In response to the United States House of Representatives’ invitation to testify, Sony tipped their hand as to what they believe could have caused their recent security breach.
Chairman Kazuo Hirai penned a nine-page letter to the Congressmen holding a hearing called “The Threat of Data Theft to American Consumers.” It details what Sony currently believes happened on their network and how it happened, and gives a timeline of events dating back to the original distributed denial of service (DDoS) attack by the “hacktivist” group Anonymous in the middle of April. In one part, Sony outright implicates Anonymous in the attack:
When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that intruders had planted a file on one of those servers named “Anonymous” with the words “We are Legion.” Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous. The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker.
Elsewhere in the letter it is hinted that the timing of the security breach, coinciding with the DDoS attack, might have been intentional. The full letter can be read here.
In the actual House hearing, detailed by Nate Anderson of Ars Technica, Sony and another company were blasted by the committee for their poor response to the intrusion. Dr. Gene Spafford of Purdue University testified that Sony employees had talked on forums about how certain areas of their network ran outdated software and had no firewalls, something the company was forced to cop to. Rob Crossley of Develop-Online has an in-depth feature on exactly what happened here.
Earlier in the week, Sony had declined the invitation to testify at the House committee hearing.
Anonymous has itself been quick to respond to the accusations. In a letter to Congress obtained by UK-based CVG, the group pointed out that they do not know who carried out the attack, that they did not authorize it, and that the attack does not fit Anonymous’s “modus operandi”. They also went to great lengths to point out that federal contractors such as HBGary and Palantir had gone to great lengths to discredit their clients’ enemies via “false flag” operations, and that the planting of the “Anonymous” file on the Sony servers could have been just that. Nate Anderson of Ars Technica was able to get statements from one of the group’s IRC channels, as well as a statement that “Sony Is Incompetent”.
The PlayStation Network outage has entered its third week since being taken down on April 20th.
Analysis: The tricky nature of Anonymous is that the attacker could have been someone associated with them, or it could have been someone else entirely; no one knows. There is no real organization to Anonymous, and that’s the tricky part. For all we know, the person who planted the file on Sony’s servers could have been completely unrelated to Anonymous, or could have done it “for the lulz”.
Ultimately, I think Sony is uninterested in that. Notice how many times, in all of the literature they’ve put out since admitting that this was a data breach, they’ve made sure to let everyone know of the ILLEGAL and CRIMINAL nature of the act. It makes an end user scream “no shit, Sherlock” at their computer, but it’s intended to make sure everyone understands that Sony is the victim of an illegal attack. They’re in full damage control mode, and controlling that damage is the only thing that truly matters at this point; everything else is secondary. Their feeling is that, by pointing this out to the House again and again, they’ll distract it from realizing that Sony created their own problems by knowingly not protecting their data. Judging by the language the Congresspeople in question used, it didn’t work. This is why Sony devoted a long paragraph to the one file that was found on their server: they’re trying to make sure everyone knows the blame is on those bad guys at Anonymous, which they’re hoping will lead to investigations and maybe someone definitive to sue.
I’ve talked at length about what I feel Sony’s motivations are. They are not interested in helping their consumers; they are interested in using their consumers to shield them from the people – the federal government – who could really do damage should they want to. Turning Anonymous into more of a boogeyman than they are only helps them towards that goal.