
Sony's scapegoat for the PSN compromise fights back

Sony has cast some blame for its PlayStation Network security problems in the direction of Anonymous, but Anonymous has denied any involvement.

Back on 22 April, Anonymous was quick to comment on the PlayStation Network compromise in a statement titled, "For Once We Didn't Do It":

While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the company's servers.

An amusing sign-off summed up the Anonymous reaction:

TL;DR

Sony Is Incompetent

Following the US House of Representatives Subcommittee on Commerce, Manufacturing and Trade's 4 May hearing, "The Threat of Data Theft to American Consumers", Sony rushed to respond -- after it failed to send a representative as requested by the committee. Sony used Anonymous as a scapegoat for some of its recent PlayStation Network security compromise problems in PlayStation.Blog's "Sony’s Response to the U.S. House of Representatives":

We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."

As pointed out by people associated with Anonymous "leadership", there is no way to independently verify the source of such a file if it exists. Is Anonymous the all-purpose bogeyman of corporate IT security now -- or is it just Sony's bogeyman when it wants to deflect attention from its own failings? Anonymous has some choice words on the subject in response to Sony's implication that the PSN compromise was an Anonymous operation.

Anonymous does have a recent history of harassing Sony, at least in part as a response to Sony's litigative attacks on PlayStation hacker George Hotz, whose goal was to provide a means for users to install Linux on their PlayStations. Sony took exception to Hotz' activities, and Anonymous took exception to Sony's strong-arm tactics, which ended in a gag order for Hotz. Anonymous' retaliations against Sony had apparently been confined to denial of service attacks against the corporation's websites and similar nuisance actions. Taking action that essentially targets customers is not consistent with common Anonymous tactics.

Since Sony's accusations, Anonymous has offered further denials of involvement, including a letterhead press release under the auspices of "Anonymous Enterprises LLC (Bermuda)". At some length, it spells out the rationale for Anonymous activities targeting Sony, and reasoning that suggests the PSN compromise is antithetical to Anonymous aims. A summary of the core message closes the letter:

If a legitimate and honest investigation into the credit card theft is conducted, Anonymous will not be found liable. While we are a distributed and decentralized group, our leadership does not condone credit card theft. We are concerned with erosion of privacy and fair use, the spread of corporate feudalism, the abuse of power and the justifications of executives and leaders who believe themselves immune personally and financially for the actions they undertake in the name of corporations and public office.

Anonymous will continue its work in support of transparency and individual liberty; our adversaries will continue their work in support of secrecy and control. The FBI will continue to investigate us for crimes of civil disobedience while continuing to ignore the crimes planned by major corporations which use their services.

It has been suggested that even if Anonymous did not launch the PSN compromise itself, Anonymous activities may have unwittingly provided some cover for the attackers who compromised the PlayStation Network. Whether you regard this as meaning that Anonymous is partly to blame for the PSN breach or not -- or whether you believe it at all -- likely depends on your level of sympathy for Anonymous' stated goals and methods.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
HAL 9000

Apparently their Security is so good that they had to shut down every part of the site that requires a Log In in an attempt to protect their users Personal Details. Seems to me that it was just a Train Wreck looking for a place to happen and completely reinforces my belief that most of the So Called Secure Sites are only secure as long as no one looks at them too closely. :^0 Col

Dr_Zinj

Sony does have a valid gripe against Anonymous as the DDOS attack did distract from noticing other intrusions that did the data steal. But that's the only grounds they have to complain. Sony's security at the time of the attack was not robust enough to deter the hack, nor as robust as economically practical. (Neither is the security of most cloud companies, but that's a different discussion.) Dedicated Denial of Service attacks, when properly used, are a valid method of civil disobedience. Proper use of DDOS requires the attackers to be publicly identifiable, prosecutable, and to not cause harm to bystanders. In the case of Sony, attacking the company's business servers is kosher. Maybe criminal, but really it's a civil infraction. Attacking the company's production servers (PS, On-line entertainment, etc.) deprives their customers of the product they paid for, but have no control over i.e. innocent bystanders. That's stealing from the customer base, and decidedly NOT kosher, and definitely criminal. Anonymous, by definition, isn't engaged in valid civil disobedience. If you don't have the courage of your convictions to face up to the consequences of your protest, then your message is weak, and your cause is not justifiable. It takes guts to light up a joint on the Capitol steps, or lie down in a Senator's office, or sit at a whites-only bar, and then be arrested, jailed, and go to court. Intestinal fortitude that no member of Anonymous has.

OH Smeg

After all if they can point their Finger at an organization impossible to confront in Court and blame them for their problems it's the perfect opportunity to deflect any criticism of Sony itself. But no matter even if Anonymous was directly involved isn't it still Sony's Obligation to Secure their Systems to prevent things like this from happening? While Anonymous may have the means to perform an attack like this surely Sony has the means to Secure their own systems and if they don't what are the implications for all On Line Transactions? Col

seanferd

Sony may be "grasping at straws". Also, Sony's security "may suck". Despite, you know, killing the Other OS option on PS3.

bboyd

AnonOps doesn't fit the bill for either how it was done or why. Sounds like if Sony isn't lying that they got red herring files dropped during the attack.

apotheon

Sony's security has been compromised . . . four times in this mess? Wow. Idiots running that place, I'm tellin' ya.

seanferd

Anonymous was running an attack which covered for the intrusion? (Intentionally or not?) I had not heard this, but if true, I suppose the complaint would have some validity.

Neon Samurai

So, if I get mugged because I'm paying attention to the completely unrelated guy with piercings and a face tattoo across the street while turning and walking down a dark alleyway, it's the scary looking guy's fault for complicit-ly being on the same city block?

- Sony couldn't be bothered to manage a network capable of better resisting DDoS attack. (it's called a network filtering.. write an F'ing Snort rule)
- Sony couldn't be bothered to keep their server software up to date.
- Sony couldn't be bothered to maintain effective firewall rules.
- Sony couldn't be bothered to employ staff to monitor inbound traffic and egress.
- Sony couldn't be bothered to encrypt the obviously sensitive customer data they felt a need to retain.

And all this after a history of behavior between negligence and outright hostility towards its customer base. Not to forget that, with a computer or database loss report from at least one company per week, all of this because "it never happened to us yet". Assuming the info sec staff had reported possible issues to management who chose to gamble the budget instead of allowing the IT team the time and budget to do it right; Sony didn't just screw the pooch on this one; they outright gang-fk'd the dog in the middle of the mashed potatoes during Christmas dinner with the kids and Aunty Ethel watching on in shock.

radleym

One individual being arrested as a nuisance to a large corporation or government office may be brave and romantic, but if you actually want to effect change you need a way to balance the (tiny) power of the individual against the (massive) power and resources of the target. Anonymous does this by the concerted actions of many anonymous individuals. You might compare this to the anonymity of the individual managers responsible for the decisions causing the problem, hiding behind the corporate facade.

Sterling chip Camden

"Oh, they were attacked by the evil, amorphous hackers (sic) of Anonymous!" Sony probably would have tried to pin it on Al Qaeda if it weren't for their coeval setback.

Slayer_

Off the top of my head, I can't think of a more disreputable company than Sony. Maybe Walmart?

Neon Samurai

It's not so much a new compromise as it is ongoing fallout from the big one. They've shut down the ability for users to reset passwords. The process uses an email and a birth date before resetting. After bringing PSN back online, they realized that those two pieces of information are in the database so criminals can simply use the already stolen information to regain control of customer accounts.

seanferd

I haven't been following this all that closely. Four security violations? Wow.

apotheon

That's just Sony's excuse.

AnsuGisalas

Learning from the mistakes of others is such a good way to improve... I mean, sure, learn from own mistakes too, but when the opportunity arises, and someone else messes up, don't just point and laugh - get smart, dammit!!!

seanferd

Shiny keys! (jingle jingle) Any sort of misdirection is useful, right?

apotheon

I dunno. I think Microsoft, Oracle, and SCO are as bad, but I don't know about worse. Worse is pretty tough to achieve.

NJcelt

Two months before this happened, I told them my account had been hacked, and I needed to change my personal data, to which Sony replied: There is no way to change that information. I had to sue in small claims for the property I purchased on PSN's store. (I'm just glad I gave out a fake DOB.) Sony didn't show up for the hearing & sent me a check for my damages plus court fees. Still someone, somewhere was playing their PlayStation with my old PSN account (which I decided not to rejoin). I sold all my PS3 items on craigslist, and got an Xbox 360 (lesser of two evils?)

Neon Samurai

It should never have been "but we've never been broken into". From the very start, it should have been "we haven't been hit yet but company XYZ got broken into last week, are we making similar mistakes and can we do better than them if it does happen to us?" I know getting details on how the break-in happened sent me back to my databases to confirm I'm not taking similar risks. How did it happen? Do we have the same vulnerabilities in our setup? How do we better limit the success of a break-in and how do we manage the applicable fallout if it happens?

seanferd

I hope no one was seriously injured. ;)

jck

Just got my first, on-purpose (I've accidentally +ed someone earlier), non-originating post + I almost fell out of my chair laughing...and it has arms on it. :p
