Hollywood has an open door to cyber attacks
Security-Assessment.com finds holes in production software
New Zealand - November 29th, 2011 - Hollywood studios could be at risk of their movies reaching the Internet prior to their release date. A consultant from New Zealand’s specialist security firm, Security-Assessment.com, has discovered vulnerabilities in software used in the movie-making process.
Nick Freeman, Senior Security Consultant from Security-Assessment.com (a subsidiary of Dimension Data), specifically targeted software used to create Hollywood’s top-grossing films such as Iron Man 2 and James Cameron’s Avatar. Freeman discovered a range of vulnerabilities in software used throughout the film-making process, from script writing to video editing and animation.
“Within an hour of installing [Avid Media Composer], I had identified a remotely exploitable vulnerability. I was surprised at how easy it was to exploit”, said Freeman.
Freeman demonstrated a hypothetical scenario where he was able to leverage access into the separate layers of a studio's network by exploiting bugs in a range of software, such as Final Draft (script writing), Power Production’s StoryBoard Quick (storyboarding) and Muster (render farm management software).
Following the discovery, Freeman duly contacted the software vendors to notify them of the potential for security breaches and to offer his assistance in resolving the issues. He was surprised by the response of the vendors, who refused to talk with him about the vulnerabilities he had discovered. His calls were redirected through various parts of the business with no results. Two new versions of the software have been released since Freeman reported the bugs, but the vulnerabilities still remain.
Freeman could only rationalise their reaction by considering their commercial motivations. “I was told that speed to market and features were more important to their customers. I suspect if the stakeholders of the films understood the risk, security would be higher on their list of priorities”.
Whilst Hollywood studios vigilantly manage the release dates of their films to maximize box office returns, Freeman suggests the holes in their software security could have serious implications. Early script releases, movie launch delays and the release of plot details (referred to colloquially on the Internet as “spoilers”) could all have major repercussions on the financial success of any Hollywood film.
“I am hoping that by exposing these issues, [the studios] will be aware of these open doors. Hollywood studios appear to invest heavily to ensure their products are kept under wraps”, added Freeman.
In order to educate the market about these vulnerabilities, Freeman has posted four advisories detailing them on the Security-Assessment.com website (www.security-assessment.com). These can be found at the following URLs:
• http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf
• http://www.security-assessment.com/files/documents/advisory/Storyboard_Quick6-Stack_Buffer_Overflow.pdf
• http://security-assessment.com/files/documents/advisory/Muster-Arbitrary_File_Download.pdf
• http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pd
Additionally, the slides for his presentation can be found here.
About Dimension Data New Zealand
Dimension Data New Zealand is a wholly owned subsidiary of Dimension Data Asia Pacific, which operates in over 60 offices across 13 countries. Dimension Data Asia Pacific is a wholly owned subsidiary of Dimension Data Holdings plc, a US$4.7 billion global ICT solutions and services provider with operations in 49 countries. Dimension Data helps clients plan, build, support, manage, improve and innovate their ICT infrastructures. It combines an expertise in networking, business applications, security, data centre solutions, Microsoft solutions and converged communications & contact centre technologies, with advanced skills in consulting, integration, training and managed services to design ICT solutions to accelerate the business ambitions of its clients. Dimension Data is a member of the NTT Group. www.dimensiondata.com/nz
About Security-Assessment.com
Security-Assessment.com is a purist security company, with a strong focus on research and development. This is delivered in the form of world-class advisory and assurance services to large and medium size enterprises that require a true independent measurement of security compliance, and who need specialist advice to improve their overall information security stance. We are a trusted partner providing clients with on-going assurance services and advice to support informed decision making regarding security and risk for their business. Security-Assessment.com helps design security into the organisational practices rather than through tactical or technological solutions.
ENDS