PSN hack: Sony software "obsolete"

German mag reveals hacker scan logs.

German magazine Computer Bild has uncovered evidence that suggests the PlayStation Network hack that left personal information tied to 77 million user accounts compromised was the result of Sony's "obsolete software".

The magazine claims to have received scan logs provided to it by hacker group Anonymous that indicate Sony servers were running "long-outdated" programs and web services prior to the 19th April attack.

These logs are the result of Anonymous' own scanning of Sony's servers for potential vulnerabilities that facilitate DDoS attacks.

"In some cases, the software versions had security holes that had been documented on the internet for years," Bild said.

"For example, the OpenSSH 4.4 service was used to encrypt data communication. The current version is 5.7, however. The version used by Sony has security holes that had already been known for five years."

Bild also accuses Sony of running servers with the "outdated" Apache version 2.2.10, which it says is "vulnerable to threats such as distributed denial-of-service attacks".

"Sony's other programs and services also do not reflect the current standards of security technology," Bild said. "For the criminals who later stole the personal information of over 100 million users, the dated protection mechanisms of the Sony servers therefore did not present an insurmountable obstacle.

"It appears that the corporate behemoth did not consider its server security to be that important – or that it had simply been asleep at the wheel. A cardinal error, because thanks to server scans and information in forums, the attackers were well-informed about Sony's security leaks. The users of the online services are now paying the price for this negligence."

Casting doubt on Bild's story, however, is its failure to reveal exactly which vulnerability was uncovered by Anonymous.

This absence was highlighted to Eurogamer by an informed source intimate with the PlayStation 3.

A Sony Germany spokesperson responded to Bild's accusations, saying, "I am not aware of any obsolete or unpatched server software."

Sony is in hot water with authorities over the hack and the security measures that were in place. The Japanese government this week halted Sony's plan to turn PSN back on – as it has done elsewhere – because it believes promised security countermeasures are "incomplete".

In the UK, independent watchdog the Information Commissioner's Office is in talks with the Japanese firm to determine whether it was in breach of the Data Protection Act. If it was in breach, it could be slapped with a £500,000 fine.

Last month Eurogamer's Digital Foundry revealed security failings that cast doubt on Sony's data protection methods.

"PSN vulnerabilities were well-known and being discussed in public months ago, and Sony didn't act soon enough," Digital Foundry wrote.

Comments (53)

  • tiny_Eggy #1 1 year ago

    Bild is a bit late to the party. The whole Apache thing has already been debunked.
  • lcmnick #2 1 year ago

    Post deleted at 12:48:44 14-04-2012
  • CaptainQuint #3 1 year ago

    Anyone else really begrudge changing their password the other day? Sony have left a lingering bad taste in my mouth.
  • Snake_2011 #4 1 year ago

    I find it very hard to believe anything anonymous.
  • Toothball #5 1 year ago

    Hah nmap. I use it all the time at work. Why do these logs look like they've been printed out and partially torn though?
  • HyperTails #6 1 year ago

    So long as Sony make sure security is top notch this time, I don't care what 'sources', esp those from the desperate to distance themselves Anonymous have to say.
  • Gaol #7 1 year ago

    This article confuses me. You are saying Anonymous didn't point out a specific vulnerability yet earlier you mention Anonymous have shown you which software version that Sony were running - surely if it's an outdated version with known weaknesses then this tells you which vulnerabilities it will have.

    I hope this isn't true, if it is then Sony sadly deserve all the shit that has come their way; and I say that as a long time Playstation user.
  • jonsaan #8 1 year ago

    I did actually say this at the outset. No surprise to me. Most big corporations are running old infrastructure. Total replacement is too costly so it's a gradual drip feed of new. They never catch up.
  • rprince #9 1 year ago

    I like that there is anyone in the Japanese government who can say "hold on, these new security measures are not ready yet", but the UK government are scrabbling to work out how much tax revenue they can squeeze from the situation.
  • Dewin #10 1 year ago

    Translation: We broke your window. It broke very easily so it's your fault it got broken. You should have had bulletproof glass.

    You shouldn't have broken it in the first place ya douche!
  • Rodster #11 1 year ago

    Please visit http://www.sonydefenseforce.com for all your positive Sony news. There you'll find every Sony fuck up glossed over in true Sony style and where Microsoft is always the villain. :-D
  • Eldritch #12 1 year ago

    Bild = The Sun

    And Computer Bild is quite a joke, too. Still, I don't see why they should make up such a story about Sony, so it might very well be true.
  • telboy007 #13 1 year ago

    I was very disappointed to see the SDF website was last updated on Nov 8th 2010. Bad show.
  • Layzlo #14 1 year ago

    Man the media is relentless. Seriously, if you don't do your own research and trust everything that the media prints, the world would be in a more f*** up place than it is now. I've never seen a smear campaign quite like this before.
    Edited by Layzlo at 17/05/11 @ 14:22
  • abigsmurf #15 1 year ago

    Why exactly are we supposed to believe a text file provided by someone who didn't give their name claiming to be from a group full of trolls and script kiddies is genuine?
  • GamesConnoisseur #16 1 year ago

    Simply pass the evidence to the authorities; if there's nothing criminal there for Sony other than the hackers, end of story. If there is, then Sony'll get their hand slapped and be fined, and again, end of story.
  • Jos #17 1 year ago

    It seems hard to believe that if Sony's server security were as open to attack and proof of such so easily obtainable, and it being so for such a long time, that the servers hadn't been right royally messed around with by the script kiddies by now.

    Not that I know anything of their security. But all the pontification is as unfounded as it is ironic - if there is one thing you do in computer security it is make sure you understand the facts and consequences before messing around changing things.

    That said, it'll be fascinating to learn what was actually done to enable the breach. I'm guessing governmental scrutiny will mean it gets published eventually.
  • PixelPirate #18 1 year ago

    so. bored .of PSN stories now.
  • Otis_Inf #19 1 year ago

    Just because a service reports it's Apache httpd 2.2.10 doesn't mean it's a version which is unpatched. Sony might very well compile their own Apache source like other companies do too (Yahoo for example), which doesn't mean the online service is unpatched cruft from years ago. Unless hack logs are posted, it's not really said what exactly was unpatched, what was open and who's to blame.
  • blarty #20 1 year ago

    Wow..... Eurogamer just keeps on milking this news story.....

    Oh and by the way.... you're running on Apache/2.2.16 ... which was released 9 months ago....
  • Feanor #21 1 year ago

  • abigsmurf #22 1 year ago

    [link url=http://forum.beyond3d.com/showpost.php?p=1549251&postcount=491]http://forum.beyond3d.com/showpost.php?p...[/link]

    Look at the Apache version in the link they give (the version is at the bottom of the 400 error) from March. It's an up-to-date version.

    Can Eurogamer update the story to reflect that rather than spreading more FUD?
  • fabiosooner #23 1 year ago

    At least the German magazine didn't flinch from calling the hackers what they are: criminals.

    Whatever the size of Sony's negligence, it's infuriating to see people use it to justify a crime. Sony is paying for its carelessness and will pay even more once official investigations are concluded. So what's left? To get these suckers and throw them behind bars for good measure.
  • blarty #24 1 year ago

    Got to agree with #26 whatever you may think of Sony, whether they were incompetent, or whether their arrogance invited these people to go at them..... don't forget that Sony didn't actually force them to break into their servers and ultimately the hack, the data loss and the 3 weeks downtime is down to the actions of the hackers.
    Personally, I believe Sony made a royal cock-up of this.... and they should have gone to town with their server security when all this GeoHotz malarkey started, but there is no such thing as unbreakable when it comes to security.... the most secure computer is one turned-off in a lead-lined room without a door, buried 50 feet under the ground
    Edited by blarty at 17/05/11 @ 14:16
  • thiagots85 #25 1 year ago

    Sony got hacked not because of the weak protection, it was just that all the spotlights were at them at the moment... and because of the weak protection
  • thiagots85 #26 1 year ago

    #28 ... "the most secure computer is one turned-off in a lead-lined room without a door, buried 50 feet under the ground"

    ...and then, the hackers would say..." grab your shovels... it's dig time!"
  • RawNinjaKid #27 1 year ago

    Who cares? Sony have already paid for it financially.
    Any more would just harm the industry and us.

    The bottom line is that Sony's servers are probably now the most secure in the online world, as another hack of this sort will then harm their reputation for good.

    It's hilarious to see all these govt departments acting all tough!
    Edited by RawNinjaKid at 17/05/11 @ 14:23
  • flaming.carrot #28 1 year ago

    Apache 2.2.10 is in no way obsolete, in fact I'm only using 2.2.3 on a brand new webserver that's only two weeks old. Just because the server is not running the latest httpd release does not mean it's obsolete software - server admins tend to upgrade to newer versions of Apache once they are ratified by their Linux distributor as fully stable with that particular OS. The exception being if a huge security hole is uncovered - which is not the case with 2.2.10.
  • slippysloppy #29 1 year ago

    @CaptainQuint I don't mind having to change my password on PSN, in fact I welcome it. What worries me more is all the other sites I've registered with that have the same email and password association.
  • booner #30 1 year ago

    £500,000 - I think not. They COULD fine them that much, but if you look at the case recently brought to light of ACS law and the corrupt lawyer who sued innocent people for "filesharing", then leaked 6000+ personal details.....he was faced with up to £500,000 fine.....but ended up with an insulting £1000 fine and a 25% discount if he paid it off early. ICO are weak and all bark, no bite.
  • TheWretched #31 1 year ago

    Well... if ComputerBild says it, it MUST be true... keeping in mind that ComputerBild is the daughter of German tabloid Bild, which is equally reliable as the Sun...
  • Steroyd #32 1 year ago

    Part of me doesn't care about all of this as long as the end result doesn't mean PSN gets shut down again.
  • blarty #33 1 year ago

    Well let's just hope that with all these Governments being so switched on to this issue, that some curious young computer user doesn't suddenly manage to get into the Pentagon looking for info on UFOs......




    What?!
  • coolbritannia #34 1 year ago

    Where are you guys getting all this info? All I can see is DIRT 3!
  • Razorus #35 1 year ago

    I need to ask something here because I can't seem to find the answer anywhere, so somebody please help me out!

    Music Unlimited keeps crashing. I thought it was supposed to be up and running by now?! I can log in, and just as I search for music or try my playlist, it crashes and says there was a server error. Their own website doesn't mention this and I can't find information anywhere! Is the same thing happening to everyone else?
  • DrStrangelove #36 1 year ago

    Casting doubt on Bild's story, however, is its failure to reveal exactly which vulnerability was uncovered by Anonymous.

    It should be mentioned that Bild is Germany's biggest tabloid, similar to The Sun in the UK, and Computer Bild is part of a series of magazines coming from the same publishing house. They're not as low-brow as the main newspaper, but still not very dependable because most articles are typically not thoroughly investigated.

    Of course, that doesn't mean that Sony didn't actually rely on obsolete security.
  • paulf #37 1 year ago

    'This absence was highlighted to Eurogamer by an informed source intimate with the PlayStation 3.'

    er ...
  • Der_tolle_Emil #38 1 year ago

    If such an article was published by c't I would believe every single word in it. Computer Bild... not so much. However, getting info about the software (version) running on the server is trivial and it's not surprising that they have that information - basically it's the first thing you do if you want to attack a server or if you want to secure it. Sadly all the information a server gives you to help its own IT team to secure it can also be used to attack the server.
  • davisorle #39 1 year ago

    Post deleted at 15:13:14 09-05-2012
  • RodHull #40 1 year ago

    Oh come come. Leave Sony alone. They had tsunamis to cope with and they had to retune all their tellies thanks to the digital switchover. Plus Jenny in HR accidentally forgot to submit their timesheets for January so they only got paid basic. Cut them some slack, people!
  • oupe #41 1 year ago

    Bild is a bit late to the party. The whole Apache thing has already been debunked.

    Link please. To a trustworthy site.
  • metamorphic #42 1 year ago

    Bild is basically Germany's version of the Sun/NOTW. I don't know why Eurogamer takes it seriously...
  • SeesThroughAll #43 1 year ago

    Bild is basically Germany's version of the Sun/NOTW. I don't know why Eurogamer takes it seriously...

    Because it provides them with a source of FUD.

    If this is proven false and Sony ever sues magazines and websites for this kind of crap, I will laugh out loud.
  • The-Jack-Burton #44 1 year ago

    This has already been discussed, somebody is looking for hits on their website.
  • Machiavellian #45 1 year ago

    Translation: We broke your window. It broke very easily so it's your fault it got broken. You should have had bulletproof glass.

    You shouldn't have broken it in the first place ya douche!

    No that doesn't work for me your translation, here is mine.

    Instead of a window let's change the analogy to a bank because let's be honest, it's not your home with your window but instead a corporation storing millions of people's data just like a bank would store your money.

    We broke into your vault. It broke very easily so it's your fault it got broken. You should have provided the best security for your vault but you didn't. You waited until someone exposed how lax you were with information that is precious to your customers. You knew about the problems before the breach and you still did not do anything until we made you do it.
  • Machiavellian #46 1 year ago

    At least the German magazine didn't flinch from calling the hackers what they are: criminals.

    Whatever the size of Sony's negligence, it's infuriating to see people use it to justify a crime. Sony is paying for its carelessness and will pay even more once official investigations are concluded. So what's left? To get these suckers and throw them behind bars for good measure.

    War is hell, one person's criminal is another person's hero. Sony declared war, they thought they had the advantage. They did not understand their opponent or the damage their opponent could do to them. They underestimated their opponent and are paying the price. Not condoning what happened to Sony but they did act like they were the shit and untouchable, they got touched. This was an expensive lesson for Sony. When you pick a fight, it's best to plug up all your holes first.
  • man.the.king #47 1 year ago

    I see 360 fanboys are willing to believe every single bad thing written about Sony and are unwilling to do the slightest bit of research if there is a possibility that research will disprove their bias about Sony.
  • theonlyix #48 1 year ago

    Well I'm not trusting them again... if they can get away with it, they'll do it all over (Sony that is)
  • ro-kurorai #49 1 year ago

    lol, the German equivalent of "The Sun" or "Fox News" tries to sully Sony's reputation, surprise -_-
  • m0thr4 #50 1 year ago

    Actually this is one of the main reasons the reported version of Apache is nearly always misleading.

    This is why you should trust reports from professional security pen testers, rather than amateur hackers.
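    The article's version claims (OpenSSH 4.4 against a current 5.7, Apache 2.2.10) and the replies in #19, #28 and #50 turn on the same question: what a service banner does and does not tell you. The script below is an added example, not code from the article, Computer Bild or any commenter. It parses constructed banners modelled on the versions named above, compares them against minimum versions (5.7 for OpenSSH is the article's own figure; the Apache threshold is an assumed policy value, not a number from the page), and records that when the binary comes from an OS vendor that backports fixes without bumping the upstream version number, a low banner is a lead to confirm against package metadata, not proof of an unpatched hole.

```python
"""Banner-version triage for an internal asset inventory.

Added example; every banner and threshold here is constructed, not taken
from the scan logs the article describes.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# The two banner shapes the article's claims rest on: an SSH identification
# string and an HTTP Server header. Product names are captured as written.
BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
    re.compile(r"^Server:\s*(?P<product>Apache)/(?P<version>[\d.]+)"),
]

# Minimum upstream versions to compare against. 5.7 is the "current version"
# the article cites for OpenSSH; the Apache figure is an assumed policy value.
MINIMUM_VERSIONS: Dict[str, Version] = {"OpenSSH": (5, 7), "Apache": (2, 2, 16)}


def parse_version(text: str) -> Version:
    """'2.2.10' -> (2, 2, 10). Tuples compare numerically, so 2.2.10 > 2.2.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Return (product, version) for a recognised banner, else None."""
    for pattern in BANNER_PATTERNS:
        match = pattern.match(banner.strip())
        if match:
            return match.group("product"), parse_version(match.group("version"))
    return None


def assess_banner(banner: str, distro_packaged: bool = False) -> Dict[str, object]:
    """Classify one banner against MINIMUM_VERSIONS.

    distro_packaged=True records that the binary is an OS vendor package.
    Vendors commonly backport security fixes while keeping the upstream
    version string, so a low banner on such a host is only a lead: the
    package changelog or advisory database decides, not the banner.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"product": None, "verdict": "unrecognised"}
    product, version = parsed
    minimum = MINIMUM_VERSIONS[product]
    below = version < minimum
    if not below:
        verdict = "meets-minimum"
    elif distro_packaged:
        verdict = "confirm-with-package-metadata"
    else:
        verdict = "investigate"
    return {
        "product": product,
        "version": version,
        "minimum": minimum,
        "below_minimum": below,
        "verdict": verdict,
    }


# Constructed sample banners modelled on the versions named in the article.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.4",
    "Server: Apache/2.2.10 (Unix)",
    "Server: Apache/2.2.16 (Unix)",
    "220 example FTP ready",  # unrecognised shape, should not crash the inventory run
]

if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print(sample, "->", assess_banner(sample)["verdict"])
        print(sample, "(vendor package) ->", assess_banner(sample, distro_packaged=True)["verdict"])
```

    The same banner yields "investigate" for a self-built binary and "confirm-with-package-metadata" for a vendor package; that second verdict is the reason a version number alone, whether from a scan log or a 400 page, settles nothing about patch level either way.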
  • Snake_2011 #51 1 year ago

    @Machiavellian but people still rob banks, so your meaning is pointless. Move on, it's done.
  • bradgrenz #52 1 year ago

    Bild obviously doesn't understand that Sony's CDN servers just host media and not customer information. Their security wouldn't be that high a priority. Here's the story I wrote for Bitmob "debunking" a lot of the misinformation about how up to date Sony kept their servers: [link url=http://bitmob.com/articles/detective-work-reveals-psn-servers-up-to-date]http://bitmob.com/articles/detective-wor...[/link]

    The biggest problem is people don't actually understand what servers do what, which are important to have up to date, why older versions might be in use and yet they will still make unsupportable claims about how Sony has failed based on insufficient information.
    Edited by bradgrenz at 18/05/11 @ 01:14
  • Machiavellian #53 1 year ago

    @Machiavellian but people still rob banks, so your meaning is pointless. Move on, it's done.

    The POINT is that you expect a company that has your personal data to not keep it lying around like it's unimportant. This simple point for the Sony apologist is the main problem. The problem is not that Sony got hacked because that happens all the time. It's how Sony got hacked. It's the fact they knew about the problem and decided to do nothing hoping no one would take advantage. It's the fact that only after the crime did they hire someone to personally take their security seriously.

    I do not know about you but I write software for the type of setup that Sony has all the time. Security is always a main concern and the way Sony's servers allowed hackers so much access is nothing short of incompetence. You do not leave such personal data sitting on public servers. The only thing that should be on public servers are the files to host the site. The server account should not have enough access to browse the network or be able to access other servers. Trust me, I can go on and on about how criminally Sony's whole network was set up but just understand you do not have to take down everything if the setup was even halfway done right.