The 4 Biggest Cyber Threats Facing Hollywood
January 18, 2016 • By Christopher Null, WIRED Brand Lab • Blog Post
IN THIS ARTICLE
- Seasoned hackers Ralph Echemendia and Walter O'Brien outline the latest cyber threats Hollywood will face in the wake of the Sony attacks
Leading experts explain how entertainment industry titans can guard against the next wave of cyber attacks
Disney execs may now be sitting on the highest-grossing movie of all time (“Star Wars: The Force Awakens,” if you haven’t heard of it), but pity the folks who had to keep the film from falling into the hands of the dark side before its release. Like all movie, TV, music and video game content, the film was under assault from prying eyes and greedy pockets from the day it was announced.
Miraculously, the film made it to release with no major online leaks nor any significant spoilers— proof that at least someone knows what they’re doing in the world of digital media security these days.
Cyber attacks aren’t going to stop, and judging from recent headlines, they’re getting worse. Media and gaming companies—whose business revolves around heavily hyped mainstream content that everyone’s dying to get their hands on—have become prime targets. But, says Walter O’Brien, executive producer of CBS’s “Scorpion” and the real-world hacker upon whom the show is based, “Like most people in cybersecurity, most studios think it will never happen to them because they’re not a bank.”
What’s being done to stem the tide? Here are four major threats impacting entertainment and media companies—and what the industry is doing about them.
Threat: hackers leaking valuable content
Since the dawn of digital, leaking of valuable content has been a constant threat. Who can forget Sony Music’s 2002 strategy to prevent its upcoming Pearl Jam album from being leaked online by sending copies to music critics inside Walkman CD players that had been glued shut? We’ve come a long way since then, but with little effect. Advance leaks of movies and music still take place with regularity.
But some studios have gotten ahead of the hackers, says “The Ethical Hacker” Ralph Echemendia, who consults with Hollywood studios on digital security. “Disney is a lot keener here than the other studios,” he says. “For example, if you are a vendor to Disney and transfer, modify or touch any of their content, Disney will pay for penetration testing of your network environment. If it doesn’t pass, you can’t do business with Disney.”
Other studios have seen hack after hack take place, and little seems to change. And in fact, that may be by design. While HBO recently sent warning letters to BitTorrent users who leaked four episodes of the most recent season of “Game of Thrones”—said to be the most pirated TV show in history—the company has praised how piracy has contributed to its sustained buzz.
Is there a light at the end of the tunnel? O’Brien suggests that as it gets easier and cheaper to stream content online, would-be pirates will eventually choose to pay the modest fee instead of download an illegal copy of a film—simply because pirating a movie is just too much trouble. Yet he’s more interested in a future where VR devices like the Oculus Rift redefine the entertainment experience. “Entertainment will eventually be easier to protect because these aren’t just data files, they’re complex pieces of software that are easier to lock down. You just can’t capture a VR experience by pointing a cell phone camera at it and uploading it to BitTorrent,” he says.
Massively multiplayer online role playing games, or MMORPGs, may be based in worlds ranging from medieval fantasy lands to outer space, but all tend to have one thing in common: an in-game currency that can be used to buy and sell things. Sanctioned or not, those currencies invariably evolve into a real-world financial exchange where tokens trade for cash, either through official channels or through third parties like eBay. The natural upshot: hackers target these e-currencies, which are generally far less secure than places like real-world banks and quickly exchange them for real money.
The most notorious example occurred back in 2009, when a player “robbed” an in-game bank in Eve Online, stealing game credits worth more than $5,000 from other players. Since then, virtual currencies have only continued to flourish, but gaming companies are at least getting smarter about how they’re designed. Blizzard’s new e-currency for the popular World of Warcraft, for example, cannot be traded more than once, making it less attractive to thieves.
Other gaming companies have taken that idea a step further. Last year the game Dragon Knights of Valeria added support for HYPER, a Bitcoin-like digital currency that includes built-in cryptographic protections. It’s a small game and a small currency, but a potential sign of things to come in this space.
Threat: insiders handing over anything to the highest bidder
As any financial institution executive can tell you, the biggest risk is often the inside job. Why would anyone break a lock when the keys are already in someone’s pocket?
“Inside jobs do exist and are a real concern,” says Echemendia, “but it’s less of a concern than you’d think. A large part of the Hollywood workforce is interns and people who don’t get paid a lot but have pretty amazing access to content and communications, but if you’re an intern and you get caught, you’ll never work in this industry again. That’s the key in keeping this from being a bigger problem.” But the real issue, says O’Brien, is the vast number of hands that interact with each project. “Very seldom is a movie made by one entity anymore,” says O’Brien. “When one of them leaks it—the sound mixer or the color corrector—it can [...] your business very quickly.”
Watermarking of media like DVD screeners sent to the press has helped to stifle many leaks, but the bigger challenge, says Echemendia, is the rash of social engineering attacks that insiders face, which can turn them into unwitting accomplices. “The average time an attacker has access to a network is 229 days before detection, and Hollywood is even worse than that,” he says. “The Sony attackers were there for months.” He adds that today attacks often target c-level executives directly: whale-phishing, in the parlance of security pros.
Threat: rogue governments go ballistic
Sony made headlines at the end of 2014 when it was purportedly attacked by an unexpected enemy: the country of North Korea. Why did this happen? Because the studio was about to release a film making fun of it and its leader, Kim Jong-un. “There are a lot of secrets in this industry beyond seeing a movie early,” says O’Brien, pointing to the reams of embarrassing data revealed in the wake of the Sony scandal.
While Echemendia says he is skeptical that North Korea was really the culprit in the Sony hack, it nonetheless was not the first time a regime has been suspected of attacking an entertainment company. For example, China has been implicated in a recent cyber attack on a European media company. In January, Ukraine blamed a malware-driven attack against a major media company on Russia. And of course, at the extreme end of the spectrum are incidents like the 2015 shootings on Charlie Hebdo’s Paris offices, which show how literal state-sponsored attacks on the media can be.
“Western entertainment and media represent literal manifestations of the many freedoms and positions often used as examples by our enemies to condemn our way of life,” says Frank Spano, executive director of the Counterterrorism Institute. “As a result, the media can become a proxy target for ideologically motivated violence.” Spano advises these companies to pursue not just computer-based security training, but also to be prepared for attacks in the real world, too.