![](\"https:\/\/media.wired.com\/photos\/59961adcd5c2fb3991a1a05f\/master\/pass\/HBO-breach-03-FeatureArt.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Fri, 18 Aug 2017 15:46:32 +0000<\/strong><\/p>\n They say April <\/span>is the cruelest month, but HBO may beg to differ. The company kicked off August with an apparently massive breach of its servers<\/a>, in which hackers pilfered everything from full episodes of unreleased shows to sensitive internal documents<\/a>. Not long after, in separate and distinct incidents, two episodes of Game of Thrones<\/em> leaked out early. And Thursday, hacker group OurMine<\/a> hijacked HBO\u2019s main Twitter account, along with those of several HBO shows. It\u2019s been a hell of a couple of weeks.<\/p>\n But HBO\u2019s rocky patch of hacks and leaks also serves as an important reminder of just how hard it is for any company to lock things down these days. While the attacks blur together, they\u2019re in fact four distinct incidents, each with their own set of lessons.<\/p>\n \u201cThey have some supply chain issues, they have malicious insiders, they had accidental insiders, they have an account compromised,\u201d says Richard Ford, chief scientist at security software company Forcepoint. \u201cIt crosses a range of issues that highlight the challenges that a big organization like HBO faces.\u201d<\/p>\n Focusing on the variety of threats out there doesn\u2019t just provide some much-needed clarity around HBO\u2019s current dilemma\u2014it may help other companies prevent a similar mess down the road.<\/p>\n HBO\u2019s trouble actually began at the tail end of June, when hackers identified only as Mr. Smith<\/a> dropped four unreleased episodes of HBO shows\u2014including one, Barry<\/em>, not slated to debut until next year\u2014as well as the script to an unreleased episode of Game of Thrones<\/em>. They suggested they had 1.5 terabytes of HBO data in total, ranging from more shows to financial statements and other sensitive documents.<\/p>\n A week later, the same person or group followed up with a ransom note demanding millions of dollars in exchange for the leaks to stop, as well as a screenshot to a file directory that implied they had access to either information about or episodes of shows like Curb Your Enthusiasm<\/em> and Insecure<\/em>.<\/p>\n Hack Brief: HBO Shows and a Game of Thrones<\/em> Script Land Online<\/p>\n That Orange Is the New Black<\/em> Leak Was Never Going to Pay Off<\/p>\n Here\u2019s where things get a little confusing. In between those two hyped hacker releases, a full episode of Game of Thrones<\/em> leaked two days before the air date. It came not from Mr. Smith, as one might have assumed, but from four men in India who allegedly smuggled the episode<\/a> out of Prime Focus Technologies, a company that works with Star India, which carries HBO in that country.<\/p>\n While not a traditional attack, in which hackers breach a system, the Star India heist represents an increasingly common scourge for the entertainment industry and beyond: The not-quite-inside job. However secure HBO can make itself, it has little say in how Star India protects its data, and even less in what Prime Focus Technologies does.<\/p>\n \u201cThe whole business model today has exacerbated the insider threat, because there\u2019s a lot more insiders,\u201d says Stephen Cobb, senior security researcher at ESET, a global IT security firm. \u201cIf you sit down in a movie theater at the end and watch the thousands of people involved in that movie, most of them don\u2019t actually work at Paramount, or Sony, or whoever\u2019s name is on the picture\u2026 You\u2019ve got a lot of people having access to property which is very valuable.\u201d<\/p>\n HBO\u2019s in no way alone in this; Netflix recently faced\u2014and declined\u2014a ransom shakedown when hackers lifted episodes from the upcoming season of Orange Is the New Black<\/em><\/a> from a third-party production studio. And the ease with which unscrupulous employees can smuggle that property out of the building exacerbates the issue.<\/p>\n \u201cIf you look at what is involved in an insider leaking intellectual property, it used to involve physically carrying something out of the building that was big and heavy. Or in the case of a movie, a can of film,\u201d says Ford. \u201cNow it\u2019s a file transfer.\u201d<\/p>\n Taken together, the Mr. Smith hack and that initial Game of Thrones<\/em> leak would have already constituted one of the most high-profile month of security lapses the entertainment industry\u2019s recent history. But remember, that was just week one. Two lesser\u2014but still damaging, and embarrassing\u2014trip-ups still followed.<\/p>\n On August 16, HBO played itself. In an incident unrelated to the Mr. Smith hack, or the Star India leak, HBO Nordic and HBO Espa\u00f1a aired this Sunday\u2019s episode of Game of Thrones<\/em> for an hour\u2014plenty of time for it to land on torrent sites.<\/p>\n \u201cThe error appears to have originated with a third-party vendor and the episode was removed as soon as it was recognized,\u201d said<\/a> HBO Europe spokesperson Tom Nielsen in a statement. The key phrase, again, being \u201cthird-party.\u201d<\/p>\n Lastly, or at least most recently, came the OurMine hack. The group caused minimal damage, leaving a message that read, \u201cHi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security.\u201d HBO regained control of its account within an hour.<\/p>\n \u201cThe infringement on our social media accounts was recognized and rectified quickly,\u201d says HBO spokesperson Jeff Cusson.<\/p>\n But the OurMine incident, in addition to adding literal insult to injury, also shows two distinct types of security threats.<\/p>\n 'You\u2019ve got a lot of people having access to property which is very valuable.' \u2014Stephen Cobb, ESET'<\/p>\n First, companies under fire tend to draw attention from other hackers. Sony, for instance, suffered 20 breaches<\/a> in two months following its devastating 2014 hack<\/a>.<\/p>\n \u201cAny high-profile hack will create elements of a dogpile and copycat, if we want to include both dog and cat in our analoty,\u201d says Cobb. \u201cThat organization is suddenly in the limelight. You also have copycats, where you have people out there saying wow, some of these big studios don\u2019t have perfect security.\u201d<\/p>\n On a more practical level, the OurMine Twitter takeover offers a textbook example of credential-stealing, a pervasive attack that can cause a lot more damage than just social media exposure.<\/p>\n \u201cSpearphishing attacks are increasingly common and with the right amount of reconnaissance on the target, they can be the quickest way to obtain credentials for email accounts, cloud storage or even social media profiles,\u201d says J\u00e9r\u00f4me Segura, lead malware intelligence analyst at security firm Malwarebytes. It\u2019s unclear if OurMine used that method specifically, but it seems like a likely route.<\/p>\n If any silver lining can emerge from HBO\u2019s stormy few weeks, it may be that it illustrates just how many attacks a company has to defend against\u2014and how to deal with them when they do occur.<\/p>\n \u201cWhat you\u2019re looking at here, with a digital business like HBO, is an ever-expanding attack surface. You have complexity, you have applications, third-party partners, social media,\u201d says Jeff Pollard, security analyst at Forrester Research. \u201cAny one of those could be the pathway for an attacker to get in.\u201d<\/p>\n As HBO has learned, defending against all of those threats simultaneously can feel a bit like defending King\u2019s Landing against dragons and White Walkers and whatever Little Finger\u2019s up to. But it\u2019s at least possible to adopt a mindset that helps minimize the damage.<\/p>\n \u201cFrom a defense standpoint, it\u2019s all about being able to protect your data wherever it\u2019s gone, and understanding how that data is ultimately leaving your control,\u201d says Forcepoint\u2019s Ford. \u201cA lot of the time in security we\u2019re focused on inbound, we\u2019re very threat-centric. But looking outbound, protecting that data wherever it is, is a paradigm shift we\u2019d do well to execute on.\u201d<\/p>\n Otherwise, absent more details about how the Mr. Smith hack happened in the first place, the best steps to take are also the simplest.<\/p>\n \u201cThe majority of the time, the lessons that are learned from these sort of events is that basic security principles and basic security hygiene are often not followed,\u201d says Pollard. Even a step as using two-factor authentication, for instance, could forestall potential Twitter takeovers.<\/p>\n Ultimately, the HBO hacks have proven less severe than what Sony suffered three years ago. Personal emails have not been publicly aired, and the leaks of shows so far don\u2019t seem to have put a dent in viewership. A very bad month has not turned as catastrophic as it first seemed it might have.<\/p>\n Then again, we\u2019re only two weeks in.<\/p>\n