It's not just TV stations that get hacked this way; it's common to leave Post-its with credentials in office environments; when you air them in HD on TV, that might cause problems :)
I once worked as a consultant to a subsidiary of one of the larger Cybersecurity vendors.
Many institutions have weak cybersecurity including healthcare concerns. In this Fortune article about the Sony hack, the CEO said basically that they did not want to spend the money for Cybersecurity. http://fortune.com/sony-hack-part-1/
Target and Lowe's POS terminals were hacked because they were told to upgrade their software to a newer version of the OS and they didn't do it. The CEO of Target was canned as a result.
Many firms and other institutions love the power of computing without spending the money and hiring the expertise needed to maintain the security. There are private security contractors that these groups can hire to ensure that their environment is fully secure.
In addition to financial audits, shareholders should insist on cyber security audits to ensure that the firm or institution is acting in a responsible manner.
Obviously acting in a responsible manner regarding Cybersecurity is not a guarantee, but many cases of hackers breaking in are because of not even making the attempt to be secure.
it's a tradeoff. you spend time, money and productivity loss (i.e. procedures) on IT security to decrease the risk of a successful attack. every additional dollar spent decreases the probability a bit further (if done right) but your returns are diminishing. at some point it's not worth it anymore.
> "The TV5 attack fits into this pattern of highly-targeted attacks, rather than the kind of general criminal activity typically seen on the web."
in my opinion: no matter what kind of business you do, if you fall victim to the "kind of general criminal activity typically seen on the web" you're acting negligently.
then, after a certain point of increased protection attacks drastically decrease for most businesses because you're not worth the time and money it costs to attack you.
but fully secure? i mean, the Stuxnet attack is the best counterexample.
i compare it to healthy living: by investing time and money and refraining from doing certain pleasurable things you're improving your health and increase the chance to reach an old age. but it's no guarantee - you can still get hit by a car or succumb to cancer at age 20 just due to bad luck.
I think we agree. By doing your best to implement security measures (hire cybersecurity consultants, install the software they recommend, etc.) you are still exposed to risk, just significantly diminished since generally hackers would go after easier targets.
At issue is that many firms do not implement these security measures at all. The Sony people were repeatedly warned and had earlier breaches but didn't want to spend the money it took to follow measures recommended to them until after the attack. I think their mindset is not so unique and that many firms aren't doing what they can to try to eliminate the breaches. In some cases, the issues are internal, but in others customer lists are breached, etc. or credit cards hacked as in Target, Lowe's, and others.
"""There are private security contractors that these groups can hire to ensure that their environment is fully secure"""
Leave the room as fast as you can if anyone ever pitches this to you.
IT security is mostly a risk assessment exercise at most companies. Likelihood of an incident*impact compared to cost. That's reasonable but I think both the likelihood and the impact are really hard to estimate well.
NOTE: I am not recommending this group for I don't recommend in this situation, but feel compelled to mention them to address this comment as a counterexample:
I believe Sony was using them for forensics as well as to establish their new more secure system.
It is important to set up systems so that hackers, if (and when) they do breach, are found ASAP, and only get access to compartments and not the entire company.
There are also Israelis that I know of who have a good reputation in cybersecurity.
Hijacking live broadcasts seems to be one of the ultimate hacker accomplishments. There is something about it that is far more disconcerting than just defacing a webpage. Seems like it would feel far more invasive, popping on your living room TV. Would love to know how much someone like the BBC spend on security, must be huge.
The most famous TV hack, Max Headroom [1] (NSFW), from what I recall involved overriding the terrestrial signal, presumably with very powerful broadcasting hardware. BBC are digital now, so I am surprised they haven't had a successful incident yet.
Also a very interesting story but Max Headroom will also stand alone IMHO due to the person never getting caught and the seeming randomness of the whole thing.
"Any substantial delay would have led satellite distribution channels to cancel their contracts, placing the entire company in jeopardy."
Can someone explain that a little more? Are satellite carriage contracts so twitchy that going dark on a channel for more than a few hours forfeits your service?
I don't know about France's laws but in Belgium radio silence and television black are forbidden and you don't need to be down for an hour to lose your license, and the carriers will in general ditch you really quickly AFAIK.
I assume a substantial delay would have been days or weeks in this case. According to the article it was months before they were reconnected to the internet. If the broadcast engineers weren't there, I assume the damage might have been too great to reverse in any reasonable amount of time.
Terrestrial TV stations can lose their license if they go dark for too long. Obviously satellite is a little different, but I'm sure the people drawing up the contracts would understand that a station going dark is a possibility and would include contingencies for dark stations.
"If the broadcast engineers weren't there, I assume the damage might have been too great to reverse in any reasonable amount of time."
I am pretty sure they would have been able to get something back on air somehow within a day or two even if every single piece of electronics had been physically obliterated.
"The attackers used seven different points of entry. Not all of them were part of TV5Monde or in France. In one case, a company based in the Netherlands was targeted because it supplied the remote controlled cameras used in TV5's studios."
= cameras with a backdoo^^^^cloud integration/permanently connected to manufacturer's server.
I'd be really interested in seeing informed commentary on what is gained by this.
In general, crippling hacks aren't terribly useful -- they're embarrassing and harmful to the targets, especially in shaking confidence. But they're not particularly useful to a general attacker. Having insider access to a television or broadcast entity would itself be useful.
Other options might be to test (or prove) the capability to take a target down, particularly in preparation for other more advanced capabilities.
The more successful parasites don't disable hosts, but hijack them to their own ends. That is something I'd find more troubling.
Online searches don't show much at Schneier or other security-minded blogs. Am I missing something?
The cost is $3m per year for each year after the attack for extra protection ... I'd argue they were discounting their security posture by $3m every year before the attack.