any way, then yea that’s a case of stupid with a capital S.
Also, to add on to your point about corporations moving slowly to patch services, I agree with you. However, for those out there that don’t know how major corporations work, they think they can just install any 0-day patch. It doesn’t work that way. It needs to be tested to see if it breaks anything else in their environment, what else it affects, etc. I’m sure you get that, but most people don’t.
Cheers.
Reply
Senya
| #
@jasonmicron
The testimony from Spafford was during a House hearing on data theft. You can see the testimony on cspan:
http://www.c-span.org/Events/Members-Look-at-Threat-of-Data-Theft/10737421279-1/
Reply
jasonmicron
| #
Cool, thanks Senya!
Reply