{"id":17375,"date":"2020-09-15T00:34:29","date_gmt":"2020-09-14T20:34:29","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/hackers-movie\/17375\/"},"modified":"2020-09-15T00:34:29","modified_gmt":"2020-09-14T20:34:29","slug":"hackers-movie","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hackers-movie\/17375\/","title":{"rendered":"A modern take on the movie Hackers"},"content":{"rendered":"<p>Several common misconceptions hinder the widespread adoption of cybersecurity culture. One myth \u2014 hackers are really smart, so it\u2019s pointless to fight them \u2014 was popularized in particular by the movie <em>Hackers<\/em>, released exactly a quarter of a century ago. The movie gave rise to a set of clich\u00e9s still employed by the film industry.<\/p>\n<p>Indeed, the movie\u2019s misfit heroes and their adversary, Plague, an infosec expert at Ellingson Mineral, are portrayed as highly intelligent geeks able to find and exploit vulnerabilities in any information system.<\/p>\n<p>For example, the main character is equally at ease breaking into a school database and a cable operator\u2019s network. Phantom Phreak makes calls from payphones to Venezuela without paying a cent. Even Joey, the group\u2019s youngest and least-experienced hacker, manages to gain access to the Gibson supercomputer at Ellingson Mineral. It all looks quite impressive (for 1995) but let\u2019s take a closer look at the crew\u2019s accomplishments.<\/p>\n<h2>Hacking a TV station<\/h2>\n<p>The protagonist, Dade (aka Crash Override), breaks into the network of a TV station to replace a dull show with something more captivating. He does so by calling the night guard, posing as an accounting employee who needs access to his computer, and asking the guard to read out the phone number on the dial-up modem.<\/p>\n<p>On the one hand, it\u2019s basic social engineering. 
On the other hand, it\u2019s lunacy on the part of the company \u2014 and I\u2019m not even talking about the haplessness of the guard. Why is the accountant\u2019s computer on the same network that controls the broadcast? Why does it have a modem constantly waiting for an incoming call? Why is the phone number written on the modem?<\/p>\n<p>While that intrusion is going on, it turns out another hacker is already inside the company\u2019s network: Kate, aka Acid Burn. How did she get there? Well, the company probably has other computers with exposed modems.<\/p>\n<h2>Hacking Gibson<\/h2>\n<p>Novice hacker Joey breaks into the Gibson supercomputer. That is, he logs in through a modem from home using the head of PR\u2019s super-secure account password, <em>god<\/em>. That\u2019s despite every character in the movie (including said head of PR and Plague, who is responsible for the company\u2019s security) knowing that the most common passwords in this flick\u2019s reality are <em>love, secret, sex<\/em>, and <em>god<\/em>. What\u2019s more, the head of PR has superuser rights for some inexplicable reason. All told, the hackers\u2019 \u201cgreat\u201d achievement is less about ingenuity than corporate fecklessness.<\/p>\n<h2>Plague\u2019s skullduggery<\/h2>\n<p>The movie\u2019s plot revolves around the cunning scheme of the hacker Plague, who works at Ellingson Mineral. He writes a piece of malware to salami-slice a few cents off every company transaction, and transfers the proceeds to a secret account in the Bahamas. That might have been an original plotline had a similar scheme not been deployed 12 years earlier in the movie <em>Superman III<\/em>. 
For some reason, everyone describes the malware as a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/worm\/\" target=\"_blank\" rel=\"noopener noreferrer\">worm<\/a>, although the film says nothing about its distribution and replication.<\/p>\n<p>Based on that information, can we really consider Plague a cybercriminal genius? Hardly. He heads information security at a company where no one apart from him has the first clue about the subject. And he\u2019s in cahoots with the head of the PR department, effectively giving him carte blanche? It\u2019s an insider attack; the problem is not so much a lapse in cybersecurity as the company\u2019s recruiting policy.<\/p>\n<h2>Da Vinci virus<\/h2>\n<p>When Joey accidentally downloads part of the \u201cworm,\u201d Plague launches a virus (again, it\u2019s not clear if it actually is a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/virus\/\" target=\"_blank\" rel=\"noopener noreferrer\">virus<\/a>, or whether the writers just liked the sound of what in 1995 was a new term for most moviegoers) by the name of Da Vinci. The malware seizes remote control of the target company\u2019s oil tankers with the potential to capsize them by pumping water into the ballast tanks. In fact, though, the \u201cvirus\u201d is a red herring.<\/p>\n<p>Plague is simply using it to (a) divert attention from the money-grabbing \u201cworm,\u201d (b) accuse Joey and pals of hacking into the company and ultimately blame them for the \u201cworm,\u201d and (c) turn them over to the Secret Service, get inside Joey\u2019s computer, and find out what information has leaked \u2014 not to mention buy time for the malware to siphon off more cash.<\/p>\n<p>In fact, such a \u201cvirus\u201d is way too futuristic for that time. For a start, the very idea of a seagoing vessel in 1995 being permanently connected to the operator company\u2019s navigation systems is crazy. 
First, the Internet is not needed for navigation either today or back then; the GPS system was already fully operational and available to civilians.<\/p>\n<p>Second, for a ship to have been constantly online in the mid-1990s plays fast and loose with reality. Data transfer by satellite didn\u2019t exist then; it would have required a permanent\u00a0\u2014 and prohibitively expensive\u00a0\u2014 modem connection over a voice line.<\/p>\n<p>Moreover, tankers (which could be classified as critical infrastructure) do not have backup manual systems for ballast water injection control.\u00a0The process is fully computerized. For that matter, a computer is perfectly capable of failing even without malware. In short, for the Da Vinci virus to work, someone would have had to lay the long and laborious groundwork to sabotage the merchant vessel, including at the stage of ship design.<\/p>\n<h2>Preparing for the showdown<\/h2>\n<p>The protagonists decide to stop the dastardly Da Vinci and obtain the full code of the \u201cworm\u201d to find out where the stolen money is being transferred. Their preparations are nothing if not thorough. But here the movie begins to go off the rails.<\/p>\n<p>The hacker Cereal Killer impersonates a telephone company employee, infiltrates the building of the US Secret Service, and plants a bug there. (Why none of the employees, supposedly professionals, suspects a teenager in saggy pants is a mystery, as is his off-screen punishment.)<\/p>\n<p>Dade and Kate sift through Ellingson Mineral\u2019s trash and steal some papers. That bit\u2019s believable\u00a0\u2014 even today not every company monitors how and where its garbage gets chucked. But a perusal of the trashed documents handily serves up 50 passwords that can be used to penetrate the corporate systems. More a gusher than a leak.<\/p>\n<h2>The final battle for Gibson<\/h2>\n<p>The main characters ask the hacker community for help, and together they bombard the supercomputer with viruses. 
At this point, the film has finally lost all connection with reality. Unfortunately, we know nothing about the architecture of Ellingson Mineral\u2019s information systems, and therefore can\u2019t quite work out how a throng of attackers can simultaneously connect to Gibson, upload an assortment of viruses, and download the \u201cworm.\u201d<\/p>\n<p>It is not even clear whether they acted over the Internet or somehow connected directly to the company\u2019s internal modems. In any case, Plague somehow pinpoints the source of the attacks.<\/p>\n<p>At this point, the curious phrase \u201cMultiple GPI and FSI viruses\u201d is heard. GPI stands for <em>General Purpose Infectors<\/em>, a long-outdated name for viruses that can be embedded in any executable file. FSIs, or <em>File Specific Infectors<\/em>, are viruses that target files of a certain format. In other words, the phrase basically means that the security team can see a lot of viruses.<\/p>\n<h2>International calls<\/h2>\n<p>Throughout the film, the hacker known as Phantom Phreak uses payphones for free. The technique, which seems the least plausible from a 2020 perspective, is actually the most credible. In those days, phreaking\u00a0\u2014 breaking into telephone systems\u00a0\u2014 was a core part of hacker culture, hence Phantom Phreak\u2019s name.<\/p>\n<p>To make free calls, he uses a device that generates tones to simulate coins being inserted into the phone, a ploy known as <em>red boxing<\/em>. It really did work, and instructions were widely circulated in hacker communities even in the pre-Internet age. Thinking that coins had been dropped in, payphones signaled to the billing system how many minutes to give the phreaker.<\/p>\n<p>By 1995, red boxing was already on its way out. Telephone companies, aware of the vulnerability, were busy implementing protective technologies such as frequency filters, duplication over digital channels, and ways to physically verify the number of coins inserted. 
But red boxing was still in play at the time of the movie\u2019s release.<\/p>\n<h2>Equipment<\/h2>\n<p>Of special interest is the equipment used by the hackers. Kate, hailing from a wealthy family, works on a P6 laptop, which she says is \u201cthree times faster than a Pentium.\u201d That\u2019s a reference to the Pentium Pro, the first of Intel\u2019s sixth-generation x86 microprocessors. In those days it really was the world\u2019s most powerful chip, and it was released, like the film, in 1995. And Kate\u2019s modem could clock a speed of 28,800 kbps\u00a0\u2014 another best for that time.<\/p>\n<p>However, a closer inspection reveals that when connecting through public telephone booths, the protagonists use what looks like an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Acoustic_coupler\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">acoustic coupler<\/a>, which converts acoustic signals into digital ones. That\u2019s an extremely unreliable contraption that supported only 1,200 kbps, and by 1995 it was hopelessly outdated. Still, it looks impressive.<\/p>\n<h2>Pure fantasy<\/h2>\n<p>Other moments in the movie also stretch the imagination to the breaking point. Among other things, the hackers go after a government agent, during which they:<\/p>\n<ul>\n<li>block his credit card;<\/li>\n<li>add bogus traffic violations to his record;<\/li>\n<li>declare him dead in the Secret Service database.<\/li>\n<\/ul>\n<p>It is not clear how they manage to do all this, but, once again, it is more testament to the incompetence of the bank, the police, and the Secret Service than to the ingenuity of the hackers. The only convincing trick the hackers play is posting a lewd ad on a dating site. But that doesn\u2019t take hacker skills, just a particular sense of humor.<\/p>\n<p>And the finale wouldn\u2019t be complete without the antiheroes causing chaos by hacking the city\u2019s traffic lights. 
Classic.<\/p>\n<h2>The bottom line<\/h2>\n<p>Even on-screen hackers are not superhuman; they simply exploit the mistakes and stupidity of others. And most real-life attackers are even less expert, hardly evil geniuses. Our <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness<\/a> training platform helps clear up this and many other misconceptions, teaching employees to avoid obvious mistakes.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>To mark the film\u2019s 25th anniversary, we examine Hackers in terms of modern information security.<\/p>\n","protected":false},"author":700,"featured_media":17376,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[78,2187,2047],"class_list":{"0":"post-17375","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-hackers","11":"tag-movie","12":"tag-truth"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hackers-movie\/17375\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hackers-movie\/21901\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/hackers-movie\/8584\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hackers-movie\/23292\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hackers-movie\/21484\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hackers-movie\/20096\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hackers-movie\/23869\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hackers-movie\/22822\/"},{"hreflang":"ru","u
rl":"https:\/\/www.kaspersky.ru\/blog\/hackers-movie\/29082\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hackers-movie\/8818\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hackers-movie\/37028\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hackers-movie\/15673\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hackers-movie\/16035\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hackers-movie\/13979\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hackers-movie\/25156\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hackers-movie\/29243\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/hackers-movie\/26085\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hackers-movie\/22873\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hackers-movie\/28195\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hackers-movie\/28027\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/movie\/","name":"movie"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17375"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17375\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17376"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17375"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}