Sony Hit by Terroristic Threats, Class Action Lawsuit

December 16, 2014 Updated: December 17, 2014

The hackers calling themselves Guardians of Peace escalated their attack on Sony Pictures Tuesday with a threat to bomb the premiere of “The Interview,” a comedy in which the North Korean leader Kim Jong-un is assassinated.

Sony has so far made no announcement that it will acquiesce to the hackers’ demand to retract the film.

The hackers, believed to be based in North Korea, released a note online warning theaters not to show the film, told people who lived near the site of the premiere to leave their homes, and made a threatening reference to the 9/11 attacks.

The group has already leaked large caches of information from Sony’s databases, including budget details, the personal information of over 15,000 of its former and current employees, and company emails and memos.

The leaked emails have generated widespread backlash against Sony executives, some of whom were revealed to have made insensitive remarks on a wide range of issues.

New Headaches

On Monday, two former employees filed a class-action lawsuit against the company for damages resulting from the leak of their private information, alleging that Sony did not take adequate precautions with its security network.

The leaked documents contained not only employees’ salaries but also their dates of birth, addresses, and Social Security numbers.

Michael Corona, who worked at Sony from 2004 to 2007, said that he has spent $700 on a year’s worth of identity-theft protection as a result of the leak. The other plaintiff, Christina Mathis, who has not worked at the company for 12 years, also cites costs for identity-theft protection in the suit.

The complaint says that Sony had long known about its security vulnerabilities but chose not to fix the problem to keep costs down, citing internal IT memos and quotes by a former Sony director of information security.

Auditors had told Sony in 2005 that its employees had insufficiently complex passwords, but those concerns were ignored, the lawsuit says.

Valid Decision

“It’s a valid business decision to accept the risk [of a security breach],” Jason Spaltro told CIO magazine in 2007. “I will not invest $10 million to avoid a possible $1 million loss.” He is a former Sony director of information security.

Still, experts say that it’s impossible to determine the exact cause of the security breach at Sony.

“We don’t know how the hackers got in,” said Emin Sirer, a computer science professor at Cornell. “They could’ve broken in physically. It’s possible for them to get through this data in multiple ways, this is what makes security difficult.”

Paradigm Shift

Sirer suggests that the next stage of information security is the adoption of more decentralized access controls, so that individual hacks do limited damage, rather than the creation of systems with no vulnerabilities at all.

“It’s impossible to have a machine that is ‘entirely secure’ unless you unplug it from the network,” Sirer said. “The next step from this is to ensure that faults are contained, that one small breach doesn’t turn into a big problem.”

Sirer works on a database called HyperDex, which uses Macaroons, an authorization credentials system created by Google.

“Macaroons was developed at Google to secure things like Gmail and Calendars, it’s been deployed at scale, not small scale, at Google scale,” Sirer said. “The core idea is to make sure that no host has the keys to the kingdom lying on it, and is entrusted with a very limited capability.”
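The following sketch is an added example, not code from HyperDex, Google, or the article. It shows the HMAC-chaining idea behind macaroons that makes a "very limited capability" possible: a host receives a token narrowed by caveats and cannot widen it again. The root key, identifier, table names, and the `field = value` caveat syntax are constructed assumptions, and only simple first-party caveats are modeled.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    # Service side: only the issuing service ever holds root_key.
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    # Holder side: chain the caveat onto the current signature. No root key is
    # needed, and the previous signature is dropped, so a caveat cannot be peeled off.
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def _holds(caveat: str, request: dict) -> bool:
    # Assumed caveat syntax "field = value"; anything unparseable fails closed.
    field, sep, value = caveat.partition(" = ")
    return bool(sep) and request.get(field) == value

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    # Recompute the chain from the root key, then check every caveat.
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    return hmac.compare_digest(sig, token["sig"]) and all(
        _holds(c, request) for c in token["caveats"])

# Constructed sample values, for illustration only.
ROOT_KEY = b"constructed-demo-root-key"
full = mint(ROOT_KEY, "db-credential-1")          # unrestricted: stays with the issuer
host_token = attenuate(attenuate(full, "table = invoices"), "op = read")

def demo() -> dict:
    stripped = dict(host_token, caveats=[])       # stolen token with restrictions removed
    return {
        "allowed_read": verify(ROOT_KEY, host_token, {"table": "invoices", "op": "read"}),
        "other_table": verify(ROOT_KEY, host_token, {"table": "payroll", "op": "read"}),
        "write": verify(ROOT_KEY, host_token, {"table": "invoices", "op": "write"}),
        "stripped_caveats": verify(ROOT_KEY, stripped, {"table": "payroll", "op": "read"}),
    }

if __name__ == "__main__":
    print(demo())
```

A compromise of the host that holds `host_token` exposes read access to one table; the unrestricted token and the root key never leave the issuing service.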

Compromised Everything

The exact details are unknown, but evidence suggests that the Sony hackers were able to use centralized authorization credentials to sweep the entire database. The security firm Kaspersky Lab said that the malware installed in the Sony system had a valid digital certificate.

“By the time someone gets that certificate, it’s way down the line, they’ve compromised everything,” Sirer said.

Macaroons is a recent development that is being implemented in databases around the world, and the Sony incident, which Sirer calls “a landmark,” can only spur its adoption.

“I’m not necessarily suggesting it’s a solution to the actual problem, but it’s definitely a great idea in information security,” Sirer said.