
Sony Running Unpatched Servers With No Firewall

ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
  • by hedwards ( 940851 ) on Thursday May 05, 2011 @11:47AM (#36035978)

    Isn't that the typical response in situations like this? Clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

  • by __aavqan3009 ( 1714764 ) on Thursday May 05, 2011 @11:54AM (#36036052)

    What a pile of tools. Ya know, Sony made a pile of money in the early sixties ripping off German reel-to-reel tape machines. Yes, that's counterfeiting.
  • by karnal ( 22275 ) on Thursday May 05, 2011 @11:55AM (#36036074)

    As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.
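
The whitelist-only firewall karnal describes, as an added example that is not part of the thread: a default-deny inbound nftables ruleset for a public web host, plus a check for the two edits that most often undo such a whitelist. The port list, the 192.0.2.0/24 management range and the `check_ruleset` helper are assumptions for illustration, not anything Sony ran.

```shell
# Added example, not from the thread: default-deny inbound nftables ruleset
# exposing only what a public web server needs. Assumptions (hypothetical):
# HTTP/HTTPS served, admin SSH only from 192.0.2.0/24, nftables installed.
set -eu

WEB_PORTS="${WEB_PORTS:-80, 443}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # placeholder management range

# Print the ruleset. Inbound traffic is dropped unless explicitly listed, so a
# service compromised through one port cannot be reached on any other one.
ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { $WEB_PORTS } accept
        ip saddr $MGMT_NET tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Guard against the two edits that quietly undo the whitelist: losing the
# default drop on input, or opening SSH to every source address.
check_ruleset() {
    r=$(ruleset)
    printf '%s\n' "$r" | grep -q 'hook input priority 0; policy drop;' || return 1
    if printf '%s\n' "$r" | grep 'dport 22' | grep -qv 'ip saddr'; then
        return 1
    fi
    return 0
}

# Apply only as root with nft present; otherwise just show the ruleset.
if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    check_ruleset && ruleset | nft -f -
else
    ruleset
fi
```

Run it unprivileged to review the generated ruleset; as root it is loaded only after `check_ruleset` passes.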

  • Re:Welp (Score:4, Informative)

    by andrea.sartori ( 1603543 ) on Thursday May 05, 2011 @11:56AM (#36036080) Journal

    I'm afraid stupidity is not a "suitable" (sorry...) offense. Maybe based on criminal negligence...
  • by Beryllium Sphere(tm) ( 193358 ) on Thursday May 05, 2011 @12:01PM (#36036154) Journal

    In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.

    The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.

  • Re:Welp (Score:5, Informative)

    by akpoff ( 683177 ) * on Thursday May 05, 2011 @12:11PM (#36036258) Homepage

    Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsibility [wikipedia.org] but customers do have a reasonable expectation of due care [thefreedictionary.com], at least with their credit card information and likely with their account information.

    Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant [wikipedia.org]. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

    Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

  • by Animats ( 122034 ) on Thursday May 05, 2011 @01:00PM (#36036928) Homepage

    It's likely that Sony went off-line not because they wanted to, but because VISA International [visa.com] and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised" [slashdot.org]. The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

    The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

    Then comes the "Account Data Compromise Recovery" [visa.com] phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

    A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.

  • Re:Welp (Score:5, Informative)

    by MattW ( 97290 ) <matt@ender.com> on Thursday May 05, 2011 @01:48PM (#36037612) Homepage

    A friend of mine used to sit on the PCI board. He linked me to this recently:

    http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html [imperva.com]

    PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)

    PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.

    Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.

  • by woolpert ( 1442969 ) on Thursday May 05, 2011 @02:56PM (#36038766)

    The time to short the stock is well past.
    One shorts when public information is low and you have special knowledge of the situation, be that insider information, a unique knowledge of the industry, or particular experience.

    Shorting Sony at this point in time, when all the smart money (which knows more than you) has already set a rational price based on reasonable odds is nothing more than tying your hands.

    Unlike a traditional (long) position you would have locked yourself into a time window, preventing you from a full range of actions based on later information.
