May 15, 2011
Sony Faces Continuing Security Issues
Three weeks after a widespread cyber attack on its networks, Sony Corp. remains vulnerable to further attacks, according to an Internet security expert.
The Sony PlayStation Network, Qriocity and Sony Online Entertainment were the victims of one of the biggest data breaches in history. Since the initial attacks, the expert has found a handful of security flaws in the networks while studying Sony's systems via the Internet to see how difficult they would be to penetrate.
John Bumgarner discovered the flaws by using little more than a web browser, Google's search engine and a basic understanding of Internet security systems.
"Sony still has several external security issues that need to be addressed," Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, told Reuters.
Sony did not respond on the potential security lapses that Bumgarner said he had found, but three of five flaws that Reuters pointed out to the company on Thursday were fixed later that day.
"The first and most important thing to note is that protecting our customers' data is a company-wide commitment that we take very seriously," a spokesman for Sony said in an emailed statement on Thursday.
Bumgarner stated, however, that several security flaws remain. He said he viewed only the parts of Sony's network that were visible over the Internet and did not attempt to break into password-protected sites or exploit any vulnerabilities.
Bumgarner said he found no evidence of further breaches beyond the two Sony had disclosed. But he said he was able to find accessible areas of the network's internal systems that would be useful to hackers.
Bumgarner's findings uncovered a number of security gaps.
Through a series of Google searches, Bumgarner was able to find a software program that Sony developed in 2001 to run a SonyStyle.com Christmas gift registry and sweepstakes program called Sony Santa.
Sony Santa gathered users' names, addresses and ages. The names and partial addresses of some 2,500 of those contestants were posted on a website.
Sony acknowledged the issue. A spokesman said the site had been taken down and that Sony is working to remove any residual links to the list.
Bumgarner also found a gateway to a server running an identity management system that apparently controls access to logins and passwords for employees of Sony Pictures Entertainment. He found that system using Google search.
Most companies try to hide those servers from the threat of potential hackers because the systems are linked to sensitive employee account data, he told Reuters.
Bumgarner said the domain on Sony Corporation of America's network where the application was located was carefully hidden from view, so casual surfers or web crawlers would not have been able to find it. But putting the URL in the file effectively piqued the interest of potential hackers, who would view it as a potential weak spot in Sony's networks, said Bumgarner.
Bumgarner located a server in the Sony network on May 4 that disclosed the names, Facebook IDs and IP addresses of Sony customers who played online games through Facebook. IP addresses allow somebody to track the general location of a player, he said.
Two days after releasing the discovery, Sony plugged the leak.
The company installed a security management system from Riverbed Technology on the server that leaked the Facebook data. Through May 10, Bumgarner was able to view an access screen to the Riverbed system that had the login field filled in with a user ID.
"No one should be able to point a web browser at Sony and see a security management console or find their identity management system that has been indexed by Google," said Bumgarner.
Sony fixed some of the discovered flaws after Reuters detailed them in an email.
Bumgarner's research showed that Sony's problems are more widespread than the company let on. Sony said that only its PlayStation Network and Sony Online Entertainment systems were hacked.
Most of the discovered flaws were in other Sony networks, said Bumgarner. Those networks included Sony Corporation of America, Sony Pictures Entertainment and Sony Electronics Corp.
Mikko Hypponen, chief research officer at computer security firm F-Secure, said Sony should have been more careful with its servers and networks.
"They've been running in circles for the past three weeks," he said.
"The first thing a consultant group or an Internet response group would do is run a basic vulnerability scan and that's what they would find," said Hypponen, referring to the lapses found by Bumgarner.
Security experts believe the hackers initially got access to Sony's networks through a "spear-phishing" attack that targeted a systems administrator who had privileges to access data on Sony's networks.
In "spear-phishing" scams, hackers create emails with personalized messages so that recipients think the email is safe and click on links or download attachments that install malicious software programs on their computers and then take over. Once a PC is compromised, hackers can use that computer as a base to launch more sophisticated operations.
Bumgarner, using Google searches, found a page on Sony's website that lists the names, email addresses and phone numbers of IT managers that hackers could have used to launch their spear-phishing attacks.