

Sony Corp. has written to the U.S. Congress offering details of what it claims to know about a recent historic data breach. It claims to have found evidence implicating the hacker group Anonymous in the attack.  (Source: U.S. Congress)

Anonymous is loosely organized with no official leaders. Members in April organized distributed denial of service (DDoS) attacks against Sony websites, which they would later brag about in postings.  (Source: Flickr/Skepchick)

The FBI is investigating the breach and is expected to announce criminal charges against those involved once it finds out more.  (Source: FBI)
Company says it does not know whether its 12 million on-file credit cars were stolen

Today Sony Corp. (6758) dropped a bombshell.  In a letter to the U.S. Congress, Kazuo Hirai, Chairman of Sony's American Board of Directors, admits that his company now believes all 77 million accounts related to the PlayStation Network were accessed.

He says that it was unclear what pieces of information were taken from the database entries for each user.  Most notably, he says that Sony, at present, has no way of knowing whether hackers offloaded the 12.3 million customer credit cards the company had on file, including 5.6 million cards belonging to U.S. customers.

I. Sony Blames Anonymous

The letter also drops a bombshell claim.  Sony's investigators claim to have found a file named Anonymous on the company's servers that states:
We are Legion
That phrase is commonly used by the group Anonymous.  Its appearance indicates that either:
a) Anonymous was involved with the breach, or
b) Someone is trying to frame members of Anonymous.

Anonymous is a loosely organized group of hackers affiliated with the site 4Chan.  The group has no real leaders or ethical guidelines.  Its members contact each other over IRC chats and organize hacking operations that particular groups of individuals feel passionate about.

Recently some members of Anonymous attacked Sony's online properties with distributed denial of service attacks, in response to Sony's decision to ban Linux homebrews on the PlayStation 3 and to sue famed hardware hacker George "GeoHot" Hotz for posting keys to jailbreak the console.

Mr. Hotz has since settled with Sony and vocally distanced himself from the recent attacks saying he did not support them and had no involvement, though he chastised Sony for its poor security.  Mr. Hotz is a past victim of identity theft, so it's an understandably sensitive subject for him.

At the time of the DDoS attacks (April 2011) members of Anonymous vocally bragged about those actions online.  The group wrote:

Dear Greedy Motherf*ckers (sic) SONY,

Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz.)

You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, "copyright".

Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for, and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been "renting" your web domains. Having trodden upon Anonymous' rights, you must now be trodden on.

If you disagree with the disciplinary actions against your private parts domains, then we trust you can also understand our motivations for these actions. You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, "wrong." Sound familiar?

Let Anonymous teach you a few important lessons that your mother forgot:
1. Don't do it to someone else if you don't want it to be done to you.
2. Information is free.
3. We own this. Forever.
As for the "judges" and complicit legal entities who have enabled these cowards: You are no better than SONY itself in our eyes and remain guilty of undermining the well-being of the populace and subverting your judicial mandate.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
Expect us.

DDoS attacks fall under the gray area of U.S. computer laws as they represent sending the equivalent of thousands of legitimate webpage requests over a short timespan.  Some DDoS attackers resort to more blatantly illegal tactics -- such as infecting computers and using them as an attacking botnet.  It is unclear whether Anonymous used such tactics in their attacks on Sony.

Also unclear is whether Sony's claim of its file discovery implicating Anonymous in this new, separate attack is authentic, or whether the company (or some other party with a vendetta against Anonymous) is looking to seek revenge on the group for past attacks by framing its members as the perpetrators of the massive recent intrusion.

II. Intrusion is Historic

That question is very pressing, as the Sony breach is perhaps the largest online loss of customer information in history.  The Sony letter fails to address the recent loss of 24 million other records from Sony Online Entertainment (SOE).  Between those two losses, as many as 101 million customers may have been exposed (though likely a substantial number of SOE subscribers were also PSN subscribers).

The historic nature of the intrusion will likely lead to some serious criminal charges if the government can successfully identify who is to blame.

It is very likely that the freedom of U.S. members of Anonymous who participated in the initial attacks against Sony hangs on whether the company's claims are substantiated.

For customers, the prospect of lost credit cards is bad.  The prospect of lost passwords, email addresses, and real names is even worse, as it means that, without additional precautions, someone could gain access to their private accounts.

Outraged, customers in Canada have filed a class action lawsuit against Sony.  Similar suits are expected in the U.S. and the European Union.

The government is also contemplating criminal and/or civil penalties against Sony.  The company knew about the breach for two days before notifying the government -- something some politicians say was negligent.  The question of whether that negligence was criminal will surely be debated.


Comments

Sucks
By therealnickdanger on 5/4/2011 1:43:00 PM , Rating: 2
I've never input any personal or credit card information on PSN (thankfully), but I've got to say "you get what you pay for". I know Steam was hacked at one point a few years ago, but I think they've fixed their holes. Aside from individual accounts via social engineering, has Xbox Live ever been hacked? Seems like they really have their security nailed down tight...




RE: Sucks
By MrBlastman on 5/4/2011 1:58:44 PM , Rating: 4
Steam might be more secure but I still won't allow them to save my credit card information for future purchases. Forget it. The risks (and annoyance) are just too high for a little bit of convenience.


RE: Sucks
By nafhan on 5/4/2011 2:35:56 PM , Rating: 2
Unfortunately, some systems are implemented in such a manner that electing not to save info doesn't necessarily mean your info won't get saved - merely using your CC may put you at risk. For instance, I remember a few years back a researcher bought several hundred used HD's off ebay and found that a number of them were from PoS machines at a grocery store and contained recoverable CC info from every transaction that occurred over the life of the HD.


RE: Sucks
By therealnickdanger on 5/4/2011 4:33:35 PM , Rating: 2
Some copiers and printers store such information as well - any company should think twice about parting with used office equipment.


RE: Sucks
By theapparition on 5/4/2011 5:00:51 PM , Rating: 5
Everyone repeat after me.......

Prepaid Visa cards

Works wonders in situations like this. Just disposable cards that you don't care who gets the info.


RE: Sucks
By GulWestfale on 5/4/2011 7:26:08 PM , Rating: 2
absolutely agree. if you're in canada, you can get them at the post office. they are bought just like regular gift cards, and when you register them online you do not have to enter any real name or address- just make something up. they do work online (i've ordered stuff from amazon, for example).

just use common sense, damn it. but that does not absolve sony of blame for being n00bs when it comes to defending against hackers. one would think that the people who came up with rootkits would know about hackers...


RE: Sucks
By B3an on 5/5/2011 9:59:51 AM , Rating: 2
So can the prepaid cards be used on anywhere that accepts normal Visa cards?


RE: Sucks
By theapparition on 5/5/2011 12:56:29 PM , Rating: 3
Yes.

Also works wonders for teenagers using an Xbox account (or linked to a CC). Can only buy up to a certain amount. Also teaches responsibility that money is a fixed resource. Not some magic card that can get whatever you want.


RE: Sucks
By TheHumanFla on 5/5/2011 2:13:08 PM , Rating: 2
Most of the big credit card companies can create virtual credit card numbers you can use directly against your main credit card. Many of the big banks have them now.

It's quite satisfying to be dealing with a sh*tty vendor who won't stop a repeating monthly charge and muttering "Now yous can't charge" right before hitting the cancel button on their virtual number.


RE: Sucks
By Hieyeck on 5/6/2011 10:51:34 AM , Rating: 2
Visa's pretty good about fraud. Had my card copied IRL and they told me to just forget the $300 that showed up on my bill.

What's important is to use online statements and review them frequently. Look for charges that don't make sense. Visa's more likely and quicker to write off a few hundred than a few thousand.


RE: Sucks
By StevoLincolnite on 5/4/2011 2:02:04 PM , Rating: 2
quote:
Aside from individual accounts via social engineering, has Xbox Live ever been hacked? Seems like they really have their security nailed down tight...


The service hasn't been hacked on the scale that Sony is currently experiencing... Although individual accounts from Xbox Live! officials like Major Nelson have been hacked, multiple times.

Then you had that spotty 2 weeks of issues when Halo 3 launched a few years back due to the number of users... But everyone got a free game out of that if I remember correctly.

I guess Sony just annoyed the hackers more than Microsoft did this time around with the removal of Linux.
Or... Microsoft simply has more experience with security due to Windows and constantly updating Xbox Live! Who knows.

But I believe Sony is silly for not Encrypting everything, including the Kitchen sink.


RE: Sucks
By Hiawa23 on 5/4/2011 2:57:32 PM , Rating: 2
They have had my credit card on file which I used to buy games & stuff, but I have been checking that card as it is the only one I use for gaming for the Playstation & Xbox 360. This might be Sony's RROD. You say you get what you pay for, but Playstation Network is free. Personally, I don't see why the Sony fans use this to bash Xbox Live. I paid $37 last year for my Live subscription, which is worth every penny, yet Sony charges you $49 for plus which to me is not worth it. Sony will bounce back from this, I think.


Hate it when
By spamreader1 on 5/4/2011 1:53:30 PM , Rating: 5
My credit car is stolen. :)




RE: Hate it when
By MrBlastman on 5/4/2011 1:59:47 PM , Rating: 2
Did they take it for a spin? ;) Or did they just tear the seats out and leave it on the side of the road, burning?


RE: Hate it when
By ClownPuncher on 5/4/2011 3:21:17 PM , Rating: 4
They put it up on blocks in a Puerto Rican neighborhood.


RE: Hate it when
By Integral9 on 5/5/2011 8:48:37 AM , Rating: 2
Sounds like Valet Parking


RE: Hate it when
By SpaceRanger on 5/5/2011 2:35:02 PM , Rating: 2
1 day later, and the cars are still around too..


What is the potential for ID Theft from this?
By bmheiar on 5/4/2011 2:58:27 PM , Rating: 2
What is the potential for ID Theft from all of this?

My gf is all upset over this because she has a PSN account and had one of her credit cards saved to that account. Though the last time she bought anything off of PSN was in 2009. So she is now afraid that since the PSN system was hacked and the possibility of someone(s) now having her name, address, phone #, email address, passwords, CC info and etc., that they can now steal her Identity. Is this possible even when they don't have her SSN?

She is checking that credit card account every day to see if there are any additional charges (fraudulent charges) posting to her account. Nothing, yet.

I have told her, she can call the CC company and have the CC number cancelled and request a new card.

Does she have anything to fear about ID Theft from all of this?




By Gzus666 on 5/4/2011 3:04:31 PM , Rating: 2
They have confirmed about 900 CC#s were taken and none of them are from America. The rest is all speculation at this point but I highly doubt she has much to worry about. Most of that information can be found on anyone with simple Google searches. Change passwords if they are the same as anything else and move on.


RE: What is the potential for ID Theft from this?
By Silverel on 5/4/2011 3:11:33 PM , Rating: 2
If it was Anonymous you probably have nothing to worry about. They would be going after Sony to cause them financial difficulties, not your gf.

I'm not fussing over any of it despite having accounts there, just sitting back and enjoying some popcorn.


By Taft12 on 5/4/2011 4:17:23 PM , Rating: 2
... but we don't know it was Anonymous and probably never will. The fuss is warranted.


By sviola on 5/4/2011 4:43:47 PM , Rating: 2
quote:
If it was Anonymous you probably have nothing to worry about.


So, what you are saying is that if it is an unknown hacker that belongs to an organisation that likes to disseminate chaos that stole Sony's customers' credit cards there is nothing to be worried about?

I for one completely disagree. If whoever did this was only doing it to give a headache to Sony, they wouldn't need cc numbers. Just the other data would suffice.


By LRonaldHubbs on 5/4/2011 6:06:46 PM , Rating: 2
One of my coworkers got a call from the bank a couple days ago about fraudulent charges on his debit card. It's the same card he had used with his PSN account. Can't say for sure that it was related, but it does seem pretty likely.


Evidence?
By MrTeal on 5/4/2011 1:43:26 PM , Rating: 2
quote:
Also unclear is whether Sony's claim of its file discovery implicating Anonymous in this new, separate attack is authentic, or whether the company is looking to seek revenge on Anonymous for past attacks by framing the group as the perpetrator of its recent system intrusion.


That's a pretty serious accusation. I'm not saying Sony is in the right here, but is there any reason to suspect they might be lying to the US Government other than just idle speculation?




RE: Evidence?
By Tuor on 5/4/2011 1:49:33 PM , Rating: 3
The evidence is not convincing... at all. Maybe in the future they'll provide something better, but at the moment what they have is nothing worth basing any conclusions on whatsoever.


RE: Evidence?
By Hakuryu on 5/4/2011 10:13:31 PM , Rating: 2
Is there any reason to suspect they might be lying? I'd say yes, but I wouldn't take it as the truth. I'd be more inclined to think it was simple incompetence (see above article) for them to blame a group that attacked them once without concrete proof, instead of lying.

I haven't followed this Anonymous movement, but every time I hear about them, it is related to denial of service attacks, or them changing a website to show slogans or something. I've never heard of them trying to steal user information and credit card numbers; this smacks more of Russian or Chinese hacking rings, who do this for profit by using or selling information.


RE: Evidence?
By Flunk on 5/5/2011 2:46:47 PM , Rating: 2
By Anonymous' own rules anyone who purports to be Anonymous is. Therefore the file has to be authentic, even if it was written by the President of Sony himself.


In other news
By MeesterNid on 5/4/2011 2:37:14 PM , Rating: 3
Sony says "It's not our fault", points fingers at favorite scapegoats.

They're just trying to use their PR department, while they still have the money to pay for it.




RE: In other news
By Taft12 on 5/4/2011 4:21:19 PM , Rating: 2
Anonymous is a particularly tasty scapegoat as they have no leadership or anyone authorized to speak on their behalf.

I can't recall desperation like this from such a large corporation since BP and the Gulf disaster.


RE: In other news
By karielash on 5/4/2011 5:56:20 PM , Rating: 1

hmmm... HBGary displayed a remarkable level of desperation... pretty close to Sony actually.


Sony got what it deserved
By Naviblue on 5/4/2011 2:17:54 PM , Rating: 1
I don't think the hackers' main goal was to steal and use anyone's personal information. They wanted to bring Sony down and did exactly that, they're probably celebrating their butts off right now. I hope they covered their tracks good and never get caught, Sony should burn for their actions against Geohot imo.




RE: Sony got what it deserved
By Mouth on 5/4/2011 2:42:39 PM , Rating: 4
I find it somewhat entertaining that the Corporation which put a root kit on my computer some years ago without my permission, is now squirming.


By masamasa on 5/4/2011 4:52:38 PM , Rating: 4
..and sticks the lot of them behind bars for a very long time. The world is full of jackasses everywhere you go. All they ever accomplish is to inconvenience everyone else. Lame...that's all it is, lame.




If Anonymous is involved hang the bums
By Beenthere on 5/4/11, Rating: 0
By Taft12 on 5/4/2011 4:23:18 PM , Rating: 3
quote:
The only good hacker is dead.


What a dumb thing to say, I'll bet you've said the same at some point about blacks, gays or jews.


Victory
By BailoutBenny on 5/4/2011 4:51:04 PM , Rating: 1
Sony leaders revealed to the world today that Anonymous was responsible for the attack on their servers. Sony claims the proof was a file named Anonymous containing the text "We are Legion." The file was promptly shot in the face and then buried at sea, in keeping with Anonymous tradition, so as not to become a shrine to other Anonymous followers.




RE: Victory
By priusone on 5/5/2011 8:11:13 AM , Rating: 1
The problem with your parody is that it doesn't fit, IMO.

Sony, like Al-Qaeda, has a hierarchical structure; there is a leader who can be shot in the face and buried at sea.

IMO, Anonymous is just a blanket statement which covers both individuals and groups acting towards a goal, no matter how silly or worthwhile it may be. I'm sure Anonymous helped by way of their DOS attack, which captivated Sony's attention long enough for a sophisticated group to penetrate Sony's system. My guess is that the group of people who did the hacking are more than happy to hide behind the name Anonymous to throw off the investigation.


Copyright 2014 DailyTech LLC.