Wolverine’s nemesis: Data Leakage

As widely reported, the major motion picture opening today, X-Men Origins: Wolverine, was leaked on March 31st to major BitTorrent trackers and within twenty four hours had been downloaded some 75,000 times and to date more then 1mm. If the average movie ticket price is $7.18, then that’s potentially $7mm or more in lost revenue already from BitTorrent alone (without including other sharing of the file). The studio and related parties have responded by downplaying the quality of the leaked copy of the film; however, the leaked workprints are of high quality, missing minor effects, and were released a full month before the movie’s opening. The movie was not published by someone with a video camera, rather somewhere in the supply chain of the movie’s creation a leak occurred. This begs the question, is Hollywood the next industry most in need of a comprehensive data leak prevention (DLP) strategy?

The overall effect will still be unclear even after the box office receipts, while other titles in this series have been immensely popular, it will be difficult to separate economic effects due to the Recession from lost revenue due to the leak.

• X-Men (2000) – $296.3 million
• X-Men 2 (2003) – $407.7 million
• X-Men: The Last Stand (2006) – $459 million
• X-Men Origins: Wolverine (2009) – ?

One thing is clear, fans are seeing the leaked movie:

I watched this movie, won’t say how. Ha! I really liked it, even watching the unedited version of the movie with actors hanging from wires, planes not fully specially effected (special effects), and good but not perfect quality… – ea4131, fandango fan reviews.

Initial Response

The studio responded within days stating “We immediately contacted the appropriate authorities and had it removed”. Such action is largely meaningless after a leak has occurred, and the three leaked workprint versions are largely available to anyone who chooses to look for them. In fact, Fox News entertainment columnist Roger Friedman, terminated on April 6th after writing a review of the leaked copy of the movie, marveled at the ease of finding and watching a copy: “It took really less than seconds to start playing it all right onto my computer”.

Descriptions alternate between the leaked movie being described online as nearly complete and of reasonable quality to the studio’s (20th Century Fox) description stating that scenes and effects were missing, and the workprint included placeholder sound and music. The movie can be viewed and understood, the missing effects are both not central to the storyline and a minor distraction.

Investigation

The studio referenced working with the FBI in their initial release, and promised prosecution to the fullest extent of the law for whatever party was responsible for the leak. An initial clue of course to where the leak occurred is the print’s reference to Rising Sun Pictures, a visual effects company in Australia who performed work on the film. Rising Sun denies that any of its employees ever possessed a full copy of the film. The studio has also stated that the leaked version had forensic marks which will allow determination of the source of the leak. To date, (and despite reports of the three arrests of the Lindbergh baby kidnapper and the alleged anarchists Sacco and Vanzetti) no updates have been seen. Businesses in Dallas, TX were affected however when Core IP Networks, an ISP, was raided by the FBI and equipment seized.

Inappropriate Comparisons

The Wolverine movie entry on Wikipedia references a comparison between the leaked workprint and the leak of The Dark Knight, a video camera version of the movie released on sites such as The Pirate Bay, a popular torrent site. Such comparisons are inappropriate in that:

• The Dark Knight was leaked after its premiere, where it earned $158.4mm.
• A recorded version’s quality is different then a nearly complete work print.

The same can be said of the Czech Republic release of the Simpsons Movie, which occurred after the premiere. A similar problem occurred with a high quality print being released when a working print of Star Wars III started showing up on BitTorrent sites, however again after the release of the movie.

Data Leak Prevention

So what is the answer? Is it to get up and say “piracy is going out of style” or point out the righteous web sites that condemn this act of piracy? Is it to attach “Easter egg endings” as some have suggested. The last suggestion has some merit, however results in extra work and one would assume the persons working on the film would know a fake ending from the real one. Attempts to control or disable end user PC’s, as proposed in legislation is both unconstitutional and closing the barn door after the horse ran away. Attempting to shut down every BitTorrent web site is in the same category.

This is a question of managing insider risk. This is a set of 500+ megabyte files, trivial to transfer but also not difficult to monitor for. Data Leak Prevention (DLP) is alternatively named and defined, but in essence it is the monitoring of communication channels enabled by technology. That includes instant messaging, e-mail, file transmission (FTP, HTTP), and writes to portable media (CD’s, USB storage devices including thumb drives, iPhones, you name it). Inspection can be based on filtering rules using regular expressions, pattern matching against dictionaries, or in this case file size and type. Many endpoint solutions are capable of blocking based on certain rules, alongside monitoring writes to portable media.

This advocates no particular vendor solution or strategy, but rather states the need for a strategy. Every supplier in the chain of the production of a movie, and there are many, must have diligence performed against their security capabilities. These capabilities must include:

• A review of every communication channel and the monitoring or protections in place to prevent leaks.
• A policy covering what communications will be monitored what will happen when leaks are found.
• A set of standards describing how that policy is implemented and the process for monitoring and responding to incidents.
• An exception process such that minor needs for data transfer do not subjugate the entire policy.

So for example:

• E-mail – All e-mails passing network barriers (ingress and egress) will be monitored based on a rule set that alerts on any type of movie file and trigger alerts to be reviewed. All e-mails over 10 megabytes will be blocked. All third party e-mail web sites will be blocked by web content filtering.
• Instant Messages – All instant messages will be centrally logged. Attachments on instant messages will be blocked.
• FTP – File transfer protocol will be blocked at the firewall for requests originating from the end user network.
• HTTP/Web – Web content filtering will be in place, blocking all file sharing web sites based on a vendor supplied list of sites that is continually updated.
• Portable Media – Writes to portable media will be blocked for most employees (including CD writes, connecting portable devices, and USB drives). For those employees requiring portable storage, monitoring will be enabled, and a business justification required to issue this privilege.

Finally any transfer of media should be done within the confines of a true chain of custody process, including sign-offs for handing off and receiving movie data.

Perfect? No. Unlike having an adamantium skeleton, you will continue to be a little vulnerable. But in five minutes a blueprint that is probably more comprehensive then what is in place at the companies handling this movie is laid out above. This is a true 80/20 rule case, and while some will make the argument that users “will just move to a communication mechanism that is not monitored”, the information security teams at these companies will catch a number of leaks in the meantime and project a culture that truly states that movie leaks are a serious issue. It will also be much harder to leak a movie. If properly monitored, many of the initial attempts to leak the movie will be seen.

Moving the information security response from reactive, investigations and ham-fisted threats, to proactive stands to make a major difference. What will it take to get a proactive approach to information security into Hollywood? Maybe it is Wolverine losing a few million gross, as the movie industry can not afford to keep making movies for free.

Related Posts:

• Information Security’s Winners and Losers
• The “Aurora” IE Exploit Used Against Google in Action
• Baidu.com the Latest Victim of Iranian CyberArmy
• JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash
• Forensics: Beverages Aside, A Look at Incident Response Tools

Filed Under: Data Leak Prevention • featured

Tags: copyright, Data Leak Prevention, piracy