An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony's Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.
In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed." The issue was "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches, said Spafford.
I read that yesterday and couldn't believe it! They run a multi-million dollar network and can't keep it updated. I run a dumb little blog and check it daily for updates!
While I kinda agree with you, I also see big problems with the amount of testing and so on needed when you roll something out to the kinds of servers that Sony runs. That's still no excuse, though, for not at least having their firewalls configured.
Usually a network like that would have a test lab where they would test updates before rolling them out to live machines. It would only require a few physical machines or a virtual environment to do it.
I've done web work for Sony Music. They had staging servers to work on to ensure everything worked right before pushing it live. Only it never did, because the live servers had completely different configurations, versions of everything and security settings. I would imagine this sort of fuckwittedness infects the whole of Sony (and other big corps; things were exactly the same at EMI, VMG and Warner).
When you say "staging servers to work on" ... well, you don't work on staging, you test on staging. Sounds more like shared development servers, which also implies a lack of proper version control?
How can a tech company the size of Sony be *so* bad and survive this long? :S
Reading more about the PSN debacle yesterday, and I came across an article (which I now can't find, of course) that revealed how developers could access the live PSN servers without any form of additional authentication beyond what was built into the PS3 dev-kits they bought from Sony.
This all sounds fine and dandy, using hardware as the authentication method. That is, until some clever people work out that the random number generator you use for encryption isn't returning a random number at all, and quickly realise how to put it to use to a) decrypt everything and b) turn a retail PS3 into a dev-kit.
Apparently this access included users' account details, including full names, addresses, etc., although not any payment details. I don't know if it's true, but from what you've said it certainly adds more weight to it being so.
I know, but... Sony...
The last place I used to work for had a dev environment synced daily from live, more or less. They had about 70 employees, so not exactly a big company, but having a good test environment was crucial.
Also, look out for more information on the rest of our Welcome Back programme, including which free content you will be eligible for. We will be offering PSN users the opportunity to select two PS3 games from a list of five, as well as offering PSP users the opportunity to choose two games from a list of four. We will let you know exactly what games are available very soon.
Me too. And that probably won't hit Sony that hard financially. If they end up with a fresh set of customers who have bought traded-in PS3s, it might even be good for them.
Roses are bollocks, Violets are crud, I hate bloody flowers, And much prefer mud.