Slashdot Mirror

← Back to Stories (view on slashdot.org)

HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)

Posted by msmash on from the definitely-maybe dept.

The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.

12 of 60 comments (clear)

  1. That's not what WSJ/Fox News is saying... by __aaclcg7560 · · Score: 4, Informative

    I was going to submit the WSJ/Fox News article under my alias when the Variety story popped up, which has more insight on what HBO is doing.

    When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company's "bug bounty" program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.

    HBO was buying time with that response and isn't in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.

    The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.

    WSJ (paywalled): https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802
    Fox News: http://www.foxbusiness.com/features/2017/08/11/hbos-hack-hollywood-is-under-siege.html

    1. Re:That's not what WSJ/Fox News is saying... by msauve · · Score: 2

      Let me paraphrase:

      "We were going to pay him a relatively modest amount with plausible deniability, but won't now because he leaked that, which only gives incentive for others to hack us."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Lesson for HBO: Pay for good IT people by ErichTheRed · · Score: 4, Interesting

    I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.

    You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)

    What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....

    1. Re:Lesson for HBO: Pay for good IT people by Baron_Yam · · Score: 4, Insightful

      >I've been working in IT for over 20 years, and the thing I've seen over and over again is

      Let's generalize a bit. You've seen that corporations collect knowledge but not wisdom, so they keep repeating the fundamental mistakes while avoiding repeating the exact circumstances of them.

      Outsourcing vs. in-house. Cubical farms vs. offices. Part time vs. full time. Exploiting vs. 'partnering' with employees. It all goes in cycles of about half a career-span, as new people take over and experience is lost.

      Unfortunately, you do need to import new knowledge and youthful enthusiasm from time to time, and people do tend to calcify as they age and eventually they go and die on you.

      I simply find it very frustrating that I can see these loops and I'm not a genius, I'm simply in my 40s. Which leaves me wondering what kind of idiots are running the show, given that most of the people above me in the org structure are older.

    2. Re:Lesson for HBO: Pay for good IT people by Pascoea · · Score: 3, Insightful

      $250k will buy you two mid-level security engineers for a year. (source) That doesn't seem like that would cut it for an organization as large as HBO.

    3. Re:Lesson for HBO: Pay for good IT people by CodeHog · · Score: 5, Insightful

      "Everything is running fine, why are we paying IT so much?" "Everything is broken, what are we paying IT for?"

      --
      Fat, drunk, and stupid is no way to go through life, son.
    4. Re:Lesson for HBO: Pay for good IT people by rogoshen1 · · Score: 2

      but at the same time, for a company the size of HBO; that's a paltry sum per year to prevent these kinds of shenanigans.

  3. dont bullshit the hangman. by nimbius · · Score: 4, Informative

    When someone has proof theyve penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. dont pay, eat the loss, and still reassess the network.

    There isnt a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

    --
    Good people go to bed earlier.
    1. Re:dont bullshit the hangman. by tlhIngan · · Score: 2

      When someone has proof theyve penetrated your network security and is holding your bread and butter hostage you have two choices: 1. pay the bounty and reassess the network. 2. dont pay, eat the loss, and still reassess the network.

      There isnt a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

      In other words, don't even bother to pay because they're going to leak anyways. If not them, someone else will mysteriously get passed the data and it will leak out. So it's not even worth bothering paying it off.

      Plus, the data is time-sensitive. It will go stale and worthless over time. If they claim to have full episodes, it likely will only be of the next couple of episodes (TV shows are barely finished editing when they air) so in the end after a while it's worthless. Oh yay, a bunch of people got to see next week's episode early.

      Scripts, plans and other things? Sure they're nice, for the small crowd of videophiles that care about having every single thing about their favorite movie, but the vast majority of people just do not care about it. (Plus, everyone knows just because you have the shooting script, doesn't mean you have what they shot - shooting scripts and on screen action has diverged before and last minute edits aren't uncommon.).

    2. Re:dont bullshit the hangman. by edtice1559 · · Score: 2

      In which case, what HBO did makes a lot of sense. Stall for time since the value of data is going down. Of course that assumes that the hole has been plugged.

  4. Re: Hacker is Anarchist or Small Child by oobayly · · Score: 2

    Well yes, hackers are people who like playing with things they don't understand in order to understand them. I don't understand why you feel it necessary to denigrate them by likening them to "small children".

    Some is us like taking things apart, whether that's with a screwdriver or a disassembler, it makes no difference.

  5. Re: Hacker is Anarchist or Small Child by Opportunist · · Score: 3, Insightful

    I don't feel denigrated by being likened to a small child. Small children are at least curious and eager to learn (at least before this gets driven out of them when they get confronted by the school system).

    Most adults are lazy fucks that couldn't be bothered to learn something if their life depended on it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.