Published June 23, 2011
BOSTON – Sony Corp's computer networks remain vulnerable to attack three weeks after the company learned that it had been victim of one of the biggest data breaches in history, according to an Internet security expert.
The expert found a handful of security flaws in Sony's networks while remotely studying its systems via the Internet to see how difficult it would be to penetrate the electronics giant's systems in the wake of the attacks.
Security researcher John Bumgarner discovered a potential bonanza for hackers by using little more than a web browser, Google's search engine and a basic understanding of Internet security systems.
"Sony still has several external security issues that need to be addressed," said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a research group funded by government and private sector grants that monitors Internet threats.
Bumgarner, a well-regarded Internet security researcher and U.S. military special operations veteran, identified a handful of flaws that would be easy for a hacker to identify and potentially exploit.
Sony did not respond directly to Reuters on the security lapses that Bumgarner said he had uncovered, but three of five flaws that Reuters pointed out to the company on Thursday were fixed later in the day.
"The first and most important thing to note is that protecting our customers data is a company-wide commitment that we take very seriously," a Sony spokesman said in an email on Thursday. Sony officials did not return calls seeking further comment on Friday.
It was not immediately clear if the identified security gaps allowed for access to active or defunct systems.
Several flaws remain, according to Bumgarner, who said he had viewed only parts of Sony's network that were visible over the Internet and did not attempt to break into password-protected sites or exploit any vulnerabilities.
He found no evidence of breaches beyond the two Sony has disclosed. But he said he was able to find gateways to internal systems and locate data that would be useful to hackers by using simple techniques that he shared with Reuters.
The techniques uncovered a number of security gaps.
Through a series of Google searches, Bumgarner was able to find a software program that Sony developed in 2001 to run a SonyStyle.com Christmas gift registry and sweepstakes program called Sony Santa.
That program gathered users' names, addresses and ages. The names and partial addresses of some 2,500 of those sweepstakes contestants were posted on a website.
Sony said on Thursday that it learned of the error on May 5. The site has been taken down and Sony is working to remove any residual links to the list, a spokesman said.
Bumgarner also found an access point to a server running an identity management system that he said controls access to logins and passwords for employees throughout Sony Pictures Entertainment. He located that system by conducting a Google search using the terms "site:.Sony.com identity."
Most companies attempt to hide these servers from the prying eyes of potential hackers because these systems are linked to sensitive employee account data, he said.
In a file on Sony's website that tells search-engine crawlers which sections of the site Sony wants them to avoid cataloging, the company provided a link to an internal password-protected software application.
Bumgarner said the domain on Sony Corporation of America's network where the application was located was carefully hidden from view, so a web crawler or casual surfer would not have located it. But putting the URL in the file effectively served as a red flag to potential hackers who might see it as a potential weak spot in Sony's armor, Bumgarner said.
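A defensive check for the disclosure described above, as an added example that is not part of the original article: it scans a crawler-exclusion file (conventionally robots.txt) for rules that name another host or contain sensitive-looking keywords. The keyword list, hostnames and sample file are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed keyword list; tune it to your own naming conventions.
SENSITIVE_HINTS = ("admin", "login", "identity", "internal", "console", "intranet")

# Constructed sample for illustration; hosts and paths are placeholders.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /search
Disallow: /tmp/   # scratch area
Disallow: https://apps.corp.example/portal/login
Disallow: /hr/identity-manager/
Allow: /press/
"""


def audit_robots(text, site_host):
    """Return (line_no, value, reasons) for each rule that advertises a sensitive location."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() not in ("disallow", "allow") or not value:
            continue
        reasons = []
        # Rules should be paths on this site; a full URL reveals another system.
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        if parts.scheme and host and host != site_host.lower():
            reasons.append("names another host: " + host)
        # Paths that describe what they protect tell a reader where to look.
        for hint in SENSITIVE_HINTS:
            if hint in value.lower():
                reasons.append("sensitive keyword: " + hint)
        if reasons:
            findings.append((line_no, value, reasons))
    return findings


if __name__ == "__main__":
    for line_no, value, reasons in audit_robots(SAMPLE_ROBOTS, "www.example.com"):
        print(f"line {line_no}: {value} -> {'; '.join(reasons)}")
```

Entries flagged this way are better protected by authentication and network controls than by listing them in a publicly readable file.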
On May 4, Bumgarner located a server in the Sony network that disclosed the names, Facebook IDs and IP addresses of Sony customers who were playing online games through Facebook.
The company installed a security management system from Riverbed Technology on the server that leaked the Facebook data. Bumgarner was able to view an access screen to the Riverbed system that had the login field filled with a user ID through May 10.
"No one should be able to point a web browser at Sony and see a security management console or find their identity management system that has been indexed by Google," he said.
Sony has fixed some of the flaws after Reuters detailed them in an email. They include removing the file from its website that tells search-engine crawlers which sections of the site to avoid cataloging. Sony disabled access to the password-protected application that the file originally pointed to and eliminated access to the Riverbed security system.
Bumgarner's research showed that the problems with Sony's systems are more widespread than the company has acknowledged. Sony has said that only its PlayStation Network and Sony Online Entertainment systems were hacked.
Most of the flaws that Bumgarner discovered were in other Sony networks -- that of the Sony Corporation of America, Sony Pictures Entertainment and Sony Electronics Corp.
Security experts say companies need to be discerning when deciding which servers to expose to the Internet.
Many of the flaws that Bumgarner discovered were identified with a tactic known among hackers and security experts as "Google hacking" -- using the search engine's advanced features to find information that would be of use to hackers.
He found the Sony Santa program by searching for items on Sony's network written in Microsoft Excel format (site:.sony.com filetype:xls).
Mikko Hypponen, chief research officer at computer security firm F-Secure, said Sony should have been more careful.
"They've been running in circles for the past three weeks," Hypponen said.
"The first thing a consultant group or an Internet response group would do is run a basic vulnerability scan and that's what they would find," he said, referring to the lapses found by Bumgarner.
Security experts have said they believe the hackers initially gained access to Sony's network through a "spear-phishing" attack that targeted a systems administrator who had broad privileges to access data on Sony's networks.
In "spear-phishing" campaigns, hackers craft e-mails with personalized messages so that the recipients let their guard down and click on links or download attachments that launch malicious software programs that take over their computers.
Once one PC is corrupted, hackers can use that machine as a base from which to launch sophisticated operations, such as the attacks on Sony's networks.
Bumgarner found a page on Sony's website that lists the names, e-mail addresses and phone numbers of IT managers that he said the hackers could have used to launch a spear phishing attack. He found that information through Google searches.
(Additional reporting by Liana B. Baker; Editing by Ken Li and Ted Kerr)