Panelists joined in. Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.
Without Sony or Epsilon present, much of the hearing focused on potential data protection legislation that would create some kind of process for auditing a company's data security measures to make sure they conform to best practices. Breach notification rules were also discussed, and the Federal Trade Commission pushed for Congress to give it civil penalty authority to go after companies that lose data through carelessness; in the last 10 years, the FTC has brought cases against 34 such companies, though it is currently limited in the penalties it can seek.
Can better standards really protect against such breaches? A Secret Service investigator at the hearing said that they could, adding that in his view, 96 percent of such breaches could have been avoided through straightforward, well-known security techniques. Sophisticated hackers do exist, of course, but they are rare. If companies can simply cut off script kiddie access to their systems, it will be a big step toward better data security.
http://arstechnica.com/tech-policy/news/2011/05/house-hearing-blasts-sonys-half-hearted-half-baked-hack-response.ars
lol @ Hirai's "highly sophisticated" claim.
Sony chief information officer, Shinji Hasejima (pictured), this week confessed at a Tokyo press conference that security measures could have been improved.
“The vulnerability [of the network] was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it,” he said.
“We are now trying to improve aspects of it”.
Shiro Kambe, the senior vice president at Sony, also apologised for the oversight.
“We thought we had taken enough management and control measures [to ensure the network was secure], but looking back, there might have been room for further enhancement,” he said.
“We have to admit we were not fully sufficient.”
[...]
Sony repeatedly apologised at the press conference, beginning and ending the meeting with a ‘deep bow’.
The company explained that it was vulnerabilities in its web application server that caused the hack.
Rik Ferguson, both a PlayStation user and computer security expert at Trend Micro, said lax security controls for digital networks are not out of the ordinary.
“Unfortunately, it is common for companies to run servers that they know have vulnerabilities,” he told Develop.
“In the enterprise world, companies want maximum up-time. They don’t want to take their servers down, so they try to balance security with up-time.
“So companies try to deliver security patches in a bunch, say every few months. This of course means there’s a period of time when these vulnerabilities are not secured.
“Sadly a lot of companies are doing things this way”.
http://www.develop-online.net/news/37592/Sony-We-knew-PSN-security-flaws
(Edited 04.05.2011 18:31 by Modplan Man)