Sony's hack gets worse with FBI warnings, threats against employees, and flaunting of the hypocritical CFAA
The hack which led to the exposure of financial information, email correspondence, and employee records from Sony Pictures Entertainment continues to hound the company. And if the warnings from both researchers and the Federal Bureau of Investigation are to be believed, it isn't over yet.
Researchers suggest this hack is meant to intimidate other companies that have been attacked by the same malware. Extortion is a "big concern because it would mean the point of [Sony's] public 'execution' was to warn to other companies that may already be hacked that the extortioners aren't bluffing," F-Secure, a well-known Internet security company, said on its blog. "Either way, Sony Pictures Entertainment may only be the first." Or, it might just be the first revealed to the public.
That notion is supported by the FBI's claim that few organizations in either the private or public sectors would have been able to defend against this attack. "The malware that was used would have gotten past 90 percent of the Net defenses that are out there today in private industry," the assistant director of the bureau's cyberdivision told the Senate on Wednesday, "And [would have been] likely to challenge even state government." The FBI later confirmed the remarks to CNET.
To summarize: whoever's behind this hack is probably interested in more than revealing secrets about Sony Pictures and the people it employs, and the FBI thinks a vast majority of both private companies and government organizations would be unable to defend against similar attacks.
It's still not clear who is behind the attack. Multiple publications have reported that North Korea is behind the attack; both Sony and the FBI say their investigations haven't supported the idea that all of this was caused by "The Interview," an upcoming stoner comedy about Seth Rogen and James Franco assassinating Kim Jong Un. A group called Guardians of Peace has claimed credit for the hack -- another group, Lizard Squad, claims to have hacked PlayStation Network.
While all of that is being sorted out, Sony Pictures has reportedly sought to prevent the download of the leaked files by using a distributed denial-of-service (DDoS) attack on the sites hosting them. Brian Krebs, an independent cybersecurity journalist, reported those efforts on December 2; a Re/code report from Wednesday then claimed Sony was using Amazon Web Services as part of the attack. (Amazon has since said it has safeguards to prevent AWS from being used like that.)
Conducting DDoS attacks is illegal in both the United Kingdom and the United States, where participating in them has led to individuals being charged under the Computer Fraud and Abuse Act of 1986, an anti-hacking statute which has been broadly interpreted to punish "hackers." But companies like Sony have never been charged under the CFAA, which means that if the company is employing the method to make its files unavailable, it's unlikely to be punished for doing so.
[illustration by Brad Jonas]