By Mark Rasch
It hasn't been a good few weeks for Sony Pictures Entertainment (SPE). Their networks were taken down, employees threatened, e-mails exposed, salary and personal information disseminated. Its stars and executives have been portrayed as overpaid petulant jerks.
And at least some of its movies have been leaked online – including movies currently in theaters, and some to be released during the holiday season. This is on the heels of a multi-million dollar breach of the PlayStation system a few years ago. From this you might conclude that Sony is doing a bad job of security.
You would be right. And wrong.
It’s always easy after the fact to examine the security practices and see exactly what was wrong. Palm slapped on forehead. How COULD they have allowed this to happen? But the attack, which happened to Sony, can, and likely will happen at many if not most major companies. It’s because of the nature of data, networks, hardware, software and mostly – people. We design systems to do what we need them to do – to get information from people who have it to people who need it. That’s the core function of information systems. To some extent, security inhibits this core function.
To some extent. Encrypted files can’t be easily searched and indexed. A file that has limitations on its dissemination can’t be – well, disseminated. And as networks get more complex and interconnected, as we allow more and more people and entities on our networks or with access to them, security becomes more difficult. Plus, we really don’t know what the actual impact is likely to be from a massive (or less massive) breach. How do you measure Angelina Jolie’s feelings? What’s the value of an Adam Sandler movie? How many 60 year olds won’t go see Mr. Turner in the movie theater because it can be downloaded on a P2P torrent site?
It’s not that Sony wasn’t doing anything. It’s that it wasn’t doing everything. And what it was doing, it wasn’t doing all that well.
Or what we call, “typical.” In fact, at a hearing before the U.S. Senate Banking, Housing and Urban Affairs Committee on December 10, FBI Assistant Director of the Cyber Division noted, "The malware that was used [in the Sony attack] would have slipped, probably would have gotten past 90 percent of the net defenses that are out there today in private industry and I would challenge to even say government.” He called the degree of technical sophistication involved in the Sony attack "extremely high, and we can tell based on our investigative efforts to date, organized and certainly persistent.”
So you can’t necessarily blame Sony for being attacked, but you can’t necessarily exonerate the either. Some entities do a pretty good job at securing some parts of their networks, and some of their data. A large bank may have a security staff numbering in the hundreds of thousands. That’s because protecting the integrity of financial transactions (and the perception of that integrity) is a core function for the bank. That’s why they have those shiny steel vaults. Not so for most companies. Oh, and the banks can be, and are hacked. Frequently. And that’s not even adding sophisticated hacker networks, state sponsored attacks, or intelligence agencies. It’s all about levels of risk.
In light of the attacks, companies like Sony, Target, and Home Depot are inclined to open up their checkbooks and spend like a drunken sailor on security. Not necessarily a bad idea IF they spend wisely.
One thing Sony has decided to do is to hack back. Sort of. The website recode has reported that SPE “has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.” According to recode, Sony “is using hundreds of computers in Asia” over the Amazon Web Service in Tokyo and Singapore to execute a DDoS attack on websites distributing stolen Sony files – including Sony movies.
Recode provides few details of the DDoS attack except to state that Sony is apparently planting bogus “seeds” of the stolen files onto P2P file sharing and torrent sites in a manner reminiscent of the tactics of MediaDefender. The bogus seeds contain corrupted files, which are difficult and time consuming to download.
Thus, an individual seeking a copy of SPE’s film “Annie” would instead spend hours trying to download a file deliberately made to look like the pilfered movie, but really a worthless file. Think of a rogue movie theater offering a free screening of Sony’s Fury WWII Tank movie, and after selling popcorn and Coke, showing nothing but 6 hours of previews.
Although you can applaud Sony (and MediaDefender) for creativity, the move is actually a legally dubious maneuver, and depending on how it is implements, could also expose the company to greater liability and even prosecution.
The devil is always in the details.
Recode provides few details on what it terms a Denial of Service attack using AWS (Amazon Web Server), but from what it describes, it seems that the Sony response goes like this.
· Sony uses computers in Japan and Singapore on AWS to “seed” large files.
· This is necessary because P2P file shares and torrents create networks of individual computers, which contain the files that users seek.
· Sony names those files with names or hash functions to make them appear to be legitimate stolen copies of its own files. (an example might be 2014AnnieScreener.mp4). These may also include bogus “copies” of the stolen emails, documents or other files.
· Alternatively, Sony could be using real copies of the stolen files, altered in such a way as to make them unplayable and difficult to download.
· Sony may have embedded these files with a “beacon” or be using the attempts to download as a way of identifying the IP addresses of the attempted downloaders.
· The bogus files may or may not have code in them that runs on the computers on which the file is downloaded. If there is such code, it could simply beacon, or do something more.
Did I mention that the devil is in the details?
The problem is that the law in the U.S., and to a greater or lesser extent around the world, tends to disfavor what are called “self-help” remedies. Hacking back – a broad term that covers things from perfectly acceptable defensive operations up to and including affirmative information warfare and cybercrime – can run afoul of this principle.
The general laws prohibit things like “unauthorized access” to a computer, or “exceeding authorization” to access a computer. In the latter category, courts have included actions, which, while not strictly trespass, are unwanted by the computer or network owner. Thus, and employee with authorized access to sales leads in a company network who then copies these leads and provides them to a competitor can be prosecuted for “exceeding authorized access” because the employer did not grant access to the computer and files for that purpose.
In the Sony case, the P2P downloader who wants to watch Brad Pitt kill Nazis – no, the other movie in which Brad Pitt kills Nazis (this time with a tank), did not “authorize” the use of their resources to download djreck. (it’s Yiddish – look it up.)
Another provision of the US computer crime law makes in an offense to “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a … computer” The fake Annie file is clearly a program, information, code or command, and SPE has knowingly caused its transmission to the attempted file sharer’s computer. They did so intentionally, and with the intent that it slow down the file sharers computer or connection. Whether this constitutes “damage” to the computer is a factual and legal question. Devil = details.
The computer crime law also prohibits “fraud.” This is lying about something. SPE is telling people (or leading them to believe) that there’s a really cool stolen file here. But there isn’t. Technically, that’s fraud. And they are doing so in the hope that the downloader will use up valuable time, energy (both human, computing and electrical), as well as resources (processing, bandwidth, network, etc.) in attempting to get the bogus “thing of value.”
So the downloader is defrauded out of a thing of value. Here the statute is more ambiguous, providing that it’s a crime for whoever “knowingly and with intent to defraud, accesses [uses the resources of] a protected computer [a computer subject to federal jurisdiction – basically any computer] without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
It seems to me that in this scenario, Sony doesn’t really get a “thing of value” from the downloaders, except maybe temporary forbearance.
This analysis is dependent on the idea that the described Denial of Service attack really isn’t a denial of service attack, but more a prevention of downloading attack. But if it is more than that – like a code insertion, or the deliberate slowing of computers or networks, it may be morally satisfying, but may not be legally justifiable. Devil. Details.
And it’s curious that the so-called DOS attack is being launched from Japan, Sony’s headquarters. Which raises the question of whose law applies here anyway? Japan’s Unauthorized Computer Access law (Law No. 128 of 1999 /Penal Code Articles 258, 259) is patterned after the laws in the US, UK and Council of Europe. So, the DoS attack may violate that law. For example, Japanese law provides:
Article 234 - Interference with business transaction by computer system
Any person who intentionally and knowingly, illegally, causes disruption or interference with regular execution of valid performance of computer system which is being used or intended to be use for business transactions of others, or causes executions which are contrary to the proper use or purposes of such computer system, by destruction of such computer system or electromagnetic record which is being used or intended to use in such computer system, by introducing false information or wrong instructions into such computer system, or by the other similar means, and causes interference with business transactions of others shall be punished with penal servitude for not more than 5 years or be fined not more than 100,000 yen.
Article 246bis - Computer Fraud
Any person who intentionally and knowingly, illegally, obtain unlawful profit or cause to obtain unlawful profit to any others, by introducing false information or wrong instructions into computer system which is being used or intended to be used for business transactions of others, by producing a false electromagnetic record relating to take, loss or change of property of others, or by using such false electromagnetic record on any business transactions, shall punished with penal servitude for not more than 5 years.
So whether Sony’s actions violate these provisions depends on exactly what the reported DoS attack does, and how. Sony’s overall response to the attack has to include technical, forensic, public relations, and legal support. Based on the PR response so far, I wouldn’t want to be Sony. After all, you don’t want to get Angelina Jolie angry. I’ve seen what she can do in Salt (and Salt II), Lara Craft, Mr. and Mrs. Smith. And don’t forget her role as Kate in the 1995 United Artists production, Hackers. Maybe that was just training.