Sony Rep to Testify for Congress About Network Breach

Wednesday, June 01, 2011



According to a report in the International Business Times, Sony Corporation will send Tim Schaff, president of the Sony Network Entertainment division, to testify before Congress about the company's ongoing network security problems.

Schaff's appearance is scheduled for June 2nd, though it appears Schaff may have few details to offer lawmakers.

"As yet, we do not know who was responsible for the intrusion; nor do we know precisely the amount of information that was taken; nor do we know with certainty the number of users whose data was actually affected. These gaps in what we know are not for lack of trying by experts, but rather an unfortunate testament to the skill of those who perpetrated the attacks. Some aspects of the intrusion may never be known," Hirai said.

In late April, Sony announced that the company's PlayStation Network servers had been hacked, exposing the records of more than 70 million customers. During the course of the investigation, Sony discovered that the company's Online Entertainment network had also been compromised, exposing another 25 million customer records.

The breaches forced Sony to shut down both the PSN and Online Entertainment networks. Sony has since been the subject of a great deal of criticism regarding the company's delay in notifying authorities and customers of the exposure of account details.

"Available evidence suggests that a database containing personal information for every account was accessed, and that an attempt was made to take information from certain data fields in that database... To date, however, there is no evidence that credit card information was taken," Hirai said.

The statements issued by Sony conflict with an article in Help Net Security, which notes that several independent security researchers have uncovered claims made by the alleged PSN hackers that they are in possession of more than two million credit card numbers pilfered in the PSN breach.

The Sony network attacks were precipitated by a distributed denial of service (DDoS) attack in early April, dubbed "OpSony", orchestrated by the rogue movement Anonymous. A press release that announced the attack indicated it was in retaliation for recent "legal actions against fellow Internet citizens GeoHot and Graf_Chokolo."

George "Geohot" Hotz is responsible for the well-publicized "jailbreak" of Sony's PlayStation 3, which allows non-approved software to run on the gaming system, and Alexander "Graf_Chokolo" Egorenkov drew the ire of Sony for his work in enabling the PS3 to run the Linux operating system.

While Sony has stopped short of accusing Anonymous members of the network breach, the company has made it clear that it believes the DDoS attacks played a significant role in the hack.

"Initially, Anonymous openly called for and carried out massive 'denial of service' attacks against numerous Sony internet sites in retaliation for Sony Computer Entertainment America bringing an action in Federal Court to protect its intellectual property," Hirai contends.

Sony's Schaff will likely face questions about the state of the company's network security leading up to the breach event. Independent security experts believe Sony was lax when it came to implementing security efforts that could have prevented the unauthorized intrusion.

Dr. Gene Spafford recently offered Congressional testimony asserting that Sony was running outdated and obsolete software on the PlayStation and Online Entertainment Networks, leaving the systems extremely vulnerable to attack. Sony has since denied the allegations.

"SNEA was in the process of putting in place several key security measures (as set out in my May 3 response) before the attacks occurred; SOE had already taken a variety of steps in a multilayered approach to securing its network prior to the attack. In light of the sophistication of the attack, each company has made further refinements to its overall network security including new intrusion detection methods, policy changes, additional firewall protection, and more in-depth application testing prior to deployment," Hirai said.

The problems for Sony have not yet begun to diminish, as the company continues to be a preferred target for hackers looking to make headlines.

So-net Entertainment, a Japanese Internet service provider and subsidiary of Sony, was the victim of a network breach in late April, and Sony BMG Greece was recently the target of a SQL injection attack which may have exposed the usernames and email addresses of account holders.
