Sony Jabs Hornets Nest, Allegedly Engages In DDoS Attacks Against Sites Hosting Leaked Documents
from the Sony-Pictures-tells-astonished-reporter-studio-is-'bigger-than-logic' dept
To be sure, there is a large amount of schadenfreude contained within the hacking of Sony Pictures. To have your dirty laundry aired for the world to see is excruciatingly painful, but Sony Corporation’s past actions have drawn a target on its back on multiple occasions.
Rayne, a contributor to Marcy Wheeler’s emptywheel blog, notes that Sony has been hacked 56 times in twelve years. And it has learned nothing. Passwords for Sony Pictures accounts were stashed away in a folder labeled “Passwords.” The password for this folder? “Password.”
So, when Sony fights back, as it is now, it’s far too late. It had several chances to shore up its defenses, but it never made a serious effort to fix its security holes. Now, nearly everything has been exposed. Celebrities’ personal data. Staffers’ borderline racist opinions on Barack Obama’s movie preferences. Its plan to join the MPAA in paying off states’ attorneys general to go after Google.
Sony has issued hundreds of DMCA notices in response to the leaked documents. It has seeded bogus torrents to thwart further distribution. Now, it’s allegedly decided to take an even more aggressive approach to the continuing leaks.
The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter.
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said.
Or not. Or possibly not at this moment. Re/code’s updated post contains a denial from Amazon.
“The activity being reported is not currently happening on AWS (Amazon Web Service),” Amazon said in an emailed statement to Re/code on Thursday. Amazon declined to comment further on whether the activity happened prior to Thursday.
“AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services,” according to Amazon’s statement. “In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse.”
Re/code’s sources say “yes.” Others say this isn’t happening.
CloudFlare, which offers denial-of-service protection and network monitoring, said it has not seen anything that would suggest Sony had conducted a counter-attack. The company said it would continue monitoring the situation.
If Sony is indeed engaged in DDoS attacks, it’s participating in the sort of behavior it’s been quick to decry in the past. Sony Pictures may be relishing the chance to turn hackers’ tools against them, but its history strongly suggests it really isn’t in the position to be provoking further attacks. To pursue this option is pure hubris. It’s hypocrisy and stupidity rolled into one. It may think it will escape this latest hack bowed but not broken, but whatever pride it has left at this point is delusional. It has opened everything up to criticism by failing to take proper precautions and destroyed its employees’ trust that their employer would make the minimum of effort to keep their internal conversations internal.
Filed Under: cfaa, ddos, emails, hack back, sony emails, sony hack, sony picture emails
Companies: sony, sony pictures
Comments on “Sony Jabs Hornets Nest, Allegedly Engages In DDoS Attacks Against Sites Hosting Leaked Documents”
If they thought it was bad before...
If they really were stupid enough to try and go on the counter-offensive, the results would almost certainly make the previous hack look like a temporary computer glitch in comparison.
As they have demonstrated, several times by this point, their technological capabilities and knowledge are sorely lacking, so any attacks they could mount would likely be little more than inconveniences. The same cannot be said however for their targets, who would likely be quite tech savy, and be more than capable of returning the favor(after all, assuming Sony went after the right target, they’ve already done so).
Not only that, but a large company like Sony attacking hacker groups would likely draw the attention of previously uninvolved groups, who I’m sure would relish the chance to inflict a little damage ‘in self-defense’.
I can certainly understand why they might desire a little payback after being humiliated and embarrassed like this(humiliation and embarrassment that they have only themselves to blame for mind), but to put it bluntly, they would be going into battle with a BB-gun, while their opponents are packing military-grade hardware. It would not end well for them.
Oh, and it gets even better:
http://www.engadget.com/2014/12/15/sony-hackers-offer-to-withhold-data/
Media: Shut up or we’ll sue you.
Re: Re:
Nice, Sony looks to be in full panic mode here if they’re lashing out at the press like that. It may make smaller outfits hesitant about publishing or reporting on the leaks, due to them not having the money to defend themselves(The US legal system: The best ‘justice’ money can buy), but I imagine a threat like that would just encourage larger press organizations, as it would just draw even more attention to the leaks.
Re: Re: Re:
If the Federal government, with all its power, couldn’t stop the media from reporting on things like Wikileaks, why does Sony think they are going to be any more successful with their threats?
Re: Re: Re: Re:
Because, unlike the government, corporations have all the actual power….you know, free speech. Well, money, but apparently that IS speech these days. Lord knows in these stories, all I can hear is the sound of benjamins.
As an active Sony and MAFIA hater I’m very pleased with the developments. I do want to see the shills trying to spin all the crap into some positive light.
I don’t thing this will produce much change though. Not if America doesn’t revolt (and Snowden wasn’t enough to make enough people wake up).
Re: Re:
From the public in general, perhaps not, but if Sony really is stupid enough to try and go after hacker groups, somehow I don’t think those groups will be quite so laid back about it.
Re: Re: Re:
Sony is that stupid. I’ve met some of the people at the head office here in Tokyo and they are typical Japanese “shachoo” types=their word is law even if they are being shortsighted and wrong.
Akio Morita’s ashes must be churning in their urn. He’d never condone Sony’s actions if he was still at the helm.
Amazon does no such thing
““AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services,” according to Amazon’s statement. “In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse.”
It is well-known that Amazon (a) makes it as difficult as possible to report abuse (b) forwards abuse reports TO THE ATTACKERS and (c) does little, if anything, to acknowledge abuse reports, act on them promptly, remove abusers, and notify reports of these actions.
That’s why, for example, it’s a best practice in anti-spam engineering to refuse to accept SMTP traffic from Amazon’s cloud. It’s overrun with spammers and Amazon — happy to accept their payments, no doubt – will not remove them. See recent traffic on both the mailop and nanog mailing lists for brief discussion of this.
If Amazon was serious about mitigating abuse, then (1) they would accept reports at the address mandated by RFC 2142 — ‘abuse” (2) they would act immediately on all such reports (3) beginning with acknowledgement (4) they would not notify abusers of their investigation (5) they would promptly shut down the abuse and remove the abusers (6) they would not permit the abusers back on their service (7) they would provide a full report to the people complaining — the victims — and would provide them with a substantial thank-you — after all, they’re doing Amazon’s job for them, FOR FREE.
The spin is strong with this one.
When the hack happened, the immediately issued a statement. This only served to confirm exactly how bad the hack actually was. In every other hack, they opted to ignore it and only when pressed very hard issued confusing denials.
They immediately blamed North Korea, citing an asinine movie they produced as the impetus. Pretending ONLY a nation-state could have the power to hack them, given the lengthy evidence that a ‘skiddie’ with a paperclip could own huge swaths of their global network, this is at best ill advised PR spin for a stupid movie.
Oooh the code for the hack is in Korean! Because tools are never sold, stolen, recompiled, reused by bad actors. If you have something that works why would you recode it into your local language?
Report on this and we’ll sue you!!! You will be responsible legally for all of the bad things that happen, is the popular game of put the blame on someone else and never accept that it was your failure in the first place. If we end up putting out a shitty movie, it will be the fault of the leaks!!
We’re going to shut down everything we are doing because bad things might happen!!! The script might make it online, and we’ll ignore all of the past incidents where early leaks improved the box office.
It is very possible that someone inside Sony might have greenlighted a project to try and stop the information getting out in a panic, ignoring how badly it will bite them in the ass. When people started asking questions, everyone wants to pretend nothing happened in the most noncommittal language possible. When their network got DDOS’ed they screamed, but when they do it – it is a righteous thing to do. When ‘skiddies’ DDOS they face a worldwide manhunt & jailtime, when corporations do it nothing happens.
It would be nice to see the MPAA taken to task for buying bad publicity using state AGs. The impunity with which they operate on a daily basis is a perfect example of how broken the system is. Money buys the “laws” you want at the expense of everyone else, when the purpose of laws is to protect the many not the one.
I look forward to what else will be coming out, and one can only hope that a hack of this scale is running inside both the **AA’s. If you think producers bad mouthing actors was horrible, imagine how horrified to see emails “asking” that offers being sweetened to get laws passed.
Re: Re:
I think they want to be caught for their outright impropriety.Just like a aerial killer gets caught by their own hubris.
Isn’t this a violation of the CFAA?
Where are those overly ambitious proscecutors now?
Re: Re:
sony is not an american company
Re: Re: Re:
So, 2 things wrong here:
1) “Sony” the umbrella company may not be a US Company, but it has subsidiaries in the US which are.
2) The US Government is perfectly willing to dispense with nuisances like territorial boundaries and extend a long arm into other countries when it pleases them to do so.
I had to google “schadenfreude” – Just sayin
Re: Re:
Lisa, on The Simpsons, has been using it for about a decade now. It’s common usage on the net these days.
Re: Re: Re:
“It’s common usage on the net these days.”
And everywhere else.
Re: Re: Re: Re:
If I still watched TV, I suppose I’d know that. We all choose our personal blinkers, or points of view. Where’s that omniscience upgrade I’ve been waiting for? 😛
Re: Re: Re:2 Re:
On TV, duh. 😉
Re: Re: Re:2 Re:
True, we all tend to mistake the limits of our vision as the limits of the world.
“If I still watched TV, I suppose I’d know that.”
Not sure how that’s connected. I don’t watch TV myself.
haven’t seen where at least one AG is going after Sony for using DDoS! that is illegal, as we all know, but it seems that it’s only illegal if you are not a member of the Entertainment Industries or Hollywood!!
rules for one, different for another, including threats of lawsuits to the press! how can that be?
the old dont do what we do, do as you’re told!!
Re: Re:
I seriously doubt that Sony are engaged in DDOS.
That’s within the realm of executive jailtime.
There already in hot water, but at least its mostly Civil hot water related to shareholders, employees and suppliers at the moment.
I doubt they would want to even risk criminal hot water as well, even as if you say, the chances of them actually going down are remote.
Re: Re: Re:
yes after all of the jail time they ended up serving for handing out rootkits and leaving peoples computers unusable after the root kit was removed, not to mention the additional jail-time when it was revealed they stole others code for the bundled player on the disc, they would be very wary of doing something childish and asinine.
o_O
Re: Re: Re:
Too big to jail.
Re: Re: Re:
That’s within the realm of executive jailtime.
That would depend on the country you are in and the country the target is in. Keep in mind that we are not talking about a US company.
I don’t think they have engaged in DDOS attacks for a few reasons, but avoiding jail seems like an unlikely reason.
More importantly, for them, engaging in an attack that they may want someone prosecuted for sometime in the future is a really bad idea. In addition, I would guess that the resources that they have that might be able to pull off a somewhat-secretive DDOS attack on anyone are REALLY busy right now trying to get a handle on the current hack they have suffered.
Re: Re: Re: Re:
Bear in mind that they’re not running a cyberlocker service, so nobody in the DOJ — or their paymasters — gives a damn.
Re: Re: Re:2 Cyberlocker
Could all you guys working for GOD or Anonymous who hang out here set up a cyberlocker service with some breadcrumbs leading back to the bosses at Sony?
IME when stealing something it’s always best to implicate a politician or the head of a multinational. It makes it so much easier to get away with things.
Re: Re: Re:3 Cyberlocker
you trying to get Mikey in trouble? BAD TROLL! BAD!-still a good idea though
Re: Re: Re:3 Cyberlocker
Huh, I thought the emails showing they basically purchased State AG’s to do their bidding might cause them trouble.
Sony has a long history of resorting to below-the-belt tactics in its fight against so-called “piracy” — such as infecting millions of innocent people’s computers with a rootkit virus. Since the ruling establishment won’t ever touch the big corporate criminals, the only form of justice we will ever see is vigilante justice. It’s always nice to see the hacker community strike a blow against evil entities by using their own tactics against them, as with MediaDefender, Aiplex, H.B. Gary Federal, and now Sony.
Re: Re:
Was the Sony rootkit installing itself from music cd’s ? I’m out of the loop a bit on this, but I remember the Beastie Boys had to fight like hell to not have some kind of DRM tech installing itself from their 2004 album To The 5 Boroughs (I think it’s that one), it turned out their album would install a rootkit ‘only’ in the american distributed cd’s.
So, that’s Sony Music, but I guess if corporations are people all the sums of their parts are one and the same.
Re: Re: Re:
Yes, the CDs had a data track with the rootkit on it, and it would install itself even if the user declined the EULA. Also there was no uninstaller until Sony released one after the s**t hit the fan, and even then it didn’t work until they patched it a couple times. Obviously the whole thing was never intended to be uninstalled, and of course extremely intrusive. How no one (AFAIK) went to jail is just amazing.
This is why disabling autorun was one way to avoid the issue, but IIRC at the time WinXP had autorun enabled by default.
I’ve never bought any Sony music since.
Re: Re: Re: Re:
Yeah, I lucked out getting the DVD version of Switchfoot. It was rootkit-free.
Re: Re: Re:2 Re:
(I bring up Switchfoot because they were the ones that told you you could defeat it by holding down the Shift key while putting the CD in.)
The Real Threat Is From South America
Look at: Peter Wilson, “Falling Oil Prices Push Venezuela Deeper Into China’s Orbit.” Business Week, December 12, 2014
http://www.businessweek.com/articles/2014-12-12/with-oil-prices-falling-venezuela-needs-china-more-than-ever#r=hpt-ls
For its own political and internal social reasons, China is willing to supply Venezuela with manufactured goods “on the never-never.” What is relevant to our concerns is that the deal includes three communications satellites, which mystify Business Week.
There are basically two feasible projects with communications satellites at this point. One is to put up a “constellation” of satellites, at least twenty, in low earth orbit, and use them for satellite phone, or satellite internet. This would be an inherently global project, in any case, and I cannot see why China, having built and paid for it, would want to hand it over to someone else.
The other project would be geostationary broadcasting satellites. What mystifies Business Week is of course that Venezuela is, in effect, a city, Caracas, which has a jungle. Caracas sits on a ridge a mile high, and about a hundred miles long, which provides a decent climate near the equator, and there are obviously more economical methods of broadcasting to so small an area. Three satellites sounds like a proposal to broadcast to most of both North and South America. That is precisely the point. Venezuela is disposed to “mess up” as many American entertainment businesses as possible, by rebroadcasting their material for free, sans advertisements.
Re: The Real Threat Is From South America
3 weeks until it writes you begging to remove its comments?
Re: Re: The Real Threat Is From South America
You would appear to be confusing me with Sony. I do not resemble a giant corporation in the slightest degree.
If Sony is engaging in these DDoS attacks, they could be held liable in a court of law for engaging in illegal activity such as this.
Re: Re:
Thank you. Captain Obvious.
Unless of course they claim copyright on the stolen documents, then they’re DDoSing pirate sites which are doubleplusungood and have no rights.
Re: Re:
Which court? If it’s a Japanese court expect the trial to take place 10yrs from now.
Sounds like war.
Hubris
Which, you must admit, fits completely with Sony’s corporate culture.
Re: Hubris
Frankly, While I buy that Sony proper is sending legal threats to news agencies, I think people are giving Sony too much credit here on the technical side. Frankly, it doesn’t sound like they have the technical wherewithal to pull off a DDOS Attack.
So here’s a little thought: If a hypothetical technically inclined 3rd party was angry at Sony for whatever reason, Everything required to build”Sony” for an AWS account was included in the data breech. Email accounts. Passwords. Credit card information (probably flagged already, but still). Servers to use as bounce points. Hair-trigger lawyers ready to sue anyone who dares to speak ill of Sony.
Frankly, if a hypothetical 3rd party wanted to mess with Sony this way, it’s not a stretch to think they could.
Re: Re: Hubris
“Frankly, it doesn’t sound like they have the technical wherewithal to pull off a DDOS Attack.”
They surely do. Sony does have actual skilled engineers in their employ. The problem with Sony is on the management side. Even if they can’t, hubris, hypocrisy, and stupidity are still strong parts of Sony’s corporate culture.
Re: Re: Hubris
I like this game. In the vein of “Let’s spin a movie plot”, try this. Some hypothetical movie studio gets hacked. Much hand-wringing ensues, leading one of the staff alpha male “Master of The Universe” types to say to him/herself, “Hmm, 4chan! I wonder if I can get some Anonymous Hackers to attack our attackers.” I can just see 4chan snickering in the background while stringing this doofus along, meanwhile ripping off Russian black market types in his/her name, whereupon much hilarity ensues.
I wonder if I can sell this idea to Sony. They could even use that old saw, “Based on a true story.”
Re: Hubris
To pursue this option is pure hubris. It’s hypocrisy and stupidity rolled into one.
Hypocridity? Stupocrisy?
Yeah….
I’m going to have to call bull on this.
This would be a concerted, technologically capable event, and Sony has proven time and time and time again that it knows jack shit about technology or IT protection, even the most basic stuff.
Re: Re:
They also appear to outright resent the idea of having to pay for such things (competent and sufficient IT staffing), considering it an unnecessary drain on the bottom line, which is bloody amazing in itself.
Price Waterhouse Coppers delivered their damning IT security audit report at least a month before the hack happened. That’s extraordinary. Any cluefull org would have gone into crisis mode at that point, and with Sony’s past history, they should have felt like deer in the headlights.
I agree with your “bull.” Sony wouldn’t know where to begin.
Re: Re: Re:
Yes they would, they pay money to someone to “fix” the problem for them like they always do.
They bankroll some insane as shit plan that someone conned them thinking would work and solve the problem.
It of course does not solve the problem, creates more problems, and then they pay a PR firm even more to shout North Korea did it much louder.
Re: Re: Re: Re:
Exactly. They may be clueless about “baked in” security, but they sure know how to throw money at problems after they occur. By the time this is over with, Sony will probably have lost over $300M in the past few years due to security issues. That would have paid for some good security staff and top-notch equipment.
The general wisdom in IT security is that the safest organizations are the ones who had a major breach a year earlier. However, organizations run by lawyers and accountants appear to be impervious to learning from the past. Real reputation means nothing, and they can pay to rehabilitate an “image”.
Re: Re: Re:2 Re:
imagine if the shareholders managed to stand up and take the costs out of the CEO & top staffs cheques.
They might actively work to make sure they don’t happen again.
More often that not the costs of these things are shoved onto everyone else, never the management who made the stupid decisions to pad their own cheques a little bit more.
Re: Re: Re:3 Re:
I expect we’ll see the top level people in Sony stand up and sorrowfully bow, offer their profound apologies and temporarily step down. At which point the uyoku and the bōryokudan step in and quietly ensure that the shareholders say nothing upsetting. It’s the Japanese way.
It wasn't a DDoS.
They just flung a load of bad seeds into the swarm, from what I read elsewhere (Ars).
FUCK YOU SONY IDIOTS
You are going to make a movie that presses an assassination against North Korean Leader and put millions and millions of lives at risk? GO FUCK YOURSELVES. You deserved to be dismantled.
Re: FUCK YOU SONY IDIOTS
Hmmmm that sounds strangely similar the NARRATIVE response in Benghazi by the Muslims who did not like a movie about Mohammad…hmmm odd indeed ……you best rethink your position or risk being called a stupid cunt, which you might be.
Sony re Hacking
As I set and listen to all this banter about who is right who did this, how stupid is he, on and on…it reminds me of the recent EBola quarantine proposals…. ah yes, as an average Joe, with average education, it comes down to a very simple solution ….. separate (quarantine) the server (disconnect the internet) from those “sensitive” systems…just like we should have stopped flights from countries where there was an outbreak. I mean, if it is “SENSITIVE” and “INTERNAL” then why was it even connected to internet access? Do these high tech gurus not know how to create a stand alone INTRANET for INTERNAL emails?… or how to store sensitive data on tape or drives that are not connected to the internet…..(yes I know about office locations, etc ) BUT…with all the cash at SONY….it must be LAZY.
Re: Sony re Hacking
I forgot to mention…. why is this a big story?
Seriously the DOD, IRS, CIA FBI, all get hacked several times a day….. and SENSITIVE DATA? …what? none of you knew that Jollie was a self mutilating brat…? …or that Obama is a race baiter who goes out of his way to help gays ,blacks, Muslims, communists, and any other “anti-American” identity around the world. Just saying. Sony? Who gives a flying flip.
XMAS Gifts for North Korea
While corporate cretins cringe and cower…
http://www.firehow.com/2013041237025/how-to-deal-with-little-fatty-the-third.html
Since they don’t like XMAS in NK, someone needs to sell Christmas ornaments with Dear Leader likeness.
There is one scene in #TheInterview that would make a particularly incendiary XMAS bauble!