In the face of evidence of quite remarkable security weaknesses and wholesale lack of transparency, Japanese transnational Sony this week tried to shift blame for the cracking of its system and the theft of millions of customers’ credit card and identity details onto online activist group Anonymous.
A brief recap of just how badly Sony’s PS3 and PSP online gaming networks were cracked: the names, addresses, birthdates, passwords and credit card numbers of up to 77m Playstation users worldwide were stolen just before Easter (for non-gamers: to play PS3 games online in multiplayer environments, you pay to access Sony’s networks; Microsoft has a similar network and payments system for Xbox online gaming).
The giant crack — one of the biggest ever — was announced the week after Easter after the gaming network went offline. It remains offline. Then, earlier this week, Sony revealed that the personal information of another 25m users of its PC online gaming network may have been stolen, including 20,000 credit card numbers. That network went offline as well. The crack is so massive that credit card thieves are said to be concerned the price of illegally-obtained credit card numbers traded online is going to plunge.
Further, there have been claims security weaknesses in the Playstation networks may have been known for a long time.
Separate to this, in early April, Anonymous directed its Operation Payback campaign, aimed at members of the copyright industry such as record companies, at Sony in response to Sony launching litigation against American George Hotz, who “jailbroke” the PS3. Sony also (futilely) threatened to sue anyone who circulated Playstation encryption keys — they ended up circulating on Twitter, including in one case circulated unwittingly by a Sony employee.
The case against Hotz has since been settled out of court, but Anonymous launched a Distributed Denial of Service (DDoS) attack against Sony as part of Operation Payback, temporarily taking down the Playstation network and other Sony sites.
This week, Sony attempted to pin the blame for the crack on Anonymous’s DDoS attack. Sony chairman Kazuo Hirai wrote to a Congressional committee announcing — somewhat conveniently — that Sony had just discovered “that the intruders had planted a file on one of those servers named ‘Anonymous’ with the words ‘We are Legion’.” Hirai went on to say Sony had failed to pick up that it was being cracked partly because it was trying to defend itself against the DDoS attacks.
“All perhaps by design,” Hirai added, unsubtly.
Mainstream media immediately reported Sony as blaming Anonymous for the crack, as was presumably Sony’s intention. Since most of the mainstream media regards Anonymous as simply a group of “hacktivists”, the idea of its engaging in identity and credit card theft seems to have been readily accepted.
A strong denial was promptly issued on behalf of Anonymous, although as always the amorphous and self-selecting nature of Anonymous means an official response is almost an oxymoron.
As the Anonymous media release noted, the attempt by Sony to implicate Anonymous reflected similar tactics to those outlined in the campaigns developed to discredit WikiLeaks and its supporters by the US companies HB Gary, Palantir and Berico, uncovered by Anonymous earlier this year in a crack that uncovered a stunning trove of information on US corporate and government plans for online warfare.
Late last week, there was another apparent attempt to discredit Anonymous, when a gigabyte of US Chamber of Commerce documents was made available online — the Chamber was one of the groups for whom HB Gary was working — with the password “Barrett Brown”.
Brown is a well-known associate of and occasional spokesperson, to the extent that anyone can be, of Anonymous; his mobile phone number was also used as a password. The documents turned out merely to be an extensive collection of publicly-available Chamber of Commerce material pulled from its website using software called “FOCA”. Circulating fake documents was one of the tactics proposed by HB Gary, although in this case the intent appears to have been to waste the time of anyone ploughing their way through a gigabyte of PDFs and PPTs that revealed little of interest.
The repeated attempts to discredit Anonymous may well drive a change in tactics from the movement that has evolved rapidly since the WikiLeaks diplomatic cables were released last year and the Arab Spring unleashed a war online to match the conflict on the streets of Middle Eastern cities (which continued today with the Syrian Government being identified as harvesting Facebook information on protesters).
“As for this sort of thing happening in the future, and the vulnerability we face due to the nature of our movement, some of us are now advising people to found small, cohesive groups by which to pursue these same issues in a more efficient manner,” Brown told Crikey.
“This is directed towards both Anons and others who are interested in fighting back against corrupt institutions using the best means that are available to us.”
In the meantime, Anonymous may well become the default entity for any large corporation that wants to distract attention from its own poor security.
Good story, one note: you don’t pay to access the PSN. There is a Playstation Plus service which is subscription based, but for general online play (which is the equivalent of Microsoft’s paid service) you don’t need to pay.
Come closer, I will show you my giant crack.
Instead of looking for external scapegoats, Sony and its ilk would have more credibility if they fronted up to the various questioning authorities with internal documents showing their security policy as well as their risk management strategy and the measures they have used to test and assess it, such as use of professional ethical hacking companies.
Of course, if they actually had such things in place, it is very unlikely that they’d be in the position they are now.
Anyone with any understanding of network technology would know nothing is 100% secure. You can’t blame Sony because of the laws of physics (if it’s connected, it’s accessible). This is another biased article from a closet Anonymous supporter.
Anonymous are Cyber terrorists too cowardly to put their names to what they believe in. Always have been, always will be, they cannot be trusted on any front.
Anonymous are thieves that deal in pirate software (warez), key generators and hacking utilities. Hell, this whole thing is about them not being able to pirate software on the PS3 and cheat on PSN; it has nothing to do with OtherOS as they claim.
“for non-gamers: to play PS3 games online in multiplayer environments, you pay to access Sony’s networks; Microsoft has a similar network and payments system for Xbox online gaming”
Wrong. You don’t pay to access the PSN which is a free service (whereas Xbox Live you pay with monthly payments), the only thing you pay for is purchases such as Playstation Plus, games, expansions and extra maps.
In any case, I’m regretting buying a PS3 more and more every day. Definitely going for an Xbox for the next gen. The main reason I didn’t buy an Xbox was because of the constant breaking and machine failures (back circa 2007), which my PS3 managed to do within a year anyway, and the fact that you don’t have to pay to play online; you only have to pay when mysterious purchases or withdrawals are made, presumably in China or Russia…
Sony have failed in their security on a scale no other company has achieved; it’s only natural they try to deflect some of the blame. It’s made all the easier by the fact that Anon can’t officially defend themselves. Well done Sony.