Why the Blackhat movie isn’t far off from reality
Hollywood’s portrayal of big money hackers might scare IT pros, for good reason.
I caught a screening of new Michael Mann cyber-thriller Blackhat this week and, if you’re the worrying type, I wouldn’t recommend seeing it. You’ll come away wanting to never open another email attachment (probably a good idea anyway), leaning toward taping your USB ports shut to prevent any access and pretty much be looking to move to Green Bank, West Virginia – the town without Wi-Fi or cell phone service.
In the movie, Chris Hemsworth plays a convicted hacker who is furloughed from Federal prison to help U.S. and Chinese authorities track a hacker attacking power plants, the stock market and other critical infrastructure. The motive for the attacks: money, of course. It’s the reason for a lot of crimes, both cyber and physical. A couple of real-life hackers that allegedly targeted the credit card systems at a number of U.S. businesses a couple of years ago did so because of their meager job prospects in Russia. Hacking paid the bills.
Blackhat’s bad guys use remote access tools and other nefarious code to attack targets, looking for the weak spot in networks, software and other infrastructure. Unfortunately, here in the real world, we’re still making it too easy for attackers.
In Cisco’s 2015 Annual Security Report, CIO respondents admit their organizations are not good at installing patches. This is leaving the backdoor wide open for the bad guys looking to access sensitive systems and data, which can result in attacks like we’re been reading about in the mainstream news all too often of late.
The issue of patching and security grows bigger when you consider the Internet of Things, which is leading to connected cars, home and more. As we continue to connect more and more devices to networks, we’re increasing the number of potential weakness points for attackers to exploit. As security pros like to say, “A connected device is a hackable device.”
And if highly paid IT security professionals can’t keep pace with patching, how do we expect that of consumers? I’ve written before about the need to better inform the average consumer of the security risks inherent with a connected device they own. But even if we know, are we all going to install the necessary patches to our routers, PCs, tablets, phones, thermostats, security cameras, wearables, refrigerators, toasters and whatever else gets dreamed up in the next few years? That’s a lot of patches on a lot of devices to remember. Even if we’re good at patching, humans themselves are still a weak point. We’re still horrible at passwords. (Really, who thinks “123456” is going to be safe?)
The movie and real-world news demonstrates that security vendors, device makers and those building ecosystems for connected devices need to continually assess security and find ways to help ensure systems aren’t compromised, all while keeping a good user experience in mind. No easy task.
As for the movie itself: I’d give it a B-. The plot was good and the technical details weren’t tedious to bog down non-techies. At two hours in runtime, it probably could have been tightened up a bit to make it move a little faster. My wife thought it was a little violent too. Wired magazine has a good take on whether the technical details are up to par. For me, it still doesn’t beat the best hacking movie made: WarGames.