HBO Hacks Indicate a Company in Cyber Security Crisis

Hacks in the City: Latest in String of HBO Hacks Targets Company’s Social Media Accounts

HBO has had a rough summer, and things are getting progressively worse for the cable titan. The HBO hacks began in late June, when an individual hacker or group calling themselves “Mr. Smith” dumped several episodes of upcoming HBO series and the script to an upcoming Game of Thrones episode online. Mr. Smith claimed to have stolen approximately 1.5TB of data and threatened to release all of it unless HBO paid them $6 to $7 million. HBO countered with an offer of $250,000. Mr. Smith apparently found this laughable and continued to leak not only content and scripts but confidential emails and the personal data of the GoT cast.

While the attention of the media (and HBO) was focused on Mr. Smith, a full upcoming episode of GoT was released online. This wasn’t the work of Mr. Smith but of malicious insiders at a company called Prime Focus Technologies, a third-party vendor of Star India, the HBO business associate that airs GoT in India. In other words, HBO was victimized by an insider leak at a third-party vendor of a third-party vendor, a reminder that a company’s exposure extends as far as its vendors’ vendors.

In Incident #3 in the string of HBO hacks, the company “hacked” itself. This time, an apparent employee mistake at HBO Nordic and HBO España, two European affiliates of HBO, resulted in the first hour of an episode of GoT being aired four days early. It didn’t take long for the content to appear online.

The network’s latest Excedrin headache came last week, when a separate hacker or group calling itself OurMine, which was behind several high-profile social media takeovers at other companies, took control of HBO’s Twitter and Facebook accounts.

It is highly unlikely the HBO hacks will stop anytime soon. Around the same time as the OurMine social media debacle, Mr. Smith contacted Mashable and sent them “what appears to be the login credentials for almost every single HBO social media account. Passwords for everything from @HBO, @GameOfThrones, and @WestworldHBO to various Instagram and Giphy accounts.” Mr. Smith also claimed to be in possession of the season finale of GoT and solemnly vowed to release it if HBO didn’t pay up soon.

Hey HBO, how’s that reactive cyber security working out for you?

The HBO hacks involve multiple cyber security issues, including malicious insiders, innocent but damaging employee errors, third-party vendor hacks, email hacks, corporate espionage, theft of digital IP and company secrets, and login credential theft – and that’s just what has happened and what we know about so far. It hasn’t yet been determined exactly how Mr. Smith and OurMine got hold of the credentials they needed to breach HBO’s internal network and social media accounts, but login credential theft most often begins with an email phishing scam, so we’re probably looking at more employee error.

Two things are clear: HBO is a company in cyber security crisis, and it has inadvertently become a case study of why reactive cyber security doesn’t work. The fact that it is being attacked on multiple fronts, by multiple parties, is indicative of a longstanding reactive stance toward cyber attacks and deep-rooted security vulnerabilities at all levels of the organization. It desperately needs to implement sound GRC and proactive cyber security practices and wrest back control over its entire enterprise cyber ecosystem.

How much will all of this end up costing HBO? Whatever the final number is, it’s safe to bet that it would have been a lot cheaper and far less damaging if HBO had never lost control over its cyber security in the first place.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Medical Device Security Is Largely Nonexistent

A new report by Synopsys and the Ponemon Institute finds that medical device security is plagued by a lack of standards, testing, and accountability.

Healthcare organizations tend to focus their cyber security efforts on HIPAA compliance, protecting patient data, and defending against ransomware attacks like WannaCry, with scant, if any, attention paid to medical device security. A Ponemon Institute study released last week by Synopsys, Medical Device Security: An Industry Under Attack and Unprepared to Defend, paints an ominous picture regarding the cyber security of IoT devices such as smart insulin pumps, diagnostic and monitoring equipment, and even the mobile apps used to control connected devices:

  • 67% of medical device manufacturers expect that their devices will be hacked within the next 12 months, but only 17% are taking “significant steps” to prevent it.
  • 56% of healthcare delivery organizations (HDOs) expect a hack within the next 12 months, but only 15% are doing anything about it.
  • Fewer than half (41%) of device manufacturers have an incident response plan in place in the event of a hack.
  • Among HDOs, the numbers are even worse; only 22% have an incident response plan.
  • Only 9% of device manufacturers and 5% of HDOs test their medical devices at least yearly. Over half of HDOs, and 43% of manufacturers, either do not test their devices at all or are “unsure if testing occurs.”

No Testing, No Standards, No Accountability: What Could Possibly Go Wrong?

One would think that, given the fact that a faulty connected medical device could result in a dead or maimed patient, these devices would be subject to strict regulations and exacting security standards.

This is not the case at all. Medical device security is no more robust than general IoT security. The respondents to the Synopsys/Ponemon study cited a complete lack of security standards, testing, and accountability for medical device security, along with intense pressure to push products to the market as soon as possible. These are the same problems that plague the overall connected devices industry. Smart watches, smart doorbells, smart toys, and even smart cars are designed for ease of use and cutting-edge features, not cyber security.

Smart medical devices are no different. The FDA does have a set of voluntary guidelines addressing medical device security, but according to the study, only 51% of manufacturers and 44% of HDOs followed them.

Medical Device Security Cannot Be Reactive

Perhaps the most horrifying finding from this already frightening report is that most device manufacturers and HDOs stated that only a “serious hacking incident” would prompt their organizations to increase their medical device security budgets. Yes, you read that correctly: The majority of players in the medical device industry are relying on reactive cyber security, waiting until a breach has actually happened – which, in this case, could mean that someone dies or is maimed – to address device vulnerabilities.

Last fall, medical device maker St. Jude Medical announced that it was forming a medical advisory board focused specifically on medical device security. This is a positive step, but it happened only after allegations that its smart cardiac implants were vulnerable to hacking, which prompted an investigation by the FDA.

The current reactive approach to medical device security is completely unacceptable. Knowing this, the FDA has cited the cyber security of medical devices as one of its top regulatory science priorities in 2017. However, the wheels of government turn very slowly; manufacturers, HDOs, and patients cannot afford to wait for the government to step in and save the day. The healthcare industry needs to start taking the same proactive approach to cyber security that it does to disease prevention. This isn’t just about money or reputation; human lives depend on it.

Reactive -vs- Proactive Impact

The impacts of Reactive -vs- Proactive cyber security are very real!

Reactive -vs- Proactive: is there really a benefit to business? After correlating years’ worth of industry data, the business and consumer impacts are quite clear, but illustrating this information is difficult. We have created this infographic to help you make the business case for being proactive about security. After all … Lazarus Alliance is Proactive Cyber Security®!

[Infographic: Reactive -vs- Proactive Cyber Security Impacts]

What should be painfully obvious is that by taking proactive steps you avoid about 96% of all breach potential. While there is no such thing as a perfect solution, you will be significantly less susceptible to cyber crime and far less likely to find yourself in a reactive response.

Holistic governance in security, privacy, risk and cyber-law is increasingly complex, and you are charged with delivering GRC guidance that your organization can understand. The security industry has been conditioned to accept the “inevitable breach” and engage a reactive incident response plan. We have changed that paradigm in part with ITAM. The IT Audit Machine gives you everything you need to succeed. Wherever strong IT security policies and holistic GRC are needed, in the Americas, Europe, Asia or MENA, we deliver the foundation your company needs.

Why should only big business be able to afford world class technology security executive representation? You retain attorneys and accountants to perform complex tasks and represent you; retain technology security executive services and subject matter experts just the same!

Lazarus Alliance brings internationally recognized expert technology security executives to work for you. Your Personal CXO ® is the global hot-spot for retaining the services of the best and brightest subject matter experts in Cyberspace Law, IT Security and operations, IT Risk and Governance, Compliance, Policy and more!

Our clients range from start-ups on up to multinational corporations, from all business sectors and from all around the world. We can help your organization too! If your company depends on technology for the success of your business (and what company does not in our technically connected global business community?), you need qualified proactive cyber security assistance to implement effective controls and countermeasures.

Lazarus Alliance Cybervisors® are here to help!

The alternative may be that your company is on the next industry breach report and you are stepping down from your position because you could have done more to protect your company.