Sony Running Unpatched Servers With No Firewall 306
ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
Welp (Score:5, Insightful)
Well THERE'S your problem.
IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?
Re:Welp (Score:4, Informative)
Re:Welp (Score:5, Interesting)
They are in gross violation of PCI. Criminal Negligence is "suitable"
They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?
Re:Welp (Score:5, Interesting)
How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.
Re: (Score:2)
definitely shows that PCI is bullshit ;)
Re: (Score:3)
definitely shows that PCI is bullshit ;)
They weren't PCI compliant since part of compliance requires applying security patches to in-scope systems, and if credit card numbers were passing through Apache or the web app running on Apache had access to credit card numbers, it was definitely in scope. And of course, storing unencrypted credit card numbers also violates PCI, but even if they were encrypted, if the hackers had control of the application they could have had the decryption keys.
Re:Welp (Score:4, Insightful)
definitely shows that PCI is bullshit ;)
PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."
They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.
Re:Welp (Score:4)
PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.-
You certainly can limit the scope to only those computers that have access to PCI protected data, but any computer that has access to that data or processes that data is in scope. I'm sure you can configure your network in such a way that allows a breach, but that's not really PCI DSS's fault - one standard can't be expected to provide complete security for all environments....they give you overall security recommendations, if your network allows access to the data by a botnet, then it's your job to fix it, don't think that just because you checked all of the checkboxes on the PCI-DSS checklist that your security job is done.
so only certain areas get tested.
If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.
They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.
I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out our PCI compliant systems. However, If they found that you violated PCI standards, then you weren't really PCI compliant, were you?
Re: (Score:3)
If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.
But they don't encourage the larger picture is my point. Their testing methodology encourages checklist thinking so you pass a limited test at 100% and you get your certification. Because you don't get any real protection from the certification - because they will retroactively deny your compliance after the fact - it becomes a necessary evil to be complied with not an active process. You're encouraged to think completely inside the box to get PCI certs but not rewarded in any way for taking a comprehensive
Re: (Score:3)
They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.
Sounds like post-claim underwriting. Collect premiums from a customer up until they file a big claim. Then carefully examine history to find some violation, and deny claim. Be sure to refund premiums without interest to be nice. Of course, what they don't do is carefully check the histories of customers who DON'T file claims to see if they're paying for invalid insurance and should get refunds as well. Since the whole nature of insurance is that most people don't file big claims, you can make money han
Re: (Score:3)
PCI if followed is effective.. compliance in the marketplace is bull shit.. BUT there is one thing that i like about Sony failing.
If you claim to be PCI compliant but are not and you suffer a breach related to your failure to be compliant then you are liable for any fraud charges and cost to investigate and clean up said mess. Not to mention if it was a smaller out fit their ability to charge cards would be removed.
Re:Welp (Score:5, Informative)
A friend of mine used to sit on the PCI board. He linked me to this recently:
http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html [imperva.com]
PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)
PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.
Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.
Re: (Score:3)
The parent sums PCI up very nicely. My company is looking at the feasibility of implementing PCI vs outsourcing credit cards. Since we would be a Tier 4 vendor, we would be able to do a self assessment. Talking with other companies in Tier 4 uncovered a wide range of compliance from almost nothing to almost complete compliance. If the web site you're giving your credit card to is not a Tier 1 vendor, be very very afraid.
Re: (Score:3)
I suspect that anybody who does a competent, good faith, implementation of PCI is at least part of the way toward a secure operation; but PCI isn't intended as polite good advice...
Re: (Score:3)
When a small business such as you or I might run fails to keep systems in PCI compliance, the bank can revoke our ability to take cards and we are in trouble.
When a huge business such as Sony fails to keep systems in PCI compliance, the bank cannot revoke ability to take cards otherwise the bank's in trouble.
Re: (Score:3)
Having been through a few PCI audits as the "Point man" on the technology, I can tell you that the external audits are a joke. The auditor is usually not a tech. Often, it's a peon with a clipboard. On this clip board are check boxes. He askes you "Do you do X"? You say "Yes", he ( or she ) checks the box. Meanwhile, your company continues to have horrible business practices.
This was a tier 1 audit too.
Re: (Score:2)
PCI Compliance only requires that you are showing progress towards security goals, not that you have all the items implemented.
Comply, or comply not. There is no "try".
Got a citation for that?
Re: (Score:3)
nope, seems i was wrong:
"b. Complete and document all steps detailed in the Requirements and Security Assessment Procedures, including brief descriptions of controls observed in the “In Place” column, and noting any comments. Please note that a report with any “Not in Place” opinions should not be submitted to PCI SSC until all items are noted as “In Place.”"
Re: (Score:3)
The merchant's external ASV and internal vulnerability assessments should have had red flags all over them, so ignorance is certainly no excuse. The QSAs may never know the difference as you say, and it's up to the merchant to specify scope for the external scans. These things should make a large difference if followed in good faith.
Re:Obvious to those who are in the system (Score:5, Interesting)
Well, I know that when I had to go through it regularly, we did have to complain about some of the remote scanning.
Here's a few of the BS items that we had been flagged with. These are from memory, so I may be wrong on some of the wording.
The server does not respond to ICMP (red flag). Well, the server blocked all unexpected traffic, including ICMP. So we opened the firewall a little for that.
They complained that they were not getting refused connection messages to known ports (telnet, SMTP, etc), so we were flagged for that. That's where I started complaining.
They wanted the firewall completely opened for "testing". This was current production, so I refused. I told them I could allow a single IP for them to test with, but they wouldn't oblige. Since we were always under attack, their IP was one of several hundred during the period where they were most likely testing. 1 tester, and a few hundred attackers. Hmm, no.
They proceeded to search the surrounding network. They red-flagged us for having a server on the network that responded to DNS requests. Oddly enough, that was a DNS server. Then they hit us for having a mail server that accepted mail. Sure, it accepted mail. It only relayed for us, but we did (oh my gosh) receive mail. They didn't receive an instant refusal, because we accepted and dropped those messages.
I passed the word back through our accounting guy that they could go fuck themselves, and to give us a real auditor...
The second auditor wasn't quite so bad. They hit us for not being able to fingerprint the OS. I congratulated them on that, and then told them specifically the OS, distro, and kernel version. They had a few yellow flags for non-broken stuff, such as not responding to ICMP. They didn't mark points against us on that one, it was just a mention. They questioned our remote access ability, since the only ports that responded were 80 and 443. I told them the port number (unusual port) and method, so they beat on that for a while and couldn't touch it. Then they gave us a pass.
We were fully compliant. I wasn't hiding anything from them. I was hiding everything from the constant barrage of hackers who wanted in. People knew we made millions. They knew we had a whole bunch of machines on multiple GigE circuits. If they could compromise just one machine, they'd have a very fast platform to attack from, and I wasn't going to allow that.
We were very successful in never losing any personal info, but we always maintained doing better than PCI compliance required.
Re: (Score:2)
I know I wouldn't use it... my Credit Cards give me a layer of protection and a buffer. So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them. (Unless I'm totally wrong here. I remember Prepay cards that you had to get at the store and are charged a percentage more than the value of the card. This usually involves predetermining that you need the card while you are at the store or making a special trip.)
Paper bill I guess I c
Re: (Score:2)
So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them.
Yeah such a pain in the ass that's why you would just buy prepaid game cards instead of a prepaid credit card, I mean they're only offered at every convenience store, grocery store and department store. From XBLA points to F2P MMO networks they're just about everywhere these days and I've never seen a fee on one. 20 bucks of credits is 20 bucks of credits is 20 bucks of credits.
Re: (Score:2)
That was one of my points though. You get home, sit down, take off your shoes, maybe get comfortable and go look through the games available to buy online. You see one you really like and want to get it. Doh, I have to run to the store to get a card...
There's just a huge inconvenience in prepaid cards.
You could stock up on a bunch of cards anticipating that you will be buying a game, but what if you buy a card for $20 and the game is $18? Now there's $2 sitting on that card and you may just throw the ca
Re: (Score:2)
Re: (Score:2)
Really
I found impossible to run a server without even Fail2Ban without running into some serious issues
Rule 1 - Nothing should show up on a port scan besides HTTP/HTTPS and SSH (only if absolutely needed)
Rule 2 - Fail2Ban everything that looks funny
Rule 3 - nothing listens on 0.0.0.0 except as needed (even with a firewall)
And that's only the beginning
Re: (Score:2)
They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.
Re:Welp (Score:4, Interesting)
From USLegal [uslegal.com]:
The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.
Bolding by me.
IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave a unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then loose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!
Re:Welp (Score:4)
Yet it still happens everyday.
Re: (Score:2)
Yet it still happens everyday.
But probably not on servers that are storing millions of credit card numbers. That's a key difference.
Re: (Score:2)
Hey, there's an optimist left on /.!
Re: (Score:2)
But probably not on servers that are storing millions of credit card numbers. That's a key difference.
Exactly! Although it is never good to leave something exposed to the Internet unprotected, if its small there is very little risk (I have always been taught to assume that your system is constantly being attacked, better to be secure than sorry). But its entirely unacceptable to be so lax on security for something having access to their credit card database. I hope other companies that store credit card data are double-checking their security. If Sony made this mistake, others have as well.
Re: (Score:3, Interesting)
Yet it still happens everyday.
But probably not on servers that are storing millions of credit card numbers. That's a key difference.
I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.
The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.
I have broken into customer or employee data in almost every company I've audited during the last 4 years.
I'll tell you also, that the PCI mandated
Re: (Score:3, Funny)
loose 2 million credit card numbers
It isn't like those numbers actually can be used for anything.
A number that people tell random merchants is obviously not something that is usable for any economic purposes. I can't imagine anyone using it to validate purchases as that would clearly be criminal negligence.
Re: (Score:3)
But most large networks shy away from stateful inspection because it's more resource intensive. And a non-stateful could catch the same things, as long as the person sending the exploit doesn't figure out something as hard as fragmenting the packet to get it past. But then, if t
Re:Welp (Score:5, Informative)
Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsbility [wikipedia.org] but customers do have a reasonable expectation of due care [thefreedictionary.com], at least with their credit card information and likely with their account information.
Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant [wikipedia.org]. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.
Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.
Re: (Score:2)
Given the attitude of most suits on website security, almost certainly.
Re: (Score:2)
In Massachusetts, there most definitely is. After the TJX breach, there was a big push to get businesses that hold personal information to take appropriate precautions. This culminated in M.G.L. Chapter 93H and corresponding regulations, which among other things makes data breaches actionable if the business did squat all to prevent it.
Lately, our Attorney General has been doing everything she can to keep herself in the news, and I would not be surprised if she files suit against Sony post haste.
Re: (Score:3)
The basis of this claim is Dr. Gene Spafford of Purdue University. He was giving testimony before Congress.
If you have proof that this man is lying, then let's see YOU go before Congress and testify.
So now security researchers are to blame? (Score:4, Informative)
Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.
Re: (Score:2)
Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.
Of course, and "the gun dropped out of my pants and went off by accident" is also a typical response to certain other situations. Typical doesn't mean it will actually work as a defense ;-)
Re: (Score:3)
Indeed, I wasn't implying that it was a valid excuse, just that they'll use it and a lot of corporate apologists will buy into it because God forbid a corporation be forced to account for its own incompetence.
Re:So now security researchers are to blame? (Score:4, Insightful)
The Sony IT folks probably wanted too, but their idiot managers prevented them. Because if the update broke something or needed downtime they can't have that.
Re: (Score:3)
they'd rather be hacked and incur weeks of downtime by doing the wrong thing,m rather than a couple of minutes of downtime doing the right thing.
This is typical Sony as of late. Why should their infrastructure management be any better than the way they treat customers?
Re: (Score:2)
Re: (Score:2)
Not just Sony. This is pretty common in corporate America, from what I have seen via consulting gigs.
Re: (Score:3)
Yeah.
For a few years, a friend of mine had the kind of security consulting job wherein companies would hire him to try to compromise their systems and provide them with recommendations of what they needed to do to tighten up their security. I thought that sounded like a lot of fun when he first described it, but he then added that it was actually a really boring and depressing job most days because the same small handful of unpatched exploits would give him root or the equivalent on 95%+ of companies syste
Re: (Score:3)
For really depressing a typical cheap job (what these customers want) it starts with a OpenVas or similar scan, then you give them the print out and get to hear their sysadmins say that this is the same thing they already told their boss. Come back in 6 months, run the same scan and find the same vulnerabilities. Every time management acts shocked, sysadmins say "No Duh", rinse and repeat.
Security in typical companies is a last thought and overruled at every turn.
Re:So now security researchers are to blame? (Score:4, Insightful)
Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.
Updating and getting a firewall costs money, banning people from a forum doesn't.
Obviously it's better to treat the symptom than cure the disease.
This seems like a case for... (Score:2)
Re: (Score:3)
:facepalm: (Score:2)
Criminal Negligence? (Score:3)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
Lawyers will have field day! (Score:2)
Re:Criminal Negligence? (Score:5, Informative)
In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.
The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.
Re: (Score:2)
Not really, but if you are going to get sued for damages in a multi-billion dollar class action law suit one of the key points is going to be negligence. If this story is true, establishing negligence is going to be easy.
standard industry practice (Score:3)
*SARCASM*
Sony's defense will be that this state is "standard industry practice" and to expect Sony to have taken more elaborate steps at being secure like updating the software or running firewalls and other protection services as well as things like honeypots and other intrusion detections measures is just not done by major internet service providers.
But, but, but... (Score:5, Funny)
... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers [availableimages.com] told us!
Re: (Score:2, Insightful)
I don't know if Anonymous is too blame for this. They are still after all a bunch if vindictive thugs and the Internet version of a street gang but that doesn't make them guilty of this.
But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.
Re: (Score:2)
Better watch out for Agent Gill with comments like that.
Wow lots of speculation but no proof. (Score:3)
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."
Which version?
And what do they mean where not running a firewall? And this was reported on a forum?
You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.
Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and our that Congress is not taking statements like "It was reported on a forum" as evidence. Now if they have proof that this is true and it was reported on a forum it is interesting but just reported a forum is junk.
Re: (Score:2)
I do not know him. and everything you say may be true but I am going only by what is in the linked story and that had nothing of value. I do not think one should reward bad journalism with lots of pages hits do you?
Elite Hackers. (Score:2)
Re: (Score:2)
I always hide information in a file called README. No one ever looks in there.
If they had cared enough... (Score:4, Insightful)
Sony took more care to lock the customer out of equipment the customer owned on the customers premises to "protect Sony's IP" than they took to protect the customers data running only Sony's servers at Sony's premises.
Looks like they need to move their security staff to the hosting side.
Sam
Re: (Score:3)
This is absolutely typical for most large Japanese companies. The infrastructure is absolutely vertical and they admit to nothing. PR and the face that you present to the world is everything, and well, all of the rest is just stuff you should be a good worker and not ask about. Typical management is not too different than in the U.S. though, which is to tell the workers to "do it" and leave the rest of the thing to some guy five levels down the chain to make work. Just, that if there's a problem, the
Lemme guess what the response was (Score:2)
The thread was deleted for "security reasons" and nothing else happened.
No, I did not read TFA, but I know Sony.
Don't forget (Score:2)
This could be a cover-up. (Score:3)
I contacted Sony and let them know that I did not pay for repairs as I do not own a playstation. I was told that they would not remove the charge and that I would have to contest it thought the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the playstation network account associated with the playstation that was repaired.
I contested the charge through the credit card company and went through the whole hassle of changing ALL credit cards and notifying all business that I do transactions with.
Maybe Sony is charging people for 150 here and there to pay for their lawyers. Now that people are calling Sony on the fraudulent charges, they can say that they were hacked....
(Yea, I know, Who would steal credit card numbers from Sony and use the same info to buy Sony stuff.)
I had stopped buying everything sony, cancelled my EQ, etc when the Rootkit fiasco hit and I was burned by that for putting a CD in my computer.
Bastards.
Re: (Score:2)
Actually, this sounds perfectly reasonable.
Sony has no way of knowing whether you are the person who put the charge on the card or no
So... (Score:5, Insightful)
VISA and MasterCard lower the hammer (Score:5, Informative)
It's likely that Sony went off-line not because they wanted to, but because VISA International [visa.com] and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised" [slashdot.org]. The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.
The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.
Then comes the "Account Data Compromise Recovery [visa.com] phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.
A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.
Re: (Score:3)
Re: (Score:2)
Re:VISA and MasterCard lower the hammer (Score:5, Informative)
The time to short the stock is well past.
One shorts when public information is low and you have special knowledge of the situation, be that insider information, a unique knowledge of the industry, or particular experience.
Shorting Sony at this point in time, when all the smart money (which knows more than you) has already set a rational price based on reasonable odds is nothing more than tying your hands.
Unlike a traditional (long) position you would have locked yourself into a time window, preventing you from a full range of actions based on later information.
Obviously (Score:2)
Sony, I am disappoint. (Score:2)
As a long-time subscriber to SOE games, I can say that I am just flat-out disappointed.
It's not just anger, it's not just disbelief... it's disappointment. As if I just found out that my kid is the bully at school, steals lunch money, and spouts hate speech.
I know that the people I know, personally, in SOE (devs, community relations) didn't have control over this, but some people at most levels had to know.
Ouch, guys. Ouch.
(http://t0.gstatic.com/images?q=tbn:ANd9GcQngiRrhTv_0WdVtJjX3aUV8a4o7zuyAY_CTUwHPpFdm
Marketing! (Score:2)
The ad for a free copy of "Vulnerability Management for Dummies" that appeared beside this article when I first clicked on it was a nice touch.
Sony: It was Anonymous, honest guv (Score:3)
GUTEN TAG, Wii Gehts, Wednesday (NTN) — Sony has revealed that the Playstation Network security breach, which compromised 24.6 million credit cards, was entirely the work of evil hackers from Anonymous [newstechnica.com], and nothing to do with their own incompetence, honest.
[newstechnica.com]"We discovered a file making a clear reference to 'Username unknown,'" the company said in a letter to the US Congress on Wednesday, "and a blank user icon which therefore was anonymous. D'you see what that means? It means George Hotz and his hacker friends are loathsome criminal masterminds! So obviously we can't be held liable for negligence in the face of forces like these. In conclusion, give us money."
The letter details the company’s actions over the past two weeks. It says Sony acted with "care and caution" in deciding how to act and how long it thought it could get away without telling anyone. "We did not want to cause confusion and cause customers to take unnecessary actions, such as stopping their credit card payments to us."
"We have suffered a very carefully planned, very professional, highly sophisticated criminal cyberattack, which has led to people committing the heinous hate crime of jailbreaking their PS3s. In accordance with our campaign contributions, we ask that you impose the death penalty for such offenses."
The letter concluded that the breakin was quite definitely the work of Anonymous. "We were going to blame Al-Qaeda, but we figured after Monday that you probably wouldn't buy that."
Re:EPIC Fail (Score:5, Funny)
The problme was with unpatched Apache - maybe if they had been running IIS they would have been OK :)
Re: (Score:3)
The problme was with unpatched Apache - maybe if they had been running IIS they would have been OK :)
I thought Apache was only meant for casino websites ran off the reservation.
Re:EPIC Fail (Score:5, Funny)
You laugh, but when you think about it and weigh PSN against XBox Live, Sony failed so hard they made Microsoft's security look good by comparison.
That's a special kind of failure. That's the full retard, if you will.
Re: (Score:3)
I mean who puts servers using any operating system public facing to the internet without a firewall..
FTFY.
Re:I don't find this shocking (Score:5, Informative)
As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.
Re: (Score:2)
Re: (Score:3)
I apologize, I should also state there are explicit rules inside to outside too. Businesses should not run their servers like a home network to where the server has unfettered access outbound - or to other network areas, if necessary. Also - deep packet inspection on the firewall can nail a lot of what could be seen as unexpected protocols running across common ports (someone attempting ftp/SMB over port 80 for instance.)
Re: (Score:3)
And it was a genius idea to put the credit cards on a webserver !
You never expose your important data.
If you really need to store credit cards, you put them on your local network, and provide web services to validate the data, but never store anything on the web server.
Re: (Score:2)
Are you also not keeping it up to date? It's the combination that makes it really bad.
Re:I don't find this shocking (Score:5, Funny)
Am the only one running apache without a firewall ?
No, we're all running your machine, too!
Re: (Score:3)
If your house is holding many people's credit card details, and more, in a supposedly secure fashion, then it makes you look a bit more than foolish.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
A month ago Sony could also say no intrusions had occured user data was safe.
Re: (Score:2)
OK, I realize you're a tremendous troll, but for a lark I did the math. A million dollars for each citizen of just the US is 300 trillion dollars. That's about four times the GDP of the entire world. That's worlds away from the cost of every war, and bank bailout in US history combined. Possibly world history.
Re: (Score:3)
Re: (Score:3)
While closing off all unneeded services does not protect you from many attack vectors without the need for a firewall, it is