from Hacker News

Sony was running unpatched Apache with no firewall for months before breach

by joshes on 5/5/11, 5:12 PM with 65 comments

  • by ZoFreX on 5/5/11, 7:05 PM

    If I see one more article on this incident that abuses the word "firewall" I'm going to hurt someone. Surely Apache is either accessible via port 80, or it isn't. What would a firewall do to mitigate vulnerabilities in a webserver?
  • by JoachimSchipper on 5/5/11, 5:56 PM

    Not part of this article: Sony ran unpatched Apache on a system actually containing sensitive data, Sony was actually hacked via unpatched Apache.
  • by mrcharles on 5/5/11, 5:50 PM

    I have a feeling the upcoming lawsuits against Sony aren't going to go well.
  • by jswanson on 5/6/11, 2:36 AM

    I've worked in IT in Japan for a little over 5 years now.

    Getting people to /allow/ you to patch servers is like pulling teeth. Seriously.

    If the OS itself is so far out of date that you can hardly find patches for it anymore, the issue is even worse.

    The mere specter of something possibly breaking is usually reason enough in many people's minds to not prioritize security updates, or in some cases, flat out disallow them.

    Sadly.

    Edit: keep in mind that this is anecdotal, I'm sure there are companies that patch their servers properly.

  • by PatrickTulskie on 5/5/11, 9:31 PM

    An unpatched Apache is hardly an Apache at all.
  • by foobarbazetc on 5/6/11, 3:40 AM

    This is bullshit.

    If they're running RHEL (which is likely), the version number doesn't mean anything, since Red Hat backports all security patches.

  • by teyc on 5/6/11, 1:50 AM

    There is no mention of missing firewall in the report.

    http://republicans.energycommerce.house.gov/Media/file/Heari...

    Quote:

      In the Sony case, the majority of the victims are likely young people whose sense of risk, privacy and 
      consequence are not yet fully developed, and thus they may also not understand the full 
      ramifications of what has happened.  Presumably, both companies are large enough that they 
      could have afforded to spend an appropriate amount on security and privacy protections of 
      their data; I have no information about what protections they had in place, although some 
      news reports indicate that Sony was running software that was badly out of date, and had 
      been warned about that risk.
  • by heyrhett on 5/5/11, 5:39 PM

    What version was it running? Can anyone point to an explanation of the exploit?
  • by fosk on 5/6/11, 8:59 AM

    Does anybody know what those hackers did to breach the servers?
  • by phlux on 5/5/11, 5:51 PM

    I would wonder if whoever their sys ad was deliberately left their perimeter weak.

    Also, did they never do a security audit??

  • by dirtyhand on 5/5/11, 6:10 PM

    No phoenix firewall? pft