Submitted by There’s fail, there’s epic fail, and then there’s Sony. You may’ve thought it wasn’t possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It’s… Bad.
What are the basic tenets of maintaining network-connected computers? Exactly – keep your software up to date, and use a firewall (or otherwise close and/or monitor your ports). These are such elementary rules it’s hard to imagine anyone would ignore them in this day and age. Sure, I can understand some grandma not running Windows Update properly on her 8 year old Windows XP machine, but professionals managing the world’s second most popular online gaming network?
Spafford states that security experts monitoring open internet forums had found out that Sony was running outdated versions of the Apache web server, with no patches applied. To make matters worse, Sony did not have a firewall installed. Topping it all off, these security experts reported these flaws months before the current breaches on security forums monitored by Sony employees. Wow.
“If Dr Spafford’s assessment is accurate, it’s inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed,” said Jeff Fox, Consumer Reports Technology Editor.
Let’s be clear here: the folks who stole the data are criminals and need to be apprehended. However, if Spafford’s story is true, and you’d think that you wouldn’t lie during a congressional hearing, you can easily argue that Sony are criminals as well. They were basically hiking up their skirts, battering their eyelashes, and making pouty lips to the criminal world. Poor analogy. Let me make it clear: they are acting like criminals themselves. This is going to cost them dearly in law suits and damages – and rightfully so.
This is what we call cosmic karma.
They’ll just sue the security researchers for “illegally” publishing the info, leading to the breach.
When someone shows a stupid company how stupid they are for shooting themselves in the foot, they won’t stop shooting, they’ll start shooting the other guy too.
This isn’t even half over yet. The Sony train-wreck has just begun.
edit: +scarequotes.
Edited 2011-05-05 21:15 UTC
I was talking this over with one of my friends (while completing Dead Center in L4D2 on expert in 58 minutes), and we both agreed that this could very well have a MASSIVE negative impact on Sony’s next console. Trust is completely gone now, and for once, this is not something only geeks talk about – this has hit ALL PS3 users. For now, XBL is still doing just fine (and I’m sure it’s being probed like hell now), so it might as well be that the next time these people buy a console, they’re going for the competition.
This is very, very, very bad for Sony.
It’s bad. Possibly very bad. Just not very very very bad. Please understand you have a bias whether you perceive it or not (as do I as a PSN user). The quantity of gleeful reporting of the PSN troubles by XBL subscribers saddens me – really, you were playing CO-OP L4D2 talking on in-game chat about how shit PSN is?!
It will have a massive outcome, mostly from the shit storm caused by people who ARENT members of it.
I’ve ‘lost’ my details 3 times in the last year from companies that I do paid business with, it rightly pisses me off and I would expect more from my local ombudsman.
To put it into scale, two of those sent me just an email apology days after I read about it on news site. One has had numerous blog posts, twitter updates and sent email.. I think Sony are doing fairly well on dealing with the problem and communicating it.
Whatever doesn’t kill them and all that..
No, we were discussing this particular story since it came up on my phone while waiting for the next chapter to load ^^.
I am neither but as a security geek, this comes as yet another blatantly public desplay of Sony’s neglegence. Sony’s track record for consumer hostile and/or neglegent actions goes back a long way; even further than than delivering malware to music consumers.
Sony is also a big company; they’ll take a beating and surivive. But will the actualy learn anything from it or will we be looking at yet another act of potentially criminal neglegence in another twelve to twenty four months?
I mean:
2000 – “We will develop technology that transcends the individual user.”, they’ll actively develop consumer hostile technologies
2001 – malware delivered intentionally on music disks in Europe and the US
2005 – rootkit malware being delivered intentionally is found and analyised by Mark Russinovich
2005+ – trojan malware delivered intentionally. Sony releases a program to “remove” the previously found rootkit. It only makes the rootkit visible to other software while installing yet more hidden malware
2005+ – when finally issuing a recal of all malware delivering music content, Sony ridicules the public including it’s own customer base for taking issue with the installtion of rootkits and spyware; “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
Yeah, it’s not like anyone has ever been harmed by a rootkit when protected by “don’t even know”-ing what a rootkit is.
If this had been an indavidual or lesser company there would be riots in the streets and “haxorses will be the end of civilization” headlines from every media outlet.. oh.. but it’s a giant mega-corp who’s primary function is to manufactur profits by robbing consumers.. so it’s ok then.
Previous to that, we have Sony trying to sue caset player manufacturers for “steeling” the triangle, square and parallel lines now common for denoting play, stop, pause.
Recently we have Sony delivering a string of anti-consumer changes to the PS3 bate and switch con job. Not to mention litigating against the freedom of an owner to muck with there legally purchased property.
And now this neglegence.
– we may have let some PSN user details slip out but it should only be names, addresses, birthdays and account passwords.. no credit card numbers though and it’s not like the details that did leak could be used to harm our consumers or commit fraud
– oh.. sorry, credit card numbers did get leaked so.. by the way, we stored those in plane text cause storing them properly behind encryption is just too hard for a mega-corp like us to just too much effort
– Sony Online Entertainment Network was not affected.. oh wait.. sorry.. it was affected.. our bad
– by the way, we didn’t bother keeping the servers that hosted this up to date or secured to even the remotest minimum due dilligence.. but hey.. it wasn’t our personal details on the servers
If it’s Sony’s information they’ll send an army of lawyers after your sorry ass but customer information.. psh.. whatever.. they paid us money already so fk them
Seriously.. how many times does a company have to shit on one’s face before they start caring?
The scary part is how many of the *other* companies we do business with on a day to day basis could be just as criminally incompetent in their practices without us knowing it. Until something like this happens that is.
Surely you don’t mean that women who do this are criminals.
Mmmm upon re-reading after your comment… You have a point.
Fixing…
Not to mention just how offensive that analogy is, in general. Not Cool.
Maybe remove the entire line completely, instead of just striking it out?
Insinuating women (or a man wearing a skirt) and rape might be a sensitive topic for some people.
Jesus guys, PC should have its limits too. This is way over that.
Its not about political correctness, its about Justice. I’m trying to keep my reply polite as this is a polite message board. But, if you think that’s in any way acceptable, you must be fairly ignorant of sexual assault.
I am not ignorant of that; however, there is a difference between being assaulted and actively invoking it on yourself. The sentence in question brought an example of how stupid Sony’s behavior would look like in another context.
We must accept that there are criminals on the internet, and it is dangerous not to protect yourself somehow, even if you are a regular user, in the same way as most cities have areas you should avoid at night. Disregarding this fact will only make a random user careless; but for a trillion-dollar enterprise, it is actively asking for trouble. Hence the analogy. Yes, this is the case where Sony was asking for it.
I concur. Even striked out and association with criminal behavior removed it still perpetuates the “she was asking for it” myth.
Wait – you’re linking this to rape? Wtf is wrong with you people?
Edited 2011-05-06 08:06 UTC
You are kidding, right? Even if it didn’t initially click, you’d have to be some kind of retarded not to see it now. The ‘she was asking for it’ attitude is still very prevalent and still a massive issue all over the world.
Upon reading, my mind immediately drifted to http://en.wikipedia.org/wiki/Uncovered_meat#Comments_concerning_dre…
Honestly, this is getting way out of hand. This has absolutely nothing to do with rape or anything even remotely related to it. I’m sorry, but I can’t help it that a story about a damn *lack of software security* somehow gets linked to *rape*. That’s just *insane*. Maybe you guys should spend a little less time in /4chan/, and not link a completely unrelated and perfectly innocent line to something as horrible as rape.
What’s next, no more winking smilies?
I admit this uproar about political correctness gets extremely annoying at times… Thom please do your thing and do not get discouraged about making innocent naughty comments.
This what makes your articles memorable!
Keep up the good work!
Thom, you posted it. Its a very clear reference to rape in the English language. It has nothing to do with 4 chan. You show that phrase to 1 million native English speaking women of average intelligence in the United States, and 999,999,999 will interpret that as a rape reference. Maybe your mastery of English isn’t as good as it appears. Analogies are the most difficult to master.
Just don’t put anything like that in any of the documents you translate. But, I’m glad to learn that you were ignorant of its implication.
In what way is “batting eye lashes” and “making pouty lips” related to rape? Seriously. How do you make the connection between the two?
One is about getting all chummy with the criminals, being all buddy-buddy, maybe as much as “getting into bed with the bad guys”.
The other is about forcibly having unconsensual sex with someone, through the use of force and violence.
How in the hell do you get from “batting eye lashes” to “forced to have sex”?
Please, explain it to me. Me thinks one doest protest too much!
Its not rape, its what he said about the “criminals” who would be attracted to someone behaving that way. That is where we have issues with the statement. Its a stupid statement because logically it only leads to one thing “she was asking for it”. Asking for what, exactly? What type criminal would be attracted to scantily clad women? I mean all you have to do is think through the statement for second to realize how sexist and wrong it was to begin with. This shit ain’t rocket science people.
Who is this “she” you speak of? Who are these “women” you speak of? Why are these women “scantily clad”? These are all things you made up all on your own. In my story, there’s only Sony hiking up its skirt. There’s no woman in sight, let alone a “scantily clad” one. That’s all in your head.
If you think you’re being all emancipated here, I’ve got news for you: nothing is more sexist than men pretending women need protection. You know, contrary to the nerd stereotype, most of my friends are women, and surprise surprise, they REALLY don’t need men protecting them. They can kick my ass all on their own.
Thom, the fact remains nearly every woman who would read such a sentence would believe it was a rape reference. Maybe the Netherlands is a feminist paradise free of sexual crimes. I doubt it, but I’ve never been. But most places around the world,sadly are not like that even in the first world. You’d be well advised to steer clear of future references of a similar nature.
Why don’t we ask some of the women here about it? Are you offended?
Frankly, up until now the only ones who seem to have been bothered are men.
My wife wasn’t offended. She also didn’t fully understand the reference in that context. But she also doesn’t understand how anyone could get “rape” out of it, and thinks people need to “untwist their panties”.
I don’t know. You were the one who brought it up.
Yeah, you tell yourself that. Either way I said I (me) was offended I’m not pretending to protect anyone. Who is here to protect? I’m offended because I’ve had family who have been in situations like this and I as someone who is close to these types of situations find that line of thinking offensive. It was an offensive statement anyway. I don’t give a shit how much you try to justify it to you and your “friends”.
(This is why I love OSnews’ comments. It’s an everyday surprise, you almost* never know what’s going to happen.
Article about a major breach in server security due to crazily bad security practices => Lots of comments about rape and the status of women in society. Comment discussion subject randomization is very strong here, and “off-topic” moderation looks totally out of place.)
I wish more women thought the way you and your friends do.
There’s more to the sex equality problem than men strictly following the male stereotype, there are also many women who, given the choice, willingly look for them** or participate to children education in a way that perpetuates these traditions.
If it was just a simple male vs female war, we’d just grab some weapons and get this sorted out, the way humans always do.
*Okay, in an article about a great achievement/failure by Apple/Google/Microsoft, you know.
**Disclaimer : this is not akin to rape, not even an allusion.
Edited 2011-05-07 06:59 UTC
Who the hell isn’t attracted to scantily clad women?
If you saw my mother dressed scantily you’d be scarred for life, not attracted to her.
Fair enough but I guess she wouldn’t be attracting criminals then either. I mean, it could even be a deterrent.
What the hell does “scantily clad women” mean ?
(3-post combo !)
I could post some pictures as a reference, but I don’t think they’d be entirely appropriate here…
We’re all adults here*cough*.
Maybe urban dictionary will be able to help me then
Got to try.
EDIT : It helped. This website is probably the most powerful tool for translating everyday English ever publised to date ^^
Edited 2011-05-08 10:35 UTC
While I think rape is a strong word, your analogy is basically saying that as a woman you want the criminals to take advantage of you, if you happen to have short skirts, pouty lips, and bat your eyelashes. Which IMO is quite offensive. It was a statement that made absolutely no sense in this context and what you said associated with “criminals” could in-fact be misconstrued as rape, because what other criminal would care about a woman who was batting their eyelashes, hiking up their skirts and pouting their lips? Someone who was only interested in thievery would be looking at how expensive her earrings were, or what purse she had, not how short her skirt was. I would like to add that just because a woman did in-fact hike up her skirt, pouted her lips and batted her eyelashes that “she was asking for it” which is what you are insinuating. If that were the case woman would have “criminals” very interested in them everytime they went to a club, or a nice restaurant. Apparently they are “asking for it” there too.
Now, had you said “this is tantamount to someone with a million dollars walking down the street with a transparent briefcase in a bad part of town”, then that would have made more sense. Instead you said some sensationalist crap with no real logic behind it and then got offended when people misconstrue what is clearly in the subtext of your statement. Please remove from article it doesn’t add anything to the conversation and it was just stupid IMO.
Edited 2011-05-06 16:25 UTC
Normally when I get angry at Europe, it is this hypersensitivity which I cite. If you come from an armpit of a country like me (South Africa) people tend to worry about real problems and therefor don’t take all the joy out of a colorful analogy.
The only reason the character in this analogy is female is because Sony was penetrated, and traditionally this is the role of the woman. If we view the security flaws as protuberances, we can rehash it as:
Sony appeared to have gone looking in ever nook and craggy for a suitably shady glory hole to poke us (its customers) into. Repeatedly.
What’s to say it wasn’t some burly football player hiking his skirt, batting his eyes and making pouty lips?
(ok, bad joke.. but just try to get that image out of your head now..
)
Oh come on, he’s dutch. “Amsterdam” ring a bell?
I don’t understand what you’re insinuating. Dutch people are just awesome and really, really friendly. I mean, every time I walk this beautifully-named street called red lights or something people are always greeting me so nicely, and some even wish to offer me money too.
The paramount of 21th century psychology will be a universal method/device for making other people believe you have something to offer that greatly interests them (which may or may not be true).
Will make everyday social interaction significantly more friendly
And maybe (even though it is all struck out) you should change battering to batting.
I was almost sick thinking about batter coated eyebrows.
Or severely bashed eyebrows.
Sony are criminals because it’s not their vagina they just exposed to the criminal world. It’s yours and mine and the man on the busses.
…I think it would surprise a lot of people just how many organisations of all sizes don’t keep software up to date or run effective firewalls. While this is insanely stupid for a company the size of Sony, and they deserve every head bashing they get over it, I can guarantee they aren’t on their own.
Downtime (cost), software compatibility (cost of upgrading) and cost of actually doing the job regularly are some of the major excuses I’ve had thrown at me in over 25 years of doing this stuff, and no amount of explaining how negative the consequences might or what the cost could be if they don’t do it seem to work on some people. Way too many have the “It’ll never happen to me” mentality. Windows and now Android are proof of that.
Edited 2011-05-05 21:39 UTC
Not only Windows and Android but iOS and Mac OS X as well.
Just about any software except “Hello, World!” is unsecure and probably being exploited for fun and profit as we speak.
For a large stock of 0day h3lL0 w0OrLd exploits, drop me a mail covertly. Surely we can find a suitable product matching your victim n0ob’s language of choice.
Sadly I have to agree. I’ve yet to join a company that actually implements proper upgrade planning into their IT strategy. Some of my customers (mainly banks) have no problem implementing proper security procedures and making sure their systems are patched, port locked and behind firewalls so it’s not impossible. Thing is, for a bank to get insurance, they need to be able to prove that they have taken all reasonable precautions, that is securing their systems one notch down from unplugging them from the network and locking them in a safe.
Explaining to a company the costs associated with the theft of potentially valuable data is far from easy. Many of the intermediary businesses working with the banks don’t have anywhere near the security needed to deal with large transactions. Sometimes the thought of who has my personal information stored where keeps me up at night. 🙁
Just to be clear. We’re not talking about a 25 employee car repair shop which run one server to host their website, email and employee database (no offense meant against those people), but a multi-billion dollar company like Sony. They definitely have the manpower and financial means to build and maintain a secure and always up-to-date infrastructure.
And if Sony doesn’t feel they can handle the server administration themselves, they can easily contract an external company to do that. For an online service like PSN where people’s credit card information is hosted on the servers, a properly secured environment is not optional but mandatory.
Sorry, but there is NO excuse for that.
Adrian
My momma always told me, “Stupid is as stupid does!”
Just something to keep in mind: a lot of Linux distros ship “outdated” software with backported patches, so software being “obsolete” doesn’t necessarily mean it lacks the latest security fixes.
Also, “firewall” could mean an actual firewall, or could mean a NIPS.
I do assume Spafford knows what he’s talking about, but the details are not there; and while this is very much in line with the kind of poor security I’ve personally seen in corporate environments, I think I’ll withhold judgment until I see something more… complete.
The word “unpatched” was specifically used.
One example of older version numbers is Iceweasel (firefox 3.6.?) in Debian. However, one example of up to date patches is Debian patching Iceweasel (firefox) or the relevant affected library.
When we’re talking security, it’s not the latest bleeding edge version release but the latest patch level which is important. Actually, having the latest bleeding edge version usually puts you at greater risk. There is a very good reason why Debian Stable freezes it’s list of package versions and just applies security and stability related patches.
And here’s the kicker.. hard to keep up to date?
aptitude update && aptitude full-upgrade
tadaa.. now your up to the latest patch version.. “not a big deal” ™
.. and lacking packet filtering rules.. really? If it’s a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend. And as always, every network attached device should be running filtering rules in addition to any mid level or perimiter filtering (firwalls) implemented.
In security terms, Sony wasn’t even up to the stage of colouring with crayons. They got caught eating the crayon label paper and sticking broken bits of wax up there nose.
Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That’s why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.
I agree. A seporate appliance or server box between your server and the outside world is preferable. iptables on the local machine is still better than nothing though and head and sholders better than Sony seems to have done. All the mitigation in the world on top of your apache isn’t going to be much good if iptables underneath your apache still leaves the system wide open (not to mention the number of services that use a loop back port but have no justification for being accessible from outside localhost).
[quote]
Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there there is nothing stopping him from removing all the ipfilters, too. That’s why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.[/quote]
Nope, it is not pointless. It prevents the admin from making a mistake in opening another app by mistake or due to a problem with an update process.
It is another layer of defense. I you know your Apache box is only supposed to be listening on port 80/443 then put the IP filter in there. It may just protect you from an internal compromise.
Haven’t done much work with corporate machines I take it. Sane admins don’t go off installing updates without understanding what they’ll do to the running systems. Admins who wish to remain employed also don’t run around rebooting mission critical systems whenever updates pop up.
That doesn’t excuse piss poor security practices, but there’s a hell of a lot more to the process than aptitude update && aptitude full-upgrade
I can has walk into PSN server? I need to’z bord teh fail train…
“I chew chew choose you…”
good God Sony, are you even trying anymore? I once saw I guy go off a snowboard jump, fall 25 feet out of the air, land on his head, and now is just barely more functional than a vegetable and even HE has a firewall on his computer and runs the updates….
I was just about to purchase a playstation phone, (when they came out) now I’m going with the HTC sensation.
I was just about to purchase a ps3 because my wife wanted one to play with her friends and i’d get to play the exclusives. I’ve told them all to get an xbox 360 instead.
This is so ridiculous it’s not even funny. I was super super excited about the xperia play. Before my HTC hero, every phone i’ve owned has been sony-ericson.
Sony has gone out of their way to make me avoid them.
No money for you!
You know, I’ve heard that the best time to eat at a restaurant is right after they’ve been visited by a health inspector and have been cited for rats in the cooking area, slime in the ice machine, etc. Why? Cuz you know they’re going to be clean after just having gotten their ass handed to them.
I would imagine Sony will be no different. When the PSN comes back online, I bet their shit is gonna be locked down tight and damn near impenetrable.
Note: I don’t have a 360 or PS3, so I’m not speaking from personal bias. But if I were going to buy a PS3, I would not be put off because of this security breach.
One might assume that, but I am afraid Sony has already found a flaw in your statement as this is their second security breach.
This article is bogus. I looked at the testimony for Spafford via the source link given on the Consumerist article. There is no mention of the lack of a firewall, Apache issues, or specific software patches not being applied; at least not specific to the attack on Sony. There is only this quote from the testimony, which itself is mere speculation, “I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk.”. The testimony also does not provide any sources regarding the alleged “news reports”. Perhaps he was referring to bogus news reports like the one on The Consumerist?
Completely OFF Topic, but -What if I didn’t write code?- and my commoditized data time(Work?) was data and raw data. This is what we as information servicers _Do_ Well if this is the case and I see an error in the system, something that is morally and ethically wrong isn’t it my right -Hell My Duty to report this. Isn’t it? When I code I report bugs? Why isn’t that same rule applied for accounting and practices? I mean in “Law” it is by the Sarbanes/Oxcley act, but in the world of Multinational and Transnational corporations what is “Law”.
I believe that many of the Ideals of this Computer Science Mindset have leaked into the common culture. I feel what I feel for Free & Open Source Software, BUT, what does Janice in accounting or Lester in Travel think about it. What do they do when faced with Market Realities of User Data Being Fully transparent to Widescale and Massive, Pervasive Damaging breach of trust, and not just on our accounts et.al. but also our kids accounts-dammit! This is redonkey-dickulonqulous -=-But what happens if Wikileaks publishes a branch on some of the dirt that is getting done by these Transnational and Multinational corps.? What press? not even silence…
If information wants to be known then it is our duty to share it.
Agreed.
Particularly when you cite GNU yet the article isn’t even about GNU software (Apache != GNU), so your tenuous link isn’t even relevant.
Edited 2011-05-06 11:22 UTC
It’s Sony’s priorities, a company vastly more interested in controlling customers than protecting them.
Sony’s attitude – Patch the web server, run a proper firewall, why bother that’s not important. Someone wants to install another OS on their Playstation, or copy a CD – Call in the IT team, pour in the cash, call in the lawyers this is serious.
Just thanks again Sony for this demonstration of fake information.
So the vilain of anonymous did that? Really? Or did you left top security softwares/servers not up to date?
Can someone with a security background explain me how exactly firewalls can improve the security of a computer ?
Firewall may or may not be specifically such a great term, it depends, and may refer to firewall installed on the machine itself, or a firewall between the machine and the internal network (the latter is obviously the more secure choice). But the point is that the server had full access to the whole internal network, it was not restricted in any way or form. In a network of the size of PSN itself and especially when the server is also acting as a server to traffic from the Internet any IT admin worth his/her salt should limit the access such a machine has on the internal network. Ie. it should not be able to access everything, only the very specific machines that it needs to function, and only the kind of traffic that one should expect from it.
Giving complete, unrestricted access to the internal network the magnitude of PSN from a machine running outdated, unpatched server software is a failure of epic proportions.
Edited 2011-05-06 11:35 UTC
Thanks to everyone who replied !
So if I sum up correctly, there’s more to firewall technology and its applications than the “let’s close ports like crazy and break everything which might use them” side of it, which is commonly called a firewall on the desktop. (Yup, I really am a networking newbie)
The firewall term may also refer to restricting which machines in a corporate network may connect to a given other machine. Sort of like more advanced routing.
I’d spontaneously wonder how a random forum’s server got physically connected to the Great PSN Database with full access to its data in the first place, but I guess for the first part it’s easier to do this way and for the second part it’s the security failure of epic proportions we’re talking about. Unneeded security permissions are the root of all evil.
I didn’t understand the part about apache’s mod-security.
Considering the firewall in the general sense of network filtering on the server or infront of it on a seporate box; to access my httpd or sshd, you have to be coming from a valid remote location explicitly allowed in the firewall rules. This makes my machine more secure than one which accepts potential attack from any remote location in addition to valid ones.
Deny all, allow the minimum required.
We can also look at application level “firewalls” in the form of mod-security for apache. This sits between your webserver/website and the remote connection filtering out attempts to exploit flaws in your httpd or website code. Sony can afford to hire an admin to manage mod-security.
We could also seporate the database and web servers and have the database server only allow connections from the webserver. One must now break into the webserver before being able to start breaking into the database server. Should the first one be breached, what allowed a criminal to access the webserver’s command line is not likely to be present on the database server. Monitoring of the webserver should make the breach evident; hopefully before the database server breach can be successful.
They don’t, in general. It’s perfectly possible to make a server secure, from the network perspective, without a firewall. In fact, if a firewall is necessary the person who installed the server didn’t do his job. Almost all properly designed software has built-in features for configuring access (tcpwrappers, apache allow/deny etc) and those features should be used.
In a properly configured server the firewall is an optional layer that increases security but isn’t a necessity for the secure operation of the server.
Sadly, a lot of people seem to think that a firewall is a magic bullet that will protect your server from all harm and that it is somehow essential.
Of course, application security is an entirely different ballgame.
Installing a firewall is not about protecting the server per se, it’s about protecting the network from the server.
I was talking about host firewalls (which i think neolander was asking about) and not perimeter firewalls.
From what I was able to read in the comments on /. the version Sony was running had/has no known external vulnerabilities so it’s likely the website was not the point of intrusion. Now they probably had other services running that where exposed do to the lack of a firewall which were exploited but then again this is all based on comment on /. so grain of salt and all that
Sounds like a troll to flesh out the culprit.
This is not news if you ask me. Most if not all LARGE (and something that controlls 77MILLION accounts will be large) networks like this are way behind in software release.
Hurdles for upgrading are certified releases, man power, process, lack of testing, and the list goes on and on.
Does it make it right? well no but Sony isn’t the only suffering from lack of formal upgrades.
http://forum.beyond3d.com/showpost.php?p=1549251&postcount=491
As it turns out, it is fairly simple to use Google’s webcache to show what version of Apache the PSN servers were using back in March. According to a page request archived by Google on March 23, 2011, at that time Sony was running version 2.2.17 of the popular software. You can see from Apache’s website 2.2.17 is the latest, stable version of the webserver available even today. This is a direct repudiation of the claims being made that Sony’s webservers were out of date by as much as five years.
Dr. Spafford