Sony Responds to Congress, Hires Security Firm, and More

May 4, 2011

Sony is having a busy news day today. First, a story has been circulating that the company has hired yet another security firm to help it with its investigation of the PlayStation Network security breach. According to GamesIndustry.biz, Sony has retained Data Forte, a company led by a former U.S. Naval Criminal Investigative Service officer. Security firms Guidance Software and Protiviti consultants are also involved in the investigation.

Another report from Edge claims that a group of hackers has restored Linux support to the PS3 by re-enabling "OtherOS" support. Homebrew developers released custom firmware today called "OtherOS++," describing it as "one small step for devs, one giant kick in the nuts for Sony." This custom firmware apparently allows a greater level of control over the system, with full access to the system's inner workings. The only catch is that OtherOS++ can only be installed on consoles that are running an older version of the firmware.

Meanwhile the House Subcommittee on Commerce, Manufacturing and Trade held a hearing today on the threat of data theft to American consumers. The hearing was inspired by Sony's current security nightmare. The committee called several expert witnesses on two panels. The first panel consisted of David Vladeck, Director, Bureau of Consumer Protection, Federal Trade Commission; and Pablo Martinez, Deputy Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service. The second panel featured Justin Brookman, Director, Consumer Privacy Project, Center for Democracy and Technology; and Dr. Gene Spafford, Executive Director, Purdue University. A representative for Chairperson Mary Bono Mack (R-CA) said Sony declined to testify today citing "an ongoing investigation" with outside security firms and law enforcement. C-Span has full coverage of the hearing here.

Finally, Sony's Patrick Seybold issued a statement on the PlayStation Blog following the House Subcommittee on Commerce, Manufacturing and Trade hearing. The full statement can be found below:

"Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”

Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

Act with care and caution.
Provide relevant information to the public when it has been verified.
Take responsibility for our obligations to our customers.
Work with law enforcement authorities.

We also informed the subcommittee of the following:

Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack. We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.” By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.

As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack. Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.

We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.

We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve."

Comments

Re: Sony Responds to Congress, Hires Security Firm, and More

Hacking the system to run code for backups, homebrew and trainers is worlds separate than hacking the online system to steal account info.

Also it does not help that Sony left the barn door open as far as security was concerned...


I have a dream, break the chains of copy right oppression! http://zippydsmlee.wordpress.com/2010/05/21/cigital-disobedience/


Copyright infringement is nothing more than civil disobedience to a bad set of laws. Let's renegotiate them.

---

http://zippydsm.deviantart.com/

Re: Sony Responds to Congress, Hires Security Firm, and More

It's also not helping that these thieves caused even more damage to even the idea of hacking.

The thieves who do it for nothing other than personal gain, be it to play games without ever paying or to steal other people's money, don't help at all.

Re: Sony Responds to Congress, Hires Security Firm, and More

While I understand both sides of the issue, I think both sides are at fault here. The hackers should not have attacked PSN, and Sony should have been more proactive with security. The fact that they were not proactive proves that they do not care about their customers, at least to me. I know I am not going to buy another Sony product any time soon. Microsoft and Nintendo have been accredited by the Better Business Bureau since the late 80s, and Sony has received an F rating from the BBB for poor customer service. Here's the links if you don't believe me.

http://www.bbb.org/greater-san-francisco/business-reviews/computers-software-and-services/sony-computer-entertainment-america-in-foster-city-ca-16128

http://www.bbb.org/western-washington/business-reviews/video-games-wholesale-and-manufacturers/nintendo-of-america-in-redmond-wa-502092

http://www.bbb.org/western-washington/business-reviews/computers-software-and-services/xbox-in-redmond-wa-22228659

Re: Sony Responds to Congress, Hires Security Firm, and More

The BBB is like a security blanket. Is there when you need it but it doesn't mean it's any good. The company is utterly useless. They have no enforcement powers and a case is marked as solved when the company replies to them regardless of the actions even if they don't do squat since they replied to the entity is marked as a closed case and a positive mark for the company. Type Better Business Bureau on the Rip-off report website and you'll see over 400 complaints. Not to mention several articles portraying the utter incompetence. And it's a shame though being a member used to mean something.

Need proof?

http://consumerist.com/2008/04/bbb-is-useless-says-cable-company-call-center-manager.html

http://www.searchengineguide.com/david-wallace/has-the-better-business-bureau-outlived.php

 

Re: Sony Responds to Congress, Hires Security Firm, and More

Thank you for the very good sources and for helping the discussion. Here's 3 internets.

Re: Sony Responds to Congress, Hires Security Firm, and More

Looks like it was Anonymous after all. All who didn't see this coming, raise your hand.

...Hello?

...Anybody?

_____________________________________________________________________________

"Power means nothing without honor and pride."

http://grifsgamereviews.blogspot.com My video game review site.

Atlanta Video Games Examiner for examiner.com

Re: Sony Responds to Congress, Hires Security Firm, and More

"...and they definitively possess Weapons of Mass Destruction..."

or, since it seems to be more to your liking

"...I will close Guantanamo Bay..."

or let's go with a classic

"...I did not have sex with this woman..."

or, well, anything Nixon said past a certain point, really...

In other words, there's a huge step between saying something and proving something, ESPECIALLY when it conveniently aligns with the spokesman's main goals. Again, not that whoever did it didn't think himself part of Anonymous, but there is a lot to prove just to prove that, and even then, it doesn't mean the act of the few reflects on the many.

Re: Sony Responds to Congress, Hires Security Firm, and More

Especially given the nature of Anonymous. And that's assuming the message isn't a red herring to begin with. It's just as likely that the hacker knew of Anonymous's recent hostility towards Sony and planted that message to shift attention towards them.
---
I'm not under the affluence of incohol as some thinkle peep I am. I'm not half as thunk as you might drink. I fool so feelish I don't know who is me, and the drunker I stand here, the longer I get.


Re: Sony Responds to Congress, Hires Security Firm, and More

And, again, the humor is lost. Sometimes I don't even know why I try.

For the love of pie, people need to grow a sense of humor and stop taking everything at face value.

If I really thought it was Anonymous, I would have said so a long time ago.

_____________________________________________________________________________

"Power means nothing without honor and pride."

http://grifsgamereviews.blogspot.com My video game review site.

Atlanta Video Games Examiner for examiner.com

Re: Sony Responds to Congress, Hires Security Firm, and More

I sure hope Sony doesn't hire HBGary. 

Re: Sony Responds to Congress, Hires Security Firm, and More

It may be far too early to determine if Anonymous really is behind this- I am amazed at how all of a sudden this PSN outage is somehow the result of benevolence on the part of hackers (judging by the comments on stories like this on the internets).  

These people aren't saving lives or bringing freedom to oppressed people- being angry because a company is trying to stop your ability to steal software is not justification for stealing personal information and credit cards. This sense of entitlement is staggering.

Re: Sony Responds to Congress, Hires Security Firm, and More

And Sony's customers are actually entitled to anything in the wake of this?

Legal issues and personal financial issues aside, I think this is GREAT. Why? Because it serves as a huge wake-up call. Everyone loves Windows XP, or at least compared to Windows Vista and 7. I listened to a bit of perspective in a recent netcast about when XP first came out and remembered that I purposely chose Windows ME on a new computer in the pre-XP SP1 days because I'd heard Windows XP was so insecure. Microsoft even halted development of Windows for a while to rethink how they did security in the wake of XP.

Sony clearly had work to do on the security front. The positive thing that absolutely must come out of this is for Sony and other companies in all ranges of industry to rethink their digital security systems and do what they have to to better prevent similar disasters in the future.

 

 

Re: Sony Responds to Congress, Hires Security Firm, and More

Ahhh yes, I assume you mean the much touted (pre-release) feature of XP to let you access your desktop from any windows computer in the world. Then scrambling for a patch because, SURPRISE SURPRISE, people were using that same feature to crack everything in sight from day 1.

 

 

Hunting the shadows of the troubled dreams.


Re: Sony Responds to Congress, Hires Security Firm, and More

While you are correct, that Sony really was in dire need to shore up their security, that doesn't change the fact that they were targeted, and were the victim of the crime.  However, people are so concerned with setting Sony ablaze that they forget the real criminals are the people who did this to Sony and - by extension - all PSN users.

---

With the first link, the chain is forged.


Re: Sony Responds to Congress, Hires Security Firm, and More

At the same time, a letter from Kaz Hirai doesn't prove anything one way or the other and, until they find who made this file, it doesn't mean the group Anonymous, as opposed to an individual withholding a handle/alias, is responsible either.

Yes, the real crime was perpetrated by an individual (as Sony has stated before), but that doesn't mean Sony isn't still culpable. The FBI, FTC, two dozen US Attorney Generals, the Canadian government, the EU, all of them have a legitimate legal reason to be taking a hard look at Sony, they're just guilty of a different fault. The issue for Sony is whether their security philosophy is a fault or a crime.

Re: Sony Responds to Congress, Hires Security Firm, and More

This is my main beef with all this.

Everyone is crying and whining about personal information being compromised and yet nobody is demanding the heads of the criminals. I want the bastards involved in this attack captured, convicted and with a nice fat jail sentence next to bubba so he can recreate scenes from Deliverance on the posterior of this arrogant jerk off. If people are so pissed at the privacy being invaded might as well close Facebook and every other social network cause no matter how much information you are concealing from them they STILL know who you are, what you like, where you REALLY live and everything else in between. And they'll sell this information to the highest bidder in a freaking blink of an eye.

Re: Sony Responds to Congress, Hires Security Firm, and More

And this is my beef...

I see people calling for the heads of the hackers all over the place.  I also see people like you who seem to think that if people are annoyed at Sony that they somehow are not annoyed at the hackers too.

This is not a zero sum situation.  Railing against Sony for their behavior is not an endorsement of the hacker's attack.

It also remains to be seen exactly what was stolen or the nature of the attack.  I have seen in multiple hacking trials over the years prosecutors trying to twist 'this person got into a system and didn't really do anything' into 'since they accessed the system they read and stole everything on it!'

Re: Sony Responds to Congress, Hires Security Firm, and More

Indeed.  It's utterly asinine for people to suggest that criticizing Sony automatically means you support the people who actually breached the network.  But of course by this point I've come to expect that level of discourse from the GP comments section.

In real life, it is of course entirely possible for both the infiltrators to be guilty of a crime and Sony to be guilty of negligence.  But that's just a little too complicated for some of the posters here I fear.  Hell, one of them even called me an idiot for saying so.

Re: Sony Responds to Congress, Hires Security Firm, and More

No wonder people call you an idiot.

Nobody is claiming that people who bash Sony are in favor of the hackers so get your facts straight before you make a fool out of yourself. But that's just a little too complicated for you is it?

Re: Sony Responds to Congress, Hires Security Firm, and More

And only you are claiming that nobody is calling for the hackers to be punished.

Maybe you should work on that self-filter before accusing others of being idiots?

Re: Sony Responds to Congress, Hires Security Firm, and More

I don't think they're "in favor" of the hackers, but I do find it troubling that all anyone is concentrating on is Sony's security, which was hacked through illegal custom firmware in the first place.  It's not like the security measures put in place were shaky to begin with - they were beaten by people who were breaking the law merely by possessing the tech to beat it.  Then they used it, breaking the law again.

A similar scenario.

A beautiful woman goes home.  Three men run in and gang rape her.  Everyone's response?  "WHY DIDN'T SHE LOCK THE DOOR!!!"

There isn't a court in the whole country that would allow that sentence to escape anyone's mouth.  There isn't a newspaper or journalist who'd allow that to be printed or spoken on-air.  There sure as hell wouldn't be any US Senators demanding to know why she didn't do enough to prevent her own rape.  However, we're doing exactly that with Sony.

---

With the first link, the chain is forged.


Re: Sony Responds to Congress, Hires Security Firm, and More

Or like your car insurance being invalidated if you don't lock your car door.  Oops.

-Ultimately what will do in mankind is a person's fear of their own freedom-

Re: Sony Responds to Congress, Hires Security Firm, and More

Holy inappropriate and offensive comparison, Batman! This is nothing like a woman being gang raped at all, first of all, and second of all, those arguments get used in court all the damn time- if the woman who is raped even gets the cops to arrest her rapist!

I know that you support Sony 100%, but could you try not to make hurtful and offensive comparisons like that one?

Re: Sony Responds to Congress, Hires Security Firm, and More

Well, details have not come out so it is hard to say if it was the firmware hack that did it (though if it was the firmware hack, then that opens up the possibility that the 'stolen personal information' is a bit of a mistruth)...

It was also reported that Sony was running outdated versions of Apache on their servers, so it might have been a run of the mill attack on servers.   There is also speculation that since the intrusion was detected a few days after they fired 200+ employees from their on-line division that it was an inside job revenge hack.

Oh, as for your similar scenario.  Yeah.. try talking to some rape victims.. those arguments are still used in courts (even in child molestation cases).  Not defending their use, but pointing out that they ARE used in courts all the time.

I would also not call it a similar scenario.  Depending on the actual details, some versions describe Sony as having a poorly designed system with weak security.   It is true that hackers will be able to break most systems via technology or social engineering.. but companies that fail to adequately secure a system deserve ridicule for it.  You don't take on a responsibility like that and then not follow through with what is needed. If a bank failed to lock its vault, while people would be annoyed at the robbers the bank would still shoulder blame.

Re: Sony Responds to Congress, Hires Security Firm, and More

"yet nobody is demanding the heads of the criminals"

You mean that wasn't a given?

The problem with these types of situations is that, it seems more often than not, the criminal is caught in the end, but the companies who were broken into learn nothing.

It's as if an exec says, "Well, it happened to Company X, but it will never happen to us!" And then they just sit back and pray that they're not the next ones in the news.

So, with all the data losses and 'break-ins' in recent years, it's time we start holding companies just as responsible for their complete failures to increase their own security.

 

On top of that, it would be rather easy for Sony or the hackers themselves to try and put the focus on Anonymous as being responsible with such a 'clue'. After all, Anonymous were making idiots of themselves publicly proclaiming that they would bring Sony down, so they make an easy scapegoat.

Re: Sony Responds to Congress, Hires Security Firm, and More

Yes, Sony customers are ENTITLED to have their private data and credit card numbers protected.

Sony customers sure as hell are ENTITLED to be informed the moment there is even the possibility that their private info and credit card numbers have been compromised.  

What exactly is so unreasonable about expecting these things?

Re: Sony Responds to Congress, Hires Security Firm, and More

I was talking about the Welcome Back program, but sure.

Also, I said "legal issues and personal financial issues aside" for a reason.

Re: Sony Responds to Congress, Hires Security Firm, and More

It's still nice of Sony to do it.

Re: Sony Responds to Congress, Hires Security Firm, and More

Right. It's good will on the company's part. The Welcome Back program with Sony, Microsoft offering Undertow after Xbox Live went down from the traffic overload at the end of 2007, game and software developers releasing post-release patches to fix a title.

Even from the Steam Subscriber Agreement: "You understand that neither this Agreement nor the terms associated with a particular Subscription entitles you to future updates, new versions or other enhancements of the Software associated with a particular Subscription although Valve may choose to provide such updates, etc. in its sole discretion."

It's all good will that they're not obligated to offer. They do it because it's easier and cheaper to keep a loyal customer than to attract new ones. Nowadays, it's expected. Nowadays, it's perceived as an entitlement.

Re: Sony Responds to Congress, Hires Security Firm, and More

Yeah, this isn't good will.  This isn't even "it's cheaper to keep a loyal customer than attract a new one".  That is what companies which haven't screwed up this major do.  This is "It is cheaper to try and throw some free crap at our customers and pray to god that they don't sue our balls off".

This is very much the bouquet of roses given to a woman after being caught in bed with her sister.

-Ultimately what will do in mankind is a person's fear of their own freedom-

Re: Sony Responds to Congress, Hires Security Firm, and More

It's not Good Will. It's PR. They are trying to avoid a public image destruction. Mind you, it doesn't mean they should have one or that they are not doing the right steps to avoid it, but still, let's call a duck a duck.

Re: Sony Responds to Congress, Hires Security Firm, and More

Honestly, any PR right now is bad PR as long as the network is down. Offering this package means nothing if people can't use it.

Re: Sony Responds to Congress, Hires Security Firm, and More

Plus, better this happen now than when Sony released all their other devices that will use a similar network setup.

Re: Sony Responds to Congress, Hires Security Firm, and More

They misspelled malevolent, but I see that was your point.

 It won't surprise me if some are trying to find these hackers and turn in some of the most selfish people on the planet.

Sure, hacking CAN unlock features of a system someone might want to use, but incidents like this destroy any good reputation in short order.

And looking at a few things, I heard Anonymous was behind the DDoS attacks that crippled the network, so, even if they didn't steal the data themselves, they enabled it.

Re: Sony Responds to Congress, Hires Security Firm, and More

We just want it up and running again and it looks like it being promised this week is going to fall through.

 