Thousands could launch Sony-style cyberattack, says ex-hacker

Ninety percent of companies are vulnerable to a crippling hack, experts tell "60 Minutes."

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
3 min read

Ninety percent of companies are vulnerable to cyber attacks, security experts say. CNET

The chances of another company suffering the devastating effects of a cyberattack like the one perpetrated on Sony last year are not as remote as we would like to believe, security researchers say.

Given the current security levels for most companies, 90 percent of them would be vulnerable to such an attack, which destroyed 3,000 computers and released sensitive information and proprietary content, security experts tell "60 Minutes." And there is no shortage of technically proficient people willing to launch such an attack, said Jon Miller, a former hacker who now serves as vice president of strategy at Cylance, an antivirus software maker.

"There are probably a couple thousand, three, four, five-thousand people that could do [the Sony] attack today," Miller tells "60 Minutes"' Steve Croft in an interview airing Sunday evening on CBS television stations. (Editors' note: CNET is owned by CBS.) "Not all of them are in friendly countries and the number is growing rapidly."

The Sony hack is just one of many recent security breaches that have exposed huge caches of sensitive data belonging to individuals, corporations and governments -- data that could enable further criminal activity or assist in government espionage. The tools to conduct such an attack are readily available from Russian hackers for about $30,000, Miller says.

"It truly, truly is the Wild West right now," Miller said. "What we're seeing are people getting pulled out onto the street and shot and it's like 'Where's the Sheriff?' There's no sheriff."

Complicating things for companies is the sheer number of computers that must be protected, usually from the employees operating them, said Kevin Mandia, chief operating officer of FireEye, the anti-malware company that worked with Sony to mitigate the effects of the hack.

"The advantage goes to the offense in cyber," Mandia says. The defense must defend every computer, thousands in some cases, but "the offense side thinks, 'I only need to break into one and I'm on the inside.'...Nation-state threat actors, or hackers, target human weakness, not system weakness."

The security breach, which Sony discovered in late November, turned out to be more serious and pervasive than initially believed. A group calling itself #GOP, aka "Guardians of Peace," claimed responsibility and said it had obtained internal information. Hackers leaked the personal information -- including Social Security numbers -- of more than 47,000 celebrities, freelancers, and current and former Sony employees. They also leaked yet-to-be released movies, as well as embarrassing emails between Sony Pictures executives, among other internal documents.

The hackers, which the FBI traced to North Korea, were apparently trying to prevent the release of the satirical movie "The Interview," which depicts actors Seth Rogen and James Franco as TV journalists drawn into a CIA plot to assassinate North Korean leader Kim Jong-un.

Hacks on businesses and government agencies ran rampant in 2014. There were more than 1,500 data breaches worldwide last year, up nearly 50 percent from 2013.

Among the recent high-profile security breaches, a hack at Home Depot last year exposed 56 million credit card numbers, and another at Target yielded credit card data of 40 million Target customers and the personal information for an additional 70 million customers. In January, insurance provider Anthem revealed that hackers had broken into its computer systems and potentially accessed the personal data of 80 million people, including their names, emails, passwords and Social Security numbers. Such information makes Anthem's customers vulnerable to identity theft for the rest of their lives.