There was news in the past few days that should not have been of any great concern to those executives around the country whose companies are at the top of their cyber game. For the rest of the business community, it might be a matter of concern.
Researchers at the security firm Check Point disclosed vulnerabilities in a handful of popular media players, triggered by the way those players fetch and parse the subtitle files that play at the bottom of the screen.
The attack combined two weaknesses: an untrusted source (subtitles pulled automatically from a public repository) and flaws in the players' subtitle parsers. A crafted subtitle file, downloaded for an ordinary video, could execute code on the machine that played it.
The reason this matters: Sourcing. Vendors can always be your weakest link. It's not just about protecting you and your employees from dangers "out there." As Target discovered in 2013, when its breach began with credentials stolen from an HVAC vendor, and as countless victims of hacking exploits have discovered since, you are only as good as your vendors and service providers.
It's now more important than ever to think long and hard about the people you do business with, and the ways you source whatever it is you need to do business. Every decision represents a potential vulnerability.
It was big news when Wikileaks released the CIA cookbook for cyber snooping (the "Vault 7" documents). There was all kinds of tooling in there, including the ability to turn on the microphone of a Samsung Smart TV. WannaCry, which hit hundreds of thousands of machines worldwide a couple of months later, did not come from that leak: it was built on the EternalBlue exploit published in a separate leak of NSA tools by the Shadow Brokers. The lesson is the same either way. Once offensive tooling leaks, it gets used, and quickly.
You may think this is all too much, but do you know what kind of monitor is in your boardroom? Are you absolutely certain it can't be used to spy on you?
Most likely the only way you'd know the answer to these and other so-called "overly suspicious" questions (also known as "sane questions" these days) is if you have a cyber security professional in your employ, either as a staffer or consultant.
Pro Tip: You know you've got the right person when the entire staff believes there is no such thing as too much paranoia regarding cybersecurity, because the barbarians are always beating on your gates, if they have not already wormed their way into your virtual mailroom.
Bottom line: If news of the CIA leak didn't bother you, there's either a very good cybersecurity team in place where you work, or you're not fully apprised of the dangers out there.
The Subtitle Exploit
Although the recent story was about movies in translation, that may not be the only issue. What we know is this: when a video is opened, the affected players automatically send a request to a remote server for a matching subtitle file. The "best" match is chosen and attached to the video, with no action from the user.
In this hack, malicious subtitle files were placed on the service that supplies the subtitles to videos. OpenSubtitles.org is a public repository, which at least one of the affected players, Popcorn Time, confirmed it was using.
The way OpenSubtitles.org works is similar to many public digital depots: A request comes in for subtitles for a particular film or file--in this instance Disney's "Frozen"--and the repository serves the most popular file, which the player then syncs to the video. From the user's perspective it happens instantaneously: the player pulls in the subtitle file as the video starts. It is while the player parses that file, stitching the subtitles to the movie it is about to play, that the exploit fires, and a crafted subtitle file gives the attacker control of the machine that made the request.
With very little effort, the researchers at Check Point were able to game the repository's ranking so that their subtitle files rose to the top of the list, demonstrating how an attacker could achieve the same outcome: the player would pick the malicious file automatically, with no prompt to the user.
Why It Matters
Just because your systems and software are up to date doesn't mean that you are safe. You are still vulnerable so long as you have employees. The weakest link among you is simply this or that colleague with a laid-back approach to potential extinction-level events, such as a ransomware attack on a hospital.
In a perfect world, employees don't watch "Frozen" at work, but then again most workplaces aren't Disney-grade places. As such, this exploit could be a bring-your-own-device (BYOD) issue. If an employee opens a video in a vulnerable default player on a personal computer that is connected to your network, the compromise does not necessarily stay on that one machine: potentially, everyone gets hacked.
If you don't know your company's BYOD policy, be afraid.
There was no collective sigh of relief around the business world when this story broke, because so many companies lack a cohesive set of protocols to ensure that they and their customers are safe.
With a seasoned CISO or, if that's beyond your budget, a cybersecurity-savvy team member or trusted outside professional, the right questions get asked in every meeting about every single software or sourcing decision. This makes everyone in the room a stakeholder in that decision-making process, and cyber hygiene is not simply an afterthought in the wake of an unanticipated disaster.
The result: When news of a new exploit breaks, you know immediately whether or not it is an issue. And if it is, there's a plan for dealing with it so that the disruption to your daily business is kept to an absolute minimum, and hardly felt by partners, clients or users.