Sony Knew About Old, Unpatched Server Software for Months: Researcher

Sony's PlayStation Network and Qriocity servers were apparently running obsolete, unpatched software, and had no firewall in place, both no-nos for any company, but definitely for a company as large as Sony, trying to run a cloud-based service.

In testimony in front of Congress on Wednesday, Dr. Gene Spafford of Purdue University said that security experts monitoring open Internet forums were aware months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Not only that, Spafford added that the "oversights" were "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches of Sony's PlayStation Network (PSN) and Qriocity services. Despite that, the warnings went unheeded.

Spafford is also Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS). His testimony, in PDF form, is here.

Sony was invited to attend the hearing, but declined. Instead, the company sent the letter (which we reported on earlier) explaining how the hacking of their systems, and promising that Sony's systems will be more secure in the future.
Tags:  Sony, PS3, Hackers, breach, SCEA