Experts Question Sony Hack-Back Story'Doubtful' Company Is Waging DDoS Attacks
Information security experts are questioning the accuracy of a news report that claims Sony Pictures Entertainment is attempting to "hack back" to disrupt distribution of stolen Sony files.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The report on the news website Re/code, which is affiliated with CNBC, cites two anonymous sources saying that "the company is using hundreds of computers in Asia to execute what's known as a denial-of-service attack on sites where its pilfered data is available."
Multiple information security experts, however, have questioned that account. "I highly doubt Sony is doing this," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells Information Security Media Group. "And I highly doubt this would work. As for the legality, [it's] probably highly illegal."
What Sony might be doing, however, some experts speculate, is attempting to disrupt BitTorrent networks on which the stolen files are currently circulating by sending the "peers" that are attempting to download the file to sites where only bogus versions of those files are being stored. "Screwing with torrents is as old as torrents, and even if it were 'hacking,' which it isn't, it isn't hitting the attackers," says Jack Daniel, a strategist at vulnerability detection vendor Tenable Network Security.
Sony has failed to respond to repeated requests for comment on the hack attack against it.
Attackers Threaten Further Releases
Meanwhile, a group calling itself Guardians of Peace, or G.O.P., which claimed credit for the Sony attack, is continuing to release more of the "tens of terabytes" its claims to have stolen.
In an e-mail sent to Information Security Media Group on Dec. 11, someone claiming to be part of G.O.P. included links to multiple sites that contain a message from the group that includes links to download a sixth batch of leaked data, which attackers claim includes the Outlook mailbox for Sony's general counsel, Leah Weil, who joined the company in 1996. That leak follows the reported release of the Outlook mailbox for Sony Picture Chairman Amy Pascal.
G.O.P.'s latest message includes a warning to all Sony's employees. "We still have huge amount of sensitive information to be released including your personal details and mailboxes," it says. "Make the company cancel the release of the movie of terrorism, or you have to be blamed for it," it adds, apparently referring to Sony's forthcoming comedy The Interview, which according to leaked e-mails features Kim Jong-un's head exploding after he gets hit with a shell fired from a tank, Reuters reports.
Sony's Breach Costs Mount
Sony information that's already been leaked to date - beyond high-quality copies of five unreleased films - has included exhaustive lists of Sony's passwords for social media networks, as well as private details for 47,000 employees (see Sony Suffers Further Attacks).
As more and more such information - including Social Security numbers and other personally identifiable information on current and former employees - becomes public, and the related risk of identity theft increases, some commentators have been asking just how much Sony is going to have to pay to repair the damage.
Of course, that question can't yet be definitively answered. Full details of the Sony attack have yet to come to light, and the full ramifications of the data breach - including whether it might drive big-name stars, directors and writers to competing studios - probably won't be known for at least another six months, Jim Lewis, senior fellow at the Center for Strategic and International Studies, tells Reuters. "Usually, people get over it, but it does have a short-term effect," he says.
Still, Lewis believes that Sony's related breach costs could hit $100 million, although he notes that the costs would be higher had Sony lost customer data, as happened in the April 2011 attack that compromised the personal information of 77 million PlayStation network and Qriocity customers, triggering a U.K. fine and a U.S. class action lawsuit that Sony ultimately settled.