Sony Responds to Congress, Hires Security Firm, and More

Sony is having a busy news day today. First, a story has been circulating that the company has hired yet another security firm to help with its investigation of the PlayStation Network security breach. According to GameIndustry.biz, Sony has retained Data Forte, a company led by a former U.S. Naval Criminal Investigative Service officer. Security firm Guidance Software and consultants from Protiviti are also involved in the investigation.

Another report from Edge claims that a group of hackers has restored Linux support to the PS3 by re-enabling "OtherOS" support. Homebrew developers released custom firmware today called "OtherOS++," describing it as "one small step for devs, one giant kick in the nuts for Sony." This custom firmware apparently allows a greater level of control over the system, with full access to the system’s inner workings. The only catch is that OtherOS++ can only be installed on consoles that are running an older version of the firmware.

Meanwhile, the House Subcommittee on Commerce, Manufacturing and Trade held a hearing today on the threat of data theft to American consumers. The hearing was inspired by Sony’s current security nightmare. The committee called several expert witnesses on two panels. The first panel consisted of David Vladeck, Director, Bureau of Consumer Protection, Federal Trade Commission; and Pablo Martinez, Deputy Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service. The second panel featured Justin Brookman, Director, Consumer Privacy Project, Center for Democracy and Technology; and Dr. Gene Spafford, Executive Director, Purdue University. A representative for Chairperson Mary Bono Mack (R-CA) said Sony declined to testify today, citing "an ongoing investigation" with outside security firms and law enforcement. C-Span has full coverage of the hearing here.

Finally, Sony’s Patrick Seybold issued a statement on the PlayStation Blog following the House Subcommittee on Commerce, Manufacturing and Trade hearing. The full statement can be found below:

"Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”

Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

Act with care and caution.
Provide relevant information to the public when it has been verified.
Take responsibility for our obligations to our customers.
Work with law enforcement authorities.

We also informed the subcommittee of the following:

Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack. We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.” By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.

As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack. Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.

We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.

We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve."
