ABSTRACT

Whether to obtain pre-theatrical content assets from US studios or circumvent distribution rights of European broadcasters, hackers are highly motivated to attack the global media and entertainment industry.

These attacks are facilitated by the current rapid adoption of embedded systems, cloud solutions, and web-based platforms.

These attacks often undermine the very collaboration, cost-efficiency, monetization, scalability and user experience goals for which these systems were designed and deployed.

As malicious hackers advance their techniques at a staggering pace, often rendering current defense tactics obsolete, so too must security practitioners obsess over deploying progressive techniques.

Presented by the elite American organization of white hat hackers most widely known for being first to break the iPhone and the only security consulting firm engaged in the security team of USC’s Project Cloud initiative, this paper analyzes the anatomies of real-world attacks against high-profile systems.

It will extract lessons from these attack anatomies to provide a framework to account for these modern attackers, articulate context to the global media and entertainment industry, and supply readers with key takeaways, including immediately actionable guidance.

INTRODUCTION

In the current digital era, executives leading companies of all sizes are facing a daunting challenge in defending their most valuable digital assets.

Modern adversaries are very sophisticated, attack vectors are ever evolving, and digital assets are becoming exponentially more valuable.

Traditional defenses alone are no longer effective against these adversaries.

However, Chief Executive Officers and the executives who support them should not lose hope, as there are techniques that all companies can adopt in order to more effectively protect their assets in such a complex defense landscape.

These techniques are realistic to implement and in many cases are more cost-efficient than the less effective traditional approaches. In this paper, we investigate a series of high-profile breaches in order to understand the anatomy of each attack, and then extract security lessons from them.

Independent Security Evaluators

In 2005, three PhD candidates and one professor of the Information Security Institute of Johns Hopkins set up a lab to study RFID devices, understanding that there might be commercial interest if they were successful in breaking some high-profile systems.

The team started with the Texas Instruments Digital Signature Transponder (DST).

This was chosen for two reasons: First, at the time this was considered “unbreakable.”

Second, this system powered two very important and high-profile use cases: the immobilizer function of Ford Motor Company ignition keys, which is an electronic prevention measure against forged keys starting automobile ignitions; and the ExxonMobil Speedpass™, a dongle attached to the user’s keychain and linked to the user’s credit card.

An attack on either system carries obvious implications for theft, brand reputation, and personal safety.

It took the team two weeks to reverse-engineer the cryptic algorithm, a few more to create a non-functioning prototype, and another few weeks to create a fully functional radio.

To prove the concept, the team invited several news outlets to watch a demonstration in which the team started a Ford with a key the reporters had watched the team make at Lowes Hardware, drove to an ExxonMobil station, and pumped free gas.

Their success gained national press and commercial interest, thus beginning Independent Security Evaluators (ISE).

Today ISE has grown into a very sophisticated commercial enterprise-class consulting firm, dividing our time between research like that of the Texas Instruments case study, wherein we try to find the vulnerabilities of a system in order to advance some particular cause, and working directly with companies who hire us to find all ways in which an interested adversary could compromise their systems and to help develop mitigation strategies.

CASE STUDY: TARGET

Over the all-important holiday shopping period of Q4 2013, cyber thieves broke into American retail giant Target and installed malware which resulted in the theft of 40 million credit card numbers and an additional 70 million accounts of customer information.

To begin the attack, the hackers used a spear-phishing campaign to obtain some credentials of Target’s HVAC vendor.

The vendor had remote access to Target’s network environment for reasons of monitoring energy consumption and temperature control, yet it also had access to the payment environment.

Therefore, once in the system the attackers used the authentic credentials gained through the vendor to jump from the maintenance environment to the payment environment.

There they installed RAM scraper malware which copied digits resembling credit card numbers to a text file.

Once they obtained the growing data file, the attackers employed an exfiltration system whereby they leveraged NetBIOS and used communication to move the files to an area in the network where they could be removed without alarm.

Once removed, the files were dumped to compromised servers around the world for the attackers’ retrieval.
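
A defender-side check for the staging step described above, as an added example (not code from the paper or from ISE): it flags text whose lines are mostly Luhn-valid 13 to 19 digit numbers, the signature of a growing card-data file, and reports only masked values. The function names, thresholds and sample data are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so alerts never carry a full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text):
    """Return masked, Luhn-valid card-number candidates found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Skip trivial runs such as all zeros, which also pass Luhn.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def looks_like_staging_file(text, min_hits=3, min_ratio=0.5):
    """Flag text where most non-empty lines carry a Luhn-valid number."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hit_lines = sum(1 for ln in lines if find_pans(ln))
    return hit_lines >= min_hits and hit_lines / len(lines) >= min_ratio

# Constructed samples: public test card numbers and an ordinary log excerpt.
SAMPLE_DUMP = "4111111111111111\n5555 5555 5555 4444\n3782-822463-10005\n"
SAMPLE_LOG = ("order 1234567890123 shipped\n"
              "invoice total 42.00\n"
              "ticket 20170915120000 closed\n")

if __name__ == "__main__":
    print(find_pans(SAMPLE_DUMP), looks_like_staging_file(SAMPLE_DUMP))
    print(find_pans(SAMPLE_LOG), looks_like_staging_file(SAMPLE_LOG))
```

Run against files on hosts in or adjacent to the payment environment, a check like this gives an alert at the point where the data is collected, before it is moved.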
