Plot thickens: Sony said to retaliate with DDoS counter strikes


By Byron Acohido, ThirdCertainty

A news report based on intelligence supplied by unnamed sources has added a stunning twist to the increasingly convoluted aftermath of the Sony Pictures hack.

On Wednesday, Re/code, a reputable technology news site co-founded by former Wall Street Journal reporters Walt Mossberg and Kara Swisher, ran a story reporting that Sony has been mounting retaliatory denial-of-service attacks to cripple websites that post stolen Sony data.


Several news sites, including The Register, ZDNet and Slate, are now amplifying Re/code's scoop. However, no other outlet has yet corroborated the core allegations as initially reported by Re/code's Dawn Chmielewski and Arik Hesseldahl.

Sony has declined to comment. Meanwhile, Amazon has denied Re/code's claim that Amazon Web Services infrastructure was used by Sony to carry out at least some of the alleged DDoS counter strikes.

Huge repercussions

In the world of distributed denial-of-service (DDoS) attacks, retaliatory counter strikes are nothing new. DDoS has long been a way to make a political statement, or to extort the owners and operators of a public-facing website.

DDoS attacks are almost always driven by criminal profit or by some kind of ideological statement. If Re/code's story holds up, and Sony is in fact implicated in disrupting a legitimate website that happened to host content posted by an unidentified party, the long-run repercussions could be huge.

Sony “may be just piling onto the lawsuits they will be facing over this event,” observes Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. Full disclosure: IDT911 sponsors ThirdCertainty.

The attack reported by Re/code “looks very desperate and it is illegal,” Coffman says.


Other security experts agree.

“Cyber vigilantism is not the correct path,” observes Richard Blech, CEO of encryption company Secure Channels. “Going after the attacker at the expense of the public’s rights is more bullying than law abiding. A mistake was made: the data wasn’t encrypted. Compiling that mistake with threats may feel morally correct, but they are not ethically correct.”

Jay Kim, CEO of encryption storage vendor DataLocker, finds it hard to believe the reported retaliatory attacks were organized by Sony at a corporate level.

“This would be a foolish and illegal attempt at putting the genie back in the bottle,” Kim says. “The corporate suits would more likely have mobilized their legal teams. The security team guys may have taken things personally and taken some individual actions, but we will never know unless they take credit.”

DDoS attacks are designed to make a website unreachable for its intended users, usually by flooding it with more nuisance traffic than it can handle. The computing power is typically supplied by compromised PCs, herded together in groups 10,000 or more strong. These attack units, known as botnets, are usually controlled by a single operator.

DDoS flavors

Another way to mount a DDoS attack is to round up PC power from thousands of volunteer sympathizers, a method perfected by members of the Anonymous hacking collective. A tool called the Low Orbit Ion Cannon lets each volunteer aim nuisance traffic at the targeted website of the moment, with an organizer coordinating where the crowd points it.

In bombarding the U.S. financial sector in 2012 and 2013, hacktivists who identified themselves as acting in Iran's national interests went to the trouble of assembling a specialized botnet of compromised web servers under their control. Servers sit on far fatter network links than home PCs, so the result was a botnet on steroids.


In March 2013, a massive DDoS attack took down the website of Spamhaus, the anti-spam watchdog group. The attackers used yet another approach, just as effective, known as a DNS amplification attack.

The attackers sent small queries to open DNS resolvers, part of the domain name system that helps route traffic across the Internet, with the source address spoofed to look like Spamhaus. Each resolver dutifully sent its much larger response to the target rather than to the real sender, so a modest stream of queries became a flood of answers. The Spamhaus attack was so massive that it reportedly spilled over and slowed Internet traffic across Europe for a period of time.
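The reflection pattern described above has a recognizable shape in network flow data: many distinct resolvers (UDP source port 53) sending a large volume to one destination that sent little or no matching query traffic itself. The following is an added example of that detection logic, not code from the original article or from any of the companies quoted; the flow records and the thresholds are constructed for illustration.

```python
"""Flag likely DNS reflection/amplification victims in UDP flow records.

Added example (not from the article).  In a DNS amplification attack the
attacker sends small queries to open resolvers with the source address
spoofed to the victim, so the victim receives large answers it never asked
for.  In flow data that shows up as: many distinct sources with src port
53/udp sending a lot of bytes to one destination, with little or no
outbound query traffic (dst port 53/udp) from that destination.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Constructed sample records (hypothetical addresses from the RFC 5737
# documentation ranges; this is not real traffic).
SAMPLE_FLOWS = [
    # Legitimate: a stub resolver at 198.51.100.7 asks 192.0.2.53 and gets
    # a modest answer back.  One resolver, small ratio -> not flagged.
    Flow("198.51.100.7", 40001, "192.0.2.53", 53, "udp", 60, 1),
    Flow("192.0.2.53", 53, "198.51.100.7", 40001, "udp", 210, 1),
    # Reflection: 203.0.113.10 receives large answers from five resolvers
    # it never queried.  3400-byte responses x 40 packets per resolver.
    Flow("192.0.2.11", 53, "203.0.113.10", 5321, "udp", 3400 * 40, 40),
    Flow("192.0.2.12", 53, "203.0.113.10", 5321, "udp", 3400 * 40, 40),
    Flow("192.0.2.13", 53, "203.0.113.10", 5321, "udp", 3400 * 40, 40),
    Flow("192.0.2.14", 53, "203.0.113.10", 5321, "udp", 3400 * 40, 40),
    Flow("192.0.2.15", 53, "203.0.113.10", 5321, "udp", 3400 * 40, 40),
    # Borderline: 203.0.113.20 gets big answers from only two resolvers.
    # High ratio, but too few distinct sources to call it reflection.
    Flow("203.0.113.20", 40002, "192.0.2.21", 53, "udp", 60, 1),
    Flow("192.0.2.21", 53, "203.0.113.20", 40002, "udp", 60000, 20),
    Flow("192.0.2.22", 53, "203.0.113.20", 40002, "udp", 60000, 20),
]


def dns_reflection_victims(flows, min_resolvers=3, min_bytes=100_000, min_ratio=10.0):
    """Return {victim_ip: stats} for destinations that look reflected at.

    Thresholds are hypothetical tuning knobs, not values from the article:
    min_resolvers  distinct src-port-53 senders required
    min_bytes      total inbound DNS-response bytes required
    min_ratio      inbound response bytes / outbound query bytes required
                   (a victim that sent no queries at all gets ratio inf)
    """
    inbound = defaultdict(lambda: {"bytes": 0, "resolvers": set()})
    outbound_query_bytes = defaultdict(int)

    for f in flows:
        if f.proto != "udp":
            continue  # DNS amplification rides UDP; TCP cannot be spoofed this way
        if f.src_port == 53:
            inbound[f.dst_ip]["bytes"] += f.bytes
            inbound[f.dst_ip]["resolvers"].add(f.src_ip)
        elif f.dst_port == 53:
            outbound_query_bytes[f.src_ip] += f.bytes

    verdicts = {}
    for ip, stats in inbound.items():
        asked = outbound_query_bytes.get(ip, 0)
        ratio = stats["bytes"] / asked if asked else float("inf")
        if (len(stats["resolvers"]) >= min_resolvers
                and stats["bytes"] >= min_bytes
                and ratio >= min_ratio):
            verdicts[ip] = {
                "bytes": stats["bytes"],
                "resolvers": len(stats["resolvers"]),
                "amplification": ratio,
            }
    return verdicts


if __name__ == "__main__":
    for victim, stats in dns_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {stats['bytes']} bytes from {stats['resolvers']} "
              f"resolvers, amplification {stats['amplification']}")
```

The distinct-resolver count is what separates reflection from an ordinary chatty client: a single resolver returning big answers is just a large zone, while dozens of unrelated resolvers converging on one host that asked them nothing is the attack signature. On a real network the flows would come from NetFlow/IPFIX or a firewall log rather than the inline list.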

Clearly, DDoS attacks are not something any global corporation of good standing would deploy as part of a routine business initiative.

Brett Fernicola, CISO at STEALTHbits Technologies, says the reports from Re/code appear to reference a few hundred machines in Asia linked to Amazon’s cloud service. What may have actually happened, Fernicola says, is a strategy whereby someone, presumably acting on Sony’s behalf, created “hundreds of fake, yet semi-functional torrents that look like the data you want to protect. The only trick is the data is fake and you don’t allow anyone to get a full functional download if you can. All the participating boxes in this scam seed the fake data at a throttled rate and cut off the leechers at random percentages, 50%, 99%, doesn’t really matter.”

The result: folks trying to download the widely reported stolen copies of Sony blockbusters, or business documents with juicy details, downloaded “random corrupted junk,” Fernicola says. “You could call this a countermeasure of security through obscurity; in the end it’s only going to stop the basic user from downloading a copy of all their secrets.”

DDoS details aside, there is a larger lesson for all companies in possession of sensitive data, says Dan Pastor, head of intelligence at Israeli security company Cytegic.

Observes Pastor: “This entire incident demonstrates how enterprises mismanage their cybersecurity operations. Someone at Sony should have taken into consideration that producing a movie about North Korea would certainly trigger some aggressive response, and prepared means to mitigate the oncoming assault. It is the management’s responsibility to determine which assets are the most critical, and the CISO’s role to secure these as best as possible with the resources allocated.”
