Original URL: http://www.theregister.co.uk/2011/05/04/sony_implicates_anonymous/

Sony implicates Anonymous in PlayStation Network hack

Legions 'duped,' company says

By Dan Goodin

Posted in Games, 4th May 2011 18:52 GMT

Updated Forensics experts investigating the security breach on Sony's PlayStation Network found a file on one of the hacked systems that was titled “Anonymous” and contained the phrase “We are Legion,” the company's chairman told members of Congress.

The revelation, made in a letter (PDF here) that Sony Chairman Kazuo Hirai sent on Tuesday to members of the US House of Representatives, was used to support the company's contention that the massive security breach was carried out by members of Anonymous, the loosely organized griefer and hacker collective that sometimes uses the tag line “We are Legion.”

“Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous,” Hirai wrote. “The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker.”

The sophistication of the PSN attackers, combined with the continuing DDoS attacks, made it hard for Sony admins to detect the compromise, which has resulted in the wholesale theft of personally identifiable information associated with 77 million accounts. Almost two weeks into the investigation of the hack, Sony learned that Station.com, its PC games site, was also breached, resulting in theft of PII associated with an additional 25 million accounts.

“Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know,” Hirai wrote. “In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world.”

Hirai's eight-page letter didn't leave open the very real possibility that the DDoS attacks were unrelated to the security breach. It wouldn't be a stretch for those who penetrated Sony's servers and stole the mountains of data to have left the file behind as a decoy intended to distract investigators from the true culprits.

The Chairman's letter came in response to questions members of the House Subcommittee on Commerce, Manufacturing, and Trade posed late last month. It provides a timeline and new details behind one of the largest data thefts ever.

The first sign of trouble surfaced on the afternoon of April 19, when US-based members of Sony's team discovered that some systems were rebooting even though they weren't scheduled to do so. They promptly launched a probe by reviewing server logs and about 24 hours later found the first signs indicating an “unauthorized intrusion had occurred and that data of some kind had been transferred off the PlayStation Network servers without authorization.”

Sony responded by taking the PSN completely offline and calling in a “recognized security and forensic consulting firm”. Investigators began the lengthy task of mirroring the PSN systems, which Hirai said consist of some 130 servers and 50 software programs.

On April 21, as the scope and complexity of the investigation grew, Sony brought in a second security firm. They didn't finish mirroring the nine or 10 servers suspected of being compromised until April 22, and it took another day for investigators to “confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers,” Hirai said.

On Easter Sunday, Sony brought in a third forensics firm, and by the following day investigators were for the first time able to confirm that PSN users' names, birthdates, addresses, email addresses, and passwords were plundered. They found no evidence that credit card data was stolen, but they couldn't rule out the possibility.

PII from all PSN users lifted

“Information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen,” Hirai wrote. “The criminal intruders stole personal information from all of the approximately 77 million PlayStation Network and Qriocity service accounts.”

On April 26, Sony first warned users of the data theft.

Investigators have determined that the intruders issued commands that probed the compromised systems for user data related to their email addresses and other PII. The investigators have also “seen large amounts of data transferred in response to those queries.” So far, there are no “confirmed reports of illegal usage of the stolen information.”

Investigators have seen no server queries for credit card data, and credit card issuers have yet to report any fraudulent transactions believed to be a direct result of the security breach.

In all, 12.3 million PSN accounts contained data from credit cards, some of which may have been expired. About 5.6 million of the accounts belonged to people located in the US.

Hirai outlined several steps Sony is taking to improve security, including the naming of a new chief information security officer, who will report to Sony's chief information officer. The company also plans to relocate its PSN systems to a “new data center in a different location with enhanced security.”

Sony will also provide US-based users with “complimentary identity theft protection services,” and hinted at giving users in other countries a similar offering.

Hirai's account didn't provide crucial details about the encryption and cryptographic hashing used to secure credit card numbers and passwords respectively. If the hashing followed security best practices, the passwords would have been converted into unique text strings that would be impossible for the typical attacker to reverse. Encrypting credit card data could also go a long way to securing it, provided the decryption key wasn't also exposed.
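As an added illustration of the hashing practice the paragraph above alludes to (example code written for this page, not Sony's or the article's own): a per-user random salt makes two accounts with the same password produce different stored strings, and an iterated key-derivation function makes each guess against a stolen hash expensive. The password values and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Iteration count is an assumption for the demo; production values should be
# tuned to the server's hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted, iterated PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_sha1(password: str) -> str:
    """The weak approach: a bare digest that is identical for equal passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def demo() -> Dict[str, bool]:
    # Constructed scenario: two different users chose the same password.
    salt1, hash1 = hash_password("correct horse")
    salt2, hash2 = hash_password("correct horse")
    return {
        # Unsalted digests collide, so one cracked hash unlocks every account using it.
        "unsalted_identical": unsalted_sha1("correct horse") == unsalted_sha1("correct horse"),
        # Salted digests differ even though the plaintext is the same.
        "salted_distinct": hash1 != hash2,
        "verify_ok": verify_password("correct horse", salt1, hash1),
        "verify_wrong": verify_password("wrong horse", salt1, hash1),
        "verify_cross_salt": verify_password("correct horse", salt2, hash1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```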

The account also makes no additional references to Anonymous, a group that is best known for its capacity to DDoS and, on rare occasion, remotely compromise the systems of people and companies whose policies the group opposes. There is no evidence Anonymous has ever engaged in hacking for profit.

Various people claiming to be Anonymous members have issued conflicting communiques, with some warning Sony it would soon experience the wrath of Anonymous and others disavowing any involvement in the Sony DDoS attacks.

Hirai's letter didn't address the seeming contradiction.

“What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes,” he wrote. “Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point.” ®

This article was updated to report additional details.