Hacking the movies

In the first month of 2015 a new hacker movie is set to come up called, Blackhat. The movie is about a convicted blackhat hacker getting recruited by the government to track down and another hacker causing mayhem and destruction. It looks fascinating and I plan to at some point see it and hopefully review it on the site.

In the meantime here are the hacker movies (in no particular order) I have seen and what I've thought of them.

Hackers - 1995

Very entertaining movie. It's been a while since I've seen it, but there a lot of very memorable scenes that I can recall. It was also referenced at the most recent DEF CON by Wesley McGrew when he hacked the pineapples people tried to use at the security conference.

Sneakers - 1992

I recently watched this movie for the first time and I was a little disappointed that I've missed out on this wonderful movie for the past two decades. It uses a lot of techniques pen testers use today to break into an organization and it's got a top notch cast. Robert Redford, David Strathairn, Dan Aykroyd, Timothy Busfield, Mary McDonnell and Donal Logue. I'm pretty sure the logo for the Blackhat conference comes from this movie.

Swordfish - 2001

I've read on Twitter that the hacking scenes in this movie are bullshit (I haven't watched it since getting into infosec) and they probably are, but that doesn't make it any less entertaining. The hacking part of the movie is simply there to push the story along to John Travolta shooting people while standing in a sports car and helicopters making buses fly. I watched this movie several times in my younger years.

Die Hard 2 - 1990

It might be a little bit of stretch to call Die Hard 2 a hacker movie, but I just watched it recently and think it's totally a hacker movie. A rogue military group takes over Dules airport to free a drug lord being extradited to the U.S. They hack into Dules airport tower and seizing control of all the systems. There's not a lot of actual hacking, but there is quite a bit of social engineering that provides a nice twist towards the end of the movie.

Live Free or Die Hard - 2007

This Die Hard actually did have quite a bit of hacking included in the movie and for the life of me I don't remember a whole lot about the movie. I thought it was a solid movie, though of course not as good as the other Die Hard movies. I'll be watching it again some time in the near future.

Office Space - 1999

In an interview I was once asked to name my three favorite movies. This was one of the movies I answered with and as expected I didn't get the job. This movie isn't about hacking but it's one of the key elements of the film when Peter, Michael and Samir upload a virus to try and rip off the company their about to fire. It's a good example of insider threat now that I think about it. It's still one of my favorite movies of all-time and if employers can't handle that, that's their problem.

The Matrix - 1999

I'm still not sure if this should be considered a hacking movie, but it uses hacking as the gateway into the real world and out of the dream state that is the Matrix. It's a visual stunning, action packed movie that still holds up to today. The other movies, not so much.

Tron - 1982

This falls along the same lines as The Matrix. A visually stunning movie that uses hacking as a gateway into another world. Tron: Legacy (2010) is even more stunning, but like the Matrix sequels falls short of the original. The soundtrack is good though.

The Italian Job - 2003

There's quite a bit of hacking from "The Napster" (Seth Green) as well as some social engineering. I would have to watch the movie again (it's free on Amazon Prime, at the moment), but from what I recall there wasn't a lot of messing about with hacking techniques. Lyle (Seth Green) was in and out and probably highlighted a weakness in traffic equipment that has become a bit more relevant today. Though, it seems to be used more as a prank than for a brilliant plan to steal a ton of gold bars.

The Social Network - 2010

Facebook all started with the hacking of the Harvard network by Mark Zuckerberg, according to the movie. The hacking seemed pretty legitimate in the movie, though I'll need to go to the judges on that one. It played a small role at the beginning of the movie and that was about it. Then it turned into a programmer and developer movie. I thought the movie was good and enjoyed it thoroughly. Like a few other movies that only have small parts of hacking this probably should make the list, but it's on the Wikipedia list so there's that.

What about you?

What are some movies you enjoyed or hated that included hacking? What did I miss and what should I see? Which ones incorporate the best hacking techniques?

Happy New Year!

This post first appeared on Exploring Information Security.

Hacking infosec links December 29, 2014

Hacker Lexicon: What Is an Air Gap? - Kim Zetter - WIRED

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

Hacker Lexicon: What Is a Backdoor? - Kim Zetter - WIRED

Generally this kind of backdoor is undocumented and is used for the maintenance and upkeep of software or a system. Some administrative backdoors are protected with a hardcoded username and password that cannot be changed; though some use credentials that can be altered. Often, the backdoor’s existence is unknown to the system owner and is known only to the software maker. Built-in administrative backdoors create a vulnerability in the software or system that intruders can use to gain access to a system or data.

Marketing Just Isn't Ready for Hackers - Peter Herzog - Dark Matters

The infosec staff that came through had been talking about it being a potential toehold in the company to reach other systems. But when they saw the compromises didn’t go further than a few servers in marketing, they concluded it was just an employee who brought the infection in from home and that they caught it in time.

But did they?

This post first appeared on Exploring Information Security.

Blackhat trailer numero uno

Yes, this is in fact a movie about a hacker.

I'm not sure if it's going to be a hacking movie, but Thor...excuse me Chris Hemsworth is a hacker that has been put away by the US government for 15 years. He's released to help the US government hunt down another hacker attacking US infrastructure.

On top of being a, "genius hacker and coder from MIT" he also apparently kicks ass like Thor and can handle a gun, at least in the trailer. It will be interesting to see if the hacker role will play a significant role or a side roll to this movie. The term blackhat, for those who don't know, is used to denote hackers who are of a criminal nature. Or they use their "powers" for self gain. The hope is that the studio using the title "Blackhat" for one of its movies about hackers would ensure that there is at least some relevancy to its correct usage. But Hollywood can be Hollywood sometimes.

It looks like an interesting movie, though.

Micheal Mann is one of the main players behind the scenes of this movie with director, screenplay, story and producer credit. Some of the other movies he's known for include: Heat; Public Enemies; The Insider; and The Last of the Mohicans (IMDB). The dude has been nominated for an Oscar four times. If you browse his IMDB page you'll get an idea of what kind of movie this is likely to be. Of the movies I've seen he's been involved in: Hancock; Miami Vice; and Ali. All solid movies in my opinion.

Will this be a true hacker movie? Unlikely, but nothing will be if Hollywood is involved.

Will this be an entertaining movie about hackers? There's a very good chance.

Movie expected release date: January 16, 2015.

This post first appeared on Exploring Information Security.

Def Con links August 18, 2014

Hackers Unveil Their Plan to Change Email Forever - Denver Nicks - Time

Jon Callas, chief technology officer of Silent Circle and a co-founder of the Dark Mail project, told TIME that “the biggest problem we have today with email is that it was designed in the early 1970s and it was not designed for the problems we have today. Even the standard email encryption that we have today protects the content but not the metadata.”

You cannot 'cyberhijack' an airplane, but you can create mischief - Adam Greenberg - SC Magazine

Ultimately, airlines are very safe, Polstra said, but he added that nearly every protocol used in aviation is unsecured – meaning no encryption – and that there is potential to annoy air traffic control and small aircraft.

Founder of America's Biggest Hacker Conference: 'We Understand the Threat Now' - Denver Nicks - Time

Nothing changed before or after Snowden’s revelations. The security researchers knew that of course that’s what the NSA or any government can do. If you talked to the hackers last year it was like, “Of course you can do that. I’ve been doing that for 10 years.” But now that it’s sunken in at a more policy level you can have the conversation. Before you would say something to your parents and they’d be like, “Oh hahaha. You’re paranoid.” Next thing you know your parents are like, “Oh my God. You were not crazy. You’re not my paranoid son.” Now we’re at a place where people can relate and that’s a much more healthy place for us to be.

 This post first appeared on Exploring Information Security.

'Hacker Summercamp' links August 11, 2014

Meet the Puzzle Mastermind Who Designs Def Con's Hackable Badges - Kim Zetter - WIRED

This is really cool and I am jealous of anyone that got one of these badges.

Dan Geer Touts Liability Policies For Software Vulnerabilities - Sara Peters - Dark Reading

Another angle on Dan Geer’s opening keynote at Black Hat. Rafal Los linked to the full talk on Twitter if you’re interested:

John McAfee: Google and Facebook's Erosion of Privacy is a Tragedy - Phil Muncaster - Infosecurity Magazine

John McAfee had an interesting closing talk at BSides Las Vegas about privacy.

This post first appeared on Exploring Information Security.

Terrifying 'Hacker Summercamp' links August 7, 2014

BSides Las Vegas - Incidents happen, react and learn from them - Dan Raywood - IT Security Guru

Adam Shostack opened the BSides Las Vegas conference with a talk titled "Beyond good and evil." The gist of the talk is to be more open about incidents that occur within the organization. The idea is that the transparency will not only benefit the breached but also those looking to learn from a breach.

Black Hat 2014 and Media Fud - Bill Brenner - Liquidmatrix

Read this and you'll understand why I the word 'terrifying' led the title of this post.

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them - Kim Zetter - WIRED

In the opening keynote at Black Hat, Dan Greer suggested, among other things, that the U.S. government buy up all the zero-day vulnerabilities and release them to the public. This would allow companies to close a lot of vulnerabilities in their software and applications. I like the idea, I just don't think we'll ever see it happen.

This post first appeared on Exploring Information Security.

InfoSec links July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed denial-of-service (DDoS) his account in one easy step. He tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication was a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet, however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can’t help but get a little giddy about this. Sounds very Avengers like and a new way to think about information security. I have on my board at work “Hunt Teams,” which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn’t been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google’s Security Princess (her title choice) Parisa Tabriz. She’s the hacker hired by Google to break into Google. The article talks about her background and rise to a security manager of 30 people at Google. It’s Friday, take about 15 minutes through this article. You won’t be disappointed.

This post first appeared on Exploring Information Security.