Slashdot Mirror

← Back to Stories (view on slashdot.org)

HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)

Posted by msmash on from the definitely-maybe dept.

The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.

31 of 60 comments (clear)

  1. That's not what WSJ/Fox News is saying... by __aaclcg7560 · · Score: 4, Informative

    I was going to submit the WSJ/Fox News article under my alias when the Variety story popped up, which has more insight on what HBO is doing.

    When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company's "bug bounty" program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.

    HBO was buying time with that response and isn't in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.

    The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.

    WSJ (paywalled): https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802
    Fox News: http://www.foxbusiness.com/features/2017/08/11/hbos-hack-hollywood-is-under-siege.html

    1. Re:That's not what WSJ/Fox News is saying... by msauve · · Score: 2

      Let me paraphrase:

      "We were going to pay him a relatively modest amount with plausible deniability, but won't now because he leaked that, which only gives incentive for others to hack us."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Lesson for HBO: Pay for good IT people by ErichTheRed · · Score: 4, Interesting

    I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.

    You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)

    What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....

    1. Re:Lesson for HBO: Pay for good IT people by Baron_Yam · · Score: 4, Insightful

      >I've been working in IT for over 20 years, and the thing I've seen over and over again is

      Let's generalize a bit. You've seen that corporations collect knowledge but not wisdom, so they keep repeating the fundamental mistakes while avoiding repeating the exact circumstances of them.

      Outsourcing vs. in-house. Cubical farms vs. offices. Part time vs. full time. Exploiting vs. 'partnering' with employees. It all goes in cycles of about half a career-span, as new people take over and experience is lost.

      Unfortunately, you do need to import new knowledge and youthful enthusiasm from time to time, and people do tend to calcify as they age and eventually they go and die on you.

      I simply find it very frustrating that I can see these loops and I'm not a genius, I'm simply in my 40s. Which leaves me wondering what kind of idiots are running the show, given that most of the people above me in the org structure are older.

    2. Re:Lesson for HBO: Pay for good IT people by bravecanadian · · Score: 1

      It will never happen until regulations demand it, or at least there is real accountability and real penalties to the careers of the executives responsible.

      The fundamental problem is that people are horrible at assessing risk.

      Then add in that the people who end up being decision makers over IT often don't have a clue about the things they are making decisions about.. and of course it ends in disaster.

      IT decision-makers end up being finance guys rather than tech guys at most non-tech organizations. Their bonus comes from keeping the budget looking good so what do you expect?

      The reality is that IT and IT Security are simply not respected disciplines at most organizations (that are not directly tech related) and they never will be until there are some fundamental changes.

    3. Re:Lesson for HBO: Pay for good IT people by Pascoea · · Score: 3, Insightful

      $250k will buy you two mid-level security engineers for a year. (source) That doesn't seem like that would cut it for an organization as large as HBO.

    4. Re:Lesson for HBO: Pay for good IT people by nnull · · Score: 1

      Unfortunately, this situation is going to get worse. There are so many businesses with lousy IT and security, it's mind blowing. When I warned one company about their network being insecure and I could access all their PLC's, they just scoffed and laughed at it. Many businesses don't even have an IT department and contract with someone. This often results in servers not being kept up to date. I knew someone that had a CentOS server that wasn't updated for 10 years and no firewall protecting it, because the database developer said they needed access to it from the outside, EDI and ssh (This was their main company server, with all their clients, production scheduling, inventory, etc).

      The costs of setting up proper security procedures and a proper network is pretty negligible for many businesses. The costs of hiring a good IT guy to handle everything is also pretty negligible. But unfortunately, when many management types look at IT and also maintenance as a bunch of janitors, instead of firemen, this is the end result you get.

    5. Re:Lesson for HBO: Pay for good IT people by nnull · · Score: 1

      A lot of idiots. You should see the amount of vendors I have to drop because they can't follow simple procedures.

    6. Re:Lesson for HBO: Pay for good IT people by Baron_Yam · · Score: 1

      > a good IT guy will spend 99.9% of their time sitting on their ass playing videogames because they've automated everything and only have to respond when it fails.

      The problem is that's not a job, its jobS.

      The first job is automating the system, the second is maintaining it, and the third is being ready for disaster recovery.

      You probably need vastly fewer bodies for the second job, and while you need more bodies, you don't need them for very long for the third.

      So it makes more sense to hire contract for the first, have an employee for the second, and a support contract for the third than to have one group of people for all three but idle most of the time.

    7. Re:Lesson for HBO: Pay for good IT people by CodeHog · · Score: 5, Insightful

      "Everything is running fine, why are we paying IT so much?" "Everything is broken, what are we paying IT for?"

      --
      Fat, drunk, and stupid is no way to go through life, son.
    8. Re:Lesson for HBO: Pay for good IT people by rogoshen1 · · Score: 2

      but at the same time, for a company the size of HBO; that's a paltry sum per year to prevent these kinds of shenanigans.

    9. Re:Lesson for HBO: Pay for good IT people by Solandri · · Score: 1

      Ego drives it. About 95% of people believe they're smarter than the average of their peers. So they tend to be dismissive of the collective wisdom built up from the company's past experiences. When they implement a new change which is the same as an old change, they think "this time it'll be different because I'm in charge."

      The best (actually only) solution I've been able to find is to compartmentalize the damage. Instead of implementing a change company-wide or product-wide, implement it in a small section first. Let them try out the change for a few months, and then having to deal with the problems it causes is usually enough to overcome their ego. Then they can objectively re-evaluate whether the change really was a good idea before you implement it company-wide or product-wide.

      This works well for changes which affect events that occur with moderate frequency (happens often in the few months trial). Unfortunately it doesn't work for changes which increase the likelihood of black swan events, like cutting IT and increasing your chances of being hacked.

    10. Re:Lesson for HBO: Pay for good IT people by edtice1559 · · Score: 1

      There's an assumption in here (one that I would probably dispute) that if Target had better security people, the breach wouldn't have happened. I'm not convinced that's the case at all. Yes this was a silly oversight, but the security team (no matter how large) would probably have been looking at things like updating the OS on PoS systems or whether or not the fact that attackers have physical access to the self checkout machines creates new attack vectors. The problem with being in the defensive team is that you can be almost perfect and the attackers still win. Sometimes it just takes one mistake. A mistake that is made because there is just so much attack surface.

    11. Re:Lesson for HBO: Pay for good IT people by Mattcelt · · Score: 1

      $250k is only the tip of the iceberg.

      The blackmailer is demanding $6 million.
      Nearly the entire IT organisation, much of senior management, and fair number of people at Time Warner (their parent company) are now at least partially dedicated to resolving this problem. My guess is that they're spending roughly $20k per hour just in employees' time working on this. And that doesn't even account for the special contractors they've brought on, the delays in other projects, the reputation hit for the company, or the harm the blackmailer could do by releasing sensitive media.

      I think this will cost HBO around $20M by the time all is said and done. They could have hired a few more than two 'mid-level security engineers' for that.

      But for a company that profited $1.7 billion last year, that's hardly a drop in the bucket.

  3. Protect your family jewels by bobstreo · · Score: 1

    Or lose them.

    How any system, internal or external, has access to the systems where "valuable" information/data/media content exists without multiple levels of authentication, encryption and access controls seems to be something HBO shareholders should be seriously investigating.

  4. dont bullshit the hangman. by nimbius · · Score: 4, Informative

    When someone has proof theyve penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. dont pay, eat the loss, and still reassess the network.

    There isnt a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

    --
    Good people go to bed earlier.
    1. Re:dont bullshit the hangman. by tlhIngan · · Score: 2

      When someone has proof theyve penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. dont pay, eat the loss, and still reassess the network.

      There isnt a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

      In other words, don't even bother to pay because they're going to leak anyways. If not them, someone else will mysteriously get passed the data and it will leak out. So it's not even worth bothering paying it off.

      Plus, the data is time-sensitive. It will go stale and worthless over time. If they claim to have full episodes, it likely will only be of the next couple of episodes (TV shows are barely finished editing when they air) so in the end after a while it's worthless. Oh yay, a bunch of people got to see next week's episode early.

      Scripts, plans and other things? Sure they're nice, for the small crowd of videophiles that care about having every single thing about their favorite movie, but the vast majority of people just do not care about it. (Plus, everyone knows just because you have the shooting script, doesn't mean you have what they shot - shooting scripts and on screen action has diverged before and last minute edits aren't uncommon.).

    2. Re:dont bullshit the hangman. by GameboyRMH · · Score: 1

      No, but if you put a cheap lock on your door and it gets picked, and then they slowly steal everything in your house over a long period of time, I'd say they are.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:dont bullshit the hangman. by Gilgaron · · Score: 1

      This sort of thing is more or less blackmail, though... get them to identify themselves for the bug bounty or have them pound sand because there's no point in paying the blackmail.

    4. Re:dont bullshit the hangman. by edtice1559 · · Score: 2

      In which case, what HBO did makes a lot of sense. Stall for time since the value of data is going down. Of course that assumes that the hole has been plugged.

  5. also pay for good infrastructure not well we can't by Joe_Dragon · · Score: 1

    also pay for good infrastructure not well we can't do X to make it very secure as that will cost to much to have the infrastructure set up to be super secure

  6. Re:Hacker is Anarchist or Small Child by Opportunist · · Score: 1

    Hey, I'm a white hat at day, but I'm not adverse to the idea of watching the world burn.

    There are things you pay me for. But there's also stuff I do for fun. Sometimes they overlap.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:Hacker is Anarchist or Small Child by someone1234 · · Score: 1

    Still, the guy who did this isn't a white hat.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  8. What giving IT PE powers with big fines that will by Joe_Dragon · · Score: 1

    What giving IT PE powers with big fines that will get PHB asses in line.

  9. Why do they care? by sunking2 · · Score: 1

    HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.

    1. Re:Why do they care? by Anonymous Coward · · Score: 1

      HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.

      Agreed. I'm currently a subscriber & would not cancel if pirated copies of their shows were available.

      The thing that'd make me cancel is when I'm no longer getting good value for money - so if they don't get greedy & don't stop producing good content they'll be fine.

  10. Re: Hacker is Anarchist or Small Child by oobayly · · Score: 2

    Well yes, hackers are people who like playing with things they don't understand in order to understand them. I don't understand why you feel it necessary to denigrate them by likening them to "small children".

    Some is us like taking things apart, whether that's with a screwdriver or a disassembler, it makes no difference.

  11. Paying isn't the hard part - finding them is. by ron_ivi · · Score: 1

    Pay for good IT people ... lowest-bidder contractors

    Unfortunately some companies pay incompetent people huge sums and promoting them to upper management, while ignoring their own good lower-level people that are aware about the problems but not empowered to fix them.

  12. Re: Hacker is Anarchist or Small Child by Opportunist · · Score: 3, Insightful

    I don't feel denigrated by being likened to a small child. Small children are at least curious and eager to learn (at least before this gets driven out of them when they get confronted by the school system).

    Most adults are lazy fucks that couldn't be bothered to learn something if their life depended on it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:Self referring links by GameboyRMH · · Score: 1

    Yo dawg I heard you liked Slashdot discussions, so I linked the discussion to the discussion so you can not RTFA while you're not RTFAing!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  14. Re:Hacker is Anarchist or Small Child by Opportunist · · Score: 1

    Nope. Self-described white hat. But while we're at quotes from that particular Batman movie, there is one quote from Ledger's Joker that I do subscribe to.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.