After Sony: How to Help Prevent Cyberattacks

Photo: Sook (Diana Bang), Aaron (Seth Rogen) and Dave (James Franco) in 'The Interview.' Reuters

A number of cybersecurity bills that would require more information sharing between the U.S. government and private industry have been under consideration in Congress for several years. The intent of these bills is to protect critical infrastructure and financial firms in the United States by helping to prevent cyberattacks.

Private industry has resisted some bills because they may require U.S. firms to share sensitive and possibly proprietary information with the government. Those are legitimate concerns. However, information can flow the other way, too.

Little has been said about U.S. government information that could and should be shared to enhance the cybersecurity of private firms. At least one type of information should be shared with U.S. critical infrastructure and financial firms: the IP addresses of Tor network nodes.

Tor is a global network that helps users remain anonymous by routing their traffic through a chain of volunteer-run relays, so that the site they connect to sees only the last relay's IP address, not their own. While it has many benefits, it is increasingly used to hide criminal activity online. The recent cyberattacks against JPMorgan Chase and Sony Pictures Entertainment highlight the need for such information sharing.


Earlier this year, unknown attackers infiltrated the network of JPMorgan, one of the largest banks in the U.S. financial system. The malware they used slipped past the bank's antivirus filters, which is not uncommon today.

The attack was discovered only by accident. An external website, used to register runners for a JPMorgan-sponsored charity race, was found to have been hacked. The command-and-control servers for the malware on the race website and the malware inside the bank turned out to be the same, and the IP addresses of those servers were the clue that led investigators to the bank compromise.

In this case, the intrusion was caught early enough that no financial information was taken. Even so, names and email addresses of JPMorgan account holders stolen from the bank were posted on black-market sites and forums hosted on Tor.

The recent attack on Sony Pictures was equally sophisticated. Command and control of the malware used in the attack appears to have originated from a luxury hotel in Bangkok, Thailand, a finding reached by tracing IP addresses. As with any IP-based attribution, that locates a hop the attackers used, not necessarily the attackers themselves.

A large amount of data, including digital copies of several unreleased movies (perhaps several terabytes in total), was copied and moved out of the movie studio through the Sony PlayStation network, which runs on the Amazon Web Services cloud. From there the stolen data was sent to a number of file-sharing sites via Tor. This circuitous route masked the attackers' trail and let large amounts of stolen data leave the Sony network without drawing attention.


A few days ago, in a non-public report obtained by KrebsOnSecurity, the U.S. Department of the Treasury warned U.S. banks to block account transactions that arrive through Tor. The Treasury report found that the majority of bank account takeovers by cyberthieves might have been prevented had the affected banks blocked transactions coming through Tor.

Tor, like other anonymity networks, has many legitimate uses. It is used by journalists, human rights defenders and pro-democracy activists in countries where censorship is common and Internet access is tightly controlled and monitored. However, as cyberattackers become more sophisticated, they may use the Tor network in more attacks, both to reach their targets and to exploit the data they take from critical infrastructure and financial firms.

This will make it increasingly difficult for defenders to track and protect against intrusions. There is no reason why legitimate bank customers, studio employees or others who need to communicate with private firms like Sony Pictures or JPMorgan would need to use Tor.

The U.S. government should provide the information it has on the constantly changing set of Tor nodes around the globe. Firms could then block those IP addresses to prevent potentially damaging cyberattacks in the future. In practice, only the exit nodes matter for traffic arriving at a firm: the exit is the last hop and the only Tor address the firm's servers ever see, so blocking guard or middle relays adds nothing. And because relays join and leave continually, any such blocklist must be refreshed frequently, or it will both miss new exits and keep blocking addresses that have since stopped running Tor.
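The following is an added example, not code from the article or from RAND, of what an exit-node block would look like on a firm's side: it parses an exit list in the format the Tor Project's own TorDNSEL service publishes at https://check.torproject.org/exit-addresses (records of ExitNode, Published, LastStatus and ExitAddress lines), checks each client IP in a web-server access log against it, and flags the list as stale when its newest entry is too old. The exit list, fingerprints, addresses (RFC 5737 documentation ranges) and log lines are all constructed for this example; fetching a live list is left out so the script runs offline. The function and constant names are this example's own.

```python
"""Block or flag inbound connections that arrive from Tor exit nodes."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample in the TorDNSEL "exit-addresses" format. The relay
# fingerprints and IP addresses are made up for this example.
SAMPLE_EXIT_LIST = """\
ExitNode 00000000000000000000000000000000000000A1
Published 2014-12-19 17:02:11
LastStatus 2014-12-19 18:03:28
ExitAddress 198.51.100.7 2014-12-19 18:06:16
ExitNode 00000000000000000000000000000000000000B2
Published 2014-12-19 15:40:02
LastStatus 2014-12-19 18:03:28
ExitAddress 203.0.113.45 2014-12-19 18:06:16
ExitAddress 203.0.113.46 2014-12-19 17:55:40
"""

# Constructed web-server access log lines (Apache combined format).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Dec/2014:18:30:01 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.10 - - [19/Dec/2014:18:30:05 +0000] "GET /account HTTP/1.1" 200 2048
203.0.113.46 - - [19/Dec/2014:18:31:12 +0000] "POST /transfer HTTP/1.1" 302 0
"""

# Constructed "current time" values used by the demo and the staleness check.
SAMPLE_NOW = datetime(2014, 12, 19, 20, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=1)


def _utc(date_str, time_str):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the exit list as UTC."""
    return datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_exit_list(text):
    """Map each exit IP to (relay fingerprint, time that exit address was last seen).

    A relay can advertise several exit addresses, so one ExitNode record may
    yield several entries; each ExitAddress belongs to the ExitNode above it.
    """
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "ExitNode":
            fingerprint = fields[1]
        elif fields[0] == "ExitAddress" and fingerprint is not None:
            exits[ipaddress.ip_address(fields[1])] = (fingerprint, _utc(fields[2], fields[3]))
    return exits


def list_is_stale(exits, now, max_age=timedelta(hours=6)):
    """True when the newest ExitAddress timestamp is older than max_age.

    The exit set changes constantly: a stale list misses newly started exits
    and keeps blocking addresses that no longer run Tor, so refuse to rely on it.
    """
    if not exits:
        return True
    newest = max(seen for _, seen in exits.values())
    return now - newest > max_age


def is_tor_exit(ip_str, exits):
    """True if the client address is a known Tor exit; raises ValueError on a non-IP."""
    return ipaddress.ip_address(ip_str) in exits


def classify_log(log_text, exits):
    """Return [(client_ip, verdict), ...] for each access-log line.

    verdict is "block" for a Tor exit, "allow" otherwise, or "unparsed" when
    the first field is not an IP literal (e.g. a log with resolved hostnames).
    """
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(maxsplit=1)[0]
        try:
            verdict = "block" if is_tor_exit(client_ip, exits) else "allow"
        except ValueError:
            verdict = "unparsed"
        decisions.append((client_ip, verdict))
    return decisions


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print(f"{len(exits)} exit addresses loaded")
    print("stale now:", list_is_stale(exits, SAMPLE_NOW), "stale a day later:", list_is_stale(exits, SAMPLE_LATER))
    for ip, verdict in classify_log(SAMPLE_LOG, exits):
        print(f"{ip:15} {verdict}")
```

The same lookup belongs at the perimeter (a firewall or WAF rule set generated from the list) rather than only in after-the-fact log review; the staleness check is what keeps an automated feed from silently drifting into over- or under-blocking.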

Daniel Gonzales is a senior physical scientist at the nonprofit, nonpartisan RAND Corporation. This article first appeared on the RAND Corporation website.