Hacking the movies

In the first month of 2015 a new hacker movie called Blackhat is set to come out. The movie is about a convicted blackhat hacker getting recruited by the government to track down another hacker causing mayhem and destruction. It looks fascinating and I plan to at some point see it and hopefully review it on the site.

In the meantime here are the hacker movies (in no particular order) I have seen and what I've thought of them.

Hackers - 1995

Very entertaining movie. It's been a while since I've seen it, but there are a lot of very memorable scenes that I can recall. It was also referenced at the most recent DEF CON by Wesley McGrew when he hacked the pineapples people tried to use at the security conference.

Sneakers - 1992

I recently watched this movie for the first time and I was a little disappointed that I've missed out on this wonderful movie for the past two decades. It uses a lot of techniques pen testers use today to break into an organization and it's got a top notch cast. Robert Redford, David Strathairn, Dan Aykroyd, Timothy Busfield, Mary McDonnell and Donal Logue. I'm pretty sure the logo for the Blackhat conference comes from this movie.

Swordfish - 2001

I've read on Twitter that the hacking scenes in this movie are bullshit (I haven't watched it since getting into infosec) and they probably are, but that doesn't make it any less entertaining. The hacking part of the movie is simply there to push the story along to John Travolta shooting people while standing in a sports car and helicopters making buses fly. I watched this movie several times in my younger years.

Die Hard 2 - 1990

It might be a bit of a stretch to call Die Hard 2 a hacker movie, but I just watched it recently and think it's totally a hacker movie. A rogue military group takes over Dulles airport to free a drug lord being extradited to the U.S. They hack into the Dulles airport tower and seize control of all the systems. There's not a lot of actual hacking, but there is quite a bit of social engineering that provides a nice twist towards the end of the movie.

Live Free or Die Hard - 2007

This Die Hard actually did have quite a bit of hacking included in the movie and for the life of me I don't remember a whole lot about the movie. I thought it was a solid movie, though of course not as good as the other Die Hard movies. I'll be watching it again some time in the near future.

Office Space - 1999

In an interview I was once asked to name my three favorite movies. This was one of the movies I answered with and as expected I didn't get the job. This movie isn't about hacking but it's one of the key elements of the film when Peter, Michael and Samir upload a virus to try and rip off the company they're about to be fired from. It's a good example of insider threat now that I think about it. It's still one of my favorite movies of all-time and if employers can't handle that, that's their problem.

The Matrix - 1999

I'm still not sure if this should be considered a hacking movie, but it uses hacking as the gateway into the real world and out of the dream state that is the Matrix. It's a visually stunning, action-packed movie that still holds up today. The other movies, not so much.

Tron - 1982

This falls along the same lines as The Matrix. A visually stunning movie that uses hacking as a gateway into another world. Tron: Legacy (2010) is even more stunning, but like the Matrix sequels falls short of the original. The soundtrack is good though.

The Italian Job - 2003

There's quite a bit of hacking from "The Napster" (Seth Green) as well as some social engineering. I would have to watch the movie again (it's free on Amazon Prime, at the moment), but from what I recall there wasn't a lot of messing about with hacking techniques. Lyle (Seth Green) was in and out and probably highlighted a weakness in traffic equipment that has become a bit more relevant today. Though, it seems to be used more as a prank than for a brilliant plan to steal a ton of gold bars.

The Social Network - 2010

Facebook all started with the hacking of the Harvard network by Mark Zuckerberg, according to the movie. The hacking seemed pretty legitimate in the movie, though I'll need to go to the judges on that one. It played a small role at the beginning of the movie and that was about it. Then it turned into a programmer and developer movie. I thought the movie was good and enjoyed it thoroughly. Like a few other movies that only have small parts of hacking this probably should make the list, but it's on the Wikipedia list so there's that.

What about you?

What are some movies you enjoyed or hated that included hacking? What did I miss and what should I see? Which ones incorporate the best hacking techniques?

Happy New Year!

This post first appeared on Exploring Information Security.

Console infosec links December 31, 2014

Grinches steal Christmas for Xbox Live, Playstation Network users - Eric Bangeman - Ars Technica

Hacker group Lizard Squad took credit for the DDoS attack via Twitter, promising to back off once they get a sufficient number of retweets. "Get this tweet 2,000RTS and make sure to follow @iBeZo if you want us NOT to hit XBOX and PSN #offline for the rest of the night! RT," the group tweeted Christmas night.

Darkode - Ode to LizardSquad (The Rise and Fall of a Private Community) - MalwareTech

With darkode as a cybercrime hotspot, it's not really a huge surprise that people working in the security industry gained interest in getting access. Researchers such as Xylitol and Brian Krebs dedicated a big part of their blogs to having the inside scoop on darkode, and although admins were very proactive in seeking out and banning security researchers; there was always another hacker to pay off or account to hijack, resulting in numerous threads hating on researcher and Brian Krebs becoming a meme. 

Who's in the Lizard Squad? - Brian Krebs - Krebs on Security

The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft’s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks.

NSA infosec links December 30, 2014

Over 700 Million People Taking Steps to Avoid NSA Surveillance - Bruce Schneier - Schneier on Security

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

NSA waiting until Christmas Eve to reveal its embarrassing self-audit - Kevin Collier - The Daily Dot

The report is a collection of documents, heavily redacted, arranged by quarter, and ranging from the end of 2001 to the end of 2012. They largely catalog individual instances where a National Security Agency employee illegally or mistakenly used the agency’s powerful technology to search an American or a foreigner in the U.S. without a warrant, was caught, reprimanded, and the information deleted.

Prying Eyes: Inside the NSA's War on Internet Security - SPIEGEL Staff - SPIEGEL Online International

Today, NSA spies and their allies do their best to subvert the system their own military helped conceive, as a number of documents show. Tor deanonymization is obviously high on the list of NSA priorities, but the success achieved here seems limited. One GCHQ document from 2011 even mentions trying to decrypt the agencies' own use of Tor -- as a test case.

Hacking infosec links December 29, 2014

Hacker Lexicon: What Is an Air Gap? - Kim Zetter - WIRED

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

Hacker Lexicon: What Is a Backdoor? - Kim Zetter - WIRED

Generally this kind of backdoor is undocumented and is used for the maintenance and upkeep of software or a system. Some administrative backdoors are protected with a hardcoded username and password that cannot be changed; though some use credentials that can be altered. Often, the backdoor’s existence is unknown to the system owner and is known only to the software maker. Built-in administrative backdoors create a vulnerability in the software or system that intruders can use to gain access to a system or data.

Marketing Just Isn't Ready for Hackers - Peter Herzog - Dark Matters

The infosec staff that came through had been talking about it being a potential toehold in the company to reach other systems. But when they saw the compromises didn’t go further than a few servers in marketing, they concluded it was just an employee who brought the infection in from home and that they caught it in time.

But did they?

Policed infosec links December 24, 2014

Pirate Bay Has Been Raided and Taken Down: Here's What We Know - Kim Zetter - WIRED

“There were a number of police officers and digital forensics experts there. This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many,” Swedish prosecutor Fredrik Ingblad told Radio Sweden.

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users - Kevin Poulsen - WIRED

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.

The Limits of Police Subterfuge - Bruce Schneier - Schneier on Security

The facts are these. In June, two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

InfoSec links December 22, 2014

Hacker Lexicon: What is a Zero Day - Kim Zetter - WIRED

Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it. Because zero day vulnerabilities are unknown to software vendors and to antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious behavior).

Finally, a New Clue to Solve the CIA's Mysterious Kryptos Sculpture - Kim Zetter - WIRED

The 12-foot-high, verdigrised copper, granite and wood sculpture on the grounds of the CIA complex in Langley, Virginia, contains four encrypted messages carved out of the metal, three of which were solved years ago. The fourth is composed of just 97 letters, but its brevity belies its strength. Even the NSA, whose master crackers were the first to decipher other parts of the work, gave up on cracking it long ago. So four years ago, concerned that he might not live to see the mystery of Kryptos resolved, Sanborn released a clue to help things along, revealing that six of the last 97 letters when decrypted spell the word “Berlin”—a revelation that many took to be a reference to the Berlin Wall.

How the World's First Computer Was Rescued From the Scrap Heap - Brendan I. Koerner - WIRED

When the Army declared ENIAC obsolete in 1955, however, the historic invention was treated with scant respect: its 40 panels, each of which weighed an average of 858 pounds, were divvied up and strewn about with little care. Some of the hardware landed in the hands of folks who appreciated its significance—the engineer Arthur Burks, for example, donated his panel to the University of Michigan, and the Smithsonian managed to snag a couple of panels for its collection, too. But as Libby Craft, Perot’s director of special projects, found out to her chagrin, much of ENIAC vanished into disorganized warehouses, a bit like the Ark of the Covenant at the end of Raiders of the Lost Ark.

InfoSec links December 18, 2014

Spike in Malware Attacks on Aging ATMs - Brian Krebs - Krebs on Security

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

This Fake Log Jams Your Phone So You'll Shut Up and Enjoy Nature - Andy Greenberg - WIRED

Artist and coder Allison Burtch has created a new device to save us from our cellphones and ourselves. It comes in the form of a 10-inch birch log that jams cellular radio signals, and it’s called the Log Jammer. Packed with about $200 of hardware including a power source, a circuit board of her own design, voltage control components, an amplifier, and an antenna, it can produce radio noise at the 1950 megahertz frequency commonly used by cellphones. It’s powerful enough to block all cellphone voice communications in a 20-foot bubble, and its log-like exterior is designed to unobtrusively create that radio-jamming zone in the great outdoors.

'Replay' Attacks Spoof Chip Card Charges - Brian Krebs - Krebs on Security

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

InfoSec links December 17, 2014

Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System - Kim Zetter - WIRED

He was surprised again when, six months later, USA Today published a different story revealing for the first time that the NSA was secretly collecting the phone call records of tens of millions of Americans, records that US telecoms were willingly handing over without a warrant. Two of the three identified telecoms denied the allegations, and the story quickly died. But its ghost lingered on, neither fully confirmed nor denied, haunting Wyden. It took another seven years for a document leaked in 2013 by Edward Snowden to end the speculation and finally confirm that the bulk-collection phone records program existed.

Facebook, Google, and the Rise of Open Source Security Software - Cade Metz - WIRED

Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.”

Dark Hotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests - Kim Zetter - WIRED

Kaspersky researchers named the group DarkHotel, but they’re also known as Tapaoux by other security firms who have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but the hotel hacks appear to be a new and daring development in a campaign aimed at high-value targets.

InfoSec trickery links December 16, 2014

Whisper CTO says tracking "anonymous" users not a big deal, really - Sean Gallagher - Ars Technica

The Guardian was exploring a potential editorial relationship with Whisper, and staff from the news organization spent three days at Whisper’s offices in Los Angeles. While there, the Guardian team witnessed Whisper employees using an in-house geolocation tool to track posts made from various locations and found that the company is tracking specific Whisper users believed to be “potentially newsworthy,” including members of the military, government employees, and employees of companies such as Disney and Yahoo. The company also shares information about posters and their locations with the Defense Department, FBI, and the UK’s MI5, the Guardian’s Paul Lewis and Dominic Rushe reported.

Now Everyone Wants to Sell You a Magical Anonymity Router. Choose Wisely - Andy Greenberg - WIRED

Maintaining your privacy online, like investing in stocks or looking good naked, has become one of those nagging desires that leaves Americans with a surplus of stress and a deficit of facts. So it’s no surprise that a cottage industry of privacy marketers now wants to sell them the solution in a $50 piece of hardware promising internet “anonymity” or “invisibility.” And as with any panacea in a box, the quicker the fix, the more doubt it deserves.

How to Tell Data Leaks from Publicity Stunts - Brian Krebs - Krebs on Security

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

Doing shady things - infosec links December 10, 2014

DEA Sets Up Fake Facebook Page in Woman's Name - Bruce Schneier - Schneier on Security

A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name.

Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine - Robert McMillan - WIRED

The company—one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.

Be Wary of 'Order Confirmation' Emails - Brian Krebs - Krebs on Security

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

InfoSec breach links December 8, 2014

I'm back. I passed my Spanish course and will have some thoughts on that experience next week. I still have two final projects to complete for two other classes so the posts for this week will be simple and probably mostly link dumps. I have been keeping up with security news and saved several links from this past month. Needless to say, some of them are quite dated, but it's an interesting look at all the security stuff that happens in a month to two-month time-frame.

Malware Based Credit Card Breach at Kmart - Brian Krebs - Krebs on Security

“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”

Banks: Credit Card Breach at Staples Stores - Brian Krebs - Krebs on Security

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Sony Got Hacked Hard: What We Know and Don't Know So Far - Kim Zetter

As so often happens with breach stories, the more time that passes the more we learn about the nature of the hack, the data that was stolen and, sometimes, even the identity of the culprits behind it. A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here’s a look at what we do and don’t know about what’s turning out to be the biggest hack of the year—and who knows, maybe of all time.

InfoSec privacy links October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items, on Mac OS X Yosemite devices sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

Google offers new two-factor authentication option

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options: receive a text message with the two-factor code or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned at the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between the lost device and discovery. And if someone steals the device and happens to have the password to my account it seems like it would be much easier for them to get into my account with hardware that's supposed to make it more convenient for me to log in. Sure my phone can be lost or stolen, but I'll know about it pretty quickly and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security is a very good thing.

InfoSec links October 20, 2014

Finding a Video Poker Bug Made These Guys Rich -- Then Vegas Made Them Pay - Kevin Poulsen - WIRED

Williams could see that Kane was wielding none of the array of cheating devices that casinos had confiscated from grifters over the years. He wasn't jamming a light wand in the machine's hopper or zapping the Game King with an electromagnetic pulse. He was simply pressing the buttons. But he was winning far too much, too fast, to be relying on luck alone.

Signed Malware = Expensive "Oops" for HP - Brian Krebs - Krebs on Security

Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Everything you need to know about the POODLE SSL bug - Troy Hunt - troyhunt.com

Which brings us to POODLE. Whilst I doubt we’ll see the same mass hysteria as we did last month, it is (and will continue) hitting the news and like the other two biggies this year, it’s serious enough to warrant attention and obscure enough to result in wild speculation and a general misunderstanding of the underlying risk. Let me share what I know based on the questions I’m hearing.

InfoSec links October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - Ars Technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.
