Why the Sony hack could lead to even more attacks -- not just on companies but on everyday web users
Last week, Sony Pictures was hacked. Hacked bad. Not only did the attacker leak DVD-quality movie files of films both released and unreleased -- like the Brad Pitt WWII flick "Fury" and the Jamie Foxx "Annie" redux -- the hack exposed budgets, layoffs, salaries, and 3,803 social security numbers of Sony Pictures employees.
While a lot of talk has centered on whether or not North Korea was involved as retaliation for an upcoming Seth Rogen movie, one cybersecurity expert has a different takeaway: That this could create a field day for hackers who didn't even have anything to do with the attack.
Robert Cattanach is a partner at the international law firm Dorsey & Whitney who specializes in cybersecurity regulatory litigation. After studying the moves of hackers for years, he argues that the films themselves leaked in the attack are going to become a prime target for cybercriminals.
"If you’re going to watch part of 'Fury' or all of 'Fury,' that’s a long time," Cattanach says. "Somebody could spend a long time getting into your system while you’re connected. So the concern is not that the video itself but that the site you’ve now opened yourself up to has access to your computer. And it’s a two-way street."
Of course, pirated content has always been a breeding ground for malware. But part of what makes the content associated with the Sony attack so attractive to hackers, Cattanach argues, is that this is a high-profile, headline-making attack, and therefore the leaked movies could attract lots of average consumers who don't normally seek out pirated content -- and who may lack the expectations and experience to avoid malicious websites and prompts.
"I think what’s different about this is, it’s hot stuff," Cattanach says. "I think regular people might say, 'Gosh I might like to see a free viewing of Fury.'"
He adds: "There’s a greater risk that otherwise law-abiding regular folk might be a little curious and go to sites that, if they knew what potentially lurked on that site, they would avoid."
So while web-savvy pirates are well-practiced at identifying and avoiding sites or files containing malware, an everyday user who reads one of the countless news stories promising a free Brad Pitt movie will be like a deer in headlights to hackers.
As for the North Korea angle? Cattanach isn't convinced.
"Based on what I’m hearing, and I only know what I hear here and there, it's looking like it may have been more of an insider job at Sony because of the fact that, apparently, they have some administrative privileges, and they had an encryption key. We’ll know more in a day or a week."
[illustration by Brad Jonas]