Expert says much can be learned from attack on Sony

HBO, Netflix and Disney’s recent problems with security breaches and leaks all have one aspect in common: the fragility of third-party post-production companies.

All three have suffered intellectual property theft and, while it might make sense to question those companies’ security, experts blame offsite post-production companies. Alex Reid, chief research officer at Security Scorecard, told Polygon that the entertainment industry is seeing a series of “repeatable attack scenarios” that can’t be ignored. The trend he sees is a lack of security at the post-production houses and hackers finding a way to get in and steal information.

“A lot of the time the people doing the editing have access to confidential, highly secure information just so they can access files they need quickly,” Reid said. “The hacker underground has figured out how these transfers are being done and how to get into a company’s main database through that.”

Reid said he can’t be sure, but he believes hackers may be exploiting the File Transfer Protocol (FTP). FTP is a network protocol and one of the most common methods of transferring files between a client and a server. Think of it this way: If an editor in Vancouver needs to work on audio for a Game of Thrones episode that is being kept in a London-based studio, FTP is one of the easiest ways for the editor to grab those files directly.

“Using an FTP goes back to the beginning of the internet,” Reid said. “It's not a very secure method; it's old, but it’s also simple, which makes the process of transferring something very easy. There might not be any password in place! Once an attacker has that, they can essentially log in to the entire network. If a hacker gets into your network with authenticated credentials that they have now stolen and they're routing the traffic through an IP address, then it doesn't really flag to security firms as an attack since it's an authorized login.”

Reid believes this happened to HBO, Netflix and Disney. The attacks continue the trend security experts have seen since the Sony hack of 2014. Reid said that companies of these sizes with “any intellectual property of perceived value” will eventually be a target of attacks that will get mainstream media attention and, potentially, embarrassment for the studios and networks.

HBO told Polygon that, following the attack last week, the network believed “further leaks might emerge from this cyber incident.” That lines up with what security experts like Reid believe happened. If the hackers found a zero-day exploit, they could have secured a large amount of data (reportedly 3.4 GB) before the network found out. So they could be sitting on more information that they will release later.

“All of the information is not totally out there, and that’s wise on HBO’s part, but although it could be a second attack, it seems more likely that they're sitting on a large trove of data,” Reid said. “They might have been leveraging exploits that were exclusive to them, making this a very targeted attack. The very nature of the ransom note going around certainly seems like it was targeted.”

In one of the slides from the ransom video that hackers posted, it is apparent they have more information than they have revealed so far.

"By penetrating your Internal Network and other related platforms, we obtained your highly confidential Documents, IT related data, Scripts and etc. these data dump, as you will see, contains HBO's Various Contracts, Mutual Agreements, Human resources, internal structure, International affiliates, Business strategies, international Marketing, IT infrastructures, producing films & Series (with very detail info!), budget detail for major operations, how you sell and how much!, various strategic insights in every aspects, confidential research, internal letters & Tax Evading Proofs! & Nielsen's Dirty Job! & etc."

If hackers went through a third-party post-production company to access files through the shared FTP server, they could have stolen an unimaginable amount of data. The question now is how companies like Netflix, Disney and HBO can increase security between production houses to avoid further security breaches.

There are a few options. One is more secure email, such as PGP encryption, but once hackers have spread malware on a computer, they can download the decryption keys. Encryption will slow down the theft, but it doesn’t eliminate the possibility. The best solution, according to Reid, is to increase communication between the companies and keep a closer eye on what files are being transferred and who’s looking at them.
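
One way to watch file transfers in the sense described above, as an added example that is not part of the original article: a small Python check over file-transfer logs that flags password-less logins, valid logins from a source an account has never used (the "authorized login" case Reid describes), and unusually large downloads. The log format, account names, addresses, baseline and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical key=value format (not from any real server).
SAMPLE_LOG = """\
2017-07-30T09:02:11Z LOGIN user=editor_van src=198.51.100.20 auth=password
2017-07-30T09:03:40Z RETR user=editor_van src=198.51.100.20 bytes=450000000 path=/audio/ep5_mix.wav
2017-07-31T02:14:07Z LOGIN user=editor_van src=203.0.113.77 auth=password
2017-07-31T02:15:00Z RETR user=editor_van src=203.0.113.77 bytes=1900000000 path=/scripts/archive.zip
2017-07-31T02:21:30Z RETR user=editor_van src=203.0.113.77 bytes=1500000000 path=/contracts/archive.zip
2017-07-31T03:00:00Z LOGIN user=anonymous src=192.0.2.9 auth=none
"""

# Assumed baseline: source addresses each account normally connects from.
KNOWN_SOURCES = {"editor_van": {"198.51.100.20"}}
BULK_BYTES = 3_000_000_000  # assumed download alert threshold per (user, source)

LINE = re.compile(r"^(\S+) (LOGIN|RETR) (.*)$")

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "event": event, **fields}

def detect(log_text, known=KNOWN_SOURCES, bulk=BULK_BYTES):
    alerts, volume, flagged = [], defaultdict(int), set()
    for rec in filter(None, map(parse, log_text.splitlines())):
        key = (rec["user"], rec["src"])
        if rec["event"] == "LOGIN":
            if rec.get("auth") == "none":
                alerts.append(("no_password_login", rec["user"], rec["src"]))
            elif rec["src"] not in known.get(rec["user"], set()):
                # Valid credentials, unfamiliar origin: the login that looks "authorized".
                alerts.append(("new_source_login", rec["user"], rec["src"]))
        else:
            volume[key] += int(rec["bytes"])
            if volume[key] > bulk and key not in flagged:
                flagged.add(key)
                alerts.append(("bulk_download", rec["user"], rec["src"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same checks only help if the network and the post-production partner both feed their transfer logs into them, which is the shared monitoring the article calls for.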

“Companies have intellectual property that's perceived as valuable,” Reid said. “Both the networks and their third-party partners need to have a continuous internal monitoring program of what's going on in those third-party security networks. A lot was learned from the Sony incident and a lot of things were taken into account and things put in place. The concept of best practices for information security ... networks and studios realize they are now a target beyond just pirating content. They have to be smarter about it.”