Security expert claims Sony ignored reports of server vulnerability

Friday, 6 May 2011 03:29 GMT By Brenna Hillier

Cyber-security expert Dr. Gene Spafford has told the U.S. House of Representatives’ Subcommittee on Commerce, Manufacturing and Trade that Sony allegedly ignored reports of gaping vulnerabilities on its servers.

Spafford, a professor of Computer Science at Indiana’s Purdue University, was asked to elaborate on the suggestion in his testimony that Sony had not taken adequate security measures against hacking.

“On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony network … had discovered that the network servers were hosted on … very old versions of Apache software that were unpatched and had no firewall installed,” he replied.

“These were potentially vulnerable, and that they had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software.”

Asked when this took place, Spafford answered “two to three months prior to the incident where the break-ins occurred”.

In written testimony, Spafford added that he has “no information about what protections [Sony] had in place”, but cited news reports suggesting these protections were inadequate.

Thanks, Destructoid.