Even as Sony began restoring its PlayStation Network service, a researcher complains that several security issues remain unresolved.
Sony finally restored its PlayStation Network nearly a month
after the data breach that compromised more than 70 million user accounts, but Japanese
regulators remained skeptical that the company had properly secured its networks.
Sony began its phased restoration of the PlayStation Network
on May 14. To welcome users back, Sony rolled out a welcome-back package
with free games, movie rentals and virtual toys. The package would
be initially available to registered PSN and Qriocity users in North
America, according to Patrick Seybold, senior director of corporate communications
and social media. Users in other countries will receive the package when
service is fully restored in those regions.
Sony was forced to shut down PSN for half an hour early on
the morning of May 16 as users clamored to reset their passwords. Players first
had to download a firmware update for the PlayStation console and then change
their passwords for the gaming service. The volume of password-reset email messages
being generated automatically slowed down the servers.
"From all of us at PlayStation, thank you and welcome back!"
Seybold wrote on the Sony blog. The package was a way to thank users for their "patience,
support and continued loyalty during the service outage," according to Seybold.
The entertainment giant shut down PSN and Qriocity
on April 20 without any warning. The company admitted six days later that its network
had been compromised and attackers had stolen user account data. It kept the
services offline while it ostensibly fixed issues
and improved security measures.
Yet Sony's sites remained "vulnerable to attack" three weeks after attackers
compromised PlayStation Network, Qriocity and Sony Online Entertainment,
Bumgarner, chief technology officer of the United States Cyber-Consequences
Unit, told Reuters. According to its Website, the US-CCU is an independent, nonprofit research institute that provides
the United States government with economic and strategic assessments of the
consequences of possible cyber-attacks.
Bumgarner claims he uncovered a host of security problems
using targeted Google searches. He did not attempt to break into
password-protected pages or exploit any vulnerabilities. His goal was to find
security flaws on pages that were readily accessible.
"No one should be able to point a Web browser at Sony
and see a security management console or find their identity management system
that has been indexed by Google," Bumgarner told Reuters.
Bumgarner found other exposures on Sony Websites, including
those of Sony Corporation of America, Sony Pictures Entertainment and Sony
Electronics. He came across Sony Santa, an old gift-card registry sweepstakes
that collected customers' personal information. He also found an access point
to a server running an identity management system that contained logins and
passwords for Sony Pictures Entertainment employees. Bumgarner also found, via
Google search, a page that listed the names, email addresses and phone numbers of
IT managers, information that could be used to launch a spear-phishing attack.
In a robots.txt file, which tells search-engine crawlers which
sections of a site should not be indexed, Bumgarner found a link to an
internal password-protected application. On May 4, Bumgarner came across a
server that provided him with the names, Facebook IDs and IP addresses of Sony
customers playing games through Facebook. As late as May 10, he could view the
login screen of a Riverbed Technology security management appliance Sony had
deployed, with the user ID already pre-populated.
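The robots.txt exposure above is one a site owner can catch before a researcher or attacker does. As an added illustration (not code from this article, from Bumgarner or from Sony), the Python script below audits a robots.txt file: it parses the Disallow entries, flags paths that look like administrative, login or identity-management applications, and builds the search query (Google's site: and inurl: operators) that checks whether each path has already been indexed despite the rule. The sample robots.txt, its paths and the example.com host are constructed for the example, and the list of "sensitive" path patterns is a heuristic assumption, not a standard.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample robots.txt in the shape of the file described above.
# The paths are invented for illustration; none is taken from Sony's sites.
SAMPLE_ROBOTS = """\
# crawler policy
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /admin/console/      # internal management console
Disallow: /idm/login.jsp
Disallow: /promo/santa/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""

# Path fragments that usually mark an administrative, authentication or
# identity-management application rather than ordinary content. This is a
# heuristic list (an assumption of this example), not a standard; extend it
# for the estate being reviewed.
SENSITIVE_PATTERNS = (
    r"admin", r"console", r"manage", r"login", r"auth", r"\bidm\b",
    r"identity", r"sso", r"intranet", r"backup", r"\.bak$", r"\.old$",
)


def parse_robots(text):
    """Return (directive, value) pairs from robots.txt, comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def disallowed_paths(text):
    """Every non-empty Disallow value, in file order."""
    return [v for d, v in parse_robots(text) if d == "disallow" and v]


def flag_sensitive(paths, patterns=SENSITIVE_PATTERNS):
    """Paths whose name matches any sensitive-looking pattern."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [p for p in paths if any(c.search(p) for c in compiled)]


def index_check_query(base_url, path):
    """Search query (site: and inurl: operators) to check whether the path
    has already been indexed despite the Disallow rule."""
    host = urlsplit(base_url).netloc
    return f"site:{host} inurl:{path}"


def audit(text, base_url):
    """Full URL and index-check query for each flagged Disallow entry."""
    return [
        {"url": urljoin(base_url, p), "query": index_check_query(base_url, p)}
        for p in flag_sensitive(disallowed_paths(text))
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROBOTS, "https://www.example.com/"):
        print(finding["url"], "->", finding["query"])
```

The point of the audit is that a Disallow line is advisory: it keeps well-behaved crawlers out but also hands anyone who reads the file a map of the paths the owner least wants found. Anything the script flags should either be taken off the public host or put behind authentication that does not depend on obscurity, and the generated query shows whether the damage is already done.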
"Sony still has several external security issues that
need to be addressed," said Bumgarner.
Even though Sony has restored services in North America,
Europe, the Middle East, Australia and New Zealand, the company is still
waiting for approval from Japanese regulators before resuming operations in the
Asia-Pacific region. The regulators were not convinced the networks had been
properly secured, Kazushige Nobutani, director of Japan's Media and Content
Industry department at the Ministry of Economy, Trade and Industry, told Dow Jones.
Japanese government officials were concerned that Sony
had not shown how the new defenses it has implemented are "good
enough" compared with what was in place before. The ministry
was also unconvinced that Sony had a solid plan in place to protect the
security of cardholder data, Nobutani told Dow Jones.
The welcome package gives customers a choice of two PlayStation
3 games or two PlayStation Portable games. The games will be available for 30 days
after the online store comes back online, according to Sony. Customers will
also receive a selection of free movie rentals and 100 virtual items. Users without a
PlayStation Plus subscription will get a free 30-day membership, while existing subscribers will receive
30 extra days. Sony promised more free content to come.
Sony Online Entertainment, turned off since May 2, will also
offer additional gaming perks when it comes back online.