PSN DOWN?
- Thread starter LEE-ZILLA 69
- Start date
This morning, the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade began hearings on the threat of data theft to American consumers. Among those invited to testify was Sony Corp. executive vice president Kaz Hirai on the recent PlayStation Network outage and data breach. Hirai declined, instead sending a detailed account of the cyberattack to Subcommittee chairwoman Mary Bono Mack (R-CA) in the form of a letter.
Cybersecurity expert Dr. Gene Spafford testified before Congress that Sony knew the PSN's security was outdated.
One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.
Spafford testified security experts discovered discussions on forums that talked about how the PSN's security was lacking. He said that the threads revealed that the network was using old versions of the Apache Web server software, which "was unpatched and had no firewall installed." He also testified that two to three months before the attack, the vulnerability was reported "in an open forum monitored by Sony employees," but the company took no action.
"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.
As of press time, US Sony reps had not responded to requests for comments on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, which the Federal Bureau of Investigation and Department of Homeland Security are assisting in.
[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):
"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."
The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.
Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.
He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."
Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.
Cybersecurity expert Dr. Gene Spafford testified before Congress that Sony knew the PSN's security was outdated.
One person who did show up to testify was Dr. Gene Spafford of Purdue University, who is also head of the US Public Policy Council of the Association for Computing Machinery. According to Consumer Reports, the cybersecurity expert had some harsh words for Sony, saying that the company knew the PSN's defenses were outdated for months prior to the attack, which occurred from April 17 to 19.
Spafford testified security experts discovered discussions on forums that talked about how the PSN's security was lacking. He said that the threads revealed that the network was using old versions of the Apache Web server software, which "was unpatched and had no firewall installed." He also testified that two to three months before the attack, the vulnerability was reported "in an open forum monitored by Sony employees," but the company took no action.
"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Consumer Reports technology editor Jeff Fox.
As of press time, US Sony reps had not responded to requests for comments on Dr. Spafford's testimony. However, in its letter to Congress, the company outlined a number of measures it had taken to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring. The company has also hired three outside data security firms to help with its ongoing investigation of the attack, which the Federal Bureau of Investigation and Department of Homeland Security are assisting in.
[UPDATE] Video of Dr. Spafford's testimony is now online, and his full quote on the PSN break-in is as follows (begins around the 55' mark):
"On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony Network had discovered several months ago, while they were examining the protocols on the Sony Network to examine how the games worked, they had discovered that the [PlayStation] Network servers were hosted on Apache Web servers--that's that form of software. But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable. They had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. … [And] that was two to three months from when the break-ins occurred."
The cybersecurity expert also said that the Sony intrusion alone compromised 100 million accounts both on the PSN and its Qriocity service. He also cited the total cost of the breach to Sony, credit card companies, and other outfits, which the Ponemon Institute estimated as being $24 billion, although he put the figure at $21 billion.
Spafford also cited postings in credit-card theft forums in which thieves of such information complained that the PSN breach was so great that it was depressing the price of such information by a "factor of five or 10" on the black market.
He also said that cybersecurity breach notification laws were good, but only "after the fact." The problem, according to Spafford, was that law enforcement was not adequately equipped to deal with the problem. He also said that most companies were not equipped with enough security measures because "investing in security measures affects the bottom line. They don't understand the risks involved by not investing in security. … So when they are hit, they pass that cost along to their customers, and to the rest of society."
Spafford thinks the solution is to limit the amount of data kept by companies such as Sony and to "age the data" so it expires after a certain time.
PSN Restoration in the 'Final Stages'
Stringer: "In the coming days, we will restore service."
PlayStation Network will be returning soon. Sony said today internal testing of its new system is in the final stages. The company did not provide an window for when PSN will be operational, however. Sony said last month that certain PSN services would go live during the first week of May.
"Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services," corporate communications director Patrick Seybold said on the PlayStation Blog.
"As previously mentioned, we've been working around the clock to rebuild the network and enhance protections of your personal data. It's our top priority to ensure your data is safe when you begin using the services again.
"We understand that many of you are eager to again enjoy the PlayStation Network and Qriocity entertainment services that you love, so we wanted you to be aware of this milestone and our progress. We will provide additional updates as soon as we can."
A letter from Howard Stringer, president and CEO of Sony, said, "To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely."
He later continued saying, "In the coming days, we will restore service to the networks and welcome you back to the fun. I wanted to personally reach out and let you know that we are committed to serving you to the very best of our ability, protecting your information better than ever, and getting you back to what you signed up for – all the games and great entertainment experiences that you expect from Sony."
The company also said its providing a complimentary enrollment in an identity theft protection program for U.S. users, with plans to offer similar programs in other countries/territories.
Sony Computer Entertainment and Sony Network Entertainment International have made arrangements with Debix, Inc., one of the industry's most reputable identity protection firms, to offer AllClear ID Plus at no cost to PlayStation Network and Qriocity account holders for 12 months from the time an account holder registers for the program.
Please note that we will start sending out activation emails for this program over the next few days, and you will have until June 18th to sign-up and redeem your code. You will need to sign up directly through AllClearID, not on Sony's websites, and details, including step-by-step instructions for the program, will be emailed to United States PSN and Qriocity Account holders soon.
Stringer: "In the coming days, we will restore service."
PlayStation Network will be returning soon. Sony said today internal testing of its new system is in the final stages. The company did not provide an window for when PSN will be operational, however. Sony said last month that certain PSN services would go live during the first week of May.
"Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services," corporate communications director Patrick Seybold said on the PlayStation Blog.
"As previously mentioned, we've been working around the clock to rebuild the network and enhance protections of your personal data. It's our top priority to ensure your data is safe when you begin using the services again.
"We understand that many of you are eager to again enjoy the PlayStation Network and Qriocity entertainment services that you love, so we wanted you to be aware of this milestone and our progress. We will provide additional updates as soon as we can."
A letter from Howard Stringer, president and CEO of Sony, said, "To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely."
He later continued saying, "In the coming days, we will restore service to the networks and welcome you back to the fun. I wanted to personally reach out and let you know that we are committed to serving you to the very best of our ability, protecting your information better than ever, and getting you back to what you signed up for – all the games and great entertainment experiences that you expect from Sony."
The company also said its providing a complimentary enrollment in an identity theft protection program for U.S. users, with plans to offer similar programs in other countries/territories.
Sony Computer Entertainment and Sony Network Entertainment International have made arrangements with Debix, Inc., one of the industry's most reputable identity protection firms, to offer AllClear ID Plus at no cost to PlayStation Network and Qriocity account holders for 12 months from the time an account holder registers for the program.
Please note that we will start sending out activation emails for this program over the next few days, and you will have until June 18th to sign-up and redeem your code. You will need to sign up directly through AllClearID, not on Sony's websites, and details, including step-by-step instructions for the program, will be emailed to United States PSN and Qriocity Account holders soon.
THIRD ATTACK AGAINST SONY PLANNED
http://news.cnet.com/8301-31021_3-20060227-260.html
A group of hackers says it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach.
An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony's Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.
Should the planned attack succeed, it would be the latest blow in a series of devastating security breaches of Sony's servers over the past month. The failure of Sony's server security has ignited investigations by the FBI, the Department of Justice, Congress, and the New York State Attorney General, a well as data security and privacy authorities in the U.K., Canada, and Taiwan.
Several weeks ago the hacker group known as Anonymous targeted several Sony Web sites, including Sony.com and SonyStyle.com, with a distributed denial-of-service (DDoS) attack in retaliation for what its members saw as Sony's unfair legal action against hacker George Hotz. Two weeks ago Sony's PlayStation Network, along with its Qriocity service and Sony Online, were the target of an attack that exposed the personal information of more than 100 million Sony customers. Sony was forced to shut down PSN, Qriocity, and Sony Online, and is currently working to bring them back online after rebuilding the security of its servers.
Sony says it doesn't know who orchestrated what it's calling a "highly sophisticated, planned" attack, but it has dropped hints that the group Anonymous is involved. Kazuo Hirai, chairman of Sony Computer Entertainment, told a Congressional subcommittee in a letter yesterday that the intruders on its servers planted a file named "Anonymous" containing the statement "We are Legion," part of the group's tagline.
Anonymous issued a statement yesterday denying it was involved in the PSN breach. "While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft," the statement said.
Now it seems the same group of hackers that was able to infiltrate the PSN servers is planning to hit back against Sony.
Sony did not immediately respond to a request for comment.
http://news.cnet.com/8301-31021_3-20060227-260.html
A group of hackers says it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach.
An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony's Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.
Should the planned attack succeed, it would be the latest blow in a series of devastating security breaches of Sony's servers over the past month. The failure of Sony's server security has ignited investigations by the FBI, the Department of Justice, Congress, and the New York State Attorney General, a well as data security and privacy authorities in the U.K., Canada, and Taiwan.
Several weeks ago the hacker group known as Anonymous targeted several Sony Web sites, including Sony.com and SonyStyle.com, with a distributed denial-of-service (DDoS) attack in retaliation for what its members saw as Sony's unfair legal action against hacker George Hotz. Two weeks ago Sony's PlayStation Network, along with its Qriocity service and Sony Online, were the target of an attack that exposed the personal information of more than 100 million Sony customers. Sony was forced to shut down PSN, Qriocity, and Sony Online, and is currently working to bring them back online after rebuilding the security of its servers.
Sony says it doesn't know who orchestrated what it's calling a "highly sophisticated, planned" attack, but it has dropped hints that the group Anonymous is involved. Kazuo Hirai, chairman of Sony Computer Entertainment, told a Congressional subcommittee in a letter yesterday that the intruders on its servers planted a file named "Anonymous" containing the statement "We are Legion," part of the group's tagline.
Anonymous issued a statement yesterday denying it was involved in the PSN breach. "While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft," the statement said.
Now it seems the same group of hackers that was able to infiltrate the PSN servers is planning to hit back against Sony.
Sony did not immediately respond to a request for comment.
