In the face of evidence of quite remarkable security weaknesses and wholesale lack of transparency, Japanese transnational Sony this week tried to shift blame for the cracking of its system and the theft of millions of customers’ credit card and identity details onto online activist group Anonymous.
A brief recap of just how badly Sony’s PS3 and PSP online gaming networks were cracked: the names, addresses, birthdates, passwords and credit card numbers of up to 77m Playstation users worldwide were stolen just before Easter (for non-gamers: to play PS3 games online in multiplayer environments, you pay to access Sony’s networks; Microsoft has a similar network and payments system for Xbox online gaming).
The giant crack — one of the biggest ever — was announced the week after Easter, after the gaming network went offline. It remains offline. Then, earlier this week, Sony revealed that the personal information of another 25m users of its PC online gaming network may have been stolen, including 20,000 credit card numbers. That network went offline as well. The crack is so massive that credit card thieves are said to be concerned the price of illegally-obtained credit card numbers traded online is going to plunge.
Further, there have been claims that security weaknesses in the Playstation networks may have been known for a long time.
Separately, in early April, Anonymous directed its Operation Payback campaign, aimed at members of the copyright industry such as record companies, at Sony in response to Sony launching litigation against American George Hotz, who “jailbroke” the PS3. Sony also (futilely) threatened to sue anyone who circulated Playstation encryption keys — they ended up circulating on Twitter, in one case circulated unwittingly by a Sony employee.
The case against Hotz has since been settled out of court, but Anonymous launched a Distributed Denial of Service (DDOS) attack against Sony as part of Operation Payback, temporarily taking down the Playstation network and other Sony sites.
This week, Sony attempted to pin the blame for the crack on Anonymous’s DDOS attack. Sony chairman Kazuo Hirai wrote to a Congressional committee announcing — somewhat conveniently — that Sony had just discovered “that the intruders had planted a file on one of those servers named ‘Anonymous’ with the words ‘We are Legion’.” Hirai went on to say Sony had failed to pick up that it was being cracked partly because it was trying to defend itself against the DDOS attacks.
“All perhaps by design,” Hirai added, unsubtly.
Mainstream media immediately reported Sony as blaming Anonymous for the crack, as was presumably Sony’s intention. Since most of the mainstream media regards Anonymous as simply a group of “hacktivists”, the idea of its engaging in identity and credit card theft seems to have been readily accepted.
A strong denial was promptly issued on behalf of Anonymous, although as always the amorphous and self-selecting nature of Anonymous means an official response is almost an oxymoron.
As the Anonymous media release noted, the attempt by Sony to implicate Anonymous reflected tactics similar to those outlined in the campaigns developed to discredit WikiLeaks and its supporters by the US companies HB Gary, Palantir and Berico. Those campaigns were uncovered by Anonymous earlier this year in a crack that exposed a stunning trove of information on US corporate and government plans for online warfare.
Late last week, there was another apparent attempt to discredit Anonymous, when a gigabyte of US Chamber of Commerce documents was made available online — the Chamber was one of the groups for whom HB Gary was working — with the password “Barrett Brown”.
Brown is a well-known associate of Anonymous and, to the extent that anyone can be, an occasional spokesperson for it; his mobile phone number was also used as a password. The documents turned out merely to be an extensive collection of publicly-available Chamber of Commerce material pulled from its website using software called “FOCA”. Circulating fake documents was one of the tactics proposed by HB Gary, although in this case the intent appears to have been to waste the time of anyone ploughing their way through a gigabyte of PDFs and PPTs that revealed little of interest.
The repeated attempts to discredit Anonymous may well drive a change in tactics from the movement, which has evolved rapidly since the WikiLeaks diplomatic cables were released last year and the Arab Spring unleashed a war online to match the conflict on the streets of Middle Eastern cities (a war that continued today, with the Syrian Government being identified as harvesting Facebook information on protesters).
“As for this sort of thing happening in the future, and the vulnerability we face due to the nature of our movement, some of us are now advising people to found small, cohesive groups by which to pursue these same issues in a more efficient manner,” Brown told Crikey.
“This is directed towards both Anons and others who are interested in fighting back against corrupt institutions using the best means that are available to us.”
In the meantime, Anonymous may well become the default entity for any large corporation that wants to distract attention from its own poor security.