Sony Hack -- Is Another One on the Way?

May 6, 2011— -- As if the recent wave of hacks wasn't enough, Sony might soon be in for another, according to a new report.

Citing an "observer of the Internet Relay Chat channel used by the hackers," the tech site CNET said that a third major hack against Sony has been planned for this weekend. According to the report, the hackers plan to not only break into the company's network but to publicize some or all of the information they can grab, including customer names, credit card numbers and addresses.

This latest threat comes two weeks after a network security breach that Sony said might have compromised personal information, including credit card data, for a reported 100 million PlayStation and online gaming customers. In a message to customers posted online Thursday, Sony CEO Howard Stringer apologized for "the inconvenience and concern caused by this attack."

According to CNET, the hackers behind this latest planned attack say they already have some of Sony's servers under their control.

But Chester Wisniewski, senior security adviser for security firm Sophos Labs, said the report may turn out to be false.

Security Expert: Threat of New Attack Could Be Rumor

"This might be a baseless rumor," Wisniewski said, adding that he's familiar with the Internet Relay Chat forum and believes it's filled mostly with "bluster."

Still, Wisniewski said, while the recent attacks have been devastating for Sony and its customers (himself included), the company's recent actions made it an attractive target for the hacker community.

In early April, the loosely affiliated international hacker group Anonymous posted a statement online promising Sony that it would experience "the wrath of Anonymous" after Sony took legal action against George Hotz, a PlayStation 3 user. Sony claimed Hotz had broken the law by sharing information on how to hack the system to play pirated videogames, but the two parties later announced that they had settled the matter.

In addition to its suit against Holz, Sony has also come down hard down on illegal downloads of movies and music. In the past few months, the company further upset techies when it revoked the PlayStation 3's ability to run the operating system Linux, according to Wisniewski. Several customers bought the PlayStation 3 specifically for its Linux capabilities, which allowed the system to work as a general computer, he said.

"They certainly have done a lot of things over the years to annoy the most skilled attacker kinds of people," said Wisniewski.

In a letter to members of the House Commerce Committee released Wednesday, Sony said the network security breach followed "large-scale, coordinated denial of service attacks" the company claims were launched by Anonymous. The letter also said the company found a file called "Anonymous" on one server that had been breached.

This week, the hacker group posted an online message denying its involvement in the Sony data breach.

"Let's be clear, we are legion, but it wasn't us, you are incompetent Sony," the message said, adding that though the data heist took place "in the midst of Anonymous' OpSony," credit card fraud is not the group's MO.

Were Hackers Behind Data Breach 'Bad Seeds' in Anonymous?

Jeff Moss, the chief security officer of the Internet Corporation for Assigned Names and Numbers and the founder of two well-known computer security conferences, raised the possibility that the culprits behind the data-collection attack were "bad seeds" in Anonymous.

"I'm wondering if there were a couple of bad actors in Anonymous who knew the plan and said, 'that's great, why don't we steal credit card [information] during this whole thing?" he said.

If hackers execute another attack this weekend, Moss said Sony's ability to defend its servers against the onslaught would depend on how long the hackers had been plotting and the nature of the attack.

"I don't think you can just get control over a network that large and lock everything down and kick out all the hackers with absolute assurance that quickly," he said. "It would be great if we could."

At the very least, however, with the advance warning, Sony could monitor its logs for errors and unusual activity, he said.

In the weeks since Sony broke the news of the data breach, Wisniewski said he's been surprised to see such lax security at the Japanese tech giant. Not only did the company reveal that it didn't encrypt general personal information (even though it did have the ability encrypt financial information such as credit card data), he said it was reported that Sony was running out-of-date software -- a major no-no in the security world.

"It's such a large organization, you'd think you'd have the team and the money and the skills to do that," he said. "It was disappointing to see that they have so many gaps in their protection."

But considering the company has spent the past two weeks shoring up resources, he said they should know where their defenses broke down and what they need to do to block future attacks.

Still, given the size of Sony's empire -- from consumer electronics and gaming to movies and music -- Wisniewski said that if the hackers are trying to convey a political message, fighting them could turn into a game of "Whack-a-Mole." Once the company secures one section of its network, hackers could rear their heads again in a different place online.

Given the nefarious ways criminals can use personal data, Wisniewski said the best news could be that whoever is behind the attacks is like Anonymous and doesn't intend to use the data to commit fraud or other crimes.

"But once data has been stolen, it's only a bad thing," he said.