If you haven’t already heard, Sony Pictures was recently breached, and it was brutal. If you need to be brought up to speed, take a look at my LinkedIn blog Sony-pocalypse – Now What? to see information on the breach of Sony Pictures. The blog covers the cyber attack, celebrity identity theft, password protection (or lack thereof), and the controversy being caused by the new movie comedy “The Interview,” which involves a plot to assassinate the North Korean leader, Kim Jong-un. It is believed to be a group out of North Korea that is responsible for the attack; however, there is no hard evidence for this claim and North Korea has denied involvement — even though they have labeled it a “righteous attack.” The group stole several upcoming movies, including one that is considered to be a potential blockbuster (Annie), and posted them online for free peer-to-peer file share access. The Interview was not pirated, as the group has criticized it and demanded that Sony Pictures cancel the movie’s Christmas day release.
The group claiming responsibility for the breach, the “Guardians of Peace” (or #GOP) hacked into computers at Sony Pictures. Following is a video showing the “stolen” films as well as the message displayed on hacked Sony computers:
Here is more fallout from the breach: Private correspondence within Hollywood’s inner circles between powerful producers and executives concerning petty arguments and internal politics has been exposed. Certain data released included spreadsheets outlining financial deals Sony had with third parties, which could hurt its standing with its partners. Also exposed was how much these third parties have paid Sony for rights to certain TV shows and films. In short, it’s become an unmitigated disaster for Sony Pictures… however they’ve just answered the call. Or so they think.
According to Re/code (which provides online tech news, reviews and more), Sony has used Amazon Web Services to carry out a distributed denial-of-service attack (one of the topics I referred to in my blog IT: A Broader Topic of Conversation) on websites hosting its pirated movies. The company is reported to be using hundreds of computers in Asia to execute the “reverse attack” on sites where its stolen data is available, according to people with direct knowledge of the matter. However, after further investigation, it’s believed that Sony could possibly be using something known as a “bad seed attack,” which provides data obfuscation, or the scrambling of data to prevent unauthorized access to sensitive materials, resulting in unintelligible or confusing data. It’s an encryption method employed to prevent the intrusion of private and sensitive online data, such as electronic health records. Sony has taken this to extremes that could never have been imagined for a major movie studio in trying to block their upcoming major releases (as well as the blockbuster “Fury”) from being viewed online.
A statement was recently released by Amazon Web Services in reference to such exploitation of their services: “AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services,” according to Amazon’s statement. “In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse.” Amazon has since denied that Sony Pictures has used their services for this denial of service. Another black eye for Sony Pictures?
Another statement: “So, when Sony fights back, as it is now, it’s far too late. It had several chances to shore up its defenses, but it never made a serious effort to fix its security holes. Now, nearly everything has been exposed. Celebrities’ personal data. Staffers’ borderline racist opinions on ******’s movie preferences (a high ranking government official whose name I decided not to include here). Its plan to join the MPAA in paying off states’ attorneys general to go after Google.”
Though Sony Pictures may be acting in what could be considered self-defense, there also arises a question of ethics in terms of their attack on these websites. The ethics of using these sorts of techniques as an offensive measure have long been debated, and questions about their legality have also been discussed for quite some time. Keeping its confidential information out of the wrong hands may be Sony’s legitimate goal, but using what are termed unethical (and illegal) actions may prove to be an even more costly solution than the compromise itself. In an article from March 2013, George Kurtz, CEO of Irvine, Calif.-based active defense vendor CrowdStrike Inc., said enterprises are increasingly frustrated about their inability to stop advanced attacks, particularly those conducted by nation states. In another statement, Adam O’Donnell of network security hardware and software provider Sourcefire (now a Cisco company) said: “You’re responding to an adversary with bytes when they’re used to responding with bullets. They’re not operating in a world where they’re simply going to compromise your host and deface your website. They’re going to come back shooting. It’s something to consider if you’re going to punch the bully in the nose.”
It would seem that Sony Pictures really isn’t in a position to be provoking further attacks against them, which are likely to come. One published statement called it “hypocrisy and stupidity rolled into one.” Will they regret this counter-attack? Well, if the GOP is inspired to launch a counter-strike (which it could well be in the planning stages of), it could potentially blow Sony Pictures sky high.
In fact, here is an article which could spell final doom for Sony Pictures in a “Christmas present” they won’t like, or be able to return. The article ends like this: “The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end. Message to SPE Staffers: We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.”
The movie studio may have just made a grave mistake in trying to protect their hijacked interests and the GOP is indeed lying in the weeds and planning the next attack to launch against this major entity, possibly creating what could be…
Coming next: Sony-pocalypse: The Final Takedown…?
The post Sony-pocalypse Round 2 – Sony Pictures Fights Back… appeared first on rAVe [Publications].