Sony PlayStation Network Returns to Service, Security Problems Remain

Even as Sony began restoring its PlayStation Network service, a researcher complains that several security issues remain unresolved.

Sony finally restored its PlayStation Network nearly a month after the data breach that compromised more than 70 million user accounts. Japanese regulators remained skeptical that the company had properly secured its infrastructure.

Sony began its phased restoration of the PlayStation Network on May 14. To welcome users back, Sony rolled out a welcome-back package with free games, movie rentals and virtual toys. The package would be initially available to registered PSN and Qriocity users in North America, according to Patrick Seybold, senior director of corporate communications and social media. Users in other countries will receive the package when service is fully restored in those regions.

Sony was forced to shut down PSN for half an hour early in the morning on May 16 as users clamored to reset their passwords. Players first had to download a firmware update for the PlayStation console and then change their passwords for the gaming service. The large number of email messages automatically being generated slowed down the servers.

"From all of us at PlayStation, thank you and welcome back!" Seybold wrote on the Sony blog. The package was a way to thank users for their "patience, support and continued loyalty during the service outage," according to Seybold.

The entertainment giant shut down PSN and Qriocity on April 20 without any warning. The company admitted six days later that its network had been compromised and attackers had stolen user account data. It kept the services offline as it ostensibly fixed issues and improved security measures.

Sony's computer networks remained "vulnerable to attack" three weeks after attackers compromised PlayStation Network, Qriocity and Sony Online Entertainment, John Bumgarner, chief technology officer of the United States Cyber-Consequences Unit, told Reuters. According to its Website, the US-CCU is an independent, nonprofit research institute that provides the United States government with economic and strategic assessments of the consequences of possible cyber-attacks.

Bumgarner claims he uncovered a host of security problems using targeted Google searches. He did not attempt to break into password-protected pages or exploit any vulnerabilities. His goal was to find security flaws on pages that were readily accessible.

"No one should be able to point a Web browser at Sony and see a security management console or find their identity management system that has been indexed by Google," Bumgarner told Reuters.

Bumgarner found other exposures on Sony's network sites, including those of Sony Corporation of America, Sony Pictures Entertainment and Sony Electronics. He came across Sony Santa, an old gift card registry sweepstakes that collected customers' personal information. He also found an access point to a server running an identity management system that contained logins and passwords for Sony Pictures Entertainment employees. Bumgarner also found, via Google search, a page that listed the names, email addresses and phone numbers of IT managers, information that could be misused to launch a spear-phishing attack.

In a file that instructs search-engine spiders which sections of the site should not be catalogued, Bumgarner found a link to an internal password-protected application. On May 4, Bumgarner came across a server that provided him with names, Facebook IDs and IP addresses of Sony customers playing games through Facebook. As late as May 10, he could view a login screen for the Riverbed Technology security management appliance Sony had deployed, with the user ID already pre-populated.
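The robots.txt disclosure described above is easy to check for on your own sites. The following is an added example, not from the article: it parses a constructed robots.txt body (the paths are made up, not Sony's) and flags Disallow entries that advertise internal or authenticated applications, which is exactly what a defender would want to catch before a search engine or a researcher does.

```python
import re

# Constructed sample robots.txt, modelled on the kind of disclosure the
# article describes. The paths are invented for illustration.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /images/
Disallow: /tmp/
Disallow: /internal/hr-portal/login   # should never have been listed here
Disallow: /admin/console
Disallow: /public/press/
"""

# Path fragments that suggest an internal or login-protected application.
# The list is an assumption; extend it for your own naming conventions.
SENSITIVE_HINTS = ("admin", "internal", "login", "console",
                   "manage", "private", "staff")


def parse_disallow(robots_txt: str) -> list[str]:
    """Return every Disallow path listed in a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if m:
            paths.append(m.group(1))
    return paths


def flag_sensitive(paths: list[str]) -> list[str]:
    """Return the subset of paths whose segments hint at internal apps."""
    return [p for p in paths
            if any(h in p.lower() for h in SENSITIVE_HINTS)]


def audit(robots_txt: str) -> list[str]:
    """Full check: parse, then flag. Empty result means nothing suspicious."""
    return flag_sensitive(parse_disallow(robots_txt))


if __name__ == "__main__":
    for p in audit(SAMPLE_ROBOTS_TXT):
        print("robots.txt advertises a path that looks internal:", p)
```

A path that must stay out of search indexes but is also sensitive belongs behind authentication and a `noindex` response header, not in a world-readable exclusion list.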

"Sony still has several external security issues that need to be addressed," said Bumgarner.

Even though Sony has restored services in North America, Europe, the Middle East and Australia and New Zealand, the company is still waiting for approval from Japanese regulators before resuming operations in the Asia-Pacific region. The regulators were not convinced the networks have been properly secured, Kazushige Nobutani, director of Japan's Media and Content Industry department at the Ministry of Economy, Trade and Industry, told Dow Jones Newswire.

Japanese government officials were concerned that Sony had not shown how the new defenses it implemented were "good enough" compared with what was in place before. The Ministry of Economy was also unconvinced that Sony had a solid plan in place to protect the security of cardholder data, Nobutani told Dow Jones.

The welcome package gives customers a choice of two PlayStation 3 games or two PlayStation Portable games. The games will be available for 30 days after the online store comes back online, according to Sony. Customers will also receive a selection of free movie rentals and 100 virtual items. Non-PSN subscribers will get a free 30-day membership, while existing customers will receive 30 extra days. Sony promised more free content to come.

Sony Online Entertainment, turned off since May 2, will also offer additional gaming perks when it comes back online.