The corporate-employed security officers these days are often just paid monkeys to appease SOX and PCI compliance; it's unlikely they would have been able to stop a determined hacker no matter what they were running.
True. Scary to think they did it for this long, insane. Wouldn't surprise me if they didn't hash all the users' passwords. Lord knows I'm getting new cards re-issued.
Mind you, the number of connect attacks and web vulnerability scans my logs tell me about daily just goes to show how little people think about security.
Makes you wonder if people really are ready to enter this brave new world of the internet.
Matt
"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"
I don't think they were incompetent per se. You only need one hole in your security. That's why I live by the greater principle that ASL brings: security in layers. As someone who has been nearly hacked twice I can vouch that it works. Even still, the hacker could have gotten our DB if he had wanted it (he was only after the kernel thankfully). It's not terribly hard to get into the layer with the DB in most web apps.
My suspicion is that Sony had a hole on the PS3 itself. There's been lots of drama over a guy named "Geohot" who apparently hacked the OS (Sony wasn't bothering to digitally sign their OS so once you knew the key you could create your own custom signed OS). This apparently let people run their boxes in "developer mode" and do things like get fake credit on PSN and then buy games. I am willing to bet it let you do more than that and they probably found that they could run DB commands directly from these hacked PS3 OSes.
"Its not a mac. I run linux... I'm actually cool." - scott
On my server I've done all the normal stuff: ASL is running, updates are maintained daily, SSH access is not allowed for any customers, and the SSH port is blocked to all but one IP address.
As far as the domains I host go, there are some WP installs, but most domains are email only, apart from a few that run sites/apps I've built, and these have a lot of security measures in the code itself.
I'm no Linux guru, so I rely on ASL to pick up the slack where my knowledge of Linux stops, in protecting my server.
Matt
"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"
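The post above describes a lockdown (SSH reachable from only one IP, customers kept off SSH) but not how to verify that the box actually matches that description. Below is an added example, not code from the thread or from ASL, that audits an `iptables-save` dump and an `sshd_config` for exactly those properties. The rule dump, the config text and the address 203.0.113.10 are constructed sample inputs; the function names are my own.

```python
"""Audit an iptables-save dump plus sshd_config for the SSH lockdown described above.

Added example (not from the forum thread or ASL). Sample inputs are constructed.
Limitations noted in comments: sshd Match blocks are ignored, only the INPUT
chain policy and a trailing catch-all DROP/REJECT are treated as the default.
"""
import ipaddress
import re

# Constructed sample: what `iptables-save` might print on a locked-down host.
IPTABLES_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample sshd_config for the same host.
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin
"""


def parse_sshd_config(text):
    """Return {option_lower: value}. sshd honours the FIRST occurrence of an
    option, so later duplicates are ignored. Match blocks are not handled."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def _ports(spec):
    """Expand an iptables port spec like '22,80:82' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def ssh_accept_sources(dump, port):
    """Return (effective INPUT policy, [source networks that may open a NEW
    TCP connection to `port`]). A rule with no -s counts as 0.0.0.0/0."""
    policy = "ACCEPT"  # iptables' built-in default if no policy line is present
    sources = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT "):
            continue
        tok = line.split()
        # A bare "-A INPUT -j DROP/REJECT" at the end acts like a DROP policy.
        if len(tok) == 4 and tok[2] == "-j" and tok[3] in ("DROP", "REJECT"):
            policy = "DROP"
            continue
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-j") != "ACCEPT" or opt.get("-i") == "lo":
            continue
        # ESTABLISHED/RELATED-only rules cannot admit a new SSH connection.
        if "--ctstate" in opt and "NEW" not in opt["--ctstate"].split(","):
            continue
        if opt.get("-p") not in (None, "tcp", "all"):
            continue
        spec = opt.get("--dport") or opt.get("--dports")
        if spec and port not in _ports(spec):
            continue
        sources.append(ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False))
    return policy, sources


def audit(dump, sshd_text):
    """Summarise whether SSH is reachable from exactly one host and whether
    sshd itself refuses root and password logins."""
    cfg = parse_sshd_config(sshd_text)
    port = int(cfg.get("port", "22"))
    policy, sources = ssh_accept_sources(dump, port)
    single_host = len(sources) == 1 and sources[0].num_addresses == 1
    return {
        "ssh_port": port,
        "input_policy": policy,
        "ssh_sources": [str(s) for s in sources],
        "ssh_locked_to_one_ip": policy == "DROP" and single_host,
        # Unset options are reported as "not disabled"; OpenSSH defaults vary by version.
        "root_login_disabled": cfg.get("permitrootlogin", "").lower() == "no",
        "password_auth_disabled": cfg.get("passwordauthentication", "").lower() == "no",
        "allowusers_set": "allowusers" in cfg,
    }


if __name__ == "__main__":
    for k, v in audit(IPTABLES_DUMP, SSHD_CONFIG).items():
        print(f"{k}: {v}")
```

On a real host, feed it `iptables-save` output and `/etc/ssh/sshd_config` (or `sshd -T` for the effective config, which also resolves Match blocks). The check is deliberately strict: an `ACCEPT` policy with a lone port-22 rule, or a `-s` covering more than one address, reports `ssh_locked_to_one_ip: False` even if the rest of the ruleset looks tidy.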
Spafford told the subcommittee that, according to security mailing lists he subscribes to, "individuals who work in security and participate in the Sony network" had learned "several months ago" that PSN was hosted on servers running "very old versions of Apache software that were unpatched and had no firewall installed."
Can we get Congress to mandate Sony buy ASL and install it? Or at least sit through Mike's testimony about why firewalls and security are kinda important?
"Its not a mac. I run linux... I'm actually cool." - scott