Sony: We knew PSN security flaws

By Rob Crossley

May 4th 2011 at 12:06PM

'We have to admit we were not fully sufficient' exec admits

Sony was internally aware of security shortcomings before its PlayStation Network was hacked, the company has said.

Sony chief information officer Shinji Hasejima this week conceded at a Tokyo press conference that security measures could have been improved.

“The vulnerability [of the network] was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it,” he said.

“We are now trying to improve aspects of it.”

Shiro Kambe, the senior vice president at Sony, also apologised for the oversight.

“We thought we had taken enough management and control measures [to ensure the network was secure], but looking back, there might have been room for further enhancement,” he said.

“We have to admit we were not fully sufficient.”

Over 100 million PlayStation Network and Sony Online Entertainment accounts were exposed by an unauthorised user last month.

Around ten million credit cards stored on Sony’s servers may have been stolen, the company warned. A criminal investigation is underway in the US, though not in Japan – implying the hacker was based in the US.

Sony repeatedly apologised at the press conference, beginning and ending the meeting with a ‘deep bow’.

The company said the attack exploited vulnerabilities in its web application server.

Rik Ferguson, both a PlayStation user and computer security expert at Trend Micro, said lax security controls for digital networks are not out of the ordinary.

“Unfortunately, it is common for companies to run servers that they know have vulnerabilities,” he told Develop.

“In the enterprise world, companies want maximum up-time. They don’t want to take their servers down, so they try to balance security with up-time.

“So companies try to deliver security patches in a bunch, say every few months. This of course means there’s a period of time when these vulnerabilities are not secured.

“Sadly a lot of companies are doing things this way.”