Sony's server software outdated and unpatched before attacks, says witness


Warwick Ashford

Sony was using outdated software on its servers when its PlayStation and Online Entertainment networks were infiltrated by hackers in a data breach affecting over 100m users' personal data, a US House of Representatives hearing has been told.

Sony knew about the vulnerability before the security breaches, Gene Spafford, professor in information security at Purdue University, told an Energy and Commerce Subcommittee hearing into the threat of data theft.

Gene Spafford, who chairs the US Public Policy Council of the Association For Computing Machinery, said security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software - which was unpatched and had no firewall installed - according to US reports.

The issue was reported in an open forum, monitored by Sony employees, two or three months before the security breaches, Spafford said.

Sony declined to attend the hearing, but said in a letter that it has added automated software monitoring and enhanced data security and encryption to its systems, in the wake of the recent security breaches.

In written testimony, Spafford said organisations continue to run outmoded, flawed software, fail to follow some basic good practices of security and privacy, and often have insufficient training or support.

The most commonly cited reason for these failings is cost, he says.

"The cost of providing better security and privacy protection is viewed as overhead that is not recovered in increased revenue, and it is usually one of the first things trimmed in budget cuts," says Spafford.

Running outdated software and unpatched operating systems exposes citizens to risks and consequences whose cost a company does not bear, says Spafford. Because of this, companies do not have an immediate economic incentive to make the investment needed to prevent breaches, he says.

However, he says, there is still a risk of real loss if a breach occurs, with the cost to a company per record averaging $214.
