
Sony Pictures hacking back: The ethics of obfuscation

News roundup: Amid a devastating breach incident Sony Pictures is fighting back, raising legal and ethical questions. Plus: A big week in security acquisitions; Comcast sued over open Wi-Fi; and Yahoo announces vulnerability disclosure policy.

The devastating cyberattack on Sony Pictures Entertainment late last month has produced a steady stream of news, but Sony isn't sitting idly by; the company has decided to "hack back," countering the damage caused by attackers using methods that pose legal and ethical questions.

According to Re/code, Sony is using Amazon Web Services to carry out what Re/code referred to as distributed denial-of-service attacks on websites hosting its pirated movies.

However, in describing Sony's tactics, the article seems to suggest Sony is not using DDoS, but rather a "bad seed" attack that provides targeted data obfuscation. In an approach similar to what music and other film companies have done in the past to thwart the spread of pirated media, Sony has reportedly been spreading fake torrent files that closely match its stolen files, right down to the SHA1 signatures, in an attempt to obfuscate and frustrate those attempting to download the stolen files. Anyone attempting to access the pirated files would be connected to fake "seeds" that deplete their system's software resources and bring download speeds to a crawl.

AWS has since denied the claim that Sony is using its servers for distributed denial-of-service attacks, noting that DDoS is prohibited by the company's terms of service. "AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services," the company said in a statement. It remains unclear, however, whether Sony's bad seed attack violates the cloud service provider's terms of service.

News of Sony's actions broke Wednesday after a fifth data dump of movies, scripts, Social Security numbers, corporate emails and more was released from the reported 100 terabytes of data stolen from Sony's network.

While many media outlets are standing by Sony's actions -- one stated that it's "refreshing to see Sony on the offensive" -- it is important to note that distributed denial-of-service attacks are traditionally used by malicious hackers to render a target system, network or website unusable. Plus, they're a potentially criminal and civil offense.

Even if it can be confirmed that Sony is conducting a bad seed attack and not a DDoS attack, its actions would still be highly questionable under the law. According to attorney and cyberlaw expert Mark Rasch, Sony may be in violation of U.S. computer fraud law because it would seem to be intentionally misleading downloaders into attempting to acquire its fake files.

Though Sony may be acting in what it sees as self-defense to protect the property that has been stolen from it, the ethics of using these sorts of hacking techniques as an offensive measure have long been debated, and questions about its legality aren't new. Keeping its confidential information out of the wrong hands may be Sony's legitimate goal, but using unethical -- and illegal -- actions may prove to be an even more costly solution than the problem itself.

In other news

  • Belden Inc., based in St. Louis, announced Tuesday that it has acquired Tripwire, Inc., based in Portland, Ore., for $710 million. The communication technology company is adding the information security and compliance software vendor to its portfolio in hope of delivering next-generation cybersecurity products to enterprise, industrial and broadcast markets. Belden president and CEO John Stroup said the acquisition "positions Belden as a leader in helping customers deploy and secure the Internet of Things." The purchase is expected to be finalized in the first quarter of 2015.
  • In other acquisition news, Cisco Systems Inc., based in San Jose, Calif., Wednesday announced its intent to purchase Chicago-based Neohapsis Inc. The multinational networking giant is adding the security advisory company to "deliver comprehensive services to help our customers build the security capabilities required to remain secure and competitive in today's markets." The terms of the deal were not disclosed, but the acquisition is expected to close in the second quarter of 2015.
  • Comcast Corp. was slapped with a class-action lawsuit last week by two Pittsburgh residents over claims that the company's Wi-Fi hotspots on their home wireless routers are "power-wasting, Internet-clogging (and) privacy threatening." The plaintiffs alleged that Comcast is "exploiting them for profit" and violating the Computer Fraud and Abuse Act, California's Comprehensive Computer Data Access and Fraud Act, and the Business Professions code. The lawsuit also claims that Comcast "turns the service on without permission and places the costs of its national Wi-Fi network onto its customers." The suit alleges that the secondary Wi-Fi channel on consumers' routers will push "tens of millions of dollars per month of electricity bills onto consumers" and that consumer security risks are increased because it "allows strangers to connect to the Internet through the same wireless router used by Comcast customers." Comcast released a statement on Tuesday: "We disagree with the allegations in this lawsuit and believe our Xfinity Wi-Fi home hotspot program provides real benefits to our customers. We provide information to our customers about the service and how they can easily turn off the public Wi-Fi hotspot if they wish."
  • Yahoo Inc. announced that it will disclose to the public any new vulnerabilities found within 90 days of discovery. In a blog post published Tuesday, Yahoo's senior manager of penetration testing, Chris Rohlf, wrote, "By committing to this short time frame, we will help ensure that these vulnerabilities are patched as quickly as possible." A short FAQ on the blog explains that "90 days is a long enough timeline that developers can write, test and deploy a fix to an issue. Within this time we will do our best to coordinate disclosure of the vulnerability and ensure that a proper fix has been developed." The team does, however, reserve the right to extend its deadline if the vulnerability is being actively worked on by the vendor. However, if it feels no progress is made, it will publish the vulnerability's details to protect the Internet community. While many companies have similar internal policies, few have publicly disclosed them. Yahoo follows in the footsteps of Google, which announced its Project Zero initiative in July.
