
Sony Ran Obsolete Web Apps, Lacked Firewall: Testimony

May 6, 2011

Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee investigating the massive data breach of the Sony game and entertainment networks.

Sony disclosed on April 26 that thieves had stolen account information of up to 77 million users on the PlayStation Network and Qriocity. A week later, the company admitted on May 2 that the Sony Online Entertainment gaming service had also been breached, affecting an additional 24.6 million users.

About 101 million user accounts have been compromised to date. The stolen data included names, addresses, email addresses and dates of birth. Some credit card information may have been stolen, but Sony claimed the numbers were securely saved as a cryptographic hash.

What happened and what Sony is doing about the security breach are the two main questions everyone is asking, from the irate users on forums and blogs, to the various state attorneys-general planning lawsuits, all the way to Congress where lawmakers are holding hearings.

Not only did Sony fail to use firewalls to protect its networks, it was using outdated versions of the Apache Web server with no patches applied on the PlayStation Network, according to Gene Spafford, a Purdue University professor of computer science who is head of the U.S. Public Policy Council of the Association for Computing Machinery and the executive director of the Center for Education and Research in Information Assurance and Security.

Sony also did not have a firewall running on PSN’s servers. These problems were flagged on security forums two or three months prior to the April data breach, Spafford told lawmakers. Because the forums were monitored by Sony employees, Sony was well aware of the problems, according to Spafford.

Sony was large enough that it could have afforded to spend an appropriate amount on security and privacy protections of its data, Spafford said at the hearing.

While Sony declined to appear before the May 4 hearing convened by the House Committee on Energy and Commerce, the company sent the Subcommittee on Commerce, Manufacturing and Trade an eight-page letter detailing what it is doing.

For more, read the eWEEK article: Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony.
