Security Expert Testifies That Sony Knew Its Security Was Out of Date for 'Months'

Posted by Alex (2045 posts) -

During yesterday's hearings held by the Congressional House Subcommittee on Commerce, Manufacturing, and Trade on the subject of data theft--and, largely, the current situation with Sony and the PlayStation Network--the committee heard testimony from Dr. Gene Spafford, the executive director at Purdue University's Center For Education and Research in Information Assurance and Security. During his testimony, Spafford dropped a potentially damning piece of info regarding the Sony breach.

 Dr. Gene Spafford.
Specifically, Spafford claimed that Sony employees were aware that the company's security measures were out of date and vulnerable to attack. His information came from an open Internet forum used by security experts, including several Sony employees. According to him, several people on that forum realized that Sony's systems were running "very old versions of Apache software that were unpatched and had no firewall installed." The issue was reported "two or three months" prior to the attack that brought down the PSN service. In that time frame, Sony neither acknowledged the report nor made any visible updates to the systems.

Spafford himself was not a part of these original forum discussions. Rather, he cited reports from others reportedly involved in them. While that leaves room for speculation about exactly how accurate his timeline is, a statement like that under oath is still likely to add a great deal of fuel to the federal government's investigation, not to mention the various civil suits that have sprung up like wildfire since the scope and severity of the Sony attack became public.
Staff
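The observation attributed to the forum participants, that the servers announced "very old versions of Apache", is the kind of thing a passive observer can read straight out of an HTTP response. As an added example, not code from the article, from Sony, or from the hearing, here is a small Python script that pulls the Server header out of raw HTTP responses and flags Apache httpd builds older than an assumed baseline. The host names, the responses and the baseline version (MIN_PATCHED) are all constructed for illustration and say nothing about any real host.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captured from any real host). Each value
# is the raw bytes-as-text a client would see before the body starts.
SAMPLE_RESPONSES: Dict[str, str] = {
    "host-a": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\nContent-Type: text/html\r\n\r\n",
    "host-b": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.17 (Unix) mod_ssl/2.2.17\r\n\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",           # ServerTokens Prod style
    "host-d": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # banner removed entirely
}

# Assumed baseline: the oldest Apache httpd release the operator treats as
# patched. Adjust to whatever your own patch policy says; this is not a claim
# about which release was current at the time of the article.
MIN_PATCHED: Tuple[int, int, int] = (2, 2, 17)

SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
APACHE_VER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # headers only, never the body
    match = SERVER_RE.search(head)
    return match.group(1).strip() if match else None


def apache_version(server_value: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an 'Apache/x.y.z' token, if present."""
    match = APACHE_VER_RE.search(server_value)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(raw_response: str,
           min_patched: Tuple[int, int, int] = MIN_PATCHED) -> Tuple[str, Optional[str]]:
    """Classify one response by what its banner admits.

    Verdicts: 'no-banner', 'banner-without-version', 'outdated', 'current-or-newer'.
    The second element carries the evidence (version string or raw banner).
    """
    server = parse_server_header(raw_response)
    if server is None:
        return ("no-banner", None)
    version = apache_version(server)
    if version is None:
        return ("banner-without-version", server)
    if version < min_patched:                     # tuple comparison: 2.2.3 < 2.2.17
        return ("outdated", ".".join(map(str, version)))
    return ("current-or-newer", ".".join(map(str, version)))


def assess_all(responses: Dict[str, str] = SAMPLE_RESPONSES,
               min_patched: Tuple[int, int, int] = MIN_PATCHED) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run assess() over a set of responses keyed by host label."""
    return {host: assess(raw, min_patched) for host, raw in responses.items()}


if __name__ == "__main__":
    for host, (verdict, detail) in assess_all().items():
        print(f"{host}: {verdict}{' ' + detail if detail else ''}")
```

Two caveats a practitioner would attach to this kind of evidence. First, the banner is whatever the server chooses to send: host-c and host-d show an Apache configured with a reduced ServerTokens setting or with the header stripped by a proxy, and an operator can just as easily advertise a false version, so "outdated" here means "admits to being outdated", not "proven exploitable". Second, nothing in an HTTP response tells you whether a firewall sits in front of the host; that part of the reported claim would need a separate check, such as probing which ports answer from the outside.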
#2 Posted by drumpsycho89 (505 posts) -

ooooooooooooh

#3 Posted by BeefyGrandmole (348 posts) -

damn :)

#4 Edited by Skald (4367 posts) -
#5 Posted by Nadafinga (958 posts) -

Wait, this guy testified that he read something on the internet?

Huh?

#6 Posted by bretthancock (778 posts) -

You can insert this phrase for nearly every company that deals with internet services or hosting.  If it's related to the internet, its security is probably out of date.  It's all a matter of who is targeted and the resources available to combat it.  That being said, step it up next time Sony.

#7 Posted by beej (1674 posts) -

Wow, this combined with not showing up when a congressional committee summons you? This is looking rough for Sony.

#8 Posted by ajamafalous (11964 posts) -

That seems potentially dealbreaking for Sony.

#9 Posted by lockwoodx (2479 posts) -

Sony made an open declaration for hackers to come at them so any compromise to the integrity of their system is 100% Sony's fault for not being "up to date" and prepared for said attack they instigated.

#10 Posted by Ontheocho (185 posts) -

That E3 Sony press conference is going to be so uncomfortable.  It's going to be like Pee Wee Herman's first stage appearance after his arrest.  It's going to be so cringe worthy, and I'm not going to miss a minute of it.

#11 Posted by Buscemi (1106 posts) -

OH SNAP

#12 Posted by Commisar123 (1791 posts) -

oh snap

#13 Posted by Burn1n9m4n (261 posts) -

If this is true then it opens the way for some criminal indictments of Sony's corporate ladder. It will also probably affect the way that corporations are treated in the future as all sorts of precedents are going to be set by this.

#14 Posted by Dtat (1623 posts) -

Surprise surprise surprise

#15 Posted by Legend (2658 posts) -

Sony is fucked.

#16 Posted by Afroman269 (7387 posts) -

Reminds me of all the other disasters that occur, people get lax with security and or protocol and eventually some shitstorm occurs. 

#17 Posted by Creamypies (4060 posts) -

Ehh, no doubt those fucking hackers will attack PSN again as soon as it's up again.

#18 Posted by SparkEngineer (69 posts) -

I would assume this is not true. There's no proof. It's not an official report from a company.

#19 Posted by Nomin (972 posts) -

That Dr. Spafford, rarin' to regulate with his BOWTIE! 

#20 Posted by N7 (3587 posts) -
@SRanker said:
" I would assume this is not true. There's no proof. It's not an official report from a company. "
But... Look at how old he is! Life is too short to tell lies!
#21 Posted by BraveToaster (12590 posts) -
@SRanker said:
" I would assume this is not true. There's no proof. It's not an official report from a company. "
Why would Dr. Spafford lie? Why did Sony refuse to comment after this was made public?
#22 Posted by WinterSnowblind (7615 posts) -
@SRanker said:
" I would assume this is not true. There's no proof. It's not an official report from a company. "
Sony aren't exactly going to come out and say "it happened because our security sucked".  That would be admitting to negligence and that's their biggest worry at the moment.
#23 Posted by KaosAngel (13765 posts) -

How many idiots are going to still say Sony did no wrong? 

#24 Posted by The_Laughing_Man (13629 posts) -
@alex said: 

I beat ya to the punch! Yay me...lol 
#25 Posted by KaosAngel (13765 posts) -
@WinterSnowblind said:
" @SRanker said:
" I would assume this is not true. There's no proof. It's not an official report from a company. "
Sony aren't exactly going to come out and say "it happened because our security sucked".  That would be admitting to negligence and that's their biggest worry at the moment. "
That also allows all open lawsuits for Sony to get hit with.  Sony would be fucked beyond belief if they admitted negligence for the information they stored.
#26 Posted by Vexxan (4620 posts) -

Old software and no firewalls? Great, just great....

#27 Posted by TOYBOXX (310 posts) -

There is no denying that Sony is boned here. And to protect them like a fanboy won't help anyone's case either so don't bother. I'm not sure if it was incompetence, or sheer arrogance, that prevented Sony from protecting itself and its customers. I'd like to think that they didn't know what they were doing. But if that was the case then why are they in the online business in the first place? 


As a gamer I don't care how much free content Sony is willing to throw my way. I simply won't buy into that shit. My credit card information may have been compromised - I don't know. Even if the users personal information hadn't been stolen people still scrambled to protect themselves by any means possible. Knowing that gamers came to PSN for entertainment only to be fucked in the end is unforgivable. This could mess up a lot of gamers lives - or the lack thereof. 

Sony is going to need to do something to get me back on the Playstation with their next console. As of now with the PS3? I'm done. It's being packed up and sold along with the games.
#28 Posted by Renegade (374 posts) -
@Ontheocho said:
" That E3 Sony press conference is going to be so uncomfortable.  It's going to be like Pee Wee Herman's first stage appearance after his arrest.  It's going to be so cringe worthy, and I'm not going to miss a minute of it. "
Yup, the press conference may actually be interesting for once!
#29 Posted by MackJ (35 posts) -

The CSpan picture really threw me. For a second I thought I was reading Indecision Forever.

#30 Posted by Mesklinite (804 posts) -

Where there's smoke, there's fire!!!!
#31 Posted by Saga (181 posts) -

I have to say that I am very disappointed at Sony. They took 150+ hours to let customers know that their information was compromised. They throw $5.99 at customers so they can have access to PSNplus for a month. And now they are accused of using outdated security software (similarly to us using norton antivirus 2002 in our PCs)? I spend 50% of my gaming time playing Xbox and about 40% playing PS3. However, it looks like MS will be getting most of my money going forward. The only way that I can regain my confidence in Sony is if they start firing the executives that made the horrible decision to NOT invest in IT security and the ones that declared war on the hackers.


Until then, I'll be on Xbox live 75% of the time
#32 Posted by Matiaz_Tapia (261 posts) -
@N7 said:
" But... Look at how old he is! Life is too short to tell lies! "
Made my day. Thank you.
#33 Posted by AuthenticM (3718 posts) -

BOOM

#34 Posted by PhatSeeJay (3322 posts) -

Of course shit hit the fan because they didn't play the "better safe than sorry" card! That's always the reason for a disaster where human engineering is involved. They could have figured that out once the PS3 got hacked, yet they didn't pull the plug on their network because it just "might" happen. That's not a reason strong enough to take such a drastic measure, yet here we are.

#35 Posted by Billychu (30 posts) -

Today I learned my porn cache is hundreds of times more secure than Sony's servers. Frightening.

#36 Edited by Goldanas (546 posts) -

@Nadafinga said:
" Wait, this guy testified that he read something on the internet? Huh? "

 It's worse than that. He's quoting something someone else read on the Internet.

I'm pretty sure this is hearsay and inadmissible. True or not, this doesn't even qualify as evidence.

The only things that have been swirling around about this whole mess are a bunch of rumors blasting Sony with no real proof. I know my name is blue, but can we please read the whole article or at least wait 'til we have a conclusion before selling off our consoles?
#37 Posted by Bolgirk (23 posts) -

Wired had an article similar to this with a guy who actually was hacking his PS3, and found out that their Apache servers were out of date (he had the revision numbers), determined using packet sniffers on his network, and explained that they do not even attempt a firewall or VPN.

#38 Posted by N7 (3587 posts) -
@TOYBOXX said:
" There is no denying that Sony is boned here. And to protect them like a fanboy won't help anyone's case either so don't bother. I'm not sure if it was incompetence, or sheer arrogance, that prevented Sony from protecting itself and its customers. I'd like to think that they didn't know what they were doing. But if that was the case then why are they in the online business in the first place? 

As a gamer I don't care how much free content Sony is willing to throw my way. I simply won't buy into that shit. My credit card information may have been compromised - I don't know. Even if the users personal information hadn't been stolen people still scrambled to protect themselves by any means possible. Knowing that gamers came to PSN for entertainment only to be fucked in the end is unforgivable. This could mess up a lot of gamers lives - or the lack thereof. 

Sony is going to need to do something to get me back on the Playstation with their next console. As of now with the PS3? I'm done. It's being packed up and sold along with the games. "
Sony is also offering free Identity Theft Protection for all users of the Playstation Network in the United States, and is working right now on trying to get a service that would work in other territories and countries, as from what I can tell this one only works in the United States.

Link to the full thing: Derp
#39 Posted by fox01313 (5069 posts) -

0 surprise, strange how a tech giant like Sony would be so inept with the internet in many ways. Doesn't look good for them.

#40 Posted by Sevan (83 posts) -
@SRanker said:

" I would assume this is not true. There's no proof. It's not an official report from a company. "

...you're not serious, are you? Sony took a week to tell us something that could have potentially affected millions of people. Screw their official reports.
This is a man with a doctorate speaking officially at a Congressional House Subcommittee on Commerce hearing. This ain't a discussion forum where any Jack@$$ can say whatever. You have to have some serious cred behind you to be allowed to talk at one of those.
The proof will be looked into, but it has probably already been tampered with as much as possible by Sony. But technology is not an opinion. If a bunch of tech heads on a forum said "hey, this is old $#ity software," it's old $#ity software.
I figured Sony was cutting corners somewhere simply for economic reasons. They have a more expensive system that they weren't making money from for years, and a free (although not as good) online system with dozens of outside programs having access to it. Whereas with more secure systems like Xbox Live and Apple there are very few programs that are allowed anything more than shallow access into their systems, PSN just kinda let anyone do whatever. None of PSN's "Apps" have any of the trademarks of a program stripped down and rebuilt for security and efficiency on the network. If PSN survives this, we'll start seeing more structure. But pretty much PSN was thrown together like the Little Rascals' second race car... except it didn't win the race.
#41 Edited by Krakn3Dfx (2489 posts) -

I love how people throw around terms like "unforgivable" and phrases like "Sony is fucked".

Most people at this point just want the system back so they can get back to gaming online. Most, if not all of this was on Sony, yes, but for any company that has to deal with this, and there have been a lot, it's usually "lesson learned" and we're all better off for them having gone through it. You can bet it was a huge wake up call for a lot of other online service providers as well.  Sony likely was targeted because they pissed off hackers, but to believe this couldn't happen to just about any company these days is naive at best. The effectiveness of any security is only as good as the asshole standing outside the door's desire to get in.

If you're boxing up your PS3 to sell because this happened, please, fucking go.  Regardless of what's currently going on, there are a shit ton of awesome PS3 games coming out this year, and I personally will be playing the shit out of them (and I'll be playing Gears 3 and hopefully some new Zelda and whatever else great games come out on any system this year).

Also, it's not being a fanboy to be realistic about a situation. It's just common sense.

#42 Posted by EuanDewar (4899 posts) -

I can't wait for E3.

#43 Posted by Spiritof (2036 posts) -

Old guys be oldin'.

(I've never been prouder of my gray "neutral" status on a website before)

#44 Posted by Hexogen (766 posts) -

I'm no lawyer-man, but does saying IT'S TRUE CUZ I SAWS IT ON THE INTERWEBS have any legal backing whatsoever?

#45 Posted by TadThuggish (906 posts) -

hahahahaha r.i.p. sony whocares-2011

#46 Posted by Zor (654 posts) -
@N7 said:

Sony is also offering free Identity Theft Protection for all users of the Playstation Network in the United States, and is working right now on trying to get a service that would work in other territories and countries as from what I can tell, this one only works with the United States.


True, but from my understanding of Debix (the company that Sony has hired) is that they aren't that good. I remember last year when my health care provider got hacked, they offered the same service. So I went online to read up on the company, and a lot of people were posting about how they were ineffective. To the point where they were doing things with their own credit, and Debix didn't notice it (like getting loans, which should have sent up a red flare, but didn't).

So yeah, nice thought on Sony part, but it isn't going to help (assuming internet comments on the company are true).
#47 Posted by Billychu (30 posts) -
@Hexogen said:
" I'm no lawyer-man, but does saying IT'S TRUE CUZ I SAWS IT ON THE INTERWEBS have any legal backing whatsoever? "
It does when it's a forum populated by security specialists INCLUDING SONY EMPLOYEES
#48 Posted by Feser (543 posts) -

@Goldanas:
You realize that forum discussion is not something that is exclusively on the internet, right? He's citing reports from discussions by those involved in forum discussions initiated by Sony. There is a significant difference between that and some random forum on the internet (You really didn't think he was citing an internet forum, did you?).

#49 Posted by Xeiphyer (5602 posts) -

Not surprising.

Well, this is something we already knew, but the fact is that the people in charge of security answer to the people who have the money, and they don't always have a lot of say.

Spending a bunch of money to upgrade something that they just upgraded a few months ago probably seems insane to the admin/accounting people at Sony who don't understand how security works.


Also to anyone who is saying this is fake, firstly, why would this be fake? It's a doctor/professor talking to congress, that's pretty legitimate. Plus it's been said many times by people who have examined Sony's security that they were using an older version of Apache with known security flaws. It's been stated by many people in many places.

#50 Posted by MordeaniisChaos (5730 posts) -
@Hexogen said:
" I'm no lawyer-man, but does saying IT'S TRUE CUZ I SAWS IT ON THE INTERWEBS have any legal backing whatsoever? "
Yeah..... I dunno, I was about to stop backing Sony until I saw "forum post"

On top of that, a report of a reported forum by someone who never saw the forum? I don't trust that for a second, call me crazy.
