Sony Defends Actions In Letter To Congress, Blames Anonymous

Sony has sent an open letter to Congress detailing and defending its actions in the wake of multiple (successful) hack attempts over the past two weeks. The company previously declined to attend a hearing scheduled in the wake of its data theft debacle. The head of that hearing, Mary Bono Mack, tore the company up one side and down the other for its shortcomings; this recent missive is an apparent attempt to save face.

Ironically for Sony, the company's data was stolen right around the time period it brushed off any concerns that Anonymous' attacks could negatively impact its security or systems. Faced with irrefutable evidence that its servers were riddled with security flaws, Sony has instead claimed it "has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."

The company then details why it blames Anonymous (up until now, that group has denied taking part in these activities). "Sony Online Entertainment...discovered... a file on one of those servers named 'Anonymous' with the words 'We Are Legion.' Just weeks before, Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous. The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action... against a hacker."

The letter implies that the two attacks were causally linked and gives several reasons why Sony failed to detect or prevent the data theft of several weeks ago: according to Sony, the second attack was extremely sophisticated, exploited a software vulnerability, and came while "our security teams were working very hard to defend against denial-of-service attacks."

People talk about online crime and cyber warfare much the same way we talk about its real-world counterpart because it's the easiest way to explain complex scenarios. In this case, the analogy fails. Security teams don't defend against a DoS attack the way soldiers defend a checkpoint or patrol a country's borders; there's no squadron of guards sitting at terminals ready to leap into action at the first sign of trouble. It's far more likely that the security vulnerability Sony mentions gave the thieves a back entrance no one was watching—it might not have mattered if the security team was investigating a DoS or holding a bake sale.

Sony's own report makes this reading more likely: the company only became aware of the problem when servers that were not scheduled for reboot began to do so. The rest of the letter details how the company has worked with law enforcement to date and how it intends to compensate customers (we've already covered both of these). Sony also notes that it hasn't seen any uptick in credit card fraud or evidence that information stolen from the PSN is being used in a nefarious manner. If true, this actually argues against the company's assertion that the theft was carried out by a criminal organization that wanted to use credit card information illegally.
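The unscheduled reboots that finally tipped Sony off are the kind of signal a defender can check for automatically rather than notice by accident. The following is an added Python example, not code from the article or from Sony: it scans syslog-style lines for kernel boot markers and flags any host that booted outside a maintenance window in its change calendar. The log lines, hostnames, maintenance windows and the year 2011 (classic BSD syslog timestamps carry no year) are all constructed assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines in classic syslog layout ("MMM DD HH:MM:SS host proc: msg").
# A "Linux version ..." kernel line is the boot marker this check keys on.
SAMPLE_LOGS = """\
Apr 16 02:00:12 web-01 kernel: Linux version 5.15.0 (constructed boot marker)
Apr 16 02:03:40 web-01 sshd[812]: Server listening on 0.0.0.0 port 22.
Apr 17 14:22:51 app-03 kernel: Linux version 5.15.0 (constructed boot marker)
Apr 17 14:30:05 app-03 cron[455]: (root) CMD (run-parts /etc/cron.hourly)
Apr 18 02:10:33 db-02 kernel: Linux version 5.15.0 (constructed boot marker)
Apr 19 11:47:09 app-03 kernel: Linux version 5.15.0 (constructed boot marker)
"""

# Constructed maintenance calendar: host -> list of (start, end) windows in which a
# reboot is expected. A host absent from the table has no approved window at all.
MAINTENANCE_WINDOWS = {
    "web-01": [(datetime(2011, 4, 16, 1, 30), datetime(2011, 4, 16, 3, 0))],
    "db-02": [(datetime(2011, 4, 18, 2, 0), datetime(2011, 4, 18, 4, 0))],
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
BOOT_MARKER_RE = re.compile(r"^Linux version ")


def parse_line(line, year=2011):
    """Parse one syslog line into a dict with a real datetime, or None if it does not match.

    The year is supplied by the caller because the timestamp format omits it (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the day-padding space syslog uses for days 1-9 ("Apr  6") before parsing.
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m.group("host"), "proc": m.group("proc"), "msg": m.group("msg")}


def is_boot_event(entry):
    """True when the entry is a kernel line announcing a fresh boot."""
    return entry["proc"] == "kernel" and BOOT_MARKER_RE.match(entry["msg"]) is not None


def in_maintenance_window(host, ts, windows):
    """True when ts falls inside one of the host's approved (start, end) windows."""
    return any(start <= ts <= end for start, end in windows.get(host, []))


def find_unscheduled_reboots(log_text, windows, year=2011):
    """Return [(host, boot_time)] for every boot that happened outside a maintenance window.

    Each hit is a reboot nobody planned; in the scenario described in the article that was
    the only symptom of compromise the operator actually noticed.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line, year=year)
        if entry is None or not is_boot_event(entry):
            continue
        if not in_maintenance_window(entry["host"], entry["ts"], windows):
            hits.append((entry["host"], entry["ts"]))
    return hits


if __name__ == "__main__":
    for host, when in find_unscheduled_reboots(SAMPLE_LOGS, MAINTENANCE_WINDOWS):
        print(f"UNSCHEDULED REBOOT {host} at {when.isoformat()}")
```

On the constructed input this flags both app-03 boots and nothing on web-01 or db-02, whose reboots fall inside their windows. The check is only as good as the change calendar it reads: a host with a stale or overly generous window gets a free pass, so the calendar should come from the change-management system rather than a hand-edited file, and a flagged boot should trigger a look at what else the host logged around that time rather than be treated as the whole investigation.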

Stealing credit cards is like stealing a mobile phone—the moment it's obtained, a timer starts counting down. Eventually, the thief must assume the rightful owner will discover the theft and cancel the card / turn off the phone. The only way a thief could make use of the credit cards he/she liberated from the PSN was to use them immediately.

The absence of any such activity seems to indicate that whoever did this was more interested in embarrassing the company over its poor security than in causing any sort of material harm to individuals. Judged by such metrics, it definitely succeeded.