PSN hack: Sony software "obsolete"
German mag reveals hacker scan logs.
German magazine Computer Bild has uncovered evidence that suggests the PlayStation Network hack that left personal information tied to 77 million user accounts compromised was the result of Sony's "obsolete software".
The magazine claims to have received scan logs provided to it by hacker group Anonymous that indicate Sony servers were running "long-outdated" programs and web services prior to the 19th April attack.
These logs are the result of Anonymous' own scanning of Sony's servers for potential vulnerabilities that facilitate DDoS attacks.
"In some cases, the software versions had security holes that had been documented on the internet for years," Bild said.
"For example, the OpenSSH 4.4 service was used to encrypt data communication. The current version is 5.7, however. The version used by Sony has security holes that had already been known for five years."
Bild also accuses Sony of running servers with the "outdated" Apache version 2.2.10, which it says is "vulnerable to threats such as distributed denial-of-service attacks".
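The allegation above rests on service version banners: an OpenSSH 4.4 identification string against a then-current 5.7, and an Apache 2.2.10 Server header. The following is an added example, not code from the article, Bild, Anonymous or Sony, showing how a defender's own inventory check would parse such banners and flag anything below a patch-policy baseline. The banners and host names are constructed; the OpenSSH minimum reuses the 5.7 figure quoted in the article, while the Apache minimum of 2.2.17 is an assumed placeholder policy value.

```python
"""Flag services whose advertised version is below a patch-policy baseline.

Added example (not from the article). It parses constructed banner strings of
the kind a service inventory records, extracts product and version, and
compares against a minimum-version table.
"""
import re
from typing import List, Optional, Tuple

# Policy baseline: minimum acceptable version per product.
MIN_VERSIONS = {
    "OpenSSH": (5, 7),      # article: "The current version is 5.7"
    "Apache": (2, 2, 17),   # assumed policy minimum, not from the article
}

# Banner patterns: SSH identification string and HTTP Server header.
_SSH_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+(?:\.\d+)*)")
_APACHE_RE = re.compile(r"^Server:\s*Apache/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.10' into (2, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def identify(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version) for a recognised banner, else None."""
    m = _SSH_RE.match(banner)
    if m:
        return "OpenSSH", parse_version(m.group(1))
    m = _APACHE_RE.match(banner)
    if m:
        return "Apache", parse_version(m.group(1))
    return None


def is_outdated(banner: str) -> Optional[bool]:
    """True if the banner's version is below the policy minimum, False if it
    meets it, None when the banner is not a product we track."""
    found = identify(banner)
    if found is None:
        return None
    product, version = found
    return version < MIN_VERSIONS[product]


def audit(banners: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every tracked service below baseline."""
    findings = []
    for host, banner in banners:
        found = identify(banner)
        if found and is_outdated(banner):
            product, version = found
            findings.append((host, product, ".".join(map(str, version))))
    return findings


# Constructed sample inventory; hosts and banners are invented for illustration.
SAMPLE_BANNERS = [
    ("host-a", "SSH-2.0-OpenSSH_4.4"),
    ("host-b", "SSH-2.0-OpenSSH_5.7p1"),
    ("host-c", "Server: Apache/2.2.10"),
    ("host-d", "Server: Apache/2.2.17 (Unix)"),
    ("host-e", "Server: nginx/1.0.0"),   # untracked product, skipped
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_BANNERS):
        print(f"{host}: {product} {version} is below the policy minimum")
```

A banner check like this is a useful hygiene signal but not proof of an exploitable hole: many distributions backport security fixes while keeping the old version number, so a low version string should trigger a patch-status review, not a conclusion. That gap between "old banner" and "known vulnerability" is exactly what makes the article's version-based claims contestable.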
"Sony's other programs and services also do not reflect the current standards of security technology," Bild said. "For the criminals who later stole the personal information of over 100 million users, the dated protection mechanisms of the Sony servers therefore did not present an insurmountable obstacle.
"It appears that the corporate behemoth did not consider its server security to be that important – or that it had simply been asleep at the wheel. A cardinal error, because thanks to server scans and information in forums, the attackers were well-informed about Sony's security leaks. The users of the online services are now paying the price for this negligence."
Casting doubt on Bild's story, however, is its failure to reveal exactly which vulnerability was uncovered by Anonymous.
This absence was highlighted to Eurogamer by an informed source intimate with the PlayStation 3.
A Sony Germany spokesperson responded to Bild's accusations, saying, "I am not aware of any obsolete or unpatched server software."
Sony is in hot water with authorities over the hack and the security measures that were in place. The Japanese government this week halted Sony's plan to turn PSN back on – as it has done elsewhere – because it believes promised security countermeasures are "incomplete".
In the UK, independent watchdog the Information Commissioner's Office is in talks with the Japanese firm to determine whether it was in breach of the Data Protection Act. If it was in breach, it could be slapped with a £500,000 fine.
Last month Eurogamer's Digital Foundry revealed security failings that cast doubt on Sony's data protection methods.
"PSN vulnerabilities were well-known and being discussed in public months ago, and Sony didn't act soon enough," Digital Foundry wrote.