This HPA Tech Retreat devoted three sessions to an issue that’s grown in importance over the last few years: cybersecurity. The digitization of workflow, media, distribution and even projection has generally been a boon for efficiency and cost savings, but it’s opened a Pandora’s box of issues related to security, piracy and privacy. Motion Picture Solutions CTO Laurence Claydon addressed security holes in film/TV, Warner Bros. security architect Chris Taylor talked about security for on-location networks, and Avid director of architecture Rob Gonsalves delved into the scary topic of ransomware.
Claydon, who has worked in content localization for 20 years, asked attendees to raise their hands if they were interested in film/TV (nearly everyone raised their hands), and then security (very few). “If I go to a security conference, the hands are the other way around,” he says. “But we handle the content, so it’s our responsibility to handle its security.” He reported that the earliest example he could find of content piracy was when Mozart, at age 14, heard a piece of music closely held by the Vatican and then transcribed it from memory. “Since then, the advance of technology has increased the risk of piracy,” he notes dryly.
He briefly mentioned how the tsunami in Japan, which dramatically disrupted production of HDCAM SR videotapes, hastened the evolution to file-based workflows and the new hazards of online content. “Physical security allows you to control risk,” he says. “You know how many copies you made, you can lock it away in a safe place, and you can restrict playback with professional standards.” Industry security standards, he points out, are based on access.
Environmental Security vs. Content Security
Electronic file delivery is efficient and cost-effective, he said, but “all it takes is a few clicks” to send content to multiple people. One of the biggest security holes, he stressed, is created by passwords, which are regularly shared. That brought him to compare environmental security with content security. The first assumes content is protected in a non-hostile environment. “If we secure the environment with physical measures like locks, management and policy like staff training, we assume the content is secure,” he says. Content security assumes that the environment is hostile and protection, therefore, is provided for the content itself.
In the film/TV industry, users also have to balance speed versus security. “A day-and-date theatrical release is in itself an anti-piracy measure,” he said. “But tight deadlines lead to cut corners, increasing risk, so both factors need to be respected equally.”
Not all content is at risk of piracy to the same degree, he adds. “If it’s a 4 GB QuickTime, that’s high risk,” he said. “If I’m talking about a 12 TB 4K DCDM, it’s lower risk. Pre-release, it’s a very high risk. Post-release, it’s lower risk.” Localization increases the risk of piracy, as language versions mean that more than 100 pre-release copies may be circulating before the content is actually released.
“Subtitle files are still commonly sent via email, which is another enormous risk factor,” he said. Risks in content data transfer are particularly high, with notifications that contain the URL, username, and password copied, forwarded and replied to many times.
“Credential sharing is the biggest risk,” he concluded. “Email usage policies prohibit the sharing of passwords, but is that what’s actually happening?”
In his company, a shared password is treated like a hack. “We escalate immediately and contact all parties and request a password change that is communicated out-of-band,” he said. “Then it’s back to business.” This practice, over a nine-month period, has “almost obliterated” the practice of people sending passwords by email. Further mitigation is provided by AES encryption with a 128-bit minimum key (256-bit is preferable) that is agnostic to media, operating system and application.
“Make it easy for your employees,” he urged. “That 170-page security manual makes it hard. It needs to be straightforward and easy to remember.”
Lock It or Lose It
Warner Bros.’ Taylor addressed the security of wireless production on sets, based on industry best practices. “If you’re not encrypting it, I’m reading it,” he said. “You want an encrypted network.”
But even encryption can be compromised by so-called man-in-the-middle attacks. “If you’re on a closed network, there are plenty of ways to attack that as well,” he said. “WEP is so easy to crack my kids can do it, but its replacement is still easy to crack. It’s pretty trivial to come across one of those passwords.” He also showed a picture of a $100 WiFi Pineapple router, which operates off a battery and can impersonate any open network and observe all traffic crossing through it.
Is there any way to protect wireless networks? One piece of advice was to never use default passwords. He notes that every device, from an ARRI camera to an iPad or router, ships with a default password. Hardening your password is another must-do, and not just because two billion passwords have been made public via high-profile hacks of Yahoo, Dropbox and many other sites. Even after all the warnings about making passwords more difficult to break, he says, the word “password” has only moved from No. 1 to No. 2, and “123456” still accounts for most passwords.
“No password re-use and no single-word passwords,” he said. “Length is better than complexity. Change your password regularly, and two-factor authentication is also vital.” He also recommends monitoring the network for unauthorized devices, using separate networks to isolate sensitive data and not relying solely on Wi-Fi security. “Add a separate layer of encryption on the application level,” he said.
Attacks by ransomware, a form of malware that encrypts data files and holds them for ransom, grew fourfold between 2015 and 2016, to a total of 4,000 attacks daily in the U.S., said Gonsalves. He explained that ransomware typically enters the user’s system via a phishing email; once inside, it keeps the system running while it looks for potentially important files, selected by file type.
“It looks for high-value file extensions,” said Gonsalves. “That includes archives (zip and tar); development (jar, java); general use (doc, docs, pdf, ppt) and media assets (jpeg, jpg, m4a, mov, mp3). Overall there are about 300 file extensions on the top three ransomware families.” Tescrypt, Crowti and Fakebsod accounted for 74 percent of all attacks in 2016, Gonsalves said, with Tescrypt responsible for 42 percent of 2016 attacks.
Gonsalves said that ransomware can spread to other computers and look for any attached storage — including shared storage systems. Ransom fees are actually fairly low, typically between $300 and $10,000, and the content kidnapper usually asks for payment in bitcoin. An audience member cautioned that another way ransomware can get in is via enabled macros on Word or Excel files. Beware of zip attachments, as well, he said.
Anti-virus software may remove the malware, but once the files are encrypted, anti-virus software can’t decrypt them. “The damage has been done,” said Gonsalves. “In my experience, the company decides to pay and the criminal then provides a key to decrypt the files.” Gonsalves said the malware generates random names to conceal its purpose.
“When it runs, it technically doesn’t encrypt but creates a new file with a new file extension,” he said. “When it’s done encrypting, it deletes the original files. The encrypted files are attached to the malware, so when you attempt to open it, it opens the screen telling you that you’ve got ransomware.”
Building Up Defenses
With regard to prevention and recovery measures, Gonsalves stresses that users are the weakest link in security. “Malware generally gets in when your staff is browsing the web and responding to emails or downloading something or responding to a fake email and being phished,” he said. “Having a program to train employees is the most cost-effective means of prevention.”
He encouraged users to update to new versions of software programs, from Java to Word or Acrobat, since those updates are nearly always focused on fixing security issues. Furthermore, he says, use the permission systems of the operating system to allow read/write access only to people who need it. “Endpoint security is the anti-virus software like Bitdefender and Kaspersky,” he says. “They’ll look for suspicious behavior, so this is absolutely recommended.”
Users can also avail themselves of so-called shadow copies, via Apple’s Time Machine and a similar feature for Windows (not turned on by default). He encouraged attendees to familiarize themselves with STIGs (Security Technical Implementation Guides), a methodology for standardizing security protocols that minimizes network-based attacks, and to develop a disaster recovery strategy.
He named three techniques that are not mutually exclusive but can be employed in tandem: deferred deletes; threshold triggering and multiple copy backups. “When ransomware starts to hit, you’ll have clean copies from the days before, so you can go back,” he says. Another suggested resource is NoMoreRansom.org.
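The threshold-triggering idea, applied to the file pattern Gonsalves describes (a new file with an extra extension appears, then the high-value original is deleted), as an added example that is not code from the talk or from any product mentioned: the event list, the `.crypt` extension and the function names are constructed for illustration, and the extension set is a subset of the ones he listed.

```python
"""Threshold trigger over file-share events for the ransomware pattern:
'reel1.mov.crypt' is created, then 'reel1.mov' is deleted (constructed)."""
from collections import deque
from pathlib import PurePosixPath

# Subset of the high-value extensions named in the talk (assumed lowercase).
HIGH_VALUE = {"zip", "tar", "jar", "java", "doc", "docx", "pdf", "ppt",
              "jpeg", "jpg", "m4a", "mov", "mp3"}

def suspicious_pairs(events, grace=5):
    """Yield (original, replacement, t_delete) whenever a high-value file is
    deleted within `grace` seconds after a sibling named <original>.<new ext>
    was created. events: iterable of (t_seconds, op, path)."""
    recent_creates = {}
    for t, op, path in events:
        if op == "create":
            recent_creates[path] = t
        elif op == "delete" and PurePosixPath(path).suffix.lstrip(".").lower() in HIGH_VALUE:
            for cpath, ct in recent_creates.items():
                # Replacement keeps the original name and appends a new extension;
                # a benign re-save such as scene.doc -> scene.docx does not match.
                if cpath.startswith(path + ".") and t - ct <= grace:
                    yield path, cpath, t

def threshold_alert(events, threshold=3, window=60):
    """Return the time at which `threshold` suspicious pairs fall inside a
    sliding `window` of seconds, or None if the threshold is never reached."""
    times = deque()
    for _, _, t in suspicious_pairs(events):
        times.append(t)
        while times and t - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            return t
    return None

SAMPLE_EVENTS = [  # constructed sample, not data from the talk
    (0, "create", "/share/scene.docx"),
    (1, "delete", "/share/scene.doc"),         # benign re-save, not flagged
    (10, "create", "/share/reel1.mov.crypt"),
    (11, "delete", "/share/reel1.mov"),
    (12, "create", "/share/notes.pdf.crypt"),
    (13, "delete", "/share/notes.pdf"),
    (14, "create", "/share/readme.txt.crypt"),
    (15, "delete", "/share/readme.txt"),       # txt not high-value, ignored
    (16, "create", "/share/mix.mp3.crypt"),
    (17, "delete", "/share/mix.mp3"),
]

if __name__ == "__main__":
    print("alert at t =", threshold_alert(SAMPLE_EVENTS))  # alert at t = 17
```

A deferred-delete policy would hold the originals in quarantine instead of removing them for the same window, so an alert still leaves clean copies to restore.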