Sony Defends Actions In Letter To Congress, Blames Anonymous

Sony has sent an open letter to Congress detailing and defending its actions in the wake of multiple (successful) hack attempts over the past two weeks. The company previously declined to attend a hearing scheduled in the wake of its data theft debacle. The head of that hearing, Mary Bono Mack, tore the company up one side and down the other for its shortcomings; this recent missive is an apparent attempt to save face.

Ironically for Sony, the company's data was stolen right around the time period it brushed off any concerns that Anonymous' attacks could negatively impact its security or systems. Faced with irrefutable evidence that its servers were riddled with security flaws, Sony has instead claimed it "has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."

The company then details why it blames Anonymous (up until now, that group has denied taking part in these activities): "Sony Online Entertainment...discovered... a file on one of those servers named "Anonymous" with the words "We Are Legion." Just weeks before, Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous. The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action... against a hacker."

The letter implies that these two attacks were causally linked and gives several reasons for why Sony failed to detect / prevent the data theft of several weeks ago. These second attacks were extremely sophisticated, exploited a software vulnerability, and "our security teams were working very hard to defend against denial-of-service attacks."

People talk about online crime and cyber warfare much the same way we talk about its real-world counterpart because it's the easiest way to explain complex scenarios. In this case, the analogy fails. Security teams don't defend against a DoS attack the way soldiers defend a checkpoint or patrol a country's borders; there's no squadron of guards sitting at terminals ready to leap into action at the first sign of trouble. It's far more likely that the security vulnerability Sony mentions gave the thieves a back entrance no one was watching—it might not have mattered if the security team was investigating a DoS or holding a bake sale.

The above is made more likely based on Sony's own report; the company only became aware of the problem when servers that were not scheduled for reboot began to do so. The rest of the letter details how the company has worked with law enforcement to date and how it intends to compensate customers (we've already covered both of these). Sony also notes that it hasn't noted any uptick in credit card fraud or seen evidence that information stolen from the PSN is being used in a nefarious manner. If true, this actually argues against the company's assertion that the theft was carried out by a criminal organization who wanted to use credit card information illegally.
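The detail that Sony noticed the intrusion only because servers rebooted outside their maintenance schedule is a reminder that such events are cheap to alert on. The script below is an added example, not part of the article or of anything Sony published: it reads constructed syslog-style boot lines, compares each boot against a constructed maintenance schedule, and also flags bursts of several hosts rebooting within a few minutes of each other, which is a stronger signal than a single stray reboot. Host names, timestamps and the log format are all assumptions.

```python
import fnmatch
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the article): kernel boot banners forwarded
# from several hosts, plus one unrelated line to show the parser ignores it.
SAMPLE_LOG = """\
2011-04-17T02:05:10 psn-app-03 kernel: Linux version 2.6.x booting
2011-04-17T02:06:41 psn-app-04 kernel: Linux version 2.6.x booting
2011-04-19T03:12:44 psn-app-07 kernel: Linux version 2.6.x booting
2011-04-19T03:14:02 psn-db-02 kernel: Linux version 2.6.x booting
2011-04-19T11:40:00 psn-app-07 sshd[1234]: Accepted publickey for admin
"""

# Constructed maintenance schedule: (host glob, window start, window end).
# Only the 17 April window is planned; nothing is scheduled for 19 April.
MAINTENANCE_WINDOWS = [
    ("psn-app-*", datetime(2011, 4, 17, 2, 0), datetime(2011, 4, 17, 3, 0)),
]

# Assumed line layout: ISO timestamp, host, then the kernel boot banner.
BOOT_RE = re.compile(r"^(\S+) (\S+) kernel: Linux version .* booting$")


def parse_boot_events(log_text):
    """Return [(host, datetime)] for every boot banner in the log text."""
    events = []
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            events.append((m.group(2), datetime.fromisoformat(m.group(1))))
    return events


def in_window(host, when, windows):
    """True if the boot falls inside a maintenance window that covers the host."""
    return any(
        fnmatch.fnmatch(host, pattern) and start <= when <= end
        for pattern, start, end in windows
    )


def find_unscheduled_reboots(log_text, windows=MAINTENANCE_WINDOWS):
    """Boots that no maintenance window explains; these deserve an alert."""
    return [(h, t) for h, t in parse_boot_events(log_text)
            if not in_window(h, t, windows)]


def reboot_bursts(events, span=timedelta(minutes=10), min_hosts=2):
    """Group boots that occur within `span` of each other and involve at
    least `min_hosts` distinct hosts. Several machines restarting together
    outside a window is a stronger sign of tampering than one reboot."""
    events = sorted(events, key=lambda e: e[1])
    bursts, current = [], []
    for host, when in events:
        if current and when - current[0][1] > span:
            if len({h for h, _ in current}) >= min_hosts:
                bursts.append(current)
            current = []
        current.append((host, when))
    if current and len({h for h, _ in current}) >= min_hosts:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    unscheduled = find_unscheduled_reboots(SAMPLE_LOG)
    for host, when in unscheduled:
        print(f"UNSCHEDULED REBOOT {host} at {when.isoformat()}")
    for burst in reboot_bursts(unscheduled):
        hosts = sorted({h for h, _ in burst})
        print(f"BURST: {len(hosts)} hosts rebooted within minutes: {hosts}")
```

Run as-is it reports the two 19 April boots as unscheduled and groups them into one burst; the 17 April boots fall inside the scheduled window and are silent. In practice the schedule would come from a change-management system rather than a literal, and the alert would feed whatever ticketing or SIEM pipeline the team already uses.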

Stealing credit cards is like stealing a mobile phone—the moment it's obtained, a timer starts counting down. Eventually, the thief must assume the rightful owner will discover the theft and cancel the card / turn off the phone. The only way a thief could make use of the credit cards he/she liberated from the PSN was to use them immediately.

The absence of any such activity seems to indicate that whoever did this was more interested in embarrassing the company over its poor security than in causing any sort of material harm to individuals. Judged by such metrics, it definitely succeeded.
+1

Hey they have to blame someone and since they probably have no idea who did it Anonymous seemed like the perfect target. Of course what they might be doing by this is simply angering more hackers who will break into any new systems that have in place... There is always a way.

0

This seems like it is going to cause problems for sony if they try to attack anonymous back.

"You don't bring a lawyer to a computer fight"

0

>> "You don't bring a lawyer to a computer fight"

LOVE it.

+1

An expert on net security, Purdue's Gene Spafford, said that personnel from the PSN were using a 5-year-old OS, Linux Apache, on their servers. They never updated it; it had security holes and no firewall on the system.

If that's true then Sony is the real responsible party for its own stupidity and now is trying to blame Anonymous.

Sony, face it, its your stupid fault.

0

It doesn't matter who they think did it; they handled this situation in the poorest way possible.

Hell if I was a PSN customer I would be writing a letter to Sony telling them to "F themselves."

0

I think Sony's dancing around the real blame. Yes, they were running an older version of Linux and hadn't applied any patches to their five-year old Apache web server (idiots). But, look at the diagram Sony produced:

"Inject communication tool via vulnerability in application server"... hmmm... not a vulnerability in the web server... not in the OS...

IT WAS A HOLE IN SONY'S BACK END PSN SOFTWARE! Delicious.

0

Well now they will totally be a part of this, if they weren't already. Dumb^2
