
Hacker Rates 12 Hacking Scenes In Movies And TV | How Real Is It?

Jun 05, 2021
The probe used multiple SQL injections, but I haven't found any compromised files yet. This one is terrible! When I first watched this show, I turned off my TV that very second. Hi, I'm Keren Elazari, security researcher, author and friendly hacker. I have been in the field of cybersecurity for more than 25 years. I am the founder of Israel's largest hacker community, BSidesTLV, and Leading Cyber Ladies. Today, we will look at some interesting clips of film and television piracy and discuss: how real is it? Oh! I would not do that. That's bad, bad OPSEC. Poor operational security. In reality, it is possible that the computer is physically booby trapped.
If I had the computer like this, I would take it to investigate, I might even take X-rays of it before doing anything with it. When we bring a device in for a digital forensic investigation, we typically open it in a lab environment, not in the middle of our agency office. It's your omega site. I don't know the term "omega site". I think that's just adding Hollywood lingo to make it sound scary. The most encrypted level it has. It wouldn't be a level. It could be a file or, you know, a segment of the hard drive. There are no levels.

It doesn't look like this. There are definitely no 3D moving animations of what the file is doing. Q: It looks like obfuscated code to hide its true purpose. Well, that part is real. Yes, you could obfuscate your code and malware authors often do this. Q: You are using a polymorphic engine to mutate code. Every time I try to gain access it changes. We have seen polymorphic code, specifically with malware. Now we finally see a hexadecimal version of the code. Hex means hexadecimal. Now, hexadecimal means 16. Normally you can only see 16 characters. 0 through 9, A through F. You won't see G.
You won't see R. You won't see O. You can do a lot of things with code, and it may be beautiful, but it won't look like a map. It won't have those, you know, curly lines. This is something completely different. I think this is maybe three out of 10, and I'm just giving them some points for, you know, including some real real-world terms, like malware, polymorphism, and code obfuscation, but that's where the realism ends, unfortunately, Mr. Bond. Darlene: They're in the middle of the final round of the CTF qualifier. So, Elliot and Darlene are visiting a hacker space that is currently housing a CTF.
A CTF is a capture the flag competition and this is a type of hacker game. It could be about cracking a really unique piece of code or something. So in this scene, they're in the qualifying rounds for DEF CON, and DEF CON is a real-world hacking conference. It is the largest hacking conference in the world. I've been to CTF at convention centers and college campuses. There are even hackathons and CTFs taking place on Italian farms. Although the one they are in now is extra-clandestine. Elliot: They allow you to save and load your game, restoring all the mines you found and all the projectiles you eliminated.
That is the weakness. What Elliot is doing could even be considered pretty rude, having someone surfing like that. If it happens. However, for Elliot to, you know, in one second understand what's happening on that screen, get all the context of that code, and then tell them how to win that challenge, I mean, I understand that the show, of course, does it. establishes. It could have above average intelligence, but it would have to be like a supercomputer. Elliot: The game relies on any information you give it to recreate the board. Poison the data. You can make it run any code you want.
It looks like hackers need to reverse engineer or take apart a Minesweeper style game. This sounds pretty realistic. It's actually based on the real-world CTF challenge from 2012. So I think it's cool that the show went to the trouble of getting a real-world hacking challenge. A CTF room can be noisy, sweaty and smelly. It can be electric. Elliot: All I have to do is hack the registrar and change the name server settings. What you are doing now is very realistic and would have taken much longer. You don't hack a logger in two seconds. Elliot needs to contact the backdoor they placed inside E Corp last season.
To do that, he is using the fact that the backdoor, which is basically computer software, has a C2 domain encoded. C2 in this context means command and control. And many times malicious hackers or criminals create a piece of code that will run within an organizational network, but in order to communicate with the backdoor, Elliot must first take over the domain. And the next thing he does, and we see him do it, is give the command "shred." Shred is a Unix command to not only delete files, but also rewrite them so that they are much more difficult to recover, even with specialized forensic software.
I'm going to rate this scene a nine out of 10. I'm only deducting one point just because of how quickly everything happened and how quickly those hackers let Elliot into their CTF game. Well, we can say that he is a hacker. He has all those stickers on his laptop. Nine Ball, Rihanna, is using open source intelligence, which is a fancy term for the Internet. This is what is called a phishing attack. Not only will she embark on a phishing expedition; she is phishing. She targets this particular person with an email with a topic, something she is really passionate about.
There are definitely attacks that would give an attacker control of her webcam, and they could even turn it on and you wouldn't know it was on. But it usually requires a little more time and a little more interaction on the part of the victim. Maybe they would run an app, install something. It will take a little more. These types of physical boxes that would allow you to unlock any password don't really exist for computer passwords. Many of you have a phone that if you enter the four-digit PIN or a seven-digit PIN and do it wrong, the phone will be erased after five or 10 incorrect attempts.
So those physical boxes in the real world, used primarily by law enforcement, would get around that using all sorts of different tricks, but they would require physical access to connect with a cable to your target device, to the phone. It makes sense that they would require an additional password just to access that particular software. That's great. That makes sense. However, it looks like a 12-character password and has not only numbers, but also uppercase, lowercase, and special characters. For a password of that length, you would have approximately 94 to the power of 12 different possible combinations. It's a number so big I can't even spell it.
You'd have to use the entire screen just to type it, right here. There's no way an electronic box can figure that out. And if Nine Ball has a box like that, it's more valuable than whatever they're going to steal from the Metropolitan Museum. I would probably say that the first part, about phishing, is extremely realistic, but then it loses reality. So I'm going to average it at seven out of 10. I think that was the turning point, where Hollywood started to show realistic hacking. So what we're seeing here is that Trinity is using Nmap, which is a legitimate network scanning and mapping tool that hackers use all the time.
We also see her using something called SSH Nuke. So SSH Nuke refers to "secure shell". And SSH Nuke is, according to the movie, basically an attack against the SSH service, where it takes advantage of a specific vulnerability. And he even tells us that he's trying to exploit version one of SSH, CRC 32. So this was a real-world vulnerability in SSH that was only discovered maybe a month or so before this movie was filmed. So while someone was working on writing the script, while they were in pre-production, this vulnerability was discovered in that piece of code and they already featured it in the movie, which I think is extremely timely and extremely accurate.
The only small element here that is not so realistic is that you are resetting the password. If you successfully exploit that vulnerability, the exploit would grant you root privileges. You wouldn't necessarily have to reset the password. There's no way I can hack like that and not make a ton of typos. All hackers know that you need fingerless gloves to type fast. I'm going to rate this scene a 9.5 out of 10. And I'm taking off half a point just for the gloves, girl. So Lisbeth is doing the legwork. She is investigating her goal. What she does is basically hang out and pick up, listen to the code while it's played on the keyboard.
And she sounded like one, two, one, two, which sounds like what she's pressing. So in the real world, it's not that difficult to understand what different digits sound like if you train your ear. She's not going to waste her time on that. She's not going to plug in her computer and be seen doing all kinds of nefarious things. She'll take photos, she'll get out of there, and then she'll analyze those photos to see exactly what the hardware configuration is, what the router is, what the type of communication setup is in that apartment building. And then she gets a specific device from one of her fellow hackers.
I think that's very realistic. It looks like, you know, a hacker space. It seems like I've visited a lot of places, definitely. From the device itself, it is difficult to say exactly what it is. We see that it is a Nokia. This could be in reference to something called the Nokia N900, which used to be known in hacker circles as the pwn phone. And it was a phone that was primarily used to hack into wireless networks. However, it didn't look exactly like that, so it could be a specialized device. It could be a tablet that has a cellular connection and a network interface.
It could be something like this. The device she uses in the film is a bit dramatized. It is a device that you can connect to Ethernet. That's where you put the network connection. And it also has space for a SIM card. So you insert a SIM card, it has a cellular uplink and you plug it into the wall. It is actually designed to look like an air freshener. And if I were doing a security assessment, I would sneak in, just like Lisbeth does, connect this to power, to the network, and then use this other connection, basically, from my remote hacker hideout, to plug it in, call this bad boy and run some network assessments, see what I can sniff out, see what I can capture on that network.
So based on what we just saw, I'm going to give it a 10 out of 10. It's a very realistic scene. Mark: Billy Olson is sitting here and he had the idea to put some of the pictures next to pictures of farm animals and have people vote on who is more attractive. So, apparently Mark Zuckerberg wrote live on his blog about everything that happens in this scene, when he created his Facemash. So I'm going to assume that everything he's writing the writers took from his actual blogs. Brand: A number to represent the attractiveness of each person as they do on hotornot.com.
There was a website called Am I Hot or Not. It was very popular. Mark: Unfortunately, Harvard doesn't maintain a centralized public Facebook, so I'll have to get all the pictures of the individual houses people are in. So, you have to modify your script or you have to modify your process to match the specific houses, which is very realistic. Even today, the internal web pages of academic institutions are a spaghetti of different types of code bases and servers. Mark: They require a username/password. For one of the houses, you are asked to provide a username and password.
And the movie shows us for a split second that he has mzuckerberg's login, but then we see that he logs in with another username, called bagson. This is a trick. This is a time when he uses someone else's access. And that would probably go against the Computer Fraud and Abuse Act. Certainly against Harvard's rules of engagement. Mark: Dunster is intense. It will be difficult. I'll come back later. This is very realistic. If there's one that poses an extra layer or an extra challenge, we won't spend too much time on it. We'll turn around and get back to it.
And this is also what criminals do. They prefer ripe fruits. They look for the easiest goals first, and only later, or if they are trying to achieve a very specific goal, will they look for the goal that is even marginally more difficult. You want to have that extra layer of effort to get the bad guys in. Mark: To break Emacs and modify that Perl script. And the movie depicts it as if it all happened during one drunken night, whereas in the real world it took at least a couple of nights. Obviously he was very capable with what he was doing, but these are not zero-day feats.
These are not novel, innovative attacks that we have never seen before. Basically, you are automating the process of capturing images from web servers. So, something pretty simple. I would give it nine out of 10. I think that the only unrealistic element here is basically the fast forward they did to make it all happen in one dramatic night. Hack them all. This trick is actually based on a real-world trick that was demonstrated about a year before this movie came out. So in 2015, Charlie Miller and Chris Valasek demonstrated that they can remotely hack a 2014 Jeep Cherokee using the infotainment system.
I don't think it would have been realistic in 2016. It may not even be realistic today for a hacker to be able to access many different makes and models of cars. Even the best automotive safety researchers would have a hard time remotely turning on the ignition of a car that doesn't already have a feature like that built in. However, in the future we will see cars that are much more connected than ever. This could be a realistic and very scary scenario. I assume they are using unlimited computing power to coordinate the movements of all these vehicles. If you think about it, even if you have remote control of the steering of a vehicle, you would still need to have a satellite view of where all the cars are going and coordinate them in some way so that they all go in the same direction or where you want them to hit.
So we're going for seven out of 10. I'm taking points off for how easy everything is. Cipher already has everything set up, all you have to do is click on a tablet. I've definitely done it in the past. So, find a note, find a piece of paper that has the password of the system you want to access. People write down their passwords, but even more so, they recycle them. I just have to go to some of the many leaked password databases and I can easily find that you had five or six different accounts where you used the same password, so I bet you will use that same password, or a very close variation, for many of their other online services.
And hackers do this all the time. It's called filling in credentials, and we're just going to fill them in and try to see if any account, any system allows us to log in. It's very easy for hackers to review your social media posts, or maybe even when you're on a Zoom call, and you have that Post-it with a password right behind you. Then you want to enable things like two-factor or multi-factor authentication. And sometimes that extra layer of security could also be biometrics. Good scene. It gets 10 out of 10 for accuracy. I have done it myself. Airiam, how are we doing on that central data audit?
Airiam: The probe used multiple SQL injections, but I haven't found any compromised files yet. This one is terrible! This is horrible. So, I have to tell you that when I first watched this show, I turned off my TV that very second. To think that a space probe in the future, somewhere in space, would use something like a SQL injection to attack a Federation starship. So SQL injections are something that hackers use nowadays. You rely on the fact that SQL Server will execute everything you enter. And this is ironic because SQL was first created in the 1960s or 1970s, so maybe the show's writers are basically telling us that we'll be stuck with SQL for the foreseeable future.
I give it one out of 10. So do they connect to our boxes and do our boxes connect to actual WiFi? Enter Everyone's Device: The scenario described in the scene is very realistic and they are using a real-world device, a WiFi pineapple made by Hak5. What I have here is the Pineapple Nano WiFi, which is a much smaller version of the routers they used on the show. And it's designed to be very stylish, so you could walk around with something like this in your backpack and no one would notice. So any phone or computer that walks near a device like this will log into it instead of the legitimate hotspot it thinks it's logged into.
And they couldn't tell the difference. We then showed them a fake landing page and forced everyone to download a doctored version of the Hooli-Con app. The second part of the trick is also realistic. They are using their WiFi control to direct people to a website they control that looks like the Hooli Conference website. I would rate this a 10 out of 10. I highly doubt the CIA has servers that can be accessed over the Internet. While on that server, all the files are organized nicely in interesting folders with all the project names undercover. Now, this may seem unrealistic, but actually, a year after this movie came out, we saw something called Vault 7, which was introduced by WikiLeaks, which was an actual CIA leak.
And they had a lot of their covert operations, including their hacking tools, organized in files and folders like that. It's not like any security monitoring tool I know of. However, what's probably happening here is that Nicky is using a backdoor that someone has already installed from within the CIA. So basically, Nicky's computer sends packets to specific ports on the CIA computer, and after a specific sequence, a packet is sent to, say, port 7000, port 8000, port 9000, the CIA computer accepts it as a secret handshake and opens a connection from inside the CIA to Nicky's computer. This is a realistic capability.
Agent: Where is that trace? Agent: Unknown user. Again, they are using a basic capability. Traceroute is something that even your Windows computer could do, any Unix computer could do, but the CIA has additional things they put in there that will correlate it not only to a physical location somewhere in the world, but also to precise GPS coordinates. Sakov's hacking camp. So it's notable that the CIA instantly knows that location, they know it's a hacker space, they know all the hackers in the world and they know where they live. Kill the building's power. You know, this is not a capability that an intelligence agency is going to flaunt, if they have that capability, to remotely cut off power to a specific building.
When hackers hacked into Kyiv's power system in Ukraine in 2015, and then again in 2017, they knocked out power to parts of the city, and it took them months to set up that hack. I don't know if this is something that could really be done so specifically, in a particular house. We see IP addresses that are simply impossible. For example, an IP address starting with 300. So, IP addresses are made up of four octets, four segments. Each octet has three digits. The digits, of course, could be zero. So it could be anything from zero to 255. Every time in the movies you see an IP address that starts with... you know, that's like 257, it's fake.
It doesn't exist in the real world. If I'm hacking, I'd probably have some tools that would alert me if my computer was being scanned or tracked, but it wouldn't look like that. I'll give it a rating of six out of 10. They included some very realistic stuff, but fake IP addresses, that won't work. Okay, so "Hackers" is my favorite hacker movie of all time. It's the reason I chose to become a hacker in the first place. This is what it looks like when someone analyzes a piece of code. Spend a whole night. A montage passes by us.
He needs all that time, and he has friends, and they, you know, eat cold pizza and drink hot energy drinks. That's the hacker menu I grew up on. Dade: These are all the financial transactions that Ellingson makes, right? We now see hexadecimal on the left and right, the ASCII characters, or the financial transactions that the hexadecimal code would actually represent on Ellingson Corporation's computer systems. So this is quite realistic. The antagonist is using the Da Vinci virus. They basically created a very disturbing virus that threatens to capsize Ellingson Mineral Corporation's oil tankers if they are not paid a million dollars.
Mind you, this is the first ransomware case that Hollywood has described, before ransomware became a real thing. Nowadays, we have many attacks like this, where criminals take over your computer system and request payment to decrypt the files and give you back access to your systems. So while it wasn't accurate when the movie was developed, back in the '90s, I think it really predicted the future. I'd love to give this a 10 out of 10. I'll take away two points, a couple of points, simply because we don't actually see any of the software code. Stop recycling your passwords!
Not a good kind of recycling. Do not do it. In fact, I have a t-shirt somewhere that says, "Hackers don't get in. We log in." And that's pretty accurate.
