You get a call Friday night at 11:00 p.m. The computer in the studio has stopped working. Nothing is going out over the air. No music. No commercials. Dead silence. You’ve never gotten stressed so quickly in your life.
Computer attacks at radio stations have become normal over the past several years. Hackers, most likely from outside the United States, infiltrate a radio station’s computer system, and disable the automation running commercials. It’s a manager’s worst nightmare.
Ransomware attacks have wormed their way into the computers of small and large radio companies in recent months. An attack on Urban One cost the company hundreds of thousands of dollars between lost revenue and expensive IT and computer upgrades. San Francisco Public Radio KQED was hit this year as was Tampa Community station WMNF. Entercom also had its company-wide e-mail system attacked and there were several other stations and companies who had to deal with this new reality.
The bottom line — it could happen to any radio station at any time.
Brian McHale has been in media and entertainment for 25 years. Today he’s a cyber-security advisor. Brian has worked for Discovery Channel, Starz, and Direct TV. He was VP of IT and Engineering for Fischer Communications and CTO for Journal Communications.
Bill Taylor started his career in the Air Force. He took his first job out of college working for MCI Worldcom as a data engineer. Now he’s in the IT security space working for a company called Cybersurance.
Bill and Brian met when Bill was the CTO of American Apparel in 2015. Bill was Senior VP of Information Technology in New York for CBS radio at that time, running IT.
In this two-part interview (today and tomorrow) with McHale and Taylor we find out exactly how these attacks happen, what to watch for and, most importantly, how you can avoid them happening at your radio stations.
Part One – How The Attack Happens
Radio Ink: How does this happen to a radio station?
Bill: Data security and protection becomes a bit of an afterthought because of the type of industry they are. Therefore, there are specific types of safeguards and countermeasures that could and should be taken to protect the data. We are seeing a lot of malware and ransomware attacks. Those types of attacks can be prevented or at least minimized in terms of the risks and impact they have by some technical safeguards such as encryption, as well as several administrative and physical countermeasures and safeguards to protect the access to that data. There needs to be more of a proactive approach to data protection and the risk management aspect within the broadcast industry in order to thwart those kinds of attacks.
Radio Ink: What’s going on in the computers in the studio? How do they figure out they are being attacked?
Brian: It starts with automation, spots not airing, scheduling is impacted. On air, when they go to commercial break, that automation is not firing and so they lose that revenue. One example is Max Media, who had to replace everything, including WideOrbit automation rather than pay the ransomware. They had no control over what’s happening. Most of them now would basically cut to another channel to play music, to get anything on the air until they can figure it out. Their inability to run commercials/advertising.
Bill: There needs to be a proactive approach. They need to do an assessment of what types of data they have and what classifications of the data they have and how to protect it. Then take some steps to protect it. They need to have the processes in place so if they do have an attack they can follow the steps to minimize the impact and damage. Ultimately, this will protect their data, reputation, and the confidence they get from their stakeholders and business partners. A proactive versus reactive approach in the long run is a lot less expensive and a lot more effective.
Radio Ink: How is the attack getting into the system?
Brian: The majority of the stations are configured in a way where they have one chief engineer, and maybe one assistant; or, if they are bigger, one IT person or two. The job of the engineer is to keep stations on the air and the IT guys are doing maintenance, making sure desktops are supported and automation is running. The key is there’s nobody looking at what is happening. I’ve been in stations with lots of different Wi-Fi connections set up; internally they have remote access to the towers. It’s difficult because they don’t look at it from a holistic or enterprise view, they do what they need to do to stay on the air. How do these attacks come in? There are multiple doors open at the station level and it rolls up to corporate as well. Most have come in through an attachment to an email. For example, Entercom lost their email, programming tools, scheduling, music logs, and like anything else there’s the low-hanging fruit. There was an infected computer that could have come in as a malware attachment. These back doors are pretty easy to slip through. These stations have been sold and acquired for many years and there’s nothing top to bottom that says “here is our procedure in terms of how we’re going to lock the station down and protect it.” The majority of the systems now are commodity-based servers running Windows or Linux. IP-based transmissions. There’s nothing overly fancy about what’s happening at these stations. There are some legacy applications that continue to run that are hard to protect from an antivirus standpoint.
Radio Ink: It could be somebody just clicking on an email? Somebody somewhere has written that program to get into the system and attack the spots?
Brian: If you think about automation and look under the covers in terms of the operating system, it’s not that difficult. Based on technology, it’s just a computer and it has operating systems, software, applications running, database software. It’s not like they are encountering something they have not seen before. It is just a piece of enterprise IT structure sitting there. They know how to get in. There’s nothing different, then, when a hacker is looking at when they get into a radio cluster that they would see on the front end because it’s basic systems. Like Bill said, looking at the data and implementing a process with controls makes sense.
Bill: Every software out there has vulnerabilities that can be exploited or attacked. There is a process called vulnerability management where you routinely and proactively scan the systems with software to identify those weaknesses and then do the remediation work. That might be a patch, an upgrade, or a workaround or turning off certain services. Larger enterprises have this as a process. Smaller organizations in the broadcast industry that don’t have a large staff to do this, it may be difficult for them to be proactive as a regular process. Ultimately that’s what needs to be put in place to prevent these types of attacks from happening. The attackers only have to find one weakness to gain access into a network and cause these types of problems. An organization needs to defend against these types of attacks. You have to put up a multi-layer defense. The bad guy only has to find one way to get in.
Radio Ink: When there’s a ransomware attack and a demand for a payoff, how are they contacting the station to ask for the money and not getting caught?
Bill: It is usually an email contact. They will go through various aliases and spoofing so they can’t be traced back to their IP address. There are ways through the dark web to do that. They send an email and ask for payment in a cryptocurrency so it can’t be as easily traced or stopped.
Radio Ink: Do you suspect these attacks on radio stations are coming from within the U.S.?
Brian: I’ve not seen anything written that would indicate either way. The sophistication of the attacks, and the fact they are leveraging bitcoin as payment, makes me think it’s not in the U.S. What can be done is you can block all that traffic. For example, if it’s coming in from Russia, you can look and see and get a sense if you’re not doing anything with Russia, why are we seeing so much traffic coming in through our firewalls. Those are strategic steps to look at. Who is trying to get into your network, looking at your logs, and hopefully you have firewalls in place and some security solution in the front end to protect your infrastructure. My guess is these are offshore.
Bill: Generally speaking, most of those types of attacks do come from overseas. Here in America we have laws like the Computer Fraud and Abuse Act (CFAA) that says if you get caught hacking into a computer you will be prosecuted. In other countries they don’t have an equivalent to the CFAA. They encourage that type of activity in countries like Russia, China, and North Korea. Those hackers almost always come from outside the U.S.
Radio Ink: If I’m a radio station manager, what should I be aware of?
Brian: Look at the logs themselves. Traffic. Something won’t play, or there’s no commercial insertion. They have basically locked down in terms of the scheduling side and log side, preventing everything from triggering. That causes an interruption of what’s on the air. They are sophisticated enough to know what will hurt the broadcaster. They are manipulating content, playlists, etc.
Part two tomorrow – What to do to avoid being attacked