It’s been a bad couple of weeks for Sony, and I suspect it’s about to get much much worse.
First, there was that inexplicable outage on its PlayStation Network. Since April 20, PSN subscribers have been unable to get online. For the first five days, Sony was as silent as a department store mannequin about the cause. On April 26 Sony finally owned up to the fact that it got hacked and oh, by the way, the identities of 77 million users were stolen. Nice.
It gets worse. Sony then revealed that its PC-based gaming network, Sony Online Entertainment, also got hacked, putting another 25 million identities into the hands of criminals.
Sony claimed that the financial information for these users was encrypted, and thus not at risk from hackers. But the New York Times reports that credit card numbers allegedly taken from the PSN have been listed for sale on the Internet black market.
[ See also: Is Facebook really ‘the most appalling spying machine’? ]
Yesterday, having been called on the carpet by Congress to address the hacking incidents (it sent a letter instead), Sony made another egregious error: It pointed the finger at Anonymous, that collective of prankster vigilantes that have made life a living hell for several organizations it took a dislike to.
Sony’s “proof”? Pretty flimsy, really. One is that Anonymous launched a DDOS attack against Sony’s corporate sites (to protest Sony bringing the hammer down on white hat hacker George Hotz) at or around the same time as the PSN got hacked. The other is a mysterious file, left on Sony’s servers by the attackers. Per Sony’s letter to Congress:
When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file on one of those servers named "Anonymous" with the words "We are Legion." Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group Called Anonymous…
… Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks Should understand that - whether they knew it or not - they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world.
First let me stipulate that it’s impossible to discuss with any accuracy the behavior of a shadowy collective whose center is everywhere and nowhere, and which claims legions of members, none identifiable by face or name.
Having said that, the PSN and SOE hacks do not fit the MO of Anonymous as we have seen it over the past couple of years – most notably, in its thorough pwnership of HBGary Federal last February.
When Anonymous hacks something, they generally want the world to know about it. They deface the Web site, usually with a blisteringly articulate letter ridiculing the site’s owners. They dig into company secrets and spill them across the InterWebs. They are not quiet.
Here’s one thing Anonymous doesn’t generally do: Hide files with cute little catchphrases in them for the victim to find. That’s way too coy for those guys. This file seems pretty clearly designed as a red herring to throw the clueless (that would be you, Sony) off the track.
And that is what Anonymous says in its 900-word response, posted today on Daily Kos. Among other things, the Anonymous spokesperson writes:
Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response. On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.
Anonymous goes on to imply that this was perhaps a smear campaign initiated by a company like HBGary or even people working on behalf of our government. I suspect it was more likely a campaign by rival hackers – possibly even Backtrace Security, a splinter group of Anons who are unhappy about the serious political turn the group has taken and want to get back to more juvenile pursuits. Or maybe just your usual gang of Eastern European cyber thieves.
But back to Sony. What were they thinking, exactly? That throwing suspicion onto Anonymous would get them off the hook? What’s more likely is that this will further stoke the ire of that collective, which if it hasn’t hacked Sony’s networks surely will be thinking about giving it a go. So far, nothing embarrassing has emerged from the Sony hack attacks, save for clear evidence of Sony’s ineptitude. Expect that to change if Anonymous starts digging in.
If you think you’ve been bitten by a rabid dog, the one thing you don’t want to do is walk over and kick the dog. Seems like common sense to me. But that may be more than we can expect from Sony.