Media Security? What Security?

Media security is top of the list for broadcast executives. And the recent Sony Pictures hack illustrates that everyone is a potential target. John Watkinson looks at why cyber-attacks have become common, and what broadcasters, Hollywood and TV show makers can do to try and protect their investments.

Few people can be unaware of the rise in cybercrime. As computers become cheaper and more numerous, so the misuse grows. The recent hack suffered by Sony Pictures illustrates that everyone is a potential target.

It is unfortunate but true that there is an enormous gulf between what is known and what the average person knows. Thus technology falls into two categories. There is equipment of proven reliability produced in a carefully regulated environment intended solely for use by qualified people who have had extensive training in how it works and in what the pitfalls are so they can be avoided. An airliner would be a good example of such technology.

Professional gear--Hack free?

At the other end of the scale we have consumer gear, which is for use by people who have no clue about the technology they are using. The potential for pitfalls are downplayed in order to make the equipment appear simple to use and the performance is usually exaggerated. Basically, a lot of things are sacrificed to reduce the product cost. Personal computers, cell phones and tablets fall into that category.

Consumer electronics are the least protected devices from cyber hacks.

Consumer electronics are the least protected devices from cyber hacks.

Obviously a broadcaster, a movie studio or a post production house wouldn’t dream of using consumer grade equipment or unskilled staff in the performance of their art. Lenses, microphones, cameras, mixers, color correctors and so on are all stringently specified and people know how to use them. But what about the computers?

The good news is that you don’t need to worry about the quality of the computers you are using or the extent of the security you have against cyber attack. To be reading this article you must have access to the Internet, which means the Internet has access to your computer. I can tell you right now that whatever device you are currently using is woefully inadequate and the security you believe you have is an illusion brought on simply by the fact that you haven’t been hacked yet.

You can have two reactions to that statement. The first is to dismiss it as the outpourings of a sensationalist. You can happily put your head back in the sand, in which position you will be ideally configured to get your ass kicked, or you can read on and try to establish if what I am saying has an element of truth. I suggest you try to disprove what I am saying and if you can’t then you should be concerned. Actually that’s only the first step towards taking some security steps for your own good.

As this image shows, even home networking devices are not safe from hacking. In this case, a NEST thermometer was hacked by University of Central Florida undergraduate security researcher Grant Hernandez. He programmed it to riff off a favorite line from the movie <em>2001: A Space Odyssey.</em>

As this image shows, even home networking devices are not safe from hacking. In this case, a NEST thermometer was hacked by University of Central Florida undergraduate security researcher Grant Hernandez. He programmed it to riff off a favorite line from the movie 2001: A Space Odyssey.

One of the benefits of computers and the internet is that discussion forums have developed where people can exchange views, ideas and solutions. What I find amusing is that on many of the forums concerned with computer security there will always be someone who says that however secure a system is some hacker will always find a way around it. Clearly no proof of this claim is given, because it is an opinion and a misinformed opinion at that.

The reality is that there are unhackable computers and they are not curiosities in the corner of a laboratory, but they are out in the world doing a job unaffected by people who have no business messing with them. They don’t run anti-virus software because they don’t need it. It might be interesting to look at how they work in a future piece. The further reality is that there are standards for computer security that can be measured and there are established procedures for meeting those standards.

The official government

The official government "Orange Book" provides standards and criteria for computers. It was first released by the U.S. Department of Defense in 1983.

But I have virus protection

One such set of standards and criteria was published, unsurprisingly, by the US Department of Defense as long ago as 1983. These are the Trusted Computer System Evaluation Criteria (TCSEC) also known colloquially as the Orange Book from the color of the cover. TSEC was replaced in 2005 by the Common Criteria for Information Technology Security Evaluation, which is an ISO/IEC standard usually called Common Criteria.

TCSEC and CC specified a number of security levels that computers can meet. Don’t worry, if you are a broadcaster, the computers you are using don’t come close to meeting those requirements. You won’t even get on the bottom rung of their security ladders.

The number of viruses in existence is probably not known, but it is huge. These viruses exist for one reason alone, which is the presence of vulnerabilities in computers. If the vulnerabilities weren’t there, there would be no point in attempting to attack them. Let’s be absolutely clear about what anti-virus software does. When a new virus has begun to spread, your anti-virus software offers no protection. Protection is only available once the virus has been recognised. That is why your antivirus software needs constant updating so that it can close the stable door after the horse has bolted, when what you actually need is a better stable door. Selling anti-virus software is good business, and the vendors have no interest in hack-proof computers because they would be out of a job.

Computer attacks are not accidental. They are pre-meditated and coldly calculated acts of moral bankruptcy and they occur because society contains elements of dishonesty, irrationality, greed, prejudice and malice. Civilised societies have evolved to deal with that sort of thing, by making it a crime to perform damaging actions and by making it possible to identify the offenders. One of the reasons people offend using computers is that they presently offer a cloak of anonymity to the miscreant. Imagine what would happen to the standard of driving if cars weren’t required to have license plates. Computers are a relatively recent phenomenon compared to the timescale of societies and the unfortunate fact is that we have not yet evolved to deal with them or their misuse.

One of the reasons the problem has got so bad is that it has crept up on us incrementally, like brake pads wearing out. Once upon a time computers were expensive and uncommon, but the price kept coming down and the uses to which they were put kept going up. Now society depends heavily on them, it is becoming clear they are not that dependable. Life-support computing applications such as fly-by-wire won’t touch conventional computers with a very long stick even if the stick has been certified. With the level of security as it stands, the future of the Cloud becomes highly questionable and the Internet of Things will be a shambles.

For years foreign countries have been accused of stealing military secrets via the Internet. But on January, 13th, 2015 the U.S. Central Command (CENTCOM) Twitter and YouTube Internet sites were hacked, supposedly by the ISIS.

For years foreign countries have been accused of stealing military secrets via the Internet. But on January, 13th, 2015 the U.S. Central Command (CENTCOM) Twitter and YouTube Internet sites were hacked, supposedly by the ISIS.

Politicians from Obama down are slowly waking up to the fact that there is a problem with computer security that is not about to go away. One might say the problem is about to become a crisis. The misuse of computers affects the whole of society, from the individual, through businesses to government and the military. The cost of computer misuse is now of sufficient magnitude to be damaging to the economy.

A Government solution

History shows that when threats to civilization have occurred before, legislation will be enacted to control it. Unfortunately, the number of politicians who can speak with authority about computers and software is not great. And unfortunately, they will be under pressure to do something and what they do may not be very subtle. One of the things that they may, and perhaps should, do is to remove the anonymity.

No manufacturer wants to be the first to introduce a secure computer to the mass market because of the price disadvantage it would carry. That leaves it to politicians to require certain security standards be met before computer systems can be sold. That way all manufacturers see a level playing field. But, would society accept such stringent controls and regulations? Would you buy a computer knowing you would have to register it to yourself, much as you do your car? Use the comments section to respond.

In Part 2, I intend to look at how computers could be made more secure.

*John Watkinson is a Member of the British Computer Society and is a Chartered Information Systems Practitioner.

You might also like...

Designing IP Broadcast Systems - The Book

Designing IP Broadcast Systems is another massive body of research driven work - with over 27,000 words in 18 articles, in a free 84 page eBook. It provides extensive insight into the technology and engineering methodology required to create practical IP based broadcast…

Demands On Production With HDR & WCG

The adoption of HDR requires adjustments in workflow that place different requirements on both people and technology, especially when multiple formats are required simultaneously.

If It Ain’t Broke Still Fix It: Part 2 - Security

The old broadcasting adage: ‘if it ain’t broke don’t fix it’ is no longer relevant and potentially highly dangerous, especially when we consider the security implications of not updating software and operating systems.

Standards: Part 21 - The MPEG, AES & Other Containers

Here we discuss how raw essence data needs to be serialized so it can be stored in media container files. We also describe the various media container file formats and their evolution.

NDI For Broadcast: Part 3 – Bridging The Gap

This third and for now, final part of our mini-series exploring NDI and its place in broadcast infrastructure moves on to a trio of tools released with NDI 5.0 which are all aimed at facilitating remote and collaborative workflows; NDI Audio,…