Last month CDSA had the pleasure of attending an Open House event thrown by Los Angeles Duplication & Broadcast (LADB) at their Burbank facility, right across the street from Disney. It was a high-end affair with a tented red carpet entrance, exquisite hors d’oeuvres and a well-dressed army of servers and valets. Eric Collins, LADB’s president and co-founder, gave hands-on demonstrations of their ultra-secure, monitored mobile delivery unit, and their staff offered VIP tours of a first-class facility that handles a multitude of “just-in-time” services for their studio and broadcast clientele. Robert Seidenglanz, LADB’s co-founder, also took time to guide guests through the facility, showcasing its expanded capacity, the result of an efficient workflow strategy and a companywide customer service culture of being reliable, fast and cutting edge in delivering on just about any need proposed by a content creator or production unit.
It was a lovely evening, but looking back on the event it is their business culture around quality and content security that keeps resonating. In the tented area outside the front entrance, their security consultant, Tom Carlson, gave an overview presentation throughout the event on the strategy he helped LADB create, in which a commitment to both quality work and security is a cornerstone of their value proposition to customers. In addition to being a CDSA certified facility, LADB holds dual ISO certifications (9001 and 27001) and clearly adheres strictly to the MPAA’s best practices for facilities working with its member companies. LADB is one of the only small companies committed to this comprehensive, three-pronged security approach that has been validated by third-party oversight. What is so impressive is how the structured process built around these industry standards and initiatives drives their entire business, from the drivers and front desk staff all the way up to the senior management team. And LADB’s understanding of the importance of risk, and its acceptance of a stewardship role and responsibility for its customers’ content against all threats, whether internal or external, deliberate or accidental, demonstrates that LADB is a thought leader among smaller companies in the production chain.
What is also notable about their formal program and commitment around security is not only their internal practices on client satisfaction, quality management and education, but also the processes they have in place to continually improve both quality and security service delivery. By monitoring and measuring each internal department’s (IT, HR, Operations, Purchasing, Sales) activity with clients’ content, through both internal and external oversight and a commitment to change management, they are exemplary in approach with an eye to the future. This is critical for any business working in our industry: a commitment to continually evolve with the technologies that help the creative community make the best content in the most efficient and secure workflow possible.
For additional information on Los Angeles Duplication & Broadcast you can visit their website at http://www.ladb.com/
FFmpeg is a complex software project designed to process virtually every video format in existence. Video formats can be extremely complex as well, and writing a new encoder or decoder is an expensive and error-prone task. Application vendors instead use FFmpeg, a freely available library, to process video files.
Like most large, complex software libraries, security vulnerabilities in FFmpeg have been discovered and repaired in new releases. It should be noted that FFmpeg’s past vulnerabilities do not indicate a poor quality product, and the fact that a given system relies on FFmpeg should not be considered a security vulnerability.
FFmpeg is written in C++, which, compared to other programming languages, compromises some amount of safety in favor of high performance and speed. In particular, the C++ language does not inherently protect against buffer overflow attacks. Successfully exploiting an unchecked buffer vulnerability allows an attacker to rewrite the executable code of a program at runtime with different code of the attacker’s choice, allowing an attacker to take control over the computer.
An attacker can take advantage of unchecked buffer vulnerabilities by carefully crafting a malicious video file that may not even be playable or contain any frames or audio. When FFmpeg processes the malicious file, the vulnerability is exploited and the attacker’s code embedded within the video file is executed. Figure 1 shows how an attacker could take advantage of a publicly accessible, vulnerable system to gain access to the backend network to which the vulnerable system is connected. If the backend network is not carefully segmented, this allows the attacker to bypass the firewall.
Figure 1. An attacker crafts a malicious video file and transmits it to a vulnerable system. As this is legitimate access to the system, it is not blocked by the firewall or other perimeter defenses. A successful buffer overflow exploit could provide the attacker with full control over the vulnerable system, providing a network pivot point to access and attack other systems on the backend network, even if they are not vulnerable to the particular buffer overflow attack and would normally be protected by the firewall.
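The class of defect described above, as an added illustration that is not code from the memo or from FFmpeg: a toy chunk parser (constructed format, not any real container) that copies a payload whose length comes straight from the file, beside the same parser with the two bounds checks a demuxer needs before touching the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 64

/* Toy chunk layout (constructed for this example, not a real FFmpeg format):
 *   4-byte ASCII tag | 4-byte big-endian payload length | payload bytes */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the length field is trusted. A header claiming a huge
 * payload makes memcpy run past the fixed-size frame buffer. Never call this
 * on untrusted input; it is here only to show the defect side by side. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, uint8_t frame[FRAME_MAX]) {
    if (in_len < 8) return -1;
    uint32_t len = read_be32(in + 4);
    memcpy(frame, in + 8, len);   /* no bound on len: buffer overflow */
    return (int)len;
}

/* Hardened: validate the length against both the destination capacity and
 * the bytes actually present before copying anything. Returns bytes copied
 * or -1 on a malformed chunk. */
int parse_chunk_checked(const uint8_t *in, size_t in_len, uint8_t frame[FRAME_MAX]) {
    if (in_len < 8) return -1;
    uint32_t len = read_be32(in + 4);
    if (len > FRAME_MAX) return -1;      /* would overflow the destination */
    if (len > in_len - 8) return -1;     /* truncated input, would over-read */
    memcpy(frame, in + 8, len);
    return (int)len;
}

/* Constructed samples: a benign 8-byte payload, and a header claiming
 * 65536 bytes (0x00010000) with only two bytes actually present. */
const uint8_t BENIGN[]    = { 'F','R','A','M', 0,0,0,8, 1,2,3,4,5,6,7,8 };
const uint8_t MALICIOUS[] = { 'F','R','A','M', 0,1,0,0, 0xAA,0xBB };

int main(void) {
    uint8_t frame[FRAME_MAX];
    printf("benign:    %d\n", parse_chunk_checked(BENIGN, sizeof BENIGN, frame));
    printf("malicious: %d\n", parse_chunk_checked(MALICIOUS, sizeof MALICIOUS, frame));
    return 0;
}
```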
The FFmpeg 0.11 version, released in 2012, fixed 28 vulnerabilities that were notable enough to receive a CVE (Common Vulnerabilities and Exposures) number. The utility and versatility of FFmpeg produce a “perfect storm” of potential security issues. FFmpeg supports 197 different file formats and 166 different video codecs. Each format requires its own module of code within the library to process it. Every file format provides a different potential attack surface for FFmpeg, and many of the formats are little-used or obsolete, and therefore not a source of many bug reports.
Attacking FFmpeg via an unchecked buffer vulnerability requires detailed knowledge about the target system. Buffer overflow exploits targeted at one platform will not likely succeed on another. Necessary information includes the type and version of the operating system, exact version of FFmpeg, and potentially more details, such as the compiler flags used when building FFmpeg. However, an attacker can fingerprint vulnerable systems in many ways, and in particular, ISE has found that the FFmpeg library embeds its version number within files when encoding them. If an attacker has access to a video file generated by a vulnerable system, then the attacker could most likely obtain enough information about the system to craft an exploit.
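A defender-side check for the information leak just described, added here as an example that is not part of the memo: scan a delivered file's raw bytes for an embedded FFmpeg library identifier (the "Lavf"/"Lavc" prefix followed by a version number) so that leaking files can be caught before they leave the facility. The sample container bytes and the version number in them are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Scan raw container bytes for an FFmpeg library identifier such as
 * "Lavf54.29.104" (libavformat) or "Lavc..." (libavcodec). On a hit, copies
 * the identifier into out (NUL-terminated) and returns 1; otherwise 0.
 * The scan is byte-wise, so it works on binary containers (MP4, MKV, ...). */
int find_ffmpeg_ident(const unsigned char *buf, size_t len, char *out, size_t out_len) {
    static const char *prefixes[] = { "Lavf", "Lavc" };
    for (size_t i = 0; i + 4 <= len; i++) {
        for (size_t p = 0; p < 2; p++) {
            if (memcmp(buf + i, prefixes[p], 4) != 0) continue;
            size_t j = i + 4;
            if (j >= len || !isdigit(buf[j])) continue;  /* require a version */
            while (j < len && (isdigit(buf[j]) || buf[j] == '.')) j++;
            size_t n = j - i;
            if (n + 1 > out_len) n = out_len - 1;
            memcpy(out, buf + i, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Helper for auditing: 1 if the buffer leaks exactly the identifier expect. */
int sample_leaks_ident(const unsigned char *buf, size_t len, const char *expect) {
    char ident[32];
    return find_ffmpeg_ident(buf, len, ident, sizeof ident) && strcmp(ident, expect) == 0;
}

/* Constructed MP4-like fragments: one with an encoder tag, one without.
 * Literals are split so hex escapes are not swallowed by following letters. */
const unsigned char LEAKY_MP4[] =
    "\x00\x00\x00\x08" "ftypisom" "\x00\x00\x00\x1a" "\xa9" "too"
    "\x00\x0d" "Lavf54.29.104" "\x00\x00\x00\x08" "mdat";
const unsigned char CLEAN_MP4[] =
    "\x00\x00\x00\x08" "ftypisom" "\x00\x00\x00\x08" "mdat" "\x00\x00";

int main(void) {
    char ident[32];
    if (find_ffmpeg_ident(LEAKY_MP4, sizeof LEAKY_MP4, ident, sizeof ident))
        printf("leaks encoder version: %s\n", ident);
    else
        printf("no FFmpeg identifier found\n");
    return 0;
}
```

In current FFmpeg builds, writing the output with the muxer flag `-fflags +bitexact` omits this identifier from the container metadata.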
A reason for concern is that FFmpeg may be used on systems processing sensitive assets, such as unreleased video footage. In addition to an attacker obtaining these assets, an attacker could use a vulnerable system as a pivot point to gain further access to customer or vendor networks, or could use the compromised system for unrelated illegal purposes, such as hosting pirated content or launching a subsequent attack.
Of note is the fact that once a system is successfully compromised, not only are all assets on the system at the time potentially compromised, but as long as the attack remains undetected, any additional assets processed by the system in the future may also be compromised.
Users of FFmpeg should take several steps to minimize risk. The simplest and most effective mitigation is to always update to the latest release of FFmpeg, especially when security vulnerabilities are found and patched. Keep in mind that developers using FFmpeg cannot reasonably be expected to update instantaneously when a new release is issued, and there is the potential of zero-day attacks (those discovered and used by attackers but not yet known to the software provider). As part of a general defense-in-depth strategy, systems utilizing FFmpeg can take additional precautions:
- Applications that process external inputs (such as uploaded files) should always run on a low-privileged user account. They should never run as root (on Unix) or an administrator (on Windows).
- Compiler and operating system features that help to prevent some, but not all, buffer overflow exploits should remain enabled.
- Sensitive assets (e.g. video content) should never be stored on the same system that processes external inputs.
- Modular libraries, such as FFmpeg, can often exclude unneeded features or file formats when compiled. If a vulnerability is specific to the module for one file format, and that format is not included, then the resulting copy of FFmpeg becomes immune to that vulnerability.
This memo should not be taken as a security advisory against using FFmpeg, nor as an insistence on not using it. As with any software, there are security concerns, awareness, and particular configuration and hardening guidance that should be understood when adopting the technology. A good summary of FFmpeg and its risk of security issues is given on the About FFmpeg page of the FFmpeg project web site.
SAN FRANCISCO — At a gala dinner last night in San Francisco, CDSA founder Larry Finley was posthumously inducted into the prestigious Consumer Electronics Hall of Fame. Finley was among an induction class of 12 industry leaders who were honored for helping found the CE industry as we now know it.
“This elite group of leaders has laid the foundation that our industry continues to build upon,” said CEA President and CEO Gary Shapiro. “Their vision, drive to excel and enthusiasm have helped to create the innovative CE products and services that have improved the lives of consumers worldwide. It is a pleasure to recognize this prestigious group.”
In the acceptance speech, Finley’s grandson and CDSA’s executive director Guy Finley explained: “Entertainment Matters. And it isn’t just the title of a conference I’m participating in at International CES in just a few months, it also explains that entertainment is and always has been a driving force behind all forms of new technologies. And it is a slogan that could very much define the career of my grandfather and one of the CE industry’s founding fathers, Larry Finley, whose relationships with leading Hollywood figures connected hardware with software well before Steve Jobs saw the importance of this synergy.” In his introduction, CEA’s Shapiro accentuated last night the significance of Finley’s many contributions in the formative years of the industry as the basis for the entire packaged home video industry.
CDSA was originally founded by Finley as the International Tape Association (ITA) in 1970 at the dawn of the audio cassette. Finley, a concert promoter in San Diego and partner with the Dorsey Brothers, later became a pioneer in TV broadcast as a late-night TV host in Los Angeles. This was followed by his pioneering work as owner of the International Tape Cartridge Corporation (ITCC), which produced and distributed eight-track cassettes on behalf of over 50 record labels worldwide. Read more
Variety and CDSA Gather Experts to Address Innovations in Anti-Piracy and Content Security, Dec. 6 in Los Angeles
LOS ANGELES — The Third Annual Content Protection Summit (CPS), produced by Variety and the Content Delivery & Security Association (CDSA), today announced that Senator Chris Dodd, Chairman and CEO of the Motion Picture Association of America (MPAA) will be featured in an exclusive Variety Conversation Keynote.
“With technology advancements and the development of an ever growing number of platforms for viewing motion pictures and TV shows, it is more important than ever to make sure important industries, government and consumers work together to ensure the Internet works for everyone,” Senator Dodd said. “Both the creative and technology communities are inextricably linked as we work to bring consumers the digital environment they want and both are essential to the economic well-being of our country.”
The event is one of the highlights of a day-long, deep dive into the latest innovations, findings and effective forms of deterrence in the protection of the creative products of leading movie, game, music and software companies. The event, themed “Innovation and Insights in Content Security,” is once again being held at the Los Angeles Hilton Hotel in Universal City on December 6.
“CPS is the official gathering of executives from across entertainment, focusing on the opportunities, and remarkable innovations in entertainment content protection,” said Alex Kochis, Conference Chair. “As the entertainment industry accelerates toward online services and digital products, we are experiencing a ‘perfect storm’ of threats to our business. Yet it is also a time of vast opportunity, disruptive business models, and remarkable innovation. This conference has always kept the industry’s leading practitioners on the cutting edge of the most effective best practices and engineered solutions and we are especially proud this year to have Senator Dodd join our industry discussion.” Read more
Two security experts from Microsoft and The Walt Disney Studios shared their perspectives on content protection during a CDSA-produced panel at Tuesday’s LA Games Conference. Aaron Kornblum, senior director of security policy, Interactive Entertainment Business for Microsoft, and Ben Stanbury, manager of information safeguarding for The Walt Disney Studios, talked piracy in the games business with moderator Guy Finley, executive director of MESA and director of anti-piracy affairs for CDSA.
Acknowledging the constantly morphing worlds of content production and delivery, Kornblum and Stanbury said that although their companies have had processes in place for protecting physical content, there is a need to revamp the assessment processes for protecting digital content.
“The piracy threat is evolving. Pirates are going to follow the money, and digital piracy is thriving,” Kornblum said.
Microsoft has taken proactive steps to protect its hardware and software. By utilizing its Xbox Live service as a tool to connect device and content, the company is able to identify if a console has been altered to play pirated content. According to Kornblum, if such a console is detected, it is then restricted from utilizing Xbox Live services. Read more
These days, managing a business means managing risk. M&E companies especially are managing opposing dynamics of increased digital threats, proliferating vendors, and prescriptive corporate governance and policies.
It’s a lot to manage and keep tabs on – and it’s only going to get more complicated.
CDSA is proud to introduce a new Enterprise Risk Management Tool (ERMT) that creates a customized solution for your individual risk management tasks and responsibilities. The first module – Vendor Risk Management – is currently in use daily at Electronic Arts and Disney. And, courtesy of the membership of CDSA, it is now being offered for your company’s review.
Join EA, Disney, and Microsoft for a webinar introducing CDSA’s Enterprise Risk Management Tool on Wednesday, March 28, 2012 from 11 a.m. to Noon Pacific.
This one-hour session will provide an overview of ERMT’s power in managing your company’s unique risk management processes and policies. It will give attendees a full product demonstration to illustrate how ERMT could work within your organization to manage vendor relationships remotely and with maximum vendor online involvement.
CDSA Chairman James Dunkelberger of Microsoft will introduce how ERMT can help build a “Trusted Partner Network” of security audited facilities. Product architect Spencer Mott of Electronic Arts will explain the roadmap for the ERMT moving forward. And Ben Stanbury of Disney, who has managed the development of the software over the past 7 years, will provide the walk-through of the tool to demonstrate its capabilities.
To register for the webinar, visit https://www1.gotomeeting.com/register/356457841.
Security Executive Cites the Roll-out of Media & Entertainment Industry Trusted Partner Network as Association Priority in Coming Years
REDMOND, WA — James Dunkelberger, General Manager of Product Release & Security Services at Microsoft, was named Chairman of the Content Delivery & Security Association (CDSA), the 40-year-old nonprofit content protection association.
At Microsoft, Dunkelberger’s worldwide Product Release & Security Services team is responsible for many aspects of Microsoft’s IP protection strategy. He has worked at Microsoft for the last 15 years, holding management roles in Operations Management, IT, and Product Development. For the last seven years, he has been responsible for protection of IP both internal to the company and in the supply chain, anti-counterfeiting technologies and strategies, product quality controls, and product activation investigations/enforcement. Read more
MyInternetServices.com, LLC (MIS), North America’s leading managed game server solutions provider, today announced its successful renewal of the Content Delivery and Security Association’s (CDSA) Content Protection and Security accreditation. MIS is the world’s first managed game server solutions provider to have been certified against this stringent data security standard.
“We are very proud to be recognized as one of the ‘World’s Most Secure Content Services’” said Greg Howard, CEO of MIS. “Having MIS’s content security approaches benchmarked against the stringent standards established by the CDSA – and once again achieving the CDSA accreditation – demonstrates the ongoing commitment of MIS to content security in an insecure world.” Read more
Security industry veteran to focus on expanding content protection initiatives in U.S. and aligning the program with other leading security audit standards
Long-time entertainment security expert Peter Wallace has been named Worldwide Director of Anti-Piracy for the Content Delivery & Security Association (CDSA)’s security auditing programs. Wallace, who has built the program to over 70 participating sites in Europe, will turn his focus to expanding the participation of entertainment supply chain partners in the U.S. and Asia as part of his expanded association role.
“Peter was the chief architect of the association’s Content Protection Standard (CPS) and he has been hugely successful in gaining the trust and support of key entertainment supply chain executives throughout the EMEA region,” says CDSA Executive Director Martin Porter. “Under his leadership we will now begin to align our program worldwide as well as with other leading security standards.” Read more
In the first of a series of webinars on content protection, security and cyber-threats, Steve Armstrong, a leading international digital forensics expert, provided guidelines and procedures for what to do if your network is compromised and your content and client information is stolen. Based on true case studies, the session showed how attackers break into weak and poorly managed networks; critically, it also examined how these same networks fail to gather sufficient evidence, making forensic and criminal investigations next to impossible.
Download the audio/video recording of this insightful presentation and stay tuned for the next installment of the CDSA Security Webinar Series.