The ransom note appeared online on aug. 7, in the form of a chilling video addressed to HBO CEO Richard Plepler.
“HBO was one of our difficult targets to deal with, but we succeeded,” a voice says over sinster-souding music from Game of Thrones, before making a threat: “Our demand is clear and non-negotiable: we want [redacted] dollars to stop leaking your data.”
The demands followed the hackers’ claim to have stolen 1.5 Terabytes of the network’s most closely-guarded secrets from internal servers deep in the HBO fortress — seven times as much data as was stolen from Sony Pictures Entertainment in 2014.
The theft, which became public in late July, reverberated throughout the media industry, though the full extent of what the hackers actually stole remains sketchy. So far, a script for an upcoming episode of Game of Thrones was released, as were unreleased episodes of Curb Your Enthusiasm, Ballers and Insecure, personal data on GoT stars and email messages from a senior executive, with the hackers promising to release more content from the hack each week.
Plepler, in his initial memo revealing the breach to staff at the channel, was candid but confident.
“The problem before us is unfortunately all too familiar in the world we now find ourselves a part of,” he wrote. “As has been the case with any challenge we have ever faced, I have absolutely no doubt that we will navigate our way through this successfully.”
Cyber-threats affecting governments, companies and individuals are at a record high, by many estimates, and online extortion has become a major issue with the unprecedented growth in the number of new ransomware mutations.
The Cybersecurity Issue: Cybercrime Losses Continue to Mount
HBO’s hack was just the latest example of an industry threat — including ransomware, malware and distributed denial-of-service (DDoS) attacks designed to shut down entire networks — that executives could not have imagined only a few years ago. And for the companies that make and distribute content in a competitive world of consumer-savvy conglomerates, the stakes have never been higher.
That’s particularly true for networks, which often have huge revenue expectations for expensive first-run originals. The premature drop of an episode of a hot show, or the release of, say, unsavory emails about a show’s stars, can have lasting and costly consequences.
High Costs of Hacking
Sony Pictures is estimated to have spent more than $100 million in costs related to its hack, according to Reuters, while Yahoo’s 2013-2014 email hack ended up reducing its sale price to Verizon Communications by $350 million.
For now, it is unclear how hackers accessed HBO’s internal systems, though in the case of Sony Pictures and other recent attacks, access was gained through “phishing” emails sent to company executives or other employees. Once the user clicks on an infected link, hackers may be able to gain access to their email accounts, computers or servers.
“The scary thing about HBO is that of their internal network, they happened to get to the crown jewels, because they got to Game of Thrones,’ ” a cybersecurity analyst who works with companies in this field and asked not to be named said. “If they can get to that, they can get to anything.”
Immediately after the attack, Plepler sent an email to staff at the premium cable channel, urging calm through what he called “this difficult period,” reassuring employees that HBO’s email system as a whole was not compromised in the same way Sony’s was, a compromise which led to online leaks of sensitive data on talent, projects and personnel.
“At this time, we do not believe that our email system as a whole has been compromised, but the forensic review is ongoing,” Plepler wrote in the memo.
Distributors are struggling to stay current with the problem as well. As the backbone of the U.S. communications infrastructure, cable and telecom companies are in the crosshairs of hackers on a daily basis. Attacks that take down their services can cripple businesses, annoy consumers and wreak severe economic damage.
Sophisticated hackers can find a way to gain entry into company servers, stealing internal or customer data. In July, for example, Verizon Communications revealed that personal data for millions of its customers was exposed due to a misconfigured cloud server.
“Twenty years ago, I had an ISP look me straight in the eye and say, ‘We build the highway, how you choose to drive on it is up to you,’ ” Dave Lewis, global security advocate for content delivery network and cloud services provider Akamai, said. “Unfortunately, that sort of mentality just doesn’t hold water anymore, and they really need to take these sorts of things seriously.”
Given the investments internet-service providers make in security, most offer premium tiers of service to clients, particularly in enterprise, that offer added security features. According to Cisco Systems’s 2017 Midyear Cybersecurity Report, 71% of service providers surveyed offer such products.
Of course, for ISPs, the biggest threat isn’t necessarily stolen internal or customer data, but a blunt-force attack on their networks.
“In 2014, I was in the White House and someone said we have some report of a 500-Gigabyte-per-second [DDoS] attack, and at the time the experts said, ‘That is just not possible, it’s not gonna happen,’ ” said Ari Schwartz, managing director of cybersecurity services for Venable LLP, who served as director of cybersecurity at the National Security Council during the Obama administration until 2015. “At the time, it was literally not possible. The biggest attacks were in the 100-Gigabyte range. Now we are seeing 10 times that amount three years later.”
Those attacks can slow the internet to a trickle, as with the U.S. attack last October, or knock it offline altogether, as attacks in Europe demonstrated.
According to Cisco’s 2017 midyear cybersecurity report, 34% of service providers surveyed said they lost customers as a result of attacks to their networks. “As an active security challenge, it is quite a bit to take on, the bigger the pipelines, the bigger the threats,” Michal Brenner, marketing manager for Cisco’s service provider business group, said. “Service providers, as they move to more advanced technologies, really need to look at their complete end to end infrastructure and see how to protect that in a holistic way.”
As internet-connected devices, from speakers to baby monitors, continue to grow in popularity, the risks to U.S. ISPs grows exponentially greater. Last October, hackers hijacked an army of thousands of internet-connected security cameras, smart TVs and other “Internet of Things” devices, and marshaled them against Domain Name System (DNS) provider Dyn. The “botnet” the hackers created launched a distributed denial of service attack (DDoS) that slowed internet traffic to a crawl across most of the eastern U.S. Similar attacks have occurred in Europe and the U.S.
Ensuring that IoT devices are secure will be a top priority going forward. For ISPs, that means making sure that they can isolate future botnet attacks, protecting the rest of their customers and the larger network.
Device makers are expanding their products to include more devices with built-in security. Arris, which produces modems, routers and gateways for use in homes and offices, recently launched a home gateway with built-in McAfee Secure Home Internet support. These devices can be particularly useful in securing Internet of Things devices, which may otherwise be vulnerable.
“For a lot of devices [like a WiFi-enabled camera] there is no way to put security software on top of it, but as long as they are connected through this gateway, then they will be under this umbrella of security protection,” Bill Zhou, vice president of product management for Arris, said. “That is really the beauty of it.”
Staying a Step Ahead
The biggest challenge for distributors, indeed for all companies, is taking the threats serious enough to create basic end-to-end protections. Most large ISPs and cable operators successfully fend off hundreds of attacks on a daily basis. More often than not, they’re able to stay one step ahead of malicious attackers, or at least keep up with them fast enough to prevent disaster.
Still, each new hack into a big media company brings the problem back into the spotlight.
“There are still a lot of companies out there in the space that don’t do true risk management, that see security as a compliance exercise, and even the small and medium- size guys have to move to start thinking of this as risk management,” Venable’s Schwartz said.
Perhaps more alarming is the rising trend of hackers looking not to ransom, release or sell stolen data, but to destroy networks altogether, to wreak havoc.
“The fantastic fantasies of Hollywood, of what a hacker could do, early in the days of making hacker movies, we are starting to get to the point where many of those things are becoming a reality,” Francisco Artes, an architect for Cisco’s security business group, said.
The Trump administration may also force the hand of internet providers, depending on the outcome of an executive order signed by the president in May.
That order asks federal agencies to examine whether service providers, particularly publicly-traded providers like cable companies and telcos, are as transparent as they can be with regard to the risks they face and the security precautions they take. The order also tackles botnets, and asks U.S. security officials to determine what role ISPs should have in preventing those types of attacks in the future, and whether the government should force them to keep “clean pipes.”
“People have been under-investing in basic hygiene, and that has to change,” Schwartz said.
SIDEBAR: Tips on How to Stay Secure
Security consultants suggest several tips for information-technology teams to avoid breaches. Senior executives and employees that work in IT are among the most frequent targets of hackers, because of the level of access they have to proprietary and confidential data. In general, though, the same basic rules of security can and should be used by all company employees.
1. Authenticate: Enable multifactor authentication on email accounts. Even if a hacker gets email credentials, multi-factor authentication, which can include authentication through codes sent to mobile devices, for example, they will have a much harder time actually accessing employee accounts.
2. Monitor: Networks and systems should be regularly monitored, and any unusual activity should be immediately escalated and, if the need arises, isolated.
3. Educate: Executives and employees should be kept abreast of the latest phishing emails, and reminded not to click on links they are not expecting. “These things happen every day,” Dave Lewis, global security advocate for Akamai, said. “Every single company is targeted by these sort of things.”
4. Communicate: Executives and IT professionals should regularly communicate with staff, and promptly alert them if there is a breach (as HBO did following its hack). Employees should be encouraged to speak up if they think something is wrong, even if it ends up being a false alarm.
5. Update: All software and applications used by everyone in the company should be kept as up to date as possible. “Everybody should be doing this by now, but quite frankly it is like working with an NFL football team and telling them that tackle and blocking is important, it always will be,” Francisco Artes, an architect for Cisco’s security business group, said. — AW
