May 6, 2011

When in doubt, blame

Exposed for shockingly poor IT security, Sony has tried to shift the blame to Anonymous. It's a familiar tactic.

Bernard Keane — Politics editor


In the face of evidence of quite remarkable security weaknesses and a wholesale lack of transparency, Japanese transnational Sony this week tried to shift blame for the cracking of its system and the theft of millions of customers’ credit card and identity details onto online activist group Anonymous.

A brief recap of just how badly Sony’s PS3 and PSP online gaming networks were cracked: the names, addresses, birthdates, passwords and credit card numbers of up to 77m Playstation users worldwide were stolen just before Easter (for non-gamers: to play PS3 games online in multiplayer environments, you pay to access Sony’s networks; Microsoft has a similar network and payments system for Xbox online gaming). The giant crack -- one of the biggest ever -- was announced the week after Easter, after the gaming network went offline. It remains offline.

Then, earlier this week, Sony revealed that the personal information of another 25m users of its PC online gaming network may have been stolen, including 20,000 credit cards. That network went offline as well. The crack is so massive that credit card thieves are said to be concerned the price of illegally obtained credit card numbers traded online is going to plunge. Further, there have been claims that security weaknesses in the Playstation networks may have been known for a long time.

Separate to this, in early April, Anonymous directed its Operation Payback campaign, aimed at members of the copyright industry such as record companies, at Sony in response to Sony launching litigation against American George Hotz, who "jailbroke" the PS3. Sony also (futilely) threatened to sue anyone who circulated Playstation encryption keys -- they ended up circulating on Twitter, including in one case circulated unwittingly by a Sony employee.

The case against Hotz has since been settled out of court, but Anonymous launched a Distributed Denial of Service (DDoS) attack against Sony as part of Operation Payback, temporarily taking down the Playstation network and other Sony sites.

This week, Sony attempted to pin the blame for the crack on Anonymous’s DDoS attack. Sony chairman Kazuo Hirai wrote to a Congressional committee announcing -- somewhat conveniently -- that Sony had just discovered "that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion'." Hirai went on to say Sony had failed to notice that it was being cracked partly because it was trying to defend itself against the DDoS attacks. "All perhaps by design," Hirai added, unsubtly.

Mainstream media immediately reported Sony as blaming Anonymous for the crack, as was presumably Sony’s intention. Since most of the mainstream media regards Anonymous as simply a group of "hacktivists", the idea of its engaging in identity and credit card theft seems to have been readily accepted. A strong denial was promptly issued on behalf of Anonymous, although as always the amorphous and self-selecting nature of Anonymous means an official response is almost an oxymoron.

As the Anonymous media release noted, the attempt by Sony to implicate Anonymous reflected tactics similar to those outlined in the campaigns developed to discredit WikiLeaks and its supporters by the US companies HB Gary, Palantir and Berico, uncovered by Anonymous earlier this year in a crack that exposed a stunning trove of information on US corporate and government plans for online warfare. Late last week, there was another apparent attempt to discredit Anonymous, when a gigabyte of US Chamber of Commerce documents was made available online -- the Chamber was one of the groups for whom HB Gary was working -- with the password "Barrett Brown".

Brown is a well-known associate of Anonymous and, to the extent that anyone can be, an occasional spokesperson for it; his mobile phone number was also used as a password. The documents turned out merely to be an extensive collection of publicly available Chamber of Commerce material pulled from its website using software called "FOCA". Circulating fake documents was one of the tactics proposed by HB Gary, although in this case the intent appears to have been to waste the time of anyone ploughing their way through a gigabyte of PDFs and PPTs that revealed little of interest.

The repeated attempts to discredit Anonymous may well drive a change in tactics from a movement that has evolved rapidly since the WikiLeaks diplomatic cables were released last year and the Arab Spring unleashed a war online to match the conflict on the streets of Middle Eastern cities (which continued today with the Syrian Government being identified as harvesting Facebook information on protesters). "As for this sort of thing happening in the future, and the vulnerability we face due to the nature of our movement, some of us are now advising people to found small, cohesive groups by which to pursue these same issues in a more efficient manner," Brown told Crikey. "This is directed towards both Anons and others who are interested in fighting back against corrupt institutions using the best means that are available to us."

In the meantime, Anonymous may well become the default entity for any large corporation that wants to distract attention from its own poor security.


11 thoughts on “When in doubt, blame”

  1. BearPowers

    Good story, one note: you don’t pay to access the PSN. There is a Playstation Plus service which is subscription based, but for general online play (which is the equivalent of Microsoft’s paid service) you don’t need to pay.

  2. Sexual Lobster

    Come closer, I will show you my giant crack.

  3. Socratease

    Instead of looking for external scapegoats, Sony and its ilk would have more credibility if they fronted up to the various questioning authorities with internal documents showing their security policy as well as their risk management strategy and the measures they have used to test and assess it, such as use of professional ethical hacking companies.

    Of course, if they actually had such things in place, it is very unlikely that they’d be in the position they are now.

  4. slickdick

    Anyone with any understanding of network technology would know nothing is 100% secure. You can’t blame Sony because of the laws of physics (if it’s connected, it’s accessible). This is another biased article from a closet Anonymous supporter.

    Anonymous are Cyber terrorists too cowardly to put their names to what they believe in. Always have been, always will be, they cannot be trusted on any front.

    Anonymous are thieves that deal in pirate software (warez), key generators and hacking utilities. Hell, this whole thing is about them not being able to pirate software from PS3 and cheat on PSN; it has nothing to do with OtherOS as they claim.

  5. MD43

    “for non-gamers: to play PS3 games online in multiplayer environments, you pay to access Sony’s networks; Microsoft has a similar network and payments system for Xbox online gaming”

    Wrong. You don’t pay to access the PSN which is a free service (whereas Xbox Live you pay with monthly payments), the only thing you pay for is purchases such as Playstation Plus, games, expansions and extra maps.

    In any case, I’m regretting buying a PS3 more and more every day. Definitely going for an Xbox for the next gen. The main reason I didn’t buy an Xbox was because of the constant breaking and machine failures (back circa 2007), which my PS3 managed to do within a year anyway, and the fact that you don’t have to pay to play online; you only have to pay when mysterious purchases or withdrawals are made, presumably in China or Russia…

    Sony have failed in their security on a scale no other company has achieved; it’s only natural they try to deflect some of the blame. It’s made all the easier by the fact that Anon can’t officially defend themselves. Well done Sony.

  6. Michael Butler

    Hey SlickDick,
    I wouldn’t for a moment lose sight of the fact that the criminal(s) who’ve hacked Sony are the culprits.
    (In fact, Sony has been hit again – Sony Online Entertainment was penetrated and around 25 million accounts compromised just this week.)
    And we all know that if it’s online, it might get hit. You can bet your bottom dollar that Microsoft, Apple, Amazon et al are breathing huge sighs of relief that they didn’t get hit.
    I also don’t buy into the ‘Sony brought it on’ argument about going after geohot and raising Anonymous’ ire.
    But I absolutely do blame Sony for being so careless with my personal data, and there’s plenty of information floating around about just how poor the internal systems and safeguards were.
    I also deplore the length of time it took to notify users. I found out from a games-related news site several days into the outage.
    I should have found out in an email sent by Sony to my PSN ID’s email address.
    That’s my information that’s been stolen, and even if my credit card number remains secure, enough information has been taken for an identity thief to get up to all kinds of mischief in my name.
    Sony needed to tell me right away so that I could make decisions about what to do, not remain mute in a futile and counter-productive attempt to minimise the PR hit.
    Unsurprisingly, they’ve only made it worse.

  7. Simon Tait

    “Anonymous are Cyber terrorists too cowardly to put their names to what they believe in”.

    Just like you, ‘SlickDick’?

  8. dag

    I blame those that fail to take proper due diligence, Sony in this case. Good security doesn’t allow the information super highway to have a shortcut through your organisation. The following line is very telling: “The crack is so massive credit card thieves are said to be concerned the price of illegally-obtained credit card numbers traded online is going to plunge.”

  9. Socratease

    ^ Only when such breaches result in lawsuits with massive payouts will companies wake up to their obligations.

  10. SuprF1y

    It was a hack, not a crack. And no more ISH comments, pleeeeeeease.
    Software quality matters.
    The industry has gotten into the habit of not checking its blind spot when changing lanes.
