HBO. Sony. Netflix. WME. UTA. ICM. Being hacked in Hollywood was once an exclusive club, but it’s rapidly expanding. Criminals have taken notice of the easy pickings at entertainment companies, according to two leading IT security experts asked about the recent attack on HBO.
Hackers earlier this week obtained an estimated 1.5 terabytes of information from the HBO system, including a script for an upcoming Game of Thrones episode and some shows of Ballers and Room 104. The materials also reportedly included financial documents, company emails, and some customer information. After the initial disclosure, tonight’s Game of Thrones episode leaked, but its appearance was believed to be unrelated to the previous intrusion. Hackers have also threatened to release more material.
Although the exact culprits behind HBO’s problem have not been identified, corporate hacking is maturing. Where once it was a game played by young men, it has now grown into a criminal enterprise or a nation-state show of power, according to two leading IT security experts.
Dan Clements, an IT cyber-security consultant who has worked with many three-letter agencies, said cyber-crime used to be just a lark to a large underground cadre of hackers. Composed of hard-core computer nerds and avid gamers alienated from the real world, all boastful and eager to impress their peers, the hacking groups usually infiltrated sites just to prove it could be done. The goal was to obtain a “trophy,” rather than a ransom.
That relatively benign practice changed with the Sony corporate hack, Clements said, an intrusion which the FBI blamed on North Korea. But before that major incident, where stolen executive emails led to firings, there was an earlier intrusion. A group called the Lizard Squad, made up of Eastern Europeans, Australians, and even a Hawaii-based hacker, probed into Sony, Clements said.
By sharing what they found on popular underground hacker web sites, they may have inadvertently led to the North Korean exploits.
“Some of that Sony information had been floating around the underground, and the North Koreans may have had access to that intelligence,” Clements said. “The FBI said the cyber prints (on the major hack) were the North Koreans. But the rumor in the underground was that the gamers had already been in there.”
Pre-Sony, the underground groups could be found by people who knew where to look, Clements said. Now, most rogue hackers are practically invisible. “The groups are pretty dark these days,” Clements said. “In the old days, they liked to brag. There’s too much visibility these days. The young guys still brag, but the professionals aren’t going to be seen. You’re not going to be able to figure out who they are.”
Roderick Jones, a former Scotland Yard security expert who now runs Rubica, a San Francisco cyber-security firm, said that most hacking attacks begin simply. “If you look at the history of attacks that were, at the time, described as sophisticated and then back it up from there, they’re usually the effect of a phishing attack against an employee. Stuxnet, that’s a sophisticated attack. The majority of attacks aimed against organizations are getting employees to click bad links.”
Hacking into systems happens because of the collaborative nature of the workforce, Jones says. “Too many people have access to sensitive material,” he said, citing NSA whistle-blower Edward Snowden as the classic example.
Sadly, there is no defense against someone determined to get into a computer system, Clements said. “If you create a penetration testing group and formulate a hack plan, and have them try to get in, they’re going to be able to get in. The probability is so high that they can figure out how to get in, and once they’re in, then they migrate amongst servers and people and figure out what they want to take and if they want to hold us hostage. It just depends on their motivations.”
But there is one hope. Many former hackers eventually decide to go legit. “I’ve seen them over 20 years grow up and want to have real jobs,” said Clements. “A lot of them want to work for security companies, some of them help law enforcement.”