Third cyber-attack on Sony planned - rumour

Online gossip points to new breach, as U.S. Congress hears expert testimony

Online reports suggest that a group of hackers are planning a third wave of attacks on Sony this weekend, apparently as "retaliation" for Sony's handling of the original security breach.

According to CNET, discussion on IRC channels suggests that hackers already have access to some Sony servers. It is claimed they plan to publicise all or some of the information they copy from Sony's servers - potentially including customer names, addresses, and credit card numbers.

CNET suggests that the third attack will be by "the same group of hackers that was able to infiltrate the PSN servers", but does not speculate on whether they are associated with the Anonymous collective - as suggested by Sony Computer Entertainment boss Kaz Hirai.

In related news, Purdue University security expert Dr. Gene Spafford has claimed in a report to the U.S. Congress House Energy and Commerce Subcommittee (PDF) that many companies and organisations that store large amounts of user data routinely run outdated operating systems without sufficient protection.

Although Spafford referred to the PlayStation Network incident, he admitted he had no first-hand knowledge of Sony's security precautions, but he did offer this general summary of industry attitudes:

"My personal conclusion from reviews of reports in the press and discussions at professional meetings is that operators of these systems... continue to run outmoded, flawed software, fail to follow some basic good practices of security and privacy, and often have insufficient training or support."

Online reports claim that Sony was running an outdated version of the Apache Web server software without a firewall when it was originally attacked, although this has yet to be substantiated.

Latest comments (31)

Stuart Cripps Creative Lead, Evolution Studios 5 years ago
When will these imbeciles realise how much they are hurting the consumer they claim to protect/serve!?
Justin Titus Writer 5 years ago
Guess this will be a good test of Sony's new system. I find it hard to believe they already have server access, if all the servers are currently offline.
My guess is it's just glory seekers, I mean anyone can claim this stuff, let's see what happens.
Andrew Goodchild Studying development, Train2Game 5 years ago
But it's flawless logic hey? They are claiming this is in retaliation for Sony's handling of the last attack, suggesting they are sticking up for the consumer, but then threaten to publish user data.
I doubt the perpetrators will all get caught, but if some do, I hope the book will be thrown at them, after all, it shouldn't be some civil case this time, that can be settled out of court, it will presumably be a criminal case.
Justin Titus Writer 5 years ago
Yeah this is a criminal case and not a civil case. Kind of stupid to basically announce you are coming, I would guess the FBI will be watching.

Some wannabes probably think it's a good idea to do this attack to gain notoriety, they will try and fail. Sony will then come out with a "Well our new system is foolproof, they tried to hack it and failed miserably" statement at which point a bunch of proper hackers will think "Oh really?" And so on and so forth...
SenZ Customer Care Assistant FISA BATIBOUW 5 years ago
They are proving their point the wrong way, and by doing so hurting the consumer. This is very sad news.
Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 5 years ago
Did 3 of you guys just suggest the hackers were from Anonymous when Anonymous has repeatedly said they have nothing to do with these hacks? Come on, fellas. This is why information gets skewed across the Internet so easily.

It might be Anonymous, it might be a splinter group or it might indeed be a group acting like Anonymous, nonetheless a file has been found which points in their direction, if it was them or not remains to be seen.

I feel nothing for these hackers, who claim they're helping the consumer but they're not helping at all, they wanna tackle the big bad companies that supposedly nobody can touch, yet they can get away with everything...get a life please...

EDIT: edited for typos

Edited 2 times. Last edit by Joffrie Diependaele on 6th May 2011 1:01pm
Jake Clayton 5 years ago
It's not exactly the most trustworthy company in the world who has found this file remember.

And harming customers goes against everything Anonymous is about, and so it's either being framed by Sony (seriously wouldn't surprise me, their immature attitude to security and the way they smack talk everyone all the time) or being framed by some hackers (would surprise me to be honest).
Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 5 years ago
Sure, the hackers are certainly being as much a public nuisance as they are a corporate nuisance but I don't think the "file" found on the server proves much since any hacker could post that there. And why leave a file announcing your involvement only to say you had nothing to do with it? Sounds to me like a scapegoat file to point investigators away from themselves and toward Anonymous.
Andrew Goodchild Studying development, Train2Game 5 years ago
@ Jimmy. Re: "Did 3 of you guys just suggest the hackers were from Anonymous when Anonymous has repeatedly said they have nothing to do with these hacks?"
Bit confused, this comment was the first mention of Anonymous on the comment thread :/
If I was one of the 3 you referred to I was in no way linking Anonymous, in any way. I was referring to the threats reported on here, and the hackers that made them. I'd guess the other comments were doing the same.
Paul Shirley Programmers 5 years ago
If Sony have fixed their mistakes this is little more than an annoyance.

If Sony were premature in relaunching this is a timely reminder and a chance for them to reconsider.


Another little snippet Sony don't want publicised: anonymous called off the DDOS when it became obvious they were hurting PSN customers more than Sony. While that doesn't stop the large number of pissed off Sony customers continuing the attack, anonymous look like they care about Sony's customers a lot more than Sony did. Not surprising really, anonymous are flash mob vigilantes not criminals.
Andrew Goodchild Studying development, Train2Game 5 years ago
@Jake, so you keep insisting Anonymous are stand up guys and a force for good. Whilst I do not think they did this attack (it looks more financially oriented), did I miss something, or did some members of Anonymous not dig up Howard Stringer's family details and encourage people to harass/cyber-bully his kids? Does not going after his children seem as ethical as going to an animal rescue to kick puppies?

Aye well as I said it might be anyone, and as said before it might be Sony looking for a scapegoat, it might be Anonymous lying, it might be another group acting as Anon, we'll never know, but I do not place my trust in the word of a hacker group, nor the lies a big corporation spews out.

Point is, hack has been done, we got our details out, Sony got rep damage, people can't play their PS3's online, etc etc...

Was it really worth it to prove their security was weak? Nobody should be pointing us out they have weak security by hacking it. Whoever it was they're criminals, even if Sony is trying to blame someone for it, the hackers behind it are criminals.

In a perfect idealistic world nobody would need security as there would be no thefts or crimes, ofc we all know this is wishful thinking as it will never happen, either way, the hackers had no business on Sony's servers the 1st time (Anon) and the 2nd time (Hackers) and perhaps the 3rd time.

They don't need to protect the consumer, We didn't ask for their help, they don't need to make an example...

I'm quite annoyed by this matter as these hackers just hide behind a PC unable to trace them, so what's next after Sony, they might as well hack anything and still get away with it...and even if Anon is worried about the consumer, this probably hasn't been done by Anon, so that means there are more dangerous hacker groups out there that we should be worried about, where does it end...?

Edited 4 times. Last edit by Joffrie Diependaele on 6th May 2011 4:22pm
James Verity 5 years ago
I think Sony should ditch keeping all Customer Details, and just use PSN cards for everything...
Andrew Goodchild Studying development, Train2Game 5 years ago
If they stopped keeping card details, they would lose a lot of sales. People have to think about buying a card, then remember to do so as well as finding time to go to a store. When I buy digital games I 9 times out of ten do it spur of the moment. And just because Sony stop keeping details, that wouldn't give Microsoft, Steam or Apple an incentive to follow suit. So the result is that for people who pay by card, PSN would be more hassle to buy games on than their major rivals.
Joe Neate Producer, SUMO Digital 5 years ago
"potentially including customer names, addresses, and credit card numbers."

So also, potentially NOT publishing ANYTHING of the sort, but just other confidential Sony information which would be harmful to the company and not the consumer?
If they've said they're going to publish consumer details, please provide a source for that, and if not, let's not scaremonger, tabloid-style, eh?
Phil Stewart Studying Games Design & Production Management, University of Abertay Dundee 5 years ago
I severely doubt they can do anything just now as PSN is down. Probably just more idiots trying to scare the consumers. If there is a better security system being put in place by Sony I can only pray that if there is 'another attack' that they get caught out royally and to the point they never get to even touch any sort of computer related stuff ever again.
Anthony A Studying Msc Management, Lancaster University 5 years ago
"nor the lies a big corporation spews out."

Everyone lies. "Big" corporations are by no means unique in that regard.

Sounds like a bunch of idiots just doing more to damage Sony's consumers. Sad.
Nicholas Russell writer 5 years ago
So, anyone else feel like turning vigilante, arming yourself with a torch and pitchfork, and hunting down this new group of hackers with a bloodlust usually reserved for Mortal Kombat?
Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 5 years ago
Nicholas, I'm just as pissed at Sony for not keeping their Apache up to date. It's free software. Why leave it vulnerable? The last stable release was over 6 months ago. They were even warned of the attack back in February.

Sony's failure to provide useful updates and not patches to their network. I wouldn't be surprised if you actually looked at their network from the developer side and it was pretty basic stuff protecting your valuable information once you got through the network jargon.

Then to Jimmy "Why leave it vulnerable?" Isn't that a simple business question? It's cheaper and it works (was working). Why fix something that's not broken? (Now broken, which is why they're fixing it.)
Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 5 years ago
Part of being a network administrator is balancing the costs of upgrading software (and hardware) vs the costs of an attack. Given that their vulnerability was with the Apache server and that's free software, I find absolutely no excuse for leaving it vulnerable. As we are seeing, the costs of an attack far outweigh the costs of the software update. And Sony has hired new network administrators that understand that.
Stefan Pettersson Specialist Consultant, Fat Tuna 5 years ago
It's obvious where Sony put their money.

You can't jailbreak a PS3 by hardware as far as I know.

But you can hack both Sony Online and PSN and get 100+ million user accounts.

It's Sony's responsibility to keep their customers' data safe, and they failed miserably. Now face the consequences. I don't support the hackers, but I blame Sony for not keeping my data (and credit card!) safe.

Edited 1 times. Last edit by Stefan Pettersson on 6th May 2011 8:00pm
David Amirian Writer 5 years ago
When a store is robbed I blame the owner for not having more security rather than the people who went in and robbed it all.
Jamie Watson Studying Bachelor of Games & Interactive Entertainment, Queensland University of Technology 5 years ago
I agree with the others, this is some simple "oh no hackers attacked Sony" it's Sony having bad method in place to protect customers against theft of data like this.

Piece of advice - Sony, next time don't go shouting "our system is hack proof" because that is how you get the hackers (the bad ones) to do something like this.

@stefan: you can't hack the PS3 by hardware mods (like you used to back in the PS2, Xbox 1 days) but you can still jailbreak the system (not PSN etc, but the console itself)
Adam Yaure Studying MSc Games Programming, University of Hull 5 years ago
Hopefully they can defend against the hackers this time with the help of those top security firms.
Feels like end of the world if the hackers manage to win lol.
Gregory Hommel writer 5 years ago
I would not dare to guess who's behind this attack. Although two Anonymous veterans have stated that it's "likely that newer members of the group are responsible." All I know is that this is a broad attack on Sony. This was to, and still will be the year Sony takes back any market share it lost on the PS3. This new console has been running into brick walls since its inception. No one gave it any credit. Not for its specs. Not for its options. Now years later not even for its superior capabilities. There has been a mass effort to stall the momentum of this console so it is no surprise at all that when the cycle was about to run its course, and Sony was going to end up on top, something "awful" popped up. In my opinion all that has really happened is light has been shed on just how addicted approx. 75 million users, including me, are to online gaming.
Stefan Pettersson Specialist Consultant, Fat Tuna 5 years ago
David, seriously - you can't compare a store with the id-theft of 100+ million user accounts due to lax security. It's Sony's responsibility to keep user data safe and they failed so of course they should pay if their data is used in id-theft. If you can't keep user data safe, don't keep user data at all. Now go catch the hackers!
Ben Meadows Senior QA Engineer, Thomson Reuters 5 years ago
I thought the FBI was working on this case? Is it really that hard to find the guys who broke into the servers in the first place? I know about proxies and all that jazz but there has to be something that the FBI can go on here. If some people were caught and punished to the full extent of the law I doubt anyone else would be making threats about hacking Sony.

And to Sony... three letters... RSA! I do not understand how you can allow remote access to servers without basic protection in place. There is no way that you should ever allow people to access a server's file structure without further authenticating their identity, especially when people's credit card information is at stake. Ridiculous!
Tom Keresztes Programmer 5 years ago
@Ben,

All you need to hide your identity is to use public or WiFi networks without protection. Buy a USB network adapter, pay via cash, and the chance of identification converges to nil. Keep moving (around a big city), and it takes a genius (or a carefully written software) to even identify the MAC adapter in question...