While Sony had just finished telling reporters at its recent conference that it did not hold Anonymous responsible for the attacks, it has since issued a reply to the congressional letter that says otherwise. The Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on the "Threat of Data Theft to American Consumers." Sony provided a response letter but declined to appear and testify at the hearing. In the letter Sony tried hard to explain the seriousness of the situation and why the investigation and announcement timeline unfolded as it did. It hoped the committee could "appreciate the extraordinary nature of the events the company was facing," and understand that a company of that size must take every precaution to save as much face as possible, protecting its profits at the expense of everyone else.
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
- Act with care and caution.
- Provide relevant information to the public when it has been verified.
- Take responsibility for our obligations to our customers.
- Work with law enforcement authorities.
We also informed the subcommittee of the following:
- Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
- We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
- By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
- As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
- Protecting individuals’ personal data is the highest priority, and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
- We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads; 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.
We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.
Representative Mary Bono Mack also weighed in, slamming Sony for its absence at the hearing.
Rep. Mary Bono Mack (R-CA), chair of the Subcommittee on Commerce, Manufacturing, and Trade, opened the hearing with a sustained attack on both companies. After saying that both Sony and Epsilon were also "victims," Bono Mack stopped sympathizing with the firms. And she made clear that she's no fan of using "a blog" for public disclosure of a breach:
But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits "enter"…
As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.
According to Epsilon, the company did not have time to prepare for our hearing—even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them…
Yet for me, the single most important question is simply this: Why weren’t Sony’s customers notified sooner of the cyberattack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony, as well as all other companies, has an overriding responsibility to alert them... immediately.
In Sony’s case, company officials first revealed information about the data breach on their blog. That’s right. A blog. I hate to pile on, but—in essence—Sony put the burden on consumers to "search" for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.
Panelists joined in. Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.
Without Sony or Epsilon present, much of the hearing focused on potential data protection legislation that would create some kind of process for auditing a company's data security measures to make sure they conform to best practices. Breach notification rules were also discussed, and the Federal Trade Commission pushed for Congress to give it civil penalty authority to go after companies that lose data through carelessness; in the last 10 years, the FTC has brought cases against 34 such companies, though it is currently limited in the penalties it can seek.
Can better standards really protect against such breaches? A Secret Service investigator at the hearing said that they could, adding that in his view, 96 percent of such breaches could have been avoided through straightforward, well-known security techniques. Sophisticated hackers do exist, of course, but they are rare. If companies can simply cut off script kiddie access to their systems, it will be a big step toward better data security.
In case you skipped over it in the quoted text above, let me point it out again: "According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that 'were unpatched and had no firewall installed.' This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack." LoL~!
So whether Anonymous was involved is still unclear. Bear in mind that the real attacker(s) could be using Anonymous as a scapegoat, or claiming to be an arm of Anonymous while the rest of the collective denies any part in it. Such is the undefinable state of "Anonymous". What is clear is that the attack was premeditated. While Sony was busy dealing with the massive DDoS from Anonymous, the attacker(s) used it as cover for their intrusion. On April 19, Sony noticed that some of the roughly 130 servers in the PSN were rebooting unexpectedly and started combing through logs to find out why. The next day, it found evidence of the real attack. Mentioning the Sony attacks on AnonOps can now get you banned, as the majority of the activists want no part in the matter and have moved on to attacking Viacom and New Zealand over copyright-infringement trolling, data logging and censorship in the name of profiteering. (See the WikiLeaks cables on how, back in 2005, the US bankrolled a private IP enforcement unit run by major rights-holders in the region to the tune of about half a million NZ$.)
On top of all that, another class action lawsuit has been filed, this one by the Canadian law firm McPhadden Samac Tuovi. The lawsuit is still at the proposed stage, but Sony has 20 days to respond and could face damages in excess of $1 billion on behalf of Canadian citizens affected by the breach. It seems Canadians are also catching on to the fact that Sony cares more about protecting its profits and games than its customers' sensitive data. The complaint demands that Sony "pay the costs of credit monitoring services and fraud insurance coverage for two years."
Sony is still aiming for a phased relaunch of the hardened PSN this week.
SOE said it would offer a free month of DC Universe Online for players on the PC, a month's worth of subscription credit, and a wearable in-game mask to make up for the prolonged outage that has rendered the game unplayable.
What a cool mask for all the troubles.
Sony also went into further detail about the security firms it hired to assist with the investigation of the attack: consultants from Guidance Software and from Protiviti, a subsidiary of Robert Half International Inc., were brought in, and a team from Data Forte, led by a former U.S. Naval Criminal Investigative Service special agent, is also being retained. The three "recognized security firms" will work with the FBI to trace the identity of the alleged cyber-criminals. If you ask me, Sony should have gone straight to CSI so they could use their coveted VB GUI IP-backtracer softwarez.