Blackhat movie: The Good, the Bad, and the Ugly

The movie does, in fact, have some interesting things to say about the kinds of cyberthreats we're now up against

If you still haven't seen the new movie Michael Mann movie, Blackhat, with Chris Hemsworth playing the lead, you won't be getting any new insights into how hackers work.

If you are not a security professional, however, then the movie does, in fact, have some interesting things to say about the kinds of cyberthreats we're now up against, so stop reading and go see it.

Good: The IoT attack was real

Unlike other movies, in which hackers magically crack "several layers of encryption" with their laptops, the attacks in this movie are actually credible hacks.

The central attack, for example, takes down a nuclear power plant. Okay, there was a bit more explosion than when Stuxnet took down a nuclear power plant in Iran, but then again, it is a Michael Mann movie.

"The gist of Stuxnet was to go after programmable logic controllers inside critical infrastructure devices and industrial devices," said Jeff Schmidt, founder at Chicago-based JAS Global Advisors LLC, a consulting firm focusing on technology for critical infrastructure sectors.

"In the case of Stuxnet, it was centrifuges used in preparing uranium," he added. "In the case of this movie, it was water pumps that were used in a nuclear power plant."

This is a real threat. Many industrial control systems were built before the Internet or by companies that focus on hardware, not security software, and are now vulnerable. If your company or organization is putting off spending the money it would take to get this fixed, then maybe this movie will scare you into action.

Bad: ... but the IoT attacks made no sense

Right at the start of the movie, the bad guys go after two targets -- the nuclear power plant, and the Chicago futures market.

The attack on the power plant brings in massive and immediate attention from law enforcement, who immediately launch a coordinated global search.

The attack on the Chicago futures market brings in $75 million. Without the other attack, the bad guys could have taken the money, gone home, and lived happily ever after.

"It reminded me of the old James Bond movies and the cartoons where the bad guy always has the perfect opportunity to kill the hero, and employs some overly complicated Rube Goldberg machine to kill the good guy and it never works," said Schmidt.

Instead, the two initial attacks turn out to part of a setup for a ridiculously complex evil plan that I'm not going to go into here.

"In reality, it's just unnecessary," said Schmidt. "With their skills, there are a lot easier ways to make more money -- and they already did! $75 million in a couple of hours. They could lather, rinse, repeat and make a whole lot of money."

Ugly: ... the criminal hacker is the one genius who can fix things

Plenty of smart people try their hand at hacking and find out that they're good at it, but stop short of actual criminal activity and jail time. Or maybe they just were smart enough not to get caught.

And plenty of other smart people go straight into computer science and forensics and cyber security.

If the FBI needed some bright minds to send against the bad guys, surely there were better options than a criminal who'd written a Trojan back in college and had been stuck in prison for the previous five years after getting caught breaking into a bunch of banks. Not to mention the fact that he'd previously served another year for a bar fight.

In fact, we first meet him at the start of the movie when he's caught yet again, this time for using a cell phone to hack into the prison's commissary accounting.

Really, you want this guy? Really?

Then, instead of keeping him in some secure facility while he offers his advice in return for time off his sentence, the FBI sends him into the field. What? Why?

So, okay, it's unlikely, but maybe this guy has some insights into some code. But since when does that make him qualified to run around alleys and get into shootouts?

Good: The social engineering was real

In one pivotal scene, Hemsworth's hacker, who's named Hathaway, sends an email to an NSA official purporting to be from the official's boss, referring to a conversation that official just had with an FBI agent.

That's an excellent example of a highly targeted spear phishing attack, in which the hacker uses all the knowledge he acquired about the target to create an email that convinces the official to open a document that contains malware.

This happens. The Sony hack reportedly started with a phishing email. People are always clicking on things they shouldn't -- even people who you'd think would know better.

Later on in the movie, a pretty woman talks a bank employee into printing something for her from a USB drive -- a drive that also contains malware.

That happens, too.

But....

Bad: The social engineering is normally just the start of an attack

But it's a big step from infecting a computer at the bank's periphery to actually being able to initiate wire transfers out of bank accounts.

It's not necessarily impossible, but banks have been adding a lot of checks and balances in recent years. Not only would it would take more than a few minutes to get to the core financial systems, but even once into an account, it takes more than a few clicks to initiate a wire transfer.

Maybe movie criminals do business with different kinds of banks, but in my experience, wire transfers require paperwork, a lot more information than just the destination bank account, and take a couple of days to go through.

Though I do have to give this bank props for not transferring the money one dollar at a time, the way most other movie banks seem to do, while showing a progress bar and a convenient "abort" button that makes the money go back again -- but also one dollar at a time.

Meanwhile, the NSA has been upping its security as well. The system Hathaway was after should have been a lot harder to get to.

"Such a system would not be on the Internet with just user name and password authentication," said Schmidt. "Even if the system was connected to the Internet, some strong authentication would be required. The fact that our hero could just log into the system from China via the Internet, that would not happen."

Good: The terminology was real

Thanks to the consultants who worked on the movie there was a lot of accurate terminology in the movie, from the Unix code used, to the discussions of remote access Trojans and Onion routers, to the programmable logic controllers.

When Hathaway communicates with the bad guys, he does so through a server.

"He's on a Bash shell, that was real," said Derek Manky, global security strategist at Sunnyvale, Calif.-based Fortinet Inc. "That was pretty surprising to me that they used real commands and that was a real way to communicate. Other movies don't use that -- it's usually fantasy interfaces with message that pop up on the computer."

The IP addresses weren't realistic -- some of the numbers went above 255.

"But I'm pretty sure they did this intentionally, not to advertise anyone's IP addresses," Manky said.

Bad: Real hackers prefer IRC

The Unix write tool is old-school terminal-to-terminal, said Schmidt.

"It's not totally off-base, but it's not the tool that the bad guys and good guys use to talk in real life," he said. "It's almost always over IRC."

IRC -- Internet relay chat -- allows for both group discussion channels and private messages, and, though it dates back to the early days of the Internet, back before the Web, it is still being used for communication.

"IRC is a great way to do that anonymously and pseudoanonymously," said Schmidt. "Most of the big botnets, their command and control leverages IRC. When you're negotiating a ransom, its almost always over IRC ... and nowadays over Twitter."

Ugly: Banks aren't people?

Hathaway is the movie's protagonist, so there's always an excuse for what he does. He robbed banks because he couldn't get hired with a conviction on his record. And, as he points out in the movie, he didn't steal from people. Just banks.

Oh, so that makes it okay.

I was not happy with the movie's ending. However, I console myself with the fact that given his inability to avoid getting caught -- even the NSA found him out immediately -- Hathaway will be back in jail in no time.

Tags entertainmentblack hatadvanced persistent threatsIoTJAS Global Advisors LLC

Show Comments