Sony Running Unpatched Servers With No Firewall
ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
Welp (Score:5, Insightful)
Well THERE'S your problem.
IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?
If they had cared enough... (Score:4, Insightful)
Sony took more care to lock the customer out of equipment the customer owned on the customer's premises to "protect Sony's IP" than they took to protect the customer's data running only on Sony's servers at Sony's premises.
Looks like they need to move their security staff to the hosting side.
Sam
Re:So now security researchers are to blame? (Score:4, Insightful)
The Sony IT folks probably wanted to, but their idiot managers prevented them. Because if the update broke something or needed downtime, they can't have that.
Re:But, but, but... (Score:2, Insightful)
I don't know if Anonymous is to blame for this. They are still, after all, a bunch of vindictive thugs and the Internet version of a street gang, but that doesn't make them guilty of this.
But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.
Re:So now security researchers are to blame? (Score:4, Insightful)
Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.
Updating and getting a firewall costs money, banning people from a forum doesn't.
Obviously it's better to treat the symptom than cure the disease.
Re:Welp (Score:4, Insightful)
definitely shows that PCI is bullshit ;)
PCI certification is a joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc. - so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to the doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die, the doctor only gets to say "His arm was fine when I checked it."
They like to brag that "no PCI certified system has ever been breached", but that's because when you're breached they forensically figure out where you violated PCI and retroactively revoke your certification. It's worse than bullshit: it's an expensive fig leaf of security theater.
So... (Score:5, Insightful)
No Firewalls (Score:1, Insightful)
Web servers do not need firewalls. If your servers are only providing public facing services there is no need to firewall them. In fact, firewalling them can make them more vulnerable to DDoS attack.
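Whether a public-facing web server belongs behind a firewall is the disagreement in this thread, so here is what a host-based rule set for such a server actually looks like. This is an added example, not configuration from the story or from any commenter, and it is written for nftables on Linux; the management range 192.0.2.0/24 is a constructed placeholder. The point it illustrates is that "public facing" means two TCP ports, not the whole host: the forum software's admin console, the database listener and anything else the box happens to run stay unreachable from the Internet even when a patch is late.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a public web server (not Sony's configuration).
flush ruleset

table inet webfilter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host already knows about
        ct state established,related accept
        ct state invalid drop

        # Local traffic (health checks, local monitoring agents)
        iif lo accept

        # ICMP is needed for path MTU discovery; ICMPv6 for neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The only service the Internet is meant to reach: HTTP and HTTPS
        tcp dport { 80, 443 } accept

        # SSH only from the admin network (192.0.2.0/24 is a constructed placeholder)
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # Everything else (admin consoles, database ports, forum back ends) hits policy drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check the live rules with `nft list ruleset`. The grain of truth in the DDoS objection is the `ct state` rules: stateful tracking keeps a connection table that a SYN flood can fill, at which point new legitimate connections are dropped before the web server ever sees them. The fix is to size or bypass that table (raise `nf_conntrack_max`, or mark ports 80 and 443 `notrack` in a raw-priority prerouting chain), not to remove the filter and expose every listening service on the host.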