Security

Hackers are forcing Hollywood to reevaluate its cybersecurity

(Bloomberg) — Sony. Netflix. And now, HBO.

While the 2014 hacking at Sony Pictures pushed entertainment giants to take computer security more seriously, recent incidents have exposed weaknesses throughout Hollywood’s food chain. Last week, as HBO investigated a cyberattack on its own systems, an unaired episode of its hit show “Game of Thrones” appeared online following an unrelated breach at a pay-TV partner in India. In April, when 10 episodes of Netflix Inc.’s “Orange Is the New Black” leaked, the incident was traced to a contractor.

Cybercrime is a growing problem for many industries, but Hollywood is especially vulnerable because of the long chain of people who work on a show or movie in post-production, experts say. Studios rely on an army of freelancers for everything from special effects to musical scores, creating a vast network of targets for hackers. Bringing those workers in-house is an option but would be expensive and could limit the talent studios can tap.

“Hollywood will have to recognize this will continue to grow and be an issue,” said Mike Orosz, who studies cyber risk as research director at the University of Southern California’s Information Sciences Institute.

HBO requires employees to have two-factor authentication and strong passwords for their computers. They also undergo security awareness training. But the company works with many post-production freelancers that handle sensitive information on personal email accounts and personal devices, raising security concerns, according to a former employee who asked not to be identified discussing an internal matter.

“Once the content is out of your hands, it’s truly out of your hands,” Orosz said. “The security of the third-party vendor is what you’re relying on.”

HBO is still investigating how hackers broke into its computer system. They stole episodes of Larry David’s “Curb Your Enthusiasm” and “Ballers,” a person familiar with the matter said at the time. They also stole an executive’s emails and a summary of an unaired episode of “Game of Thrones,” according to Variety.

After receiving a ransom demand, an HBO executive emailed the hacker on July 27 offering $250,000 as payment for finding a security flaw, according to a copy of the message obtained by Bloomberg. HBO asked the hacker to extend the deadline for a week while the company arranged a payment in bitcoin. That was a stalling effort, according to a person with knowledge of the matter. Variety reported on the email earlier.

The hackers don’t appear to have breached the company’s entire email system, Chief Executive Officer Richard Plepler told staff last week. The network, owned by Time Warner Inc., declined to make any additional comment.

For Hollywood, hackers are threatening both reputations and businesses. A stolen movie that appears online before appearing in theaters loses 19 percent of its box-office revenue on average compared with films that are pirated after they’re released, according to a study by professors at University of Maryland and Carnegie Mellon University. People may not be willing to subscribe to Netflix or HBO if they can watch their favorite shows and movies online for free.

Ransom demands

What’s more, the wave of attacks is forcing media executives to confront a thorny question: Should they pay ransoms to hackers to get their content back?

The FBI says that’s always a bad idea.

“We believe it perpetuates the crime in general,” FBI spokeswoman Laura Eimiller said.

There’s also no guarantee paying the ransom will work. In April, Netflix refused to pay a hacker who stole unreleased episodes of “Orange Is the New Black.” Larson Studios, which worked with Netflix, told Variety it paid the ransom, about $50,000, in bitcoin. The hacker, who went by the name TheDarkOverlord, dumped the stolen episodes online anyway.

Larson Studios didn’t respond to a request for comment, while a Netflix official said only that the company is “constantly working to improve our security.”

In another high-profile case this year, hackers threatened to leak a stolen copy of Disney’s new “Pirates of the Caribbean” if the company didn’t pay a ransom. The company refused, and Chief Executive Officer Bob Iger said later he believed it was all a hoax.

Even so, with millions of dollars at stake, some companies may decide paying is the best option, said Gary Davis, chief consumer security evangelist at the security firm McAfee Inc.

“If they got access to something like ‘Game of Thrones’ and I can pay them a couple million dollars to get that back, there’s probably a good use case,” he said.

The Sony attack, which embarrassed studio executives after private emails were made public, was linked by the FBI to North Korea, which allegedly was retaliating for “The Interview,” a film about a fictional plot to assassinate leader Kim Jong Un. Some studios have reportedly removed Russian President Vladimir Putin as a character in films because they’re concerned they’ll suffer a similar fate.

Sony has learned from that attack. Michael Lynton, former chief executive officer of Sony Entertainment, started transferring emails off his computer every 10 days.

“To me, that’s the solution,” Lynton said at an event hosted by Lerer Hippeau Ventures in May. “Put it in a drawer and lock the drawer.”

This post was originally published by Bloomberg | Quint


Security

Smartwatches ‘for children’ can eavesdrop and keep tabs on your kids

The Norwegian Consumer Council has uncovered a litany of critical vulnerabilities and privacy shortcomings in several smartwatches specifically targeted at children.

Among other things, malicious agents can easily hijack control of the watches and turn them into covert spying devices, capable of listening in and keeping tabs on the children.

The Consumer Council made the disturbing discovery in collaboration with security firm Mnemonic, which assisted in conducting the security and privacy tests. The shocking findings suggested that, contrary to keeping children safe as advertised, the devices put them at risk.

The three flawed smartwatches all came from different manufacturers. The companies behind the glitchy devices are UK-based XPLORA, local brand Viksfjord, and Gator. All three devices also come with their own mobile apps.

According to the findings, attackers could seize control of the watches to watch, track and eavesdrop on children.

They could also establish a connection with the kids by abusing the same exploit. The report further notes the watches’ location settings could be spoofed to trick the children into thinking they are somewhere where they aren’t.

The watches also suffered from badly implemented safety features. Parents could, for instance, request to be notified when the child leaves a certain area – or conversely, enters a forbidden area – but Mnemonic and the council found that the features were threateningly unreliable when it came to sending out alerts.

Lastly, the apps associated with the watches lacked proper terms and conditions – in addition to missing the option to delete user data or accounts.

The council also examined the Tinitell watch, but was unable to exploit the device to the same extent as the previous three.

“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” commented the Council’s Director of Digital Policy Finn Myrstad.

“Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist,” Myrstad added further.

The council has since forwarded its research to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act. The complaints are based on the EU’s Data Protection Directive and the Directive on unfair terms in consumer contracts.

The press release further notes that the offending manufacturers continue to actively promote the watches even after they were warned of the violations. The worst part is that the devices are available in a number of other EU member states.

In the meantime, the Council advises consumers to refrain from buying the affected smartwatches until the manufacturers have fixed the vulnerabilities. Its disclosure further guides people to ask for a refund, pointing to the security flaws discovered.


Offers

Learn how to understand — and get rich — with cryptocurrency investment for only $15

Ask people about cryptocurrency and you’re likely to get a blank stare. The average man or woman on the street is as likely to tell you that it’s the currency of Superman’s home world of Krypton as they are to correctly identify it as virtual money. You can’t use it to buy coffee at Starbucks. You can’t even hold it in your hand. Yet cryptocurrency is quickly becoming an international wealth asset — as well as an investment arena — to watch.

Only 1 in 10,000 people are invested in cryptocurrency, and you can see how to get in front of this exploding money-making trend with this Step-By-Step Guide to Cryptocurrency Investment, available now for only $15 (over 90 percent off) from TNW Deals.

Bitcoin, the most famous cryptocurrency, has seen prices surge from $969 earlier this year to more than $5,000 in September. Meanwhile, rival Ethereum started 2017 at $8 and has recently traded as high as $400. This course will show you three different strategies for buying cryptocurrencies and then reselling them later for short- or long-term gains.

Your instruction will help you determine which cryptocurrencies are worth your investment, how to develop various trading strategies, as well as how to protect your money through your various trades. You’ll use Coinbase to convert real money into altcoins you can use in international cryptocurrency exchanges. Once you’ve taken advantage of cryptocurrency’s explosive growth, you’ll also know how to get your money — and your healthy returns — back out.

Put your money in the financial world’s bold new frontier with this detailed guide to altcoin investing, now over 90 percent off at only $15 with this limited time offer.


Security

Huge number of Android devices vulnerable to new catastrophic Wi-Fi attack

Earlier today, reports emerged that the popular WPA2 Wi-Fi encryption protocol was fundamentally flawed, and could allow an attacker to intercept and read traffic sent across a wireless network. Now, details are emerging about the scale and severity of the problem.

The attack – known as a key retransmission attack (or KRACK) – sees a malicious actor trick a victim into using a compromised encryption key. Troublingly, Linux and Android-based users are most at risk. According to Mathy Vanhoef, who uncovered the issue, 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the WPA2 attack, which makes it “exceptionally trivial” to manipulate and intercept traffic.

That said, it’s worth noting that the researcher stresses that the issue isn’t with the implementation of the WPA2 protocol, but rather the protocol itself. In the blog post describing the issue, Vanhoef said “if your device supports Wi-Fi, it is most likely affected.”

Showing the breadth of the issue, Vanhoef named names, saying “During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”

It’s hard to convey quite how bad this is. On a practical level, it means an attacker can intercept traffic between devices and a router, allowing them to peek inside all non-SSL traffic. They can also interfere with traffic, theoretically allowing an individual to inject ransomware and malware into unencrypted web pages on an ad-hoc basis.

Vanhoef mentions that the issue can be resolved with a backwards-compatible software patch. This should arrive soon, as he notified vendors in July, with a broader notification issued in August.

That’s good, but it’s worth remembering that there are a staggering number of devices (I wouldn’t be surprised if it measured in the billions) affected. Not just phones and laptops, but also embedded systems, like routers, printers, and other Wi-Fi-enabled IoT devices, which aren’t as straightforward to update.

And ultimately, people tend to be bad at patching things. Even in 2017, it’s not uncommon to hear echoes of servers still connected to the Internet that are vulnerable to Heartbleed and Shellshock.

It’s also often the case that users aren’t presented the option to patch their devices. Android users are most at risk of this vulnerability. And yet, the Android landscape is notorious for its fractured nature, with manufacturers issuing software updates and security patches at an excruciatingly slow pace. That is, if they bother at all.
