Plot thickens: Sony said to retaliate with DDoS counter strikes

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Byron Aco­hi­do, ThirdCertainty

A news report based on intel­li­gence sup­plied by unnamed sources has added a stun­ning twist to the increas­ing­ly con­vo­lut­ed after­math of the Sony Pic­tures hack.

On Wednes­day, Re/code, a rep­utable tech­nol­o­gy news blog co-found­ed by for­mer Wall Street Jour­nal reporters Walt Moss­berg and Kara Swish­er, ran with this sto­ry out­lin­ing how Sony has been engag­ing in retal­ia­to­ry denial of ser­vice attacks to crip­ple web­sites post­ing stolen Sony data.

More: Sony’s hacked keys and cer­tifi­cates pose broad risk

Sev­er­al news sites, includ­ing The Reg­is­ter,  ZDNet and Slate are now ampli­fy­ing Re/code’s scoop. How­ev­er, no oth­er media out­let has yet added any cor­rob­o­ra­tion as to the core alle­ga­tions, as ini­tial­ly report­ed by Re/code’s Dawn Chmielews­ki and Arik Hasseldahl.

Sony has declined to com­ment. Mean­while, Ama­zon has come out and refut­ed that Ama­zon Web Ser­vices servers were used by Sony to pull off at least some of the alleged DDoS counter strikes, as report­ed by Re/code.

Huge reper­cus­sions

In the world of dis­trib­uted denial-of-ser­vice (DDoS) attacks, retal­ia­to­ry counter strikes are noth­ing new. DDoS has long been a way to make a polit­i­cal state­ment or com­mit extor­tion against the own­ers and oper­a­tors of a pub­lic-fac­ing website.

DDoS attacks are almost always dri­ven by motives hav­ing to do with crim­i­nal prof­it or mak­ing some kind of an ide­o­log­i­cal state­ment. If Re/code’s sto­ry holds up, and Sony is, in fact, impli­cat­ed in dis­rupt­ing a legit­i­mate web­site that hap­pened to be host­ing con­tent post­ed by an uniden­ti­fied par­ty, the long run reper­cus­sions could be huge.

Sony “may be just pil­ing onto the law­suits they will be fac­ing over this event,” observes Deena Coff­man, CEO of IDT911 Con­sult­ing, which is part of iden­ti­ty and data risk con­sul­tan­cy IDT911. Full dis­clo­sure: IDT911 spon­sors ThirdCertainty.

The attack report­ed by Re/code “looks very des­per­ate and it is ille­gal,” Coff­man says.

Deena Coffman
Deena Coff­man

Oth­er secu­ri­ty experts agree.

Cyber vig­i­lan­tism is not the cor­rect path,” observes Richard Blech,  CEO of encryp­tion com­pa­ny Secure Chan­nels. “Going after the attack­er at the expense of the public’s rights, is more bul­ly­ing than law abid­ing. A mis­take was made: the data wasn’t encrypt­ed. Com­pil­ing that mis­take with threats may feel moral­ly cor­rect, but they are not eth­i­cal­ly correct.”

Jay Kim, CEO of encryp­tion stor­age ven­dor Dat­aLock­er, finds it hard to believe the report­ed retal­ia­to­ry attacks were orga­nized by Sony at a cor­po­rate level.

This would be a fool­ish and ille­gal attempt at putting the genie back in the bot­tle,” Kim says. “The cor­po­rate suits would more like­ly mobi­lized their legal teams. The secu­ri­ty team guys may have tak­en things per­son­al­ly and tak­en some indi­vid­ual actions but we will nev­er know unless they take credit. ”

DDoS attacks are designed to make a web­site inac­ces­si­ble to the intend­ed users, usu­al­ly by inun­dat­ing the tar­get­ed web­sites with nui­sance data exchanges. The com­put­ing pow­er is typ­i­cal­ly sup­plied by com­pro­mised PCs assem­bled in groups 10,000 or more strong. These attack units, known as bot­nets, are typ­i­cal­ly con­trolled by a sin­gle attacker.

DDoS fla­vors

Anoth­er way to do a DDoS attack is to round up PC pow­er from thou­sands of vol­un­teer sym­pa­thiz­ers, a method­ol­o­gy per­fect­ed by mem­bers of the Anony­mous hack­ing col­lec­tive. A tool called the Low Orbit Ion Canon acts as a hub from which vol­un­teers can direct nui­sance traf­fic to the tar­get­ed web­site of the moment.

In bom­bard­ing the U.S. finan­cial sec­tor in 2012 and 2013, hack­tivists who iden­ti­fied them­selves as act­ing in Iran’s nation­al inter­ests went to the trou­ble of assem­bling a spe­cial­ized bot­net com­prised of cor­rupt­ed web­site com­put­er servers they con­trol. The result: a bot­net on steroids.

More: Run­ning sum­ma­ry of Sony hack major developments

In March 2013, a mas­sive DDoS attack shut down the SpamHaus anti-spam­ming watch­dog group. The attack­ers used yet anoth­er com­plete­ly dif­fer­ent – though just as lethal – approach, referred to as a DNS ampli­fi­ca­tion attack.

The attack­er essen­tial­ly fooled the domain name sys­tem that helps route data traf­fic across the Inter­net into send­ing a large response to spoofed requests that appear to orig­i­nate from the tar­get­ed web­site. The SpamHaus DDoS attack was so mas­sive that it spilled over and slowed Inter­net traf­fic all across Europe for a peri­od of time.

Clear­ly, DDoS attacks are not some­thing any glob­al cor­po­ra­tion of good stand­ing would deploy as part of a rou­tine busi­ness initiative.

Brett Fer­ni­co­la, CISO at STEALTH­bits Tech­nolo­gies, says the reports from Re/code appear to ref­er­ence a few hun­dred machines in Asia linked to Amazon’s Cloud Ser­vice. What may have actu­al­ly hap­pened, Fer­ni­co­la says, is a strat­e­gy where­by some­one, pre­sum­ably act­ing on Sony’s behalf, cre­at­ed ” hun­dreds of fake, yet semi-func­tion­al tor­rents that look like the data you want to pro­tect. The only trick is the data is fake and you don’t allow any­one to get a full func­tion­al down­load if you can. All the par­tic­i­pat­ing box­es in this scam seed the fake data at a throt­tled rate and cut off the leach­ers at ran­dom per­cent­ages, 50% 99%, doesn’t real­ly matter.”

The result: folks try­ing to down­load the wide­ly report­ed stolen copies of Sony block­busters, or busi­ness doc­u­ments with juicy details, down­loaded “ran­dom cor­rupt­ed junk,” Fer­ni­co­la says. ” You could call this a coun­ter­mea­sure of secu­ri­ty through obscu­ri­ty, in the end its only going to stop the basic user from down­load­ing a copy of all their secrets.”

DDoS details aside, there is a larg­er les­son for all com­pa­nies in pos­ses­sion of sen­si­tive data, says Dan Pas­tor, head of intel­li­gence at Israeli secu­ri­ty com­pa­ny Cyte­gic.

Observes Pas­tor: “This entire inci­dent demon­strates how enter­pris­es mis­man­age their cyber­se­cu­ri­ty oper­a­tions. Some­one at Sony should have tak­en into con­sid­er­a­tion that pro­duc­ing a movie about North Korea would cer­tain­ly trig­ger some aggres­sive response, and pre­pare means to mit­i­gate the oncom­ing assault. It is the management’s respon­si­bil­i­ty to deter­mine which assets are the most crit­i­cal, and the CISO’s role to secure these as best as pos­si­ble with the resources allocated.”

More on emerg­ing threats

Cor­po­rate use of cloud apps spikes risk of breaches

Word­Press emerges as a cyber­crime hotbed

Mali­cious ads pose insid­i­ous, elu­sive threat




Posted in Cybersecurity, Data Breach, News & Analysis