Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
Games There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
Comment by Kroc
by Kroc on Thu 5th May 2011 21:15 UTC
Kroc
Member since:
2005-11-10

They’ll just sue the security researchers for "illegally" publishing the info, leading to the breach.

When someone shows a stupid company how stupid they are for shooting themselves in the foot, they won’t stop shooting, they’ll start shooting the other guy too.

This isn’t even half over yet. The Sony train-wreck has just begun.

edit: +scarequotes.

Edited 2011-05-05 21:15 UTC

Reply Score: 7

RE: Comment by Kroc
by Thom_Holwerda on Thu 5th May 2011 21:18 UTC in reply to "Comment by Kroc"
Thom_Holwerda Member since:
2005-06-29

I was talking this over with one of my friends (while completing Dead Center in L4D2 on expert in 58 minutes), and we both agreed that this could very well have a MASSIVE negative impact on Sony's next console. Trust is completely gone now, and for once, this is not something only geeks talk about - this has hit ALL PS3 users. For now, XBL is still doing just fine (and I'm sure it's being probed like hell now), so it might as well be that the next time these people buy a console, they're going for the competition.

This is very, very, very bad for Sony.

Reply Score: 2

RE[2]: Comment by Kroc
by Beta on Fri 6th May 2011 12:16 UTC in reply to "RE: Comment by Kroc"
Beta Member since:
2005-07-06

I was talking this over with one of my friends (while completing Dead Center in L4D2 on expert in 58 minutes), and we both agreed that this could very well have a MASSIVE negative impact on Sony's next console. Trust is completely gone now, and for once, this is not something only geeks talk about - this has hit ALL PS3 users. For now, XBL is still doing just fine (and I'm sure it's being probed like hell now), so it might as well be that the next time these people buy a console, they're going for the competition.

This is very, very, very bad for Sony.


It's bad. Possibly very bad. Just not very very very bad. Please understand you have a bias whether you perceive it or not (as do I as a PSN user). The quantity of gleeful reporting of the PSN troubles by XBL subscribers saddens me - really, you were playing CO-OP L4D2 talking on in-game chat about how shit PSN is?!
It will have a massive outcome, mostly from the shit storm caused by people who AREN'T members of it.

I've 'lost' my details 3 times in the last year from companies that I do paid business with; it rightly pisses me off and I would expect more from my local ombudsman.
To put it into scale, two of those sent me just an email apology days after I read about it on a news site. One has had numerous blog posts, twitter updates and sent email.. I think Sony are doing fairly well on dealing with the problem and communicating it.

Whatever doesn't kill them and all that..

Reply Score: 3

RE[3]: Comment by Kroc
by Thom_Holwerda on Fri 6th May 2011 12:34 UTC in reply to "RE[2]: Comment by Kroc"
Thom_Holwerda Member since:
2005-06-29

really, you were playing CO-OP L4D2 talking on in-game chat about how shit PSN is?!


No, we were discussing this particular story since it came up on my phone while waiting for the next chapter to load ^^.

Reply Score: 1

jabbotts Member since:
2007-09-06

I am neither but as a security geek, this comes as yet another blatantly public display of Sony's negligence. Sony's track record for consumer hostile and/or negligent actions goes back a long way; even further than delivering malware to music consumers.

Sony is also a big company; they'll take a beating and survive. But will they actually learn anything from it or will we be looking at yet another act of potentially criminal negligence in another twelve to twenty four months?

I mean:

2000 - "We will develop technology that transcends the individual user.", they'll actively develop consumer hostile technologies

2001 - malware delivered intentionally on music disks in Europe and the US

2005 - rootkit malware being delivered intentionally is found and analysed by Mark Russinovich

2005+ - trojan malware delivered intentionally. Sony releases a program to "remove" the previously found rootkit. It only makes the rootkit visible to other software while installing yet more hidden malware

2005+ - when finally issuing a recall of all malware delivering music content, Sony ridicules the public including its own customer base for taking issue with the installation of rootkits and spyware; "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Yeah, it's not like anyone has ever been harmed by a rootkit when protected by "don't even know"-ing what a rootkit is.

If this had been an individual or lesser company there would be riots in the streets and "haxorses will be the end of civilization" headlines from every media outlet.. oh.. but it's a giant mega-corp whose primary function is to manufacture profits by robbing consumers.. so it's ok then.

Previous to that, we have Sony trying to sue cassette player manufacturers for "stealing" the triangle, square and parallel lines now common for denoting play, stop, pause.

Recently we have Sony delivering a string of anti-consumer changes to the PS3 bait and switch con job. Not to mention litigating against the freedom of an owner to muck with their legally purchased property.

And now this negligence.

- we may have let some PSN user details slip out but it should only be names, addresses, birthdays and account passwords.. no credit card numbers though and it's not like the details that did leak could be used to harm our consumers or commit fraud

- oh.. sorry, credit card numbers did get leaked so.. by the way, we stored those in plain text cause storing them properly behind encryption is just too hard for a mega-corp like us.. just too much effort

- Sony Online Entertainment Network was not affected.. oh wait.. sorry.. it was affected.. our bad

- by the way, we didn't bother keeping the servers that hosted this up to date or secured to even the remotest minimum due diligence.. but hey.. it wasn't our personal details on the servers

If it's Sony's information they'll send an army of lawyers after your sorry ass but customer information.. psh.. whatever.. they paid us money already so fk them

Seriously.. how many times does a company have to shit on one's face before they start caring?

Reply Score: 6

That's not the scary part
by orestes on Thu 5th May 2011 21:16 UTC
orestes
Member since:
2005-07-06

The scary part is how many of the *other* companies we do business with on a day to day basis could be just as criminally incompetent in their practices without us knowing it. Until something like this happens that is.

Reply Score: 9

Poor analogy
by jack_perry on Thu 5th May 2011 21:24 UTC
jack_perry
Member since:
2005-07-06

However, if Spafford's story is true, and you'd think that you wouldn't lie during a congressional hearing, you can easily argue that Sony are criminals as well. They were basically hiking up their skirts, battering their eyelashes, and making pouty lips to the criminal world.

Surely you don't mean that women who do this are criminals.

Reply Score: 5

RE: Poor analogy
by Thom_Holwerda on Thu 5th May 2011 21:30 UTC in reply to "Poor analogy"
Thom_Holwerda Member since:
2005-06-29

Mmmm upon re-reading after your comment... You have a point.

Fixing...

Reply Score: 1

RE[2]: Poor analogy
by Bill Shooter of Bul on Thu 5th May 2011 21:54 UTC in reply to "RE: Poor analogy"
Bill Shooter of Bul Member since:
2006-07-14

Not to mention just how offensive that analogy is, in general. Not Cool.

Reply Score: 5

RE[3]: Poor analogy
by seratne on Fri 6th May 2011 00:52 UTC in reply to "RE[2]: Poor analogy"
seratne Member since:
2005-07-06

Maybe remove the entire line completely, instead of just striking it out?

Insinuating women (or a man wearing a skirt) and rape might be a sensitive topic for some people.

Reply Score: 1

RE[4]: Poor analogy
by Savior on Fri 6th May 2011 06:26 UTC in reply to "RE[3]: Poor analogy"
Savior Member since:
2006-09-02

Jesus guys, PC should have its limits too. This is way over that.

Reply Score: 3

RE[5]: Poor analogy
by Bill Shooter of Bul on Fri 6th May 2011 14:00 UTC in reply to "RE[4]: Poor analogy"
Bill Shooter of Bul Member since:
2006-07-14

It's not about political correctness, it's about Justice. I'm trying to keep my reply polite as this is a polite message board. But, if you think that's in any way acceptable, you must be fairly ignorant of sexual assault.

Reply Score: 1

RE[6]: Poor analogy
by Savior on Fri 6th May 2011 18:09 UTC in reply to "RE[5]: Poor analogy"
Savior Member since:
2006-09-02

But, if you think that's in any way acceptable, you must be fairly ignorant of sexual assault.


I am not ignorant of that; however, there is a difference between being assaulted and actively invoking it on yourself. The sentence in question brought an example of how stupid Sony's behavior would look like in another context.

We must accept that there are criminals on the internet, and it is dangerous not to protect yourself somehow, even if you are a regular user, in the same way as most cities have areas you should avoid at night. Disregarding this fact will only make a random user careless; but for a trillion-dollar enterprise, it is actively asking for trouble. Hence the analogy. Yes, this is the case where Sony was asking for it.

Reply Score: 2

RE[4]: Poor analogy
by anda_skoa on Fri 6th May 2011 07:58 UTC in reply to "RE[3]: Poor analogy"
anda_skoa Member since:
2005-07-07

Maybe remove the entire line completely, instead of just striking it out?


I concur. Even struck out and with the association with criminal behavior removed, it still perpetuates the "she was asking for it" myth.

Reply Score: 1

RE[5]: Poor analogy
by Thom_Holwerda on Fri 6th May 2011 08:05 UTC in reply to "RE[4]: Poor analogy"
Thom_Holwerda Member since:
2005-06-29

"Maybe remove the entire line completely, instead of just striking it out?


I concur. Even struck out and with the association with criminal behavior removed, it still perpetuates the "she was asking for it" myth.
"

Wait - you're linking this to rape? Wtf is wrong with you people?

Edited 2011-05-06 08:06 UTC

Reply Score: 3

RE[6]: Poor analogy
by Icaria on Fri 6th May 2011 09:26 UTC in reply to "RE[5]: Poor analogy"
Icaria Member since:
2010-06-19

You are kidding, right? Even if it didn't initially click, you'd have to be some kind of retarded not to see it now. The 'she was asking for it' attitude is still very prevalent and still a massive issue all over the world.

Upon reading, my mind immediately drifted to http://en.wikipedia.org/wiki/Uncovered_meat#Comments_concerning_dre...

Reply Score: 1

RE[7]: Poor analogy
by Thom_Holwerda on Fri 6th May 2011 09:32 UTC in reply to "RE[6]: Poor analogy"
Thom_Holwerda Member since:
2005-06-29

Honestly, this is getting way out of hand. This has absolutely nothing to do with rape or anything even remotely related to it. I'm sorry, but I can't help it that a story about a damn *lack of software security* somehow gets linked to *rape*. That's just *insane*. Maybe you guys should spend a little less time in /4chan/, and not link a completely unrelated and perfectly innocent line to something as horrible as rape.

What's next, no more winking smilies?

Reply Score: 1

RE[6]: Poor analogy
by sirspudd on Sat 7th May 2011 00:48 UTC in reply to "RE[5]: Poor analogy"
sirspudd Member since:
2010-10-13

Normally when I get angry at Europe, it is this hypersensitivity which I cite. If you come from an armpit of a country like me (South Africa) people tend to worry about real problems and therefore don't take all the joy out of a colorful analogy.

The only reason the character in this analogy is female is because Sony was penetrated, and traditionally this is the role of the woman. If we view the security flaws as protuberances, we can rehash it as:

Sony appeared to have gone looking in every nook and cranny for a suitably shady glory hole to poke us (its customers) into. Repeatedly.

Reply Score: 1

RE[3]: Poor analogy - seems equal opportunity
by jabbotts on Fri 6th May 2011 13:34 UTC in reply to "RE[2]: Poor analogy"
jabbotts Member since:
2007-09-06

What's to say it wasn't some burly football player hiking his skirt, batting his eyes and making pouty lips?

(ok, bad joke.. but just try to get that image out of your head now.. ;) )

Reply Score: 2

RE[3]: Poor analogy
by Soulbender on Fri 6th May 2011 15:17 UTC in reply to "RE[2]: Poor analogy"
Soulbender Member since:
2005-08-18

Oh come on, he's dutch. "Amsterdam" ring a bell?

Reply Score: 2

RE[4]: Poor analogy
by WereCatf on Fri 6th May 2011 15:24 UTC in reply to "RE[3]: Poor analogy"
WereCatf Member since:
2006-02-15

Oh come on, he's dutch. "Amsterdam" ring a bell?


I don't understand what you're insinuating. Dutch people are just awesome and really, really friendly. I mean, every time I walk this beautifully-named street called red lights or something people are always greeting me so nicely, and some even wish to offer me money too.

Reply Score: 2

RE[5]: Poor analogy
by Neolander on Sat 7th May 2011 06:27 UTC in reply to "RE[4]: Poor analogy"
Neolander Member since:
2010-03-08

The paramount of 21st century psychology will be a universal method/device for making other people believe you have something to offer that greatly interests them (which may or may not be true).

Will make everyday social interaction significantly more friendly ;)

Reply Score: 1

RE[2]: Poor analogy
by YALoki on Thu 5th May 2011 21:54 UTC in reply to "RE: Poor analogy"
YALoki Member since:
2008-08-13

And maybe (even though it is all struck out) you should change battering to batting.

I was almost sick thinking about batter coated eyebrows.

Or severely bashed eyebrows.

Reply Score: 3

RE: Poor analogy
by sirspudd on Sat 7th May 2011 00:50 UTC in reply to "Poor analogy"
sirspudd Member since:
2010-10-13

Sony are criminals because it's not their vagina they just exposed to the criminal world. It's yours and mine and the man on the busses.

Reply Score: 1

No excuse but...
by mrhasbean on Thu 5th May 2011 21:38 UTC
mrhasbean
Member since:
2006-04-03

...I think it would surprise a lot of people just how many organisations of all sizes don't keep software up to date or run effective firewalls. While this is insanely stupid for a company the size of Sony, and they deserve every head bashing they get over it, I can guarantee they aren't on their own.

Downtime (cost), software compatibility (cost of upgrading) and cost of actually doing the job regularly are some of the major excuses I've had thrown at me in over 25 years of doing this stuff, and no amount of explaining how negative the consequences might be or what the cost could be if they don't do it seems to work on some people. Way too many have the "It'll never happen to me" mentality. Windows and now Android are proof of that.

Edited 2011-05-05 21:39 UTC

Reply Score: 5

RE: No excuse but...
by ephracis on Thu 5th May 2011 22:18 UTC in reply to "No excuse but..."
ephracis Member since:
2007-09-23

Not only Windows and Android but iOS and Mac OS X as well.

Just about any software except "Hello, World!" is insecure and probably being exploited for fun and profit as we speak.

Reply Score: 6

Hello World Exploits
by eMPee584 on Fri 6th May 2011 00:30 UTC in reply to "RE: No excuse but..."
eMPee584 Member since:
2007-01-29

Just about any software except "Hello, World!" is insecure

For a large stock of 0day h3lL0 w0OrLd exploits, drop me a mail covertly. Surely we can find a suitable product matching your victim n0ob's language of choice.

Reply Score: 3

RE: No excuse but...
by SReilly on Thu 5th May 2011 22:57 UTC in reply to "No excuse but..."
SReilly Member since:
2006-12-28

Sadly I have to agree. I've yet to join a company that actually implements proper upgrade planning into their IT strategy. Some of my customers (mainly banks) have no problem implementing proper security procedures and making sure their systems are patched, port locked and behind firewalls so it's not impossible. Thing is, for a bank to get insurance, they need to be able to prove that they have taken all reasonable precautions, that is securing their systems one notch down from unplugging them from the network and locking them in a safe.

Explaining to a company the costs associated with the theft of potentially valuable data is far from easy. Many of the intermediary businesses working with the banks don't have anywhere near the security needed to deal with large transactions. Sometimes the thought of who has my personal information stored where keeps me up at night. :-(

Reply Score: 5

RE: No excuse but...
by toast88 on Fri 6th May 2011 06:47 UTC in reply to "No excuse but..."
toast88 Member since:
2009-09-23

Downtime (cost), software compatibility (cost of upgrading) and cost of actually doing the job regularly are some of the major excuses I've had thrown at me in over 25 years of doing this stuff, and no amount of explaining how negative the consequences might be or what the cost could be if they don't do it seems to work on some people. Way too many have the "It'll never happen to me" mentality. Windows and now Android are proof of that.


Just to be clear. We're not talking about a 25 employee car repair shop which runs one server to host their website, email and employee database (no offense meant against those people), but a multi-billion dollar company like Sony. They definitely have the manpower and financial means to build and maintain a secure and always up-to-date infrastructure.

And if Sony doesn't feel they can handle the server administration themselves, they can easily contract an external company to do that. For an online service like PSN where people's credit card information is hosted on the servers, a properly secured environment is not optional but mandatory.

Sorry, but there is NO excuse for that.

Adrian

Reply Score: 5

Run, Forrest, Run!
by fretinator on Thu 5th May 2011 21:53 UTC
fretinator
Member since:
2005-07-06

My momma always told me, "Stupid is as stupid does!"

Reply Score: 7

Wait a minute.
by Gullible Jones on Thu 5th May 2011 22:53 UTC
Gullible Jones
Member since:
2006-05-23

Just something to keep in mind: a lot of Linux distros ship "outdated" software with backported patches, so software being "obsolete" doesn't necessarily mean it lacks the latest security fixes.

Also, "firewall" could mean an actual firewall, or could mean a NIPS.

I do assume Spafford knows what he's talking about, but the details are not there; and while this is very much in line with the kind of poor security I've personally seen in corporate environments, I think I'll withhold judgment until I see something more... complete.

Reply Score: 2

RE: Wait a minute.
by orestes on Thu 5th May 2011 23:06 UTC in reply to "Wait a minute."
orestes Member since:
2005-07-06

The word "unpatched" was specifically used.

Reply Score: 5

RE: Wait a minute. uh.. patches..
by jabbotts on Fri 6th May 2011 13:55 UTC in reply to "Wait a minute."
jabbotts Member since:
2007-09-06

One example of older version numbers is Iceweasel (firefox 3.6.?) in Debian. However, one example of up to date patches is Debian patching Iceweasel (firefox) or the relevant affected library.

When we're talking security, it's not the latest bleeding edge version release but the latest patch level which is important. Actually, having the latest bleeding edge version usually puts you at greater risk. There is a very good reason why Debian Stable freezes its list of package versions and just applies security and stability related patches.

And here's the kicker.. hard to keep up to date?

aptitude update && aptitude full-upgrade

tadaa.. now you're up to the latest patch version.. "not a big deal" (tm)

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend. And as always, every network attached device should be running filtering rules in addition to any mid level or perimeter filtering (firewalls) implemented.

In security terms, Sony wasn't even up to the stage of colouring with crayons. They got caught eating the crayon label paper and sticking broken bits of wax up their nose.

Reply Score: 2

WereCatf Member since:
2006-02-15

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend.


Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.

Reply Score: 2

jabbotts Member since:
2007-09-06

I agree. A separate appliance or server box between your server and the outside world is preferable. iptables on the local machine is still better than nothing though and head and shoulders better than Sony seems to have done. All the mitigation in the world on top of your apache isn't going to be much good if iptables underneath your apache still leaves the system wide open (not to mention the number of services that use a loop back port but have no justification for being accessible from outside localhost).

Reply Score: 2

Snapper Member since:
2005-11-16

Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.


Nope, it is not pointless. It prevents the admin from making a mistake in opening another app by mistake or due to a problem with an update process.

It is another layer of defense. If you know your Apache box is only supposed to be listening on port 80/443 then put the IP filter in there. It may just protect you from an internal compromise.

Reply Score: 1

orestes Member since:
2005-07-06

Haven't done much work with corporate machines I take it. Sane admins don't go off installing updates without understanding what they'll do to the running systems. Admins who wish to remain employed also don't run around rebooting mission critical systems whenever updates pop up.

That doesn't excuse piss poor security practices, but there's a hell of a lot more to the process than aptitude update && aptitude full-upgrade

Reply Score: 2

*facepalm*
by poundsmack on Thu 5th May 2011 23:06 UTC
poundsmack
Member since:
2005-07-13

I can has walk into PSN server? I need to'z bord teh fail train...

"I chew chew choose you..."

good God Sony, are you even trying anymore? I once saw a guy go off a snowboard jump, fall 25 feet out of the air, land on his head, and now is just barely more functional than a vegetable and even HE has a firewall on his computer and runs the updates....

Reply Score: 5

lost dollars
by stabbyjones on Thu 5th May 2011 23:33 UTC
stabbyjones
Member since:
2008-04-15

I was just about to purchase a playstation phone, (when they came out) now I'm going with the HTC sensation.

I was just about to purchase a ps3 because my wife wanted one to play with her friends and I'd get to play the exclusives. I've told them all to get an xbox 360 instead.

This is so ridiculous it's not even funny. I was super super excited about the xperia play. Before my HTC hero, every phone I've owned has been Sony Ericsson.

Sony has gone out of their way to make me avoid them.
No money for you!

Reply Score: 2

RE: lost dollars
by WorknMan on Fri 6th May 2011 01:48 UTC in reply to "lost dollars"
WorknMan Member since:
2005-11-13

I was just about to purchase a ps3 because my wife wanted one to play with her friends and I'd get to play the exclusives. I've told them all to get an xbox 360 instead.


You know, I've heard that the best time to eat at a restaurant is right after they've been visited by a health inspector and have been cited for rats in the cooking area, slime in the ice machine, etc. Why? Cuz you know they're going to be clean after just having gotten their ass handed to them.

I would imagine Sony will be no different. When the PSN comes back online, I bet their shit is gonna be locked down tight and damn near impenetrable.

Note: I don't have a 360 or PS3, so I'm not speaking from personal bias. But if I were going to buy a PS3, I would not be put off because of this security breach.

Reply Score: 5

RE[2]: lost dollars
by QuiOui on Fri 6th May 2011 04:59 UTC in reply to "RE: lost dollars"
QuiOui Member since:
2011-05-06

I would imagine Sony will be no different. When the PSN comes back online, I bet their shit is gonna be locked down tight and damn near impenetrable.


One might assume that, but I am afraid Sony has already found a flaw in your statement as this is their second security breach.

Reply Score: 1

Comment by jaynet333
by jaynet333 on Fri 6th May 2011 01:28 UTC
jaynet333
Member since:
2011-05-06

This article is bogus. I looked at the testimony for Spafford via the source link given on the Consumerist article. There is no mention of the lack of a firewall, Apache issues, or specific software patches not being applied; at least not specific to the attack on Sony. There is only this quote from the testimony, which itself is mere speculation, "I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk.". The testimony also does not provide any sources regarding the alleged "news reports". Perhaps he was referring to bogus news reports like the one on The Consumerist?

Reply Score: 3

THIS is where the GNU hits the fan!
by kaelodest on Fri 6th May 2011 01:55 UTC
Laurence Member since:
2007-03-26

Completely OFF Topic,


Agreed.

Particularly when you cite GNU yet the article isn't even about GNU software (Apache != GNU), so your tenuous link isn't even relevant.

Edited 2011-05-06 11:22 UTC

Reply Score: 2

Comment by Gone fishing
by Gone fishing on Fri 6th May 2011 05:30 UTC
Gone fishing
Member since:
2006-02-22

It's Sony's priorities, a company vastly more interested in controlling customers than protecting them.

Sony's attitude - Patch the web server, run a proper firewall, why bother that's not important. Someone wants to install another OS on their Playstation, or copy a CD - Call in the IT team, pour in the cash, call in the lawyers this is serious.

Reply Score: 6

Oh yes it was the anonymous ...
by Warnaud on Fri 6th May 2011 08:13 UTC
Warnaud
Member since:
2008-07-07

Just thanks again Sony for this demonstration of fake information.
So the villain of anonymous did that? Really? Or did you leave top security software/servers not up to date?

Reply Score: 1

Firewalls
by Neolander on Fri 6th May 2011 11:03 UTC
Neolander
Member since:
2010-03-08

Can someone with a security background explain to me how exactly firewalls can improve the security of a computer ?

Reply Score: 1

RE: Firewalls
by WereCatf on Fri 6th May 2011 11:33 UTC in reply to "Firewalls"
WereCatf Member since:
2006-02-15

Can someone with a security background explain to me how exactly firewalls can improve the security of a computer ?


Firewall may or may not be specifically such a great term, it depends, and may refer to firewall installed on the machine itself, or a firewall between the machine and the internal network (the latter is obviously the more secure choice). But the point is that the server had full access to the whole internal network, it was not restricted in any way or form. In a network of the size of PSN itself and especially when the server is also acting as a server to traffic from the Internet any IT admin worth his/her salt should limit the access such a machine has on the internal network. Ie. it should not be able to access everything, only the very specific machines that it needs to function, and only the kind of traffic that one should expect from it.

Giving complete, unrestricted access to the internal network the magnitude of PSN from a machine running outdated, unpatched server software is a failure of epic proportions.

Edited 2011-05-06 11:35 UTC

Reply Score: 2

RE[2]: Firewalls
by Neolander on Sat 7th May 2011 06:17 UTC in reply to "RE: Firewalls"
Neolander Member since:
2010-03-08

Thanks to everyone who replied !

So if I sum up correctly, there's more to firewall technology and its applications than the "let's close ports like crazy and break everything which might use them" side of it, which is commonly called a firewall on the desktop. (Yup, I really am a networking newbie)

The firewall term may also refer to restricting which machines in a corporate network may connect to a given other machine. Sort of like more advanced routing.

I'd spontaneously wonder how a random forum's server got physically connected to the Great PSN Database with full access to its data in the first place, but I guess for the first part it's easier to do this way and for the second part it's the security failure of epic proportions we're talking about. Unneeded security permissions are the root of all evil.

I didn't understand the part about apache's mod-security.

Reply Score: 1

RE: Firewalls - improvement
by jabbotts on Fri 6th May 2011 14:22 UTC in reply to "Firewalls"
jabbotts Member since:
2007-09-06

Considering the firewall in the general sense of network filtering on the server or in front of it on a separate box; to access my httpd or sshd, you have to be coming from a valid remote location explicitly allowed in the firewall rules. This makes my machine more secure than one which accepts potential attack from any remote location in addition to valid ones.

Deny all, allow the minimum required.

We can also look at application level "firewalls" in the form of mod-security for apache. This sits between your webserver/website and the remote connection filtering out attempts to exploit flaws in your httpd or website code. Sony can afford to hire an admin to manage mod-security.

We could also separate the database and web servers and have the database server only allow connections from the webserver. One must now break into the webserver before being able to start breaking into the database server. Should the first one be breached, what allowed a criminal to access the webserver's command line is not likely to be present on the database server. Monitoring of the webserver should make the breach evident; hopefully before the database server breach can be successful.

Reply Score: 2
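The two-tier layout described in this post (web tier exposing only its public ports, database tier reachable only from the web server, everything else denied) and Snapper's point above that an Apache box should be listening on 80/443 and nothing more, as an added example that is not from any poster in the thread. The addresses, the admin network and the PostgreSQL port are constructed assumptions; the rulesets are emitted in iptables-restore format so the script can be reviewed without touching a live host, and `check_minimum_exposure` flags any port opened to the whole Internet that is not on the public list.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny host rulesets for a
# web tier and a database tier, plus a policy check over the generated text.

WEB_IP="10.0.1.10"        # constructed: internal address of the public web server
ADMIN_NET="10.0.100.0/24" # constructed: the only network SSH may originate from
DB_PORT="5432"            # constructed: assume PostgreSQL on the database tier

# Shared preamble: INPUT and FORWARD default to DROP; loopback and replies to
# connections the host itself opened are allowed, malformed state is dropped.
ruleset_header() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# Web tier: HTTP and HTTPS from anywhere, SSH only from the admin network.
web_tier_rules() {
  ruleset_header
  printf '%s\n' \
    "-A INPUT -p tcp --dport 80 -j ACCEPT" \
    "-A INPUT -p tcp --dport 443 -j ACCEPT" \
    "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT" \
    "COMMIT"
}

# Database tier: the database port only from the web server's address,
# SSH only from the admin network. Nothing is open to the Internet at large.
db_tier_rules() {
  ruleset_header
  printf '%s\n' \
    "-A INPUT -p tcp -s $WEB_IP/32 --dport $DB_PORT -j ACCEPT" \
    "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT" \
    "COMMIT"
}

# "Deny all, allow the minimum required" as a check over any ruleset text.
# $1 = ruleset text, $2 = space-separated ports that may be open to anyone.
# Prints each offending line; exits 0 only if the policy holds.
check_minimum_exposure() {
  printf '%s\n' "$1" | awk -v pub="$2" '
    BEGIN { n = split(pub, p, " "); for (i = 1; i <= n; i++) allowed[p[i]] = 1 }
    # The INPUT chain must default to DROP, otherwise the rules below are moot.
    /^:INPUT / && $2 != "DROP" { print "INPUT policy is " $2 ", not DROP"; bad = 1 }
    # An ACCEPT that opens a TCP port needs a -s source unless the port is public.
    /^-A INPUT/ && /-j ACCEPT/ && /--dport/ {
      port = ""
      for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
      if (!($0 ~ /-s /) && !(port in allowed)) { print; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone usage: print both rulesets and run the check over each.
# Applying one for real would be:  web_tier_rules | iptables-restore  (as root).
if [ "${1:-}" = "--show" ]; then
  echo "# web tier";  web_tier_rules
  echo "# db tier";   db_tier_rules
  check_minimum_exposure "$(web_tier_rules)" "80 443" && echo "web tier: ok"
  check_minimum_exposure "$(db_tier_rules)"  ""       && echo "db tier: ok"
fi
```

Run with `--show` to print both rulesets; a ruleset that opens the database port with no `-s` restriction, or whose INPUT policy is ACCEPT, makes `check_minimum_exposure` print the offending line and exit non-zero.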

RE: Firewalls
by Soulbender on Fri 6th May 2011 15:28 UTC in reply to "Firewalls"
Soulbender Member since:
2005-08-18

They don't, in general. It's perfectly possible to make a server secure, from the network perspective, without a firewall. In fact, if a firewall is necessary the person who installed the server didn't do his job. Almost all properly designed software has built-in features for configuring access (tcpwrappers, apache allow/deny etc) and those features should be used.
In a properly configured server the firewall is an optional layer that increases security but isn't a necessity for the secure operation of the server.

Sadly, a lot of people seem to think that a firewall is a magic bullet that will protect your server from all harm and that it is somehow essential.

Of course, application security is an entirely different ballgame.

Reply Score: 2

RE[2]: Firewalls
by WereCatf on Fri 6th May 2011 15:32 UTC in reply to "RE: Firewalls"
WereCatf Member since:
2006-02-15

They don't, in general. It's perfectly possible to make a server secure, from the network perspective, without a firewall. In fact, if a firewall is necessary the person who installed the server didn't do his job. Almost all properly designed software has built-in features for configuring access (tcpwrappers, apache allow/deny etc) and those features should be used.
In a properly configured server the firewall is an optional layer that increases security but isn't a necessity for the secure operation of the server.

Sadly, a lot of people seem to think that a firewall is a magic bullet that will protect your server from all harm and that it is somehow essential.

Of course, application security is an entirely different ballgame.


Installing a firewall is not about protecting the server per se, it's about protecting the network from the server.

Reply Score: 2

RE[3]: Firewalls
by Soulbender on Fri 6th May 2011 15:33 UTC in reply to "RE[2]: Firewalls"
Soulbender Member since:
2005-08-18

I was talking about host firewalls (which i think neolander was asking about) and not perimeter firewalls.

Reply Score: 2

Meh
by Sollord on Fri 6th May 2011 11:47 UTC
Sollord
Member since:
2006-01-05

From what I was able to read in the comments on /. the version Sony was running had/has no known external vulnerabilities so it's likely the website was not the point of intrusion. Now they probably had other services running that were exposed due to the lack of a firewall which were exploited but then again this is all based on comments on /. so grain of salt and all that

Reply Score: 1

Sounds Fishy To Me
by drcoldfoot on Fri 6th May 2011 11:56 UTC
drcoldfoot
Member since:
2006-08-25

Sounds like a troll to flesh out the culprit.

Reply Score: 1

You want to be scared?
by atari05 on Fri 6th May 2011 17:46 UTC
atari05
Member since:
2006-06-05

This is not news if you ask me. Most if not all LARGE (and something that controls 77 MILLION accounts will be large) networks like this are way behind in software release.

Hurdles for upgrading are certified releases, man power, process, lack of testing, and the list goes on and on.

Does it make it right? well no but Sony isn't the only one suffering from lack of formal upgrades.

Reply Score: 1

The whole story is FUD
by viton on Sun 8th May 2011 13:06 UTC
viton
Member since:
2005-08-09

http://forum.beyond3d.com/showpost.php?p=1549251&postcount=491

As it turns out, it is fairly simple to use Google's webcache to show what version of Apache the PSN servers were using back in March. According to a page request archived by Google on March 23, 2011, at that time Sony was running version 2.2.17 of the popular software. You can see from Apache's website 2.2.17 is the latest, stable version of the webserver available even today. This is a direct repudiation of the claims being made that Sony's webservers were out of date by as much as five years.

I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk.

Dr. Spafford

Reply Score: 2