
PSN hack: Sony software "obsolete" German mag reveals hacker scan logs

Eurogamer

German magazine Computer Bild has uncovered evidence that suggests the PlayStation Network hack that left personal information tied to 77 million user accounts compromised was the result of Sony's "obsolete software".

The magazine claims to have received scan logs provided to it by hacker group Anonymous that indicate Sony servers were running "long-outdated" programs and web services prior to the 19th April attack.

These logs are the result of Anonymous' own scanning of Sony's servers for potential vulnerabilities that facilitate DDoS attacks.

"In some cases, the software versions had security holes that had been documented on the internet for years," Bild said.

"For example, the OpenSSH 4.4 service was used to encrypt data communication. The current version is 5.7, however. The version used by Sony has security holes that had already been known for five years."

Bild also accuses Sony of running servers with the "outdated" Apache version 2.2.10, which it says is "vulnerable to threats such as distributed denial-of-service attacks".

"Sony's other programs and services also do not reflect the current standards of security technology," Bild said. "For the criminals who later stole the personal information of over 100 million users, the dated protection mechanisms of the Sony servers therefore did not present an insurmountable obstacle.

"It appears that the corporate behemoth did not consider its server security to be that important – or that it had simply been asleep at the wheel. A cardinal error, because thanks to server scans and information in forums, the attackers were well-informed about Sony's security leaks. The users of the online services are now paying the price for this negligence."

Casting doubt on Bild's story, however, is its failure to reveal exactly which vulnerability was uncovered by Anonymous.

This absence was highlighted to Eurogamer by an informed source intimate with the PlayStation 3.

A Sony Germany spokesperson responded to Bild's accusations, saying, "I am not aware of any obsolete or unpatched server software."

Sony is in hot water with authorities over the hack and the security measures that were in place. The Japanese government this week halted Sony's plan to turn PSN back on – as it has done elsewhere – because it believes promised security countermeasures are "incomplete".

In the UK, independent watchdog the Information Commissioner's Office is in talks with the Japanese firm to determine whether it was in breach of the Data Protection Act. If it was in breach, it could be slapped with a £500,000 fine.

Last month Eurogamer's Digital Foundry revealed security failings that cast doubt on Sony's data protection methods.

"PSN vulnerabilities were well-known and being discussed in public months ago, and Sony didn't act soon enough," Digital Foundry wrote.

http://images.eurogamer.net/assets/articles//a/1/3/5/9/4/8/8/ss_preview_Some_Sony_servers_were_running_the_outdated_Apache_2_2_10_360x244_25719e90e791327a.jpg.jpg

http://images.eurogamer.net/assets/articles//a/1/3/5/9/4/8/8/ss_preview_The_Sony_servers_were_running_the_long_obsolete_OpenSSH_4_4_360x259_96c08ab8ad33412d.jpg.jpg

http://images.eurogamer.net/assets/articles//a/1/3/5/9/4/8/8/ss_preview_The_current_version_is_2_2_17_The_version_used_by_Sony_is_vulnerable_to_319x237_8280499751088e60.jpg.jpg

http://images.eurogamer.net/assets/articles//a/1/3/5/9/4/8/8/ss_preview_The_current_version_is_5_7_The_security_holes_of_the_version_that_Sony_used_to_295x219_b1143fbd7f8e91c0.jpg.jpg




So, there isn't any evidence of this being true and it's based on a 'my buddy told me this on this from a group with a shady history and a reason to lie', it's also odd that they mention that Japan says that Sony's new network is incomplete, when the original article I read only said that they wanted to check before it went up, they hadn't even inspected it yet.

In the end, everything Sony or any other promiscuous random group says can't be taken at face value, I'll wait until the court decides on what should be done, what has been done and what will happen in the future, because as I've recently found out, people throw around a lot of bullshit when things like this pop up and everyone has an agenda (protecting their company, getting hits on their site, keeping the heat off of them, revenge and etc).



Bet with Conegamer and AussieGecko that the PS3 will have more exclusives in 2011 than the Wii or 360... or something.

http://gamrconnect.vgchartz.com/post.php?id=3879752

If there were 77 million accounts compromised, some of which belonged to the same user, shouldn't the number of users affected be lower than the number of accounts? It certainly can't be 100 million.



This is one of the caveats of running open source software.  If they can identify what version you're running, you are at risk.  All they have to do is run through the list of bug fixes since that version and you have your ammo.  Hell most likely people already wrote scripts for certain vulnerabilities so all you need to do is pull the script off the shelf and point it in the direction desired.

 

While MS has its fair share of security issues, not all of them are publicly disclosed.

 



So it was anon?




sooooo...what else is new?



"I don't know what this Yamcha is, but it sounds just like Raditz."

Better be hacker proof now or the next time Sony is gonna have to cough up more than 2 free games!!!



... this is getting tiresome it seems like everyone thinks SONY's software was outdated and they all seem to point to random forum posts or was said in an IRC chat room. If it is false then it is pathetic of idiots who keep spreading it like propaganda, if it is true then we will find out when someone has better evidence than what is essentially hearsay.



radiantshadow92 said:

So it was anon?


Did you read the article?

"

The magazine claims to have received scan logs provided to it by hacker group Anonymous that indicate Sony servers were running "long-outdated" programs and web services prior to the 19th April attack.

These logs are the result of Anonymous' own scanning of Sony's servers for potential vulnerabilities that facilitate DDoS attacks."



radiantshadow92 said:

So it was anon?


Yes, it was Anonymous like 9/11 was Muslims 



Sig thanks to Saber! :D