HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)

The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.
  • by __aaclcg7560 ( 824291 ) on Friday August 11, 2017 @10:49AM (#54990907)

    I was going to submit the WSJ/Fox News article under my alias when the Variety story popped up, which has more insight on what HBO is doing.

    When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company's "bug bounty" program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.

    HBO was buying time with that response and isn't in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.

    The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.

    WSJ (paywalled): https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802
    Fox News: http://www.foxbusiness.com/features/2017/08/11/hbos-hack-hollywood-is-under-siege.html

    • by msauve ( 701917 )
      Let me paraphrase:

      "We were going to pay him a relatively modest amount with plausible deniability, but won't now because he leaked that, which only gives incentive for others to hack us."
  • by ErichTheRed ( 39327 ) on Friday August 11, 2017 @11:01AM (#54991015)

    I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.

    You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)

    What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....

    • by Baron_Yam ( 643147 ) on Friday August 11, 2017 @11:14AM (#54991111)

      >I've been working in IT for over 20 years, and the thing I've seen over and over again is

      Let's generalize a bit. You've seen that corporations collect knowledge but not wisdom, so they keep repeating the fundamental mistakes while avoiding repeating the exact circumstances of them.

      Outsourcing vs. in-house. Cubical farms vs. offices. Part time vs. full time. Exploiting vs. 'partnering' with employees. It all goes in cycles of about half a career-span, as new people take over and experience is lost.

      Unfortunately, you do need to import new knowledge and youthful enthusiasm from time to time, and people do tend to calcify as they age and eventually they go and die on you.

      I simply find it very frustrating that I can see these loops and I'm not a genius, I'm simply in my 40s. Which leaves me wondering what kind of idiots are running the show, given that most of the people above me in the org structure are older.

      • by nnull ( 1148259 )
        A lot of idiots. You should see the amount of vendors I have to drop because they can't follow simple procedures.
      • Ego drives it. About 95% of people [cbsnews.com] believe they're smarter than the average of their peers. So they tend to be dismissive of the collective wisdom built up from the company's past experiences. When they implement a new change which is the same as an old change, they think "this time it'll be different because I'm in charge."

        The best (actually only) solution I've been able to find is to compartmentalize the damage. Instead of implementing a change company-wide or product-wide, implement it in a small
    • It will never happen until regulations demand it, or at least there is real accountability and real penalties to the careers of the executives responsible.

      The fundamental problem is that people are horrible at assessing risk.

      Then add in that the people who end up being decision makers over IT often don't have a clue about the things they are making decisions about.. and of course it ends in disaster.

      IT decision-makers end up being finance guys rather than tech guys at most non-tech organizations. Their bonu

    • by nnull ( 1148259 )

      Unfortunately, this situation is going to get worse. There are so many businesses with lousy IT and security, it's mind blowing. When I warned one company about their network being insecure and I could access all their PLCs, they just scoffed and laughed at it. Many businesses don't even have an IT department and contract with someone. This often results in servers not being kept up to date. I knew someone that had a CentOS server that wasn't updated for 10 years and no firewall protecting it, because the

    • "Everything is running fine, why are we paying IT so much?" "Everything is broken, what are we paying IT for?"
    • Also pay for good infrastructure, not "well, we can't do X to make it very secure, as it will cost too much to have the infrastructure set up to be super secure."

    • Pay for good IT people ... lowest-bidder contractors

      Unfortunately, some companies pay incompetent people huge sums and promote them to upper management, while ignoring their own good lower-level people who are aware of the problems but not empowered to fix them.

    • There's an assumption in here (one that I would probably dispute) that if Target had better security people, the breach wouldn't have happened. I'm not convinced that's the case at all. Yes this was a silly oversight, but the security team (no matter how large) would probably have been looking at things like updating the OS on PoS systems or whether or not the fact that attackers have physical access to the self checkout machines creates new attack vectors. The problem with being in the defensive team is
  • Or lose them.

    How any system, internal or external, has access to the systems where "valuable" information/data/media content exists without multiple levels of authentication, encryption and access controls seems to be something HBO shareholders should be seriously investigating.

  • by nimbius ( 983462 ) on Friday August 11, 2017 @11:18AM (#54991135) Homepage
    When someone has proof they've penetrated your network security and is holding your bread and butter hostage, you have two choices: 1. pay the bounty and reassess the network. 2. don't pay, eat the loss, and still reassess the network.

    There isn't a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.
    • by tlhIngan ( 30335 )

      > When someone has proof they've penetrated your network security and is holding your bread and butter hostage, you have two choices: 1. pay the bounty and reassess the network. 2. don't pay, eat the loss, and still reassess the network.
      >
      > There isn't a CISSP section on stalling for time by bullshitting people who are clearly far more intelligent than you. If anything, you've just hardened their resolve to leak more out of sheer animosity.

      In other words, don't even bother to pay because they're going to leak anyways

      • In which case, what HBO did makes a lot of sense. Stall for time since the value of data is going down. Of course that assumes that the hole has been plugged.
    • This sort of thing is more or less blackmail, though... get them to identify themselves for the bug bounty or have them pound sand because there's no point in paying the blackmail.
  • HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.
    • by Anonymous Coward

      > HBO is a subscription based service. Do they think people will stop signing up or quit because there is a chance some of their shows may be leaked early? Anything they show is pirated within an hour after first showing. While they certainly should make an effort to try to do better and stop this, I don't think there were a ton of 2am meetings discussing it.

      Agreed. I'm currently a subscriber & would not cancel if pirated copies of their shows were available.

      The thing that'd make me cancel is when I'm no longer getting good value for money - so if they don't get greedy & don't stop producing good content they'll be fine.
