RSA At The Movies: Security Pros Rate Realism Of Hollywood Cybercrime
Realistic Threat Or Hollywood Hokum?
Information security is not to be taken lightly, and nowhere is that message hammered home harder than Hollywood. Tinsel-town churns out film after film depicting cybercrimes, hacks, attacks and other Internet-age assaults. Some of it is so unbelievable that it can't be true. But some is pretty close to reality.
At RSA Conference 2011, a panel of security professionals led by Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, viewed a handful of films to determine whether or not the threats depicted were real.
Grab some popcorn and see what was determined during the RSA session "Cyber Catastrophe in the Movies: Realistic Threat or Hollywood Hokum?"
Live Free Or Die Hard
The Scenario: 2007's fourth installment in Bruce Willis' Die Hard film franchise showed up a few times during the session, but in its first appearance a team of hackers gain access to the Traffic Control Center in Washington, D.C. and alter and manipulate the traffic light pattern in such a way to crash dozens of cars and create mass chaos in the streets.
The Verdict: Not possible. While hacking into traffic control infrastructure is a common theme in movies and television, Borg said it can't happen. His agency has investigated if such attacks are possible and have determined that they are not.
"This was one of the many we investigated and we discovered you can't do this attack," he said. One reason it's not plausible is how most traffic lights are controlled: It's impossible to turn both lights at the same intersection green without climbing up and manually altering it. Hacking into the system just isn't possible. "Hollywood likes it because they get to crash cars," Borg said.
War Games
The Scenario: A young Matthew Broderick and a young Ally Sheedy gain access to their school's computer system to change grades and crack their way into an airline reservation system and book a trip abroad. Access is granted using a computer-based auto-dialer.
The Verdict: Data alteration and database corruption are still common attacks; and changing grades by hacking into a school network occurs more frequently than most people realize, the scenario played out in War Games is "mostly authentic" despite the film being released in 1982 before the Internet as we know existed. Borg, however, pointed out two key flaws: Matthew Broderick's character, computer geek David, had a clean bedroom and a girlfriend.
Untraceable
The Scenario: This 2008 thriller follows the FBI's hunt of a serial killer who posts live videos of his victims and his killings on the Internet on a Web site that can't be traced. The FBI can't track the killer down because of redirects, IP address mirrors, server exploitation and a botnet that the killer launches to render him and his videos, well, untraceable. For the killer, the more people that watch the live videos, the faster and more violently the victim dies.
The Verdict: "There's a lot of realism," said Danny McPherson, vice president of research and development at VeriSign. McPherson said anonymization and the inability to trace IP addresses are common tricks for Internet scammers and crooks. Borg added that while the technology is realistic, but the psychology isn't, because most Internet users in the U.S. wouldn't be drawn in by an Internet killer. "If you've got someone who's sophisticated and they don't want to be [traced], they can't be," he said. "This was a grisly movie, but it raised a lot of interesting issues."
The Net
The Scenario: Dr. Alan Champion, played by Dennis Miller, dies in the hospital in this 1995 thriller because someone accessed and changed his hospital records, resulting in his receiving the wrong care.
The Verdict: It's scary how possible this is, Borg said. There is a huge opportunity to alter patient records in minor ways so they won't raise a red flag, creating "chilling opportunities for making mischief." Later Borg added "the opportunities for attacks are just huge and scary," he said, noting that that scene in The Net is completely realistic.
AntiTrust
The Scenario: Tim Robbins runs a software company in this 2001 film, and in his attempt to get ahead and beat out the competition spies on researchers with hidden cameras to record their work and claim it as his own.
The Verdict: It's possible, but hidden cameras likely wouldn't be the best way to capture data, instead, keystroke loggers or other tools would be used. Still, McPherson said threats like data infiltration and the like are still quite common. Paul Davis, CTO of NJVC added that espionage for intellectual property is quite common. "Companies really need to that about how they're going to protect and share their information," he said.
Sneakers
The Scenario In this 1992 hacker must-see, a crew hacks into the federal reserve, the energy grid and an air traffic control system with the help of a microchip that breaks the cryptography of these encrypted sites.
The Verdict: It's far-fetched, but possible, but not at the level illustrated in the film. However, there are tools out there to decrypt encrypted data, the panel said.
Live Free Or Die Hard
The Scenario: In this scene, a group of gun-toting cybercriminals storm a control center for the power grid in an attempt to shut it down.
The Verdict: It can be done, but the Hollywood depiction of a power grid control center is way off and nowhere near as sophisticated as the real deal, Borg said. Additionally, there would be more layers of physical security to prevent a strong-arm attack, such as security tokens that need to be plugged in to operate the systems; biometrics like thumb prints; cameras; and more. Regardless, a skilled enough hacker could gain access without physically storming the center.
Live Free Or Die Hard
The Scenario: The natural gas company's computer network is accessed and the flow of gas is rerouted so it all converges on one location, creating a massive explosion.
The Verdict: According to Borg, it's doable, but an attacker couldn't pinpoint the location of the explosion.