Sony 'vulnerable to more cyber attack'
Tokyo, May 14, 2011
Sony Corp's computer networks remain vulnerable to attack three weeks after the company learned that it had been the victim of one of the biggest data breaches in history, according to an Internet security expert.
The expert found a handful of security flaws in Sony's networks while remotely studying its systems via the Internet to see how difficult it would be to penetrate the electronics giant's systems in the wake of the attacks.
Security researcher John Bumgarner discovered a potential bonanza for hackers by using little more than a web browser, Google's search engine and a basic understanding of Internet security systems.
"Sony still has several external security issues that need to be addressed," said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a research group funded by government and private sector grants that monitors Internet threats.
Bumgarner, a well-regarded Internet security researcher and U.S. military special operations veteran, identified a handful of flaws that would be easy for a hacker to identify and potentially exploit.
Sony did not respond directly to Reuters on the security lapses that Bumgarner said he had uncovered, but three of five flaws that Reuters pointed out to the company on Thursday were fixed later in the day.
"The first and most important thing to note is that protecting our customers' data is a company-wide commitment that we take very seriously," a Sony spokesman said in an email on Thursday. Sony officials did not return calls seeking further comment on Friday.
It was not immediately clear if the identified security gaps allowed for access to active or defunct systems.
Several flaws remain, according to Bumgarner, who said he had viewed only parts of Sony's network that were visible over the Internet and did not attempt to break into password-protected sites or exploit any vulnerabilities.
He found no evidence of breaches beyond the two Sony has disclosed. But he said he was able to find gateways to internal systems and locate data that would be useful to hackers by using simple techniques that he shared with Reuters.
The techniques uncovered a number of security gaps.
Through a series of Google searches, Bumgarner was able to find a software program that Sony developed in 2001 to run a SonyStyle.com Christmas gift registry and sweepstakes program called Sony Santa.
That program gathered users' names, addresses and ages. The names and partial addresses of some 2,500 of those sweepstakes contestants were posted on a website.
Sony said on Thursday that it learned of the error on May 5. The site has been taken down and Sony is working to remove any residual links to the list, a spokesman said.