Sony alleges Anonymous involvement in PSN outage

Thu 05 May 2011 8:09am GMT / 4:09am EDT / 1:09am PDT
Legal

Kaz Hirai pens lengthy letter to congress UPDATE: Anonymous denies involvement with CC theft

UPDATE

Anonymous has issued a press statement denying any involvement with the theft of credit card details from Sony's servers, although it doesn't go as far as to distance itself from the denial of service attacks which Sony claims weakened its defences enough to allow hackers access.

The hacktivist collective issued a letter in response to Sony mentioning the group in a letter to a US congress hearing, as reported below. The full press release from Anonymous can be read here.

Original story

Sony has intimated that loose hacking collective Anonymous may be involved in the PSN security breach currently engulfing the company, after revealing that investigators found a file bearing the group's name and motto on a hacked server.

In a lengthy letter to the US congressional hearing currently taking place on recent digital security breaches, SCEA president Kaz Hirai addressed several issues raised by the committee and appeared to link the recent attacks to Anonymous.

Hirai's letter states that on Sunday, investigators had discovered "that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion.'"

That epithet has appeared on several of Anonymous' communications and press releases and is considered to be something of a calling card. Hirai went on to point out that, only shortly before the most recent attack, Anonymous had claimed responsibility for a denial of service attack on Sony in protest at the company's prosecution of George 'Geohot' Hotz.

"Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous," wrote Hirai. "The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker."

The letter is a response to a congressional request for answers to thirteen questions regarding the breach, one of which asks directly whether Sony has identified the culprits. Hirai's answer was "no".

Elsewhere, Hirai attempted to explain what many have seen as a tardy reaction to the crisis, particularly the delay in informing customers about the potential theft of important details.

"I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers. I hope you can appreciate the extraordinary nature of the events the company was facing, brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable. I believe that after you review all the facts you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers.

"We have been investigating this intrusion around the clock since we discovered it, and that investigation continues today. Just this past Sunday, May 1st, we learned that a likely theft from another Sony company's online service had previously gone undetected, even after highly trained technical teams had examined the network infrastructure that had been attacked around the same time as the PlayStation Network.

"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes. Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point."

However, Hirai's attempts at ameliorating the concerns of the congressional hearing fell upon the relatively deaf ears of Rep. Mary Bono Mack, chair of the Subcommittee on Commerce, Manufacturing, and Trade. Apparently unsatisfied with Sony's excuses for not attending the hearing, Bono Mack called the response to the crisis "half-hearted and half-baked".

"[Sony and Epsilon] must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits 'enter'," sister site Industry Gamers reports Bono Mack as saying.

"As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable."

"According to Epsilon [another company which suffered a recent security breach], the company did not have time to prepare for our hearing - even though its data breach occurred more than a month ago. Sony, meanwhile, says it's too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them..."

"Yet for me, the single most important question is simply this: Why weren't Sony's customers notified sooner of the cyber attack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony - as well as all other companies-have an overriding responsibility to alert them... immediately."

"In Sony's case, company officials first revealed information about the data breach on their blog. That's right. A blog. I hate to pile on, but - in essence - Sony put the burden on consumers to 'search' for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."

Read Hirai's full letter to the hearing elsewhere on GamesIndustry.biz

17 Comments

robert troughton
Managing Director

220 93 0.4
Banks and the government, simply, need to change the way that online payments are transacted... credit card numbers should never be stored by the companies that you're purchasing from. If Sony can be hacked, what about all the smaller sites..? And if Sony didn't even notice the hacking of SOE until after the PSN hack was noticed, how many other companies could've had their information stolen without realising...?

Hearing Sony being blamed by Congress worries me. Companies shouldn't be punished for not having good enough security - they should simply not be allowed to store the information that the hackers are after. That information should be stored by the banks - or the governments.

Edited 1 time. Last edit by robert troughton on 5th May 2011 10:53am

Posted:3 years ago

#1

Marty Greenwell
Software Developer

56 38 0.7
Surely that's a punishment?

There is no need to store credit card numbers so long as the customer is prepared to enter a credit card number each time. Payment systems I've worked on queried the CC service provider with a credit hold request for the full value of the transaction, the return is a card validity code and a transactionID. The transactionID is stored and when the product is ready to despatch, the transactionID is sent to the CCSP to fulfil the payment. Though I suspect you're talking more about storing some random identifier that links to an account valid for that merchant only which can be used for multiple transactions.

Ultimately Sony is to blame though: I expect hackers to hack systems, but I also expect the data the companies hold to be properly protected and safeguarded - if this hack was done through known and patchable vulns Sony deserve a slapping.

Oh, and blaming Anonymous because they found a file labeled Anonymous? Weaker than my 90 year old gran's bladder that one.

Edited 1 time. Last edit by Marty Greenwell on 5th May 2011 11:11am

Posted:3 years ago

#2

Jake Clayton

54 0 0.0
This is complete hogwash.

it goes against everything anonymous stands for.

Posted:3 years ago

#3

James Boulton
Tools & Tech Coder

133 170 1.3
"Companies shouldn't be punished for not having good enough security"

What? Of course they should. If you put your money in a bank and find out they just chuck all your cash in a bin outside the back door, you'd expect something to be done about it would you not? Personal information like this these days is tantamount to cash.

Sony are holding your personal data, they need to comply with the Data Protection Act, and by the sounds of it whether they have or not is questionable. If they haven't complied with a law, they should be punished. Simple as that. They are under obligation to protect their paying customers data.

Personally I would think this entirely what a group of hackers would do to make an example of a corporation over personal rights infringements. I can't think of a more serious way to cause damage to be honest. Whether the data stolen will ever be used is entirely irrelevant now. And if you believe Anonymous to be moral, then just hacking the machines and leaving a calling card is enough to cause the damage without any theft of data.

And to not have up-to-date security patches on a production server which deals with personal banking details really is shockingly poor.

Posted:3 years ago

#4

Thomas Bahon
Head of Payment Services

26 1 0.0
@Marty Greenwell

Keeping track of credit card numbers on the company side is helpful to do some velocity checks, for instance.
A 1-click order is a great marketing tool, but most of the time recorded personal data is mainly used to fight against fraud.
In order to keep credit numbers, SONY must be PCI Compliant. Meaning, they need to secure their entire system and must be audited by a third-party company approved by the PCI Compliance Council.
If SONY doesn't respect these rules, the company could be fined by Visa (a big big fine).

In this case, the security has been broken, but it doesn't mean there was a weak security.

Posted:3 years ago

#5
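The auth-then-capture flow Marty Greenwell describes (#2) and the velocity checks Thomas Bahon mentions (#5) can both be served without the merchant ever persisting a card number. The following is an added example, not code from either commenter, from Sony, or from any real payment provider: the card service provider (CCSP) with its authorize/capture/void calls and its HMAC-based card token are hypothetical stand-ins for a real provider's API, and the test card number is a constructed Luhn-valid value, not a real card.

```python
"""Added example, not code from the commenters or from any real payment
provider: a merchant that stores an opaque transaction ID and a per-card
token instead of the card number. The CCSP (authorize/capture/void) and its
HMAC tokenisation are hypothetical stand-ins for a real provider's API."""
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(number: str) -> bool:
    """Luhn checksum; stands in for the provider's card validity check."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardServiceProvider:
    """Simulated CCSP. Sees the card number only for the duration of the
    authorize() call and hands back opaque identifiers."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # provider-side token key, never leaves here
        self._holds = {}                          # tx_id -> held amount (minor units)

    def authorize(self, card_number: str, amount: int):
        """Place a hold for the full amount; returns None if the card is declined."""
        if not luhn_ok(card_number):
            return None
        tx_id = secrets.token_hex(16)
        self._holds[tx_id] = amount
        # Stable per-card token: same card -> same token, but the merchant
        # cannot recover the card number from it (keyed HMAC, key stays here).
        token = hmac.new(self._secret, card_number.encode(), "sha256").hexdigest()
        return {"tx_id": tx_id, "card_token": token, "code": "APPROVED"}

    def capture(self, tx_id: str) -> bool:
        """Settle a hold; a hold can be captured at most once."""
        return self._holds.pop(tx_id, None) is not None

    def void(self, tx_id: str) -> None:
        """Release a hold the merchant decided not to use."""
        self._holds.pop(tx_id, None)


@dataclass
class Order:
    order_id: int
    amount: int
    tx_id: str          # what the merchant needs to take the money later
    card_token: str     # what the merchant needs for velocity checks
    dispatched: bool = False


class Merchant:
    def __init__(self, ccsp: CardServiceProvider, velocity_limit: int = 3):
        self.ccsp = ccsp
        self.orders = {}                 # order_id -> Order; no card numbers here
        self.velocity_limit = velocity_limit

    def orders_for_token(self, card_token: str) -> int:
        """Velocity check keyed on the token, not on the card number."""
        return sum(1 for o in self.orders.values() if o.card_token == card_token)

    def place_order(self, card_number: str, amount: int):
        """Returns an order id, or None if the card was declined or the
        velocity limit for this card token is exceeded. The card number is a
        local variable only; nothing below persists it."""
        auth = self.ccsp.authorize(card_number, amount)
        if auth is None:
            return None
        if self.orders_for_token(auth["card_token"]) >= self.velocity_limit:
            self.ccsp.void(auth["tx_id"])    # do not leave a dangling hold
            return None
        order_id = len(self.orders) + 1
        self.orders[order_id] = Order(order_id, amount, auth["tx_id"], auth["card_token"])
        return order_id

    def dispatch(self, order_id: int) -> bool:
        """Capture the hold when goods ship; a second dispatch of the same
        order returns False because the hold is already settled."""
        order = self.orders[order_id]
        if order.dispatched or not self.ccsp.capture(order.tx_id):
            return False
        order.dispatched = True
        return True

    def stored_columns(self):
        """What a dump of the merchant's order table would expose."""
        return sorted(Order.__dataclass_fields__)


TEST_CARD = "4111111111111111"   # constructed Luhn-valid test number, not a real card
```

The point of the design is what `stored_columns()` returns: a breach of the merchant database yields transaction IDs and tokens that are useless without the provider's key, while the merchant still gets repeat-purchase and velocity logic. Real providers expose this under names such as tokenisation or network tokens; the calls here are an assumed shape, not any vendor's API.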

Paul Shirley
Programmers

178 150 0.8
It's quite ludicrous for Sony to pretend this is anything but their own incompetence. The 'excuse' is apparently that any criminals rich enough to hire a botnet for a few days can't be defended against.

Bullshit.

In the middle of a DDOS attack they should be increasing surveillance of the critical areas, not chasing what could just be part of the attack. Other companies are smart enough to hire in professionals to deal with DDOS events. The very fact they thought anonymous was behind a DDOS and that they did let themselves be distracted, inevitably suggests they know anonymous has nothing to do with that file because it's not their MO.

If anonymous had reached deep enough to plant files we'd have seen every public facing Sony asset covered in embarrassing messages. Not a file that took days to find. I'd suggest Sony themselves, one of the recently sacked Sony support staff or the actual criminals are all infinitely more likely to have planted that 'evidence'.

Sony need to man up and stop making stuff up.

Posted:3 years ago

#6

Marty Greenwell
Software Developer

56 38 0.7
I know they must be PCI Compliant, but I'd suggest recorded personal data is mainly used for marketing and data mining purposes ;)

Unfortunately it's this data that doesn't fall under the same level of compliance and perhaps it really should. Due to the usage purposes, chances are it's plain text, broad access and hell, maybe even with a general login with the dbowner box ticked, all helping open the doors to SQL injection vulns.

Of course this is hearsay because we don't at the moment know the attack methods used, and probably never will - but I'm certainly not happy with the detail level of personal information lost and I would expect more than a token security effort.

Edited 1 time. Last edit by Marty Greenwell on 5th May 2011 3:19pm

Posted:3 years ago

#7
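The comment above names the usual chain: user-facing data in plain text, broad database access, and query code that lets input reach the SQL text. As an added example (not code from the commenter, and nothing is known about Sony's actual code), the same account lookup is written twice against a constructed in-memory SQLite table, once with string concatenation and once with a bound parameter, so the difference in behaviour on a crafted username can be observed directly.

```python
"""Added example, not code from the commenter or from Sony: the same lookup
with input spliced into the SQL text versus passed as a bound parameter,
run against a constructed in-memory table."""
import sqlite3

# Constructed sample data; the addresses are reserved-domain placeholders.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # User input is spliced into the SQL text, so the input can change
    # the shape of the query rather than just its value.
    sql = "SELECT email FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the driver sends the input separately from the
    # statement, so it is only ever compared as a value.
    sql = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed test input that, when spliced, widens the WHERE clause.
CRAFTED = "x' OR '1'='1"


def demo() -> dict:
    """Run both forms on a normal username and on the crafted one."""
    conn = make_db()
    return {
        "normal": lookup_email_safe(conn, "alice"),
        "vulnerable": lookup_email_vulnerable(conn, CRAFTED),
        "safe": lookup_email_safe(conn, CRAFTED),
    }
```

The vulnerable form returns every address in the table for the crafted input; the parameterised form returns nothing, because no account is literally named `x' OR '1'='1`. Parameterisation addresses the query-shape problem only; the "general login with the dbowner box ticked" part of the comment is a separate control, namely giving the application account read access to the tables it serves and nothing more, so that a successful injection is bounded by what that account can see.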

Gregor Manby
Producer

13 0 0.0
To claim Anonymous did or didn't do this is silly. It's not like it's an organised force, it's a bunch of people who hang out on the same websites and occasionally pull pranks. The hacker may be in 'Anonymous' or he may not, no one knows for certain apart from him.

Posted:3 years ago

#8

Phillip Chan
Writer

1 0 0.0
I think it's important to note the distinction that Sony isn't saying that Anonymous was responsible for the hack and theft. They said they found a text file which contains information that points to it being an Anonymous calling card. But then they also go on to directly answer the question of knowing who was responsible with "no".

Posted:3 years ago

#9

David Bachowski
VP Business Development

66 0 0.0
I'm not saying I know much about digital security, but to me saying that Sony's security was "weak" is like saying that a T-rex is weak. Enough cavemen with sticks can bring down any t-rex.

Yup. Don't know much about security, but I sure as heck know a lot about dinosaurs and cavemen.

Posted:3 years ago

#10

Iain Stewart
Artist

1 0 0.0
@ David B

'Yup. Don't know much about security, but I sure as heck know a lot about dinosaurs and cavemen.'

Apart, it would seem, from the fact that Dinosaurs were separated from Cavemen by a gap of several million years. Making the likelihood of any stick-based dinosaur-mugging incidents quite slim.

Please excuse the glib pedantry. I've been looking after small children all day.

Posted:3 years ago

#11

Marty Greenwell
Software Developer

56 38 0.7
"Enough cavemen with sticks can bring down any t-rex."

Dinosaur and Cavemen time periods aside, if that t-rex is wearing armour plating covering known vulnerabilities, the cavemen stand far more chance of being eaten before they break through to the sensitive areas.

Edited 1 time. Last edit by Marty Greenwell on 5th May 2011 9:06pm

Posted:3 years ago

#12

PATRICK CHUDE
Studying MSc. Information Systems

13 0 0.0
From Destructoid:
"Sony responded to the questions from the U.S. House of Representatives' Subcommittee on Commerce, Manufacturing and Trade with an open letter yesterday. But Dr. Gene Spafford, professor at the department of Computer Science at Purdue University, noted something interesting when speaking at the hearing.

Presumably, both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."

Youtube Clip showing the entire hearing: http://www.youtube.com/watch?v=2P58L1deE...

Posted:3 years ago

#13

Alan Botvinick
Producer

9 0 0.0
In US congressional testimony Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers and knew about it months in advance of the recent security breaches. According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed." The issue was "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches, said Spafford.

So...
No firewall
No encryption
No software updates
No monitoring
No listening to their own forum
No to quality control on their hardware

Certainly trust in Sony is very lacking.

Makes you wonder how many *other* companies we do business with on a day to day basis are just as incompetent in their practices without us knowing it. Until something like this happens that is.

http://bit.ly/l23xiT

Watch Testimony Here:
http://bit.ly/lofVdV

Edited 1 time. Last edit by Alan Botvinick on 6th May 2011 5:01am

Posted:3 years ago

#14

Jamie Watson
Studying Bachelor of Games & Interactive Entertainment

179 0 0.0
I was thinking Anonymous didn't do this.

So now, Sony, if it wasn't Anonymous then who was it?

Sony simply has bad security in place to guard against this type of theft.

Simply put, they need to strengthen their defences immensely.

Posted:3 years ago

#15

robert troughton
Managing Director

220 93 0.4
"Makes you wonder how many *other* companies we do business with on a day to day basis are just as incompetent in their practices without us knowing it."

This was really my point in the first place. The truth is, I don't have a PSN account nor an SOE one - I'm not affected by this particular hack in any way. But what has happened here should be opening people's eyes to much wider possibilities... what if eBay, Paypal, Amazon, Steam and others were hacked in similar ways? What of smaller companies..? There are many that store credit card details - and I'm absolutely certain that many of them don't update their software as often as they should... I'm sure many don't update it at all.

If only one company out of a thousand had security flaws, that still leaves credit card details under threat.

That's what I really meant when I suggested banks/government taking greater control. VISA/Mastercard/... should, in fact, do that... and then make absolutely certain that their systems are totally impenetrable.

Apart from hackers, what about IT and software engineers that work at these companies?

The best way to protect the information that thousands of companies store about people is to remove that information.

Posted:3 years ago

#16

robert troughton
Managing Director

220 93 0.4
Oh, also, I'm not condoning Sony's lapses in security. Those are serious, for sure, and heads should roll for that. But I also believe that the governing bodies should look to themselves, as well, for ways to prevent this sort of thing happening again. With a clever system that can be embedded within companies' websites - communicating with the website via the payment gateways would still allow all the functionality that you see on the web today - 1-click ordering and so on. It could also help smaller businesses to add credit card processing without needing to go through such as Paypal. So there could be -more- functionality with more security at the same time.

Posted:3 years ago

#17
