updated 5/6/2011 11:45:33 PM ET


Sony's websites and gaming networks, already stunned by the one-two punch of a denial-of-service attack and a massive network intrusion, may be in for a third attack over the weekend.

A report posted on CNET last night (May 5) says hackers in an online chat room discussed going back into Sony servers and making public all the personal records they could find, according to an unnamed source who says he observed the chat.

Meanwhile, members of the online activist movement Anonymous told the Financial Times in an article published today (May 6) that some of their comrades were likely behind the intrusion into the PlayStation Network, Sony Online Entertainment and Qriocity services.

A respected network security specialist testified before a Congressional panel Wednesday (May 4) that Sony was running outmoded, vulnerable software on its servers and had not taken basic security precautions.

And Sony itself said late Thursday that its servers would soon be back online, and that it was paying for identity-theft insurance for all members of its compromised networks.


Third attack brewing

CNET's source said the hackers planning the third attack were motivated by Sony's clumsy consumer relations following the initial network intrusions in mid-April.

They claimed to have access to Sony servers -- which are supposedly offline -- and intended to embarrass the company by showing the world what they could find there.

The report could not be independently verified.

Sony shut down the PlayStation Network, which connects users of PlayStation 3 and PlayStation Portable gaming consoles, and Qriocity, which streams movies and other entertainment media to Sony devices, on April 20, hours after the intrusions were discovered.

But it waited until April 26 to inform users of those networks that their personal information, including names, addresses, telephone numbers and email addresses, had been exposed.

Anonymous connection

Embarrassing Sony would certainly be among the motives of members of Anonymous, which publicly launched distributed denial-of-service (DDoS) attacks in early April against Sony websites to protest the company's lawsuit against a hacker who had shown others how to modify a PlayStation 3.

In a letter to U.S. congressmen Wednesday (May 4), Sony stopped just short of accusing Anonymous of also being behind the much more serious intrusions later in April, which compromised personal data attached to 102 million accounts worldwide.

Anonymous quickly replied that it had nothing to do with the intrusions, and that a file labeled "Anonymous" found on one of the hacked servers was meant to frame the group.

Yet at least two members of Anonymous told the Financial Times that it sure sounded like some of their colleagues were behind the more serious attack.

"The hacker that did this was supporting OpSony’s movements," an unnamed Anonymous supporter told the London-based newspaper.

"If you say you are Anonymous, and do something as Anonymous, then Anonymous did it," another Anonymous member, who claims to be a 16-year-old girl named Kayla, told the paper. "Just because the rest of Anonymous might not agree with it, doesn't mean Anonymous didn't do it."

Another unnamed member claimed to have some knowledge of the network intrusion, but said it was far less serious than what Sony has told the public.

"No credit card information was ever exposed, neither was over 100 million accounts," he or she told the Financial Times. "They had access to their databases, yes, but nothing was downloaded except a few admin accounts. Nothing has been exposed, no one is selling anything."

Flawed security

At the congressional hearing Wednesday, to which Sony sent its letter rather than appear, Purdue University professor and researcher Eugene Spafford testified that Sony may have been a sitting duck for hackers.

Responding to questions, Spafford said he had seen recent discussions in security forums indicating that Sony servers had been running an old version of the widely used Apache web server software, one that "was unpatched and had no firewall installed."

According to the Consumerist, a blog owned by Consumer Reports magazine, Spafford also said that the discovery of the vulnerable servers by third-party researchers was "reported in an open forum monitored by Sony employees."

(Spafford's statements do not appear in his prepared testimony.)
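The kind of "old, unpatched Apache" observation Spafford described is usually made from the version string a server advertises in its HTTP `Server:` header. The following script is an added example, not code from the article, Sony, or Spafford's testimony: it parses that header from a few constructed HTTP responses and flags versions below an assumed minimum. The sample responses, the product name matching, and the `MINIMUM_APACHE` threshold are all assumptions chosen for illustration; the article names no specific Apache version.

```python
"""Banner check for advertised Apache versions (illustrative example).

Parses the HTTP ``Server:`` header from raw responses and classifies the
result. All sample data below is constructed for this example and was not
captured from any real host.
"""
import re
from typing import Optional, Tuple

# Constructed sample responses (assumption: not captured from any server).
SAMPLE_RESPONSES = {
    "full-banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n"
                   "Content-Type: text/html\r\n\r\n",
    "hidden-version": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "no-server-header": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "newer": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Unix)\r\n\r\n",
}

# Assumed threshold for this example only; derive yours from your own
# patch baseline, not from this number.
MINIMUM_APACHE = (2, 2, 17)

# Matches "Server: <product>[/<version>] ..." at the start of a header line.
SERVER_RE = re.compile(
    r"^Server:\s*(?P<product>[A-Za-z0-9_-]+)(?:/(?P<version>[0-9][0-9.]*))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_server_header(raw_response: str) -> Tuple[Optional[str], Optional[Tuple[int, ...]]]:
    """Return (product, version_tuple) from the Server header, or (None, None).

    version_tuple is None when the product is advertised without a version,
    which is what Apache's ``ServerTokens Prod`` setting produces.
    """
    match = SERVER_RE.search(raw_response)
    if not match:
        return None, None
    product = match.group("product")
    version = match.group("version")
    if version is None:
        return product, None
    parts = tuple(int(p) for p in version.strip(".").split("."))
    return product, parts


def assess(raw_response: str, minimum: Tuple[int, ...] = MINIMUM_APACHE) -> str:
    """Classify one response: no-banner, not-apache, version-hidden, outdated, ok."""
    product, version = parse_server_header(raw_response)
    if product is None:
        return "no-banner"
    if product.lower() != "apache":
        return "not-apache"
    if version is None:
        return "version-hidden"
    if version < minimum:  # tuple comparison handles differing lengths
        return "outdated"
    return "ok"


if __name__ == "__main__":
    for label, response in SAMPLE_RESPONSES.items():
        print(f"{label:18s} -> {assess(response)}")
```

Two caveats a practitioner would attach to any such check: a banner can be suppressed (`ServerTokens Prod`) or rewritten, so "version-hidden" and "no-banner" are not evidence that a host is patched; and distribution vendors backport security fixes without changing the upstream version number, so an "outdated" banner is a lead to confirm against the installed package, not proof of an exposed vulnerability.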

Coming back online

Despite these developments, Sony assured users of its online services that the three networks would be coming back online soon.

"In the coming days, we will restore service to the networks and welcome you back to the fun," company CEO Howard Stringer told users of the PlayStation Network in a blog posting Thursday. "A program for U.S. PlayStation Network and Qriocity customers that includes a $1 million identity theft insurance policy per user was launched earlier today and announcements for other regions will be coming soon."

He reiterated earlier Sony assurances that all members who used paid services would receive an extra month on their current subscriptions, plus time lost to the network outages.

© 2012 SecurityNewsDaily. All rights reserved

