Sony attack could be turned on anyone
No one in the entertainment world wants to be Sony these days.
After a security breach resulted in the theft of personal information in more than 100 million user accounts, it didn’t seem things could get much worse. But a series of rapid-fire smaller hacks to sites in Canada, Thailand and Indonesia — along with an exploit on Sony’s PlayStation site that temporarily put accounts at risk again — continued to endanger the company’s reputation with consumers.
Instead of the muffled competitive snickering that usually occurs when a rival stumbles, other entertainment companies have watched in fear as the drama has played out, knowing that their own online operations were spared only by the whim of the hacking community.
There’s no single human face to put on hackers. While some, like Kevin Mitnick, have achieved a level of notoriety, it’s actually a decentralized group that most executives picture when discussing the threat: Anonymous.
Fashioning itself after the terrorist hero of the film and comic “V for Vendetta,” this leaderless (and, naturally, anonymous) organization fashions itself as a group of “hacktivists” — protesting what it decides to be violations of Internet freedom and freedom of speech by hacking the sites of the organizations responsible.
The group is responsible for some of the largest attacks online, such as a group effort to upload pornographic videos to YouTube disguised as children’s videos and a series of attacks on the Church of Scientology. In the past year, its targets have included Sony, the MPAA and the RIAA.
It’s the group’s potential ties to the Sony attack that have people worried. While the party or parties behind that breach have not yet been identified, Sony has made it clear that it believes Anonymous played a role in the attack.
The group initially announced plans to attack Sony’s websites after that company’s lawsuit against George Hotz, a hacker who broke through the PlayStation 3’s security protocols (which prevented people from running pirated software), then told the world how to do so.
The group managed to disrupt Sony’s Web servers with its usual method: a Distributed Denial of Service (DDoS) attack in April. (Anonymous attackers, using software known as “Low Orbit Ion Cannons,” repeatedly pinged the company’s servers. When done simultaneously by enough users, this can bring the site down — usually quickly and without warning.)
Weeks later, after the severity of the data intrusion had been discovered, Kazuo Hirai, chairman of the board of Sony Computer Entertainment America, told the House Subcommittee on Commerce, Manufacturing and Trade via a statement that the hackers left a calling card.
“When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file named ‘Anonymous’ on one of those servers, a file containing the statement ‘We are Legion’ (a motto favored by Anonymous),” he wrote.
Sony believes the data intrusion occurred on or around the same time as this attack — but was not detected because it was a very sophisticated hack that exploited a system software vulnerability and the company’s security teams were distracted trying to defend against the DDoS attack.
“Whether those who participated in the denial-of-service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief we may never know,” Hirai wrote. “In any case, those who participated in the denial-of-service attacks should understand that — whether they knew it or not — they were aiding in a well-planned, well-executed, large-scale theft.”
Anonymous later issued a statement denying responsibility for the data theft — though it did concede that it was possible that some members acting on their own may have gone off the reservation.
That’s part of the problem with fingering Anonymous in cyber crime — anyone can claim to be a member. And since there are no formal requirements to join, it’s difficult, if not impossible, to verify or disprove such a claim.
Security experts, though, say that while Anonymous is certainly a thorn in the side of the industry, it does not (as a collective, at least) represent a particularly large threat.
“What it has done is (the equivalent of setting) a bunch of brush fires — as opposed to burning down houses,” said Hemu Nigam, founder of SSP Blue, an Internet security consultant business and former VP of Internet enforcement at the MPAA. “At the end of the day, does that really have any impact on the revenue that’s generated by Hollywood and the entertainment industry? Does it have an impact on their reputation or future success? Does it have any effect on people who consume Hollywood content? None whatsoever. If anything, the opposite has happened. People ask, ‘Who are these guys that are promoting illegal activity?’ ”
Before targeting Sony, Anonymous had the MPAA and RIAA in its sites for actions the groups tool to squash filesharing websites, such as the Pirate Bay. The websites for both organizations suffered some offline time, but the impact was muted.
The group published the home address of the RIAA’s CEO, along with his salary information and his wife’s name, encouraging members to arrange for pizza and other deliveries to him.
The MPAA and RIAA attacks lasted less than a day and probably wouldn’t have made news outside of entertainment industry trades and tech sites until Gene Simmons got involved.
The frontman for the rock group Kiss riled pirates and their supporters with comments at a convention in Cannes, France, saying, “Make sure your brand is protected. Make sure there are no incursions. Be litigious. Sue everybody. Take their homes, their cars. … The music industry was asleep at the wheel and didn’t have the balls to sue every fresh-faced, freckle-faced college kid who downloaded material.”
The next day (and for roughly the following 36 hours), his site was toast.
Anonymous got its start on 4chan, the Internet’s most infamous imageboard, specifically its sometimes gritty “/b/” subforum. The founder of that site, though, says while the site (and the group) have become notorious for their exploits, there’s a value in hiding behind that wall of anonymity.
“One of the things that 4Chan does that’s really special is the way people come together to collaborate en masse,” said Christopher Poole at South by Southwest this year. “It’s the process at which you arrive at the product that is fascinating. … Anonymity is authenticity. It allows you to share in a completely unvarnished, raw way. … The cost of failure is really high when you’re contributing as yourself.”
In fact, the notoriety that Anonymous has achieved for its exploits has upped the stakes in the hacking world. Now, rather than sticking to the shadows, hackers seek high-profile targets and brag loudly when they disrupt them.Most recently, a group calling itself LulzSec proudly boasted that it was behind the takeover of PBS servers that included the posting of a false news story on the NewsHour website that rapper Tupac Shakur was still alive and living in New Zealand.
The group was in such firm control of the network’s operations that it even hacked PBS’ statement on the hack, replacing it with an obscenity.
Whether Anonymous itself is a direct threat is actually immaterial as its targeted attacks are often announced well in advance on its Internet Relay Chat channel or the group’s website.
That gives people who may have more nefarious goals the chance to use the group’s attacks as a way to probe for system weaknesses — which can then be exploited (and shared with other hackers).
“When vulnerability is identified, there’s a lot of copycat hackers looking to come after you,” Nigam said. “It could be they’re attacking because you have consumer information that they want to sell on the underside of the Internet. They could attack because they want to store something there. … There are all sorts of reasons people could be motivated to attack a large network.”