Sony tells Congress: Anonymous responsible for PSN attack

May 4, 2011, 5:27 PM

A US Congress subcommittee met today to discuss the recent PSN data breach. Airing on C-SPAN, the congressional hearing criticized Sony for its lack of security and its slow response time -- and the company's reputation wasn't aided by the fact that it decided not to attend the gathering. The company said it was too busy with its ongoing investigation to appear. Instead, Kazuo Hirai, chairman of the board of directors at SCEA, responded to the concerns by releasing an eight-page letter after the fact. You can read the full statement on Flickr.

Rep. Mary Bono of the Subcommittee on Commerce, Manufacturing, and Trade said she is "deeply troubled" by the data breaches and that Sony's refusal to testify was unacceptable. Much of Bono's anger was focused on the way Sony handled the attack, asking why the company's customers weren't notified sooner. Sony took approximately one week to inform its users that hackers stole their sensitive information, including names, locations, email addresses, usernames and passwords, and possibly even credit card numbers.

"I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony -- as well as all other companies -- have an overriding responsibility to alert them... immediately," Bono said. She continued by calling Sony's efforts "half-hearted" and "half-baked" because the company announced the breach on its blog, forcing customers to seek the information. Sony has been emailing its 78 million registered accounts, but that's hardly a quick process -- we just got an email notification yesterday.

Defending itself, Sony said that it dealt with the attack by following four key principles: "act with care and caution, provide relevant information to the public when it has been verified, take responsibility for our obligations to our customers, and work with law enforcement authorities." The company's forensic teams took until April 25 to determine what data was swiped, and Sony informed customers on April 26. It's still unknown if credit card data was taken, but Sony notes that credit card companies haven't reported any related fraudulent transactions.

Interestingly, Sony is now blaming Anonymous for executing the attack. Although the hacker group has repeatedly denied involvement, Sony says it discovered a file on one of its servers named "Anonymous" that contained the words "We are Legion" -- a phrase commonly used by Anonymous. Additionally, the company believes that the denial of service attacks orchestrated by Anonymous and the subsequent PSN/Sony Online Entertainment breaches are related. Anonymous still denies responsibility, and a single file is hardly damning evidence.

Sony has employed a third security firm to aid in the investigation, which now involves US Homeland Security and the FBI. The company says it's still working around the clock to revive its services, but it hasn't provided any concrete dates. When everything is restored, the company promises to offer US customers a "Welcome Back" package that includes free downloads as well as 30 free days of PlayStation Plus and Music Unlimited. The company will also extend those subscriptions for the number of days services were unavailable.




User Comments: 35

Proofix said:

We are Legion!! dum dum dum dum. DANANANA! Suspect !!

Emin3nce said:

DURRR...

Anyone could figure that out. It's what I've been saying all along.

Burty117, TechSpot Chancellor, said:

To be fair, I would have put a .txt on the server I was hacking to lead them off my trail to Anon's, makes the whole "finding me" a bit more confusing

Anyway I really don't think Anon did it, the fact that they as a group have put a video up and gone on record to say they did not have anything to do with this makes it sound fairly trustworthy. I mean, I trust them more than Sony right now

Probably the work of some 10-15 geeky 20-30 year olds who felt Sony needed a kicking.

I don't personally have anything Sony but I still feel Sony needed a kick in the teeth any who.

princeton said:

I still say it was a disgruntled employee who "Accidentally" left a backdoor open after getting fired/quitting.

Then they "Accidentally" told somebody about the flaw in the system.

BrianUMR said:

From what I have read about this so far is that anon was DDos them when the attack happened. They weren't sure if the second attack was from anon or someone working with anon or an independent attack.

Lokalaskurar said:

burty117 said:

To be fair, I would have put a .txt on the server I was hacking to lead them off my trail to Anon's, makes the whole "finding me" a bit more confusing

Anyway I really don't think Anon did it, the fact that they as a group have put a video up and gone on record to say they did not have anything to do with this makes it sound fairly trustworthy. I mean, I trust them more than Sony right now

Probably the work of some 10-15 geeky 20-30 year olds who felt Sony needed a kicking.

Exactly!

For all we know, this could've been a gang of crackers who wanted to join Anonymous' cause, maybe/possibly somebody showing off after the DDoS-attack on Sony or something, and that 'We are Legion' thingy definitely sounds like a dark trail.

I'm very surprised that Sony directly assumes that it was Anonymous based on this file - Sony might actually have got a better hint and are now laying their own 'dark tracks' for us to speculate about (a fake file, maybe?). Or perhaps just to portray Anonymous as the kind of cracking-bunch they really are?

Ooo. The mystery. The speculation.

Win7Dev said:

Well, I suppose that the file was probably a false trail, but it could have been a reverse psychology move as well. I have nothing against Sony or Anonymous, but I don't think we will know for awhile who really is behind it. I mean, if the FBI and Homeland security can't figure out where the penetration occurred in a day or two, they aren't going to for a long time. Even if they got an IP address or something, they would need to go through a ton of red tape to get to the real person behind it. I would think that the hacker(s) used some random person's computer via a virus and then used the infected computer to infect and control a second, possibly repeating this process a few times. After getting a chain of a few (possibly a hundred or more) they could have sent a chain of commands in a different order each time through the chain to get one computer to do their dirty work and download the information. It would be nearly impossible to legally trace the path back to the attackers as it would involve viewing the HDD contents of random people who did nothing wrong other than having crappy antivirus software. This is all just a theory, but it seems fairly logical.

princeton said:

BrianUMR said:

From what I have read about this so far is that anon was DDos them when the attack happened. They weren't sure if the second attack was from anon or someone working with anon or an independent attack.

Anonymous didn't do anything. They even put up a vid denying any involvement in the incident. If you've seen their track record you'd know they would want to take credit for it.

gwailo247, TechSpot Chancellor, said:

This just illustrates the problem when you go from posting anti CoS videos to doing DDos attacks and so forth. There is a line between seeking anonymity when dealing with an organization that uses more or less legal tactics as retribution for free speech, and doing blatantly illegal things.

Anon's initial goal and tactics were good for what they originally did. It was only when people started saying "Hey, let's do something else..." that this thing spiraled out of control.

You can't go around saying that we're this decentralized group of people who have no leadership, and then at the same time start saying what they were and were not responsible for. Even if they catch the person responsible, all he has to say is that he *is* part of Anonymous, and who is to dispute him?

Sure the whole Anonymous thing was a good idea when all the PR was ostensibly positive, but what happens when things start going bad?

Yeah, we hacked Sony, but we didn't steal credit cards. Yeah, we disrupted BofA servers, but we didn't blow up one of their branches.

All you're doing is providing both a cover for other people to use your "good" name for their nefarious deeds, and you're also prompting more intrusive government legislation. If there is no way to find out who is doing what, do they really think that the gov't is just going to throw up their hands and ignore it? Or proceed with the assumption that everyone is a possible suspect and react accordingly? And let's not ignore the possibility of the gov't itself using Anonymous to both get away with doing shady things, and to operate as a false flag operation to bring about more restrictions.

Trillionsin said:

Well, of course it's anonymous... until they find out who did it. Isn't that the definition of the word guys? Stop acting like it's a group of people... (not denying it isn't)

Anonymous will always exist... until you name out the people. hahah

But I guess a word is a name/alias... [link]

Obvious said:

Let's think deeper about this. right in the middle of the massive battle for music clouding positioning and all the battle for media giants for their member base - trying to situate themselves on the internet -- this hack could easily have been orchestrated by several massive corporations - such as Apple, Google, Amazon, or even Scientology - whose thorn in their side is... ...Anonymous. The fact there was a file marked with their signature tagline makes me come to one huge conclusion -- it's all BS. I guarantee this attack on SONY was purely a move to substantially weaken their position in the marketplace. Let's start bloggin this - instead of our personal rants that do nothing constructive -- this looks like a set-up -- it reeks of one...

Obvious said:

ANONYMOUS = ANONYMOUS.

an obvious attempt to frame-up Anonymous or the typical scapegoat situation - that takes the place of the real massive corporation that tried to weaken SONY by screwing with them...probably hiring out some kid in Thailand or Russia to hack in....

...and those scummy attorneys - or ambulance chasers trying to get users to sue is a laugh -- screw you - you ratty little trolls -- anything to worm a dollar with your legal BS

Obvious said:

dude anonymous did not hack SONY. they are being used as a scapegoat...if you robbed a bank - would you leave your driver's license behind - purposely!!!!???? NO. this is so typical -- i say - look deeper and realize -- it's the competition who did it -- who is that?---

google -- apple -- amazon -- any giant corp - racing to win the massive members for clouding games music etc

edvim said:

Oh please, Sony is just scapegoating Anonymous. They blame Anonymous, I blame Sony. It's their servers and their security lapses that are the problem -- the ultimate responsibility is Sony's. I thought Japanese companies had a more ethical backbone, this is a typical dodge American corporations take.

yorro said:

7. Anonymous is still able to deliver.

PinothyJ said:

WTH! If they were half as intelligent as they are big they would know that Anon had nothing to do with the PSN attack. But that's okay, we are going to piss off a decentralised organisation notorious for getting exactly what they want and with very few casualties by directly attacking them because it's the wise thing that will make this whole thing blow over without a hitch.

God I hate them right now...

Wendig0, TechSpot Paladin, said:

If Anonymous/AnonOps hacked Sony, Sony and everyone else would know about it. As a group they wouldn't deny it. I see this turning into a witch hunt.

treetops said:

Emin3nce said:

DURRR...

Anyone could figure that out. It's what I've been saying all along.

Dur what, did you even read the article?

matrix86 said:

While I do agree that the hacker needs to be caught, Sony is just trying to get out of this by changing the subject...or raising the curtain of distraction. Besides, Anon makes it clear when they hack. They don't just leave a little file behind. They come out and say "HEY! LOOK AT WHAT WE DID!"

This hacker was both smart and stupid. Smart in that he left behind a false id to throw Sony off of his scent, but not smart enough to know that this is not Anon's style.

I'm really hoping this guy (or group) isn't part of Anon and is going rogue on his own free time. I can't even imagine how p*ssed Anon would be if they found out someone in their organization was doing this. Not that there's much they could do as turning the hacker(s) in could be disastrous. Depending on how much the hacker(s) know, it could mean trouble for Anon......how awesome would it be if Anon hacked the investigation, got a hold of the files, and found and turned in the culprit?

BrianUMR said:

Princeton said:

BrianUMR said:

From what I have read about this so far is that anon was DDos them when the attack happened. They weren't sure if the second attack was from anon or someone working with anon or an independent attack.

Anonymous didn't do anything. They even put up a vid denying any involvement in the incident. If you've seen their track record you'd know they would want to take credit for it.

Yeah I didn't say they did it. I was saying that is what Sony said. Anon did take credit for DDos them. I do agree though if anon did it they would have had a video

taimuraly said:

If it's not them, then I think Anonymous should step in and help find the person/people involved. They say they don't forgive and here's someone making their name bad and also affecting millions of innocent users.

Burty117, TechSpot Chancellor, said:

taimuraly said:

If it's not them, then I think Anonymous should step in and help find the person/people involved. They say they don't forgive and here's someone making their name bad and also affecting millions of innocent users.

I guess those users shouldn't have bought a PS3 I guess

Why would they help a company that they hate? I know this guy is making them look bad but at the same time Anon probably are secretly laughing at Sony over this.

Mantrhax said:

the truth is, Sony has no clues about who attacked PSN....and making false statements will probably open doors for more attacks....

way to go sony

Guest said:

Personally it sounds like an inside job that took advantage of the DDoS from Anonymous to sneak in unnoticed besides all that other traffic.

They fired around 200 employees a few days before the networks went down, and they all had a 2 week notice.

NeoFryBoy said:

This is probably the one attack Anonymous would never want to take credit for. Bunch of teenagers and momma's boys in their 20s got a little more than they expected.

9Nails, TechSpot Paladin, said:

This all comes back to Anon's message to Sony; "You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, 'wrong.' Sound familiar?"

This basically goes against Sony's firing the first shot at Geohot and taking him to court for trying to use his PlayStation as he wished.

So Geohot wrote a jailbreak for iPhone. Apple didn't budge. He works on a jailbreak for PS3 and Sony jumps out of their skin. Sony doesn't have any credit here, and loses class as a company.

Anonymous also has been quoted as saying; "Anonymous is not a group of hackers, We are average Internet citizens ourselves and our motivation is a collective sense of being fed up with all the minor and major injustices we witness every day."

And Anonymous said that they don't intend to steal customer info. Their motivation is not for profit or to hurt consumers, it is to raise awareness.

You can read more at: [link]

This really smells like a Sony spin, and just Sony trying to play victim for the war they started.

gwailo247, TechSpot Chancellor, said:

9Nails said:

Anonymous also has been quoted as saying; "Anonymous is not a group of hackers, We are average Internet citizens ourselves and our motivation is a collective sense of being fed up with all the minor and major injustices we witness every day."

How exactly can you quote Anonymous? I can decide to "join" Anon right now, and put out some kind of media statement, and it would be all over the world in 15 minutes, especially if it's real juicy.

Did all those 13 year olds who downloaded LOIC and went after various targets get sworn into Anonymous?

I have little doubt that the "original" Anonymous members, whomever they are, had nothing to do with the credit card theft, but when your organization is pretty much open to anyone who wants to do something and use your name, is this surprising? Neither is the fact that people are going to do criminal acts and hide under Anon's name, and it's not surprising that Sony is going to blame this on Anon, as Anon can't do anything to show their innocence. Was the anti-Iran thing Anonymous, or CIA people calling themselves Anonymous?

If Anonymous was to get any credibility back, they should find the people who are responsible for the second hack, and then they might get their activist, and not criminal, reputation back.

9Nails, TechSpot Paladin, said:

gwailo247 said:

How exactly can you quote Anonymous? I can decide to "join" Anon right now, and put out some kind of media statement, and it would be all over the world in 15 minutes, especially if it's real juicy.

Man, that's a good question. I don't know how they work, if it's some form of collective ideas, like a Wiki or open source project where the work of many individuals build a single page or idea. They say that they're not monolithic, so if you believe that then there isn't a single mind that's ruling an organization.

gwailo247 said:

If Anonymous was to get any credibility back, they should find the people who are responsible for the second hack, and then they might get their activist, and not criminal, reputation back.

Kind of like how OJ was looking for his wife's killer?

I'm not sure how forensically Anonymous could go about this one. I'd doubt any individual would step through Sony's datacenter under an Anonymous Visitor Pass and have access to their files, records, and any other information that could be useful in finding out who did this. It would be like trying to determine what made a bang and crashing sound in your neighbor's house with only a description of the sound. When it might just be that their cat knocked over a bookcase and broke a vase. Things like this would take some private data to discover. In this case, what direction (group, website, organization, country?) do you even go to start looking?

ikesmasher said:

lol they PLACED a file on sony's server? sounds like a personal problem to me, sony can stop whining now.

captaincranky, TechSpot Addict, said:

I don't see how "Anonymous" could do an attack like this, and still retain the respect of its followers. I mean really, Anonymous likes to have community support for their "righting of wrongs" against ordinary users. They can't retain the impression of, "purity of purpose" if they're stealing people's personal information. If they can, then their "followers" have some sincerely distorted senses of value.

In brief, launching a "DDOS" attack to "teach a company a lesson", is a far different thing than stealing people's credit card numbers.

gwailo247, TechSpot Chancellor, said:

I'm not sure how forensically Anonymous could go about this one. I'd doubt any individual would step through Sony's datacenter under an Anonymous Visitor Pass and have access to their files, records, and any other information that could be useful in finding out who did this. It would be like trying to determine what made a bang and crashing sound in your neighbor's house with only a description of the sound. When it might just be that their cat knocked over a bookcase and broke a vase. Things like this would take some private data to discover. In this case, what direction (group, website, organization, country?) do you even go to start looking?

I really have no knowledge of IT security, but hackers get caught somehow, and typically the people employed to do so are (former) hackers themselves, so I would assume if you go with the 'it takes a thief to catch a thief' maxim, they'd be able to do something.

Like I said, I do believe (more or less) that the idealistic people who founded anonymous are not behind the credit card theft, but they either need to restore their name, or abandon the scheme. If they continue like this, when something worse happens, they'll get blamed more and more.

Their last missive still ended with the 'we are legion, we don't forget' crap, so if they were really not behind this, and they're unable to do something when outsiders do things in their name, then they're just making fools of themselves at this point.

aj_the_kidd said:

Anonymous still denies responsibility, and a single file is hardly damning evidence.

To me this one line summarizes it all, Sony don't have any solid proof and seems like they are just looking for a scapegoat and Anon is the best one out there, that people know about.

fpsgamerJR62 said:

The problem with using a name like "Anonymous" is that pretty much anyone can claim to be Anonymous.

Guest said:

I think Sony is just desperately looking to finger someone for the massive breach of their security. Too bad they're assh*les and no one wants to defend them anyway.

PinothyJ said:

I think Sony is just desperately looking to finger someone for the massive breach of their security. Too bad they're assh*les and no one wants to defend them anyway.

Wait, what...
