Sony breach due to outdated, unpatched servers?
The congressional testimony before the House Subcommittee on Commerce, Manufacturing, and Trade held yesterday morning has revealed many things that shed a totally different light on the Sony PSN breach.
For one, it seems that the whole unfortunate thing could have been avoided – or, at least, made more difficult for the attackers – if Sony had listened to commenters on open Internet forums (one of which, by the way, is monitored by Sony employees) who pointed out the fact that Sony was using outdated and unpatched versions of the Apache Web server software. Also, that they had no firewall installed.
The fact that this was known in security circles months before the breach was revealed by Dr. Gene Spafford of Purdue University, who was brought in to testify. Sony was also invited to participate in the hearing, but declined citing the still ongoing investigation as the reason.
Though, according to Consumer Reports, the company did send a letter to the committee stating that it had added automated software monitoring and enhanced data security and encryption to its systems before after the breach occurred.
In the letter, Sony declined to specify what the investigation has uncovered so far, but hinted at the possibility that the hacktivist online group Anonymous was involved in the attack. The company says that the fact that it was defending its systems from denial of service attacks (most probably) mounted by Anonymous and that their online team was completely concentrated on this has allowed the breach to go unnoticed for a while. The company also said that it has found on one of its server a file named “Anonymous,” which contained the text “We are Legion.”
Sony does allow the possibility that the two attacks were not connected, but seems that it’s intent on placing the blame on Anonymous nonetheless. “In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony’s many customers around the world,” Sony stated in the letter.
As a reply to those claims, Anonymous has issued a statement (which can be found at the Daily Kos) saying that “Anonymous has never been known to have engaged in credit card theft. Whoever broke into Sony’s servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response. On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.”
Ars technica reports that the Sony letter also confirms that the breach was spotted on April 19, confirmed internally on April 20 and that the FBI was notified on April 22.