Sony Ignored Reports of Server Vulnerability

Ares

Audioholic Samurai
Dr. Gene Spafford, a professor of Computer Science at Indiana’s Purdue University and cyber-security expert, testified before the U.S. House of Representatives’ Subcommittee on Commerce, Manufacturing and Trade and alleged that Sony ignored reports of vulnerabilities in its servers.

“On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony network … had discovered that the network servers were hosted on … very old versions of Apache software that were unpatched and had no firewall installed,”

“These were potentially vulnerable, and that they had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software.”

Asked when this took place, Spafford answered “two to three months prior to the incident where the break-ins occurred”.


Dr. Gene Spafford's testimony starts at 55 min 24 sec into the video.
 
jnelson88

Audioholic
Wouldn't surprise me, most large companies like that are reactive instead of pro-active.
 
j_garcia

Audioholic Jedi
It was only a matter of time. Even if they had typical security, it isn't like this is isolated. LARGE numbers of large companies have recently been hacked. I have gotten emails from at least 8 major companies saying that email info had been compromised in that recent hacking event, so all these companies CAN do is react when things like this happen. However, the difference is that Sony didn't adequately protect their network.
 
Cmd Cheyd

Enthusiast
Sony is also trying to blame the hacking collective known as Anonymous, claiming they ran cover for the data compromise. Couldn't be further from the truth, and is completely irrelevant. Whether Anonymous was involved or not doesn't matter - Sony ignored the warnings of the people it pays to warn it and allowed customer data to fall into non-friendly hands.

If you want more info on the breach, Ars Technica has some good write-ups on it.
 
Ares

Audioholic Samurai
Well, I read an article from Ars Technica that made me laugh: Anonymous had their IRC servers hacked by one of their own. :D
 
