As a once weekly movie goer, it’s been disappointing having to settle for the “big screen” experience from my living room couch. (Although, the lower “ticket price” and much less buttered popcorn has been a good trade-off.)
I joined Impelix in January 2020, only a couple months prior to the lockdown, and since then, I’m watching movies and their machinations from home through a new lens. Every cinema security failure stands out. Sort of like when you buy a red car, all you see on the road is other red cars. Unexpectedly, this has added some entertainment value (often with me laughing at the movie, not with it), and even more unexpectedly, revealed applications to our work.
This movie buff would like to share three of my favorite security failures from movies, and the real-world lessons we can take from them.
Movie Security Failure 1
Mischief in Stuttgart
The first fail on my list comes from a scene in Marvel’s The Avengers (seventh on the list of highest grossing films of all time). Loki, in possession of the coveted Tesseract, and Clint Barton, a.k.a. Hawkeye, under the mind control of the Lord of Mischief, crash a German soirée in Stuttgart. And mischief is definitely on their minds.
Seeking to steal the iridium necessary to stabilize the Tesseract, Loki (appropriately dapper for the occasion) captures Dr. Heinrich Schafer, who has access to a nearby facility safeguarding the metal. With a sleek device purpose-built for the grisly task, Loki dramatically (ahem) locates one of the doctor’s eyeballs to scan it, immediately sending along the biometric marker to Hawkeye, who’s waiting at the iridium vault’s entryway. With his own sleek device, Hawkeye presents the eyeball, now digitized and projected as a hologram, for the vault’s security scanner and, voilà, without any additional authentication, gains access to the iridium.
Lesson: Enable Multi-factor Authentication
Nowadays, single-factor authentication simply doesn’t cut it to keep out attackers — particularly those who are demigods. But fear not. It doesn’t require the powers of an Avenger to achieve the necessary protection. According to Microsoft, adding a second layer of authentication to enable MFA (multi-factor authentication) blocks 99.9% of account hacks. (It’s worth noting, according to Verizon, that 80% of breaches are the result of credential attacks.)
Adding a second layer of authentication to enable MFA blocks 99.9% of account hacks.
Unfortunately, Dr. Schafer didn’t get that memo about MFA. Then again, if he had, Loki may have been forced to locate another part of his body …
Movie Security Failure 2
Weakness from “The Watchmen”
Directed by Zack Snyder, The Watchmen was released in theaters in 2009. It was an incredibly faithful adaptation, nearly frame by frame, of the original comic masterpiece written by Alan Moore and illustrated by Dave Gibbons — incidentally, the only graphic novel named to TIME’s Top 100 Novels list.
The story is set in an alternate-reality 1985: President Richard Nixon is serving his fifth term. The Watergate scandal never happened. Personal PCs did, though.
And it’s at the PC of retired superhero and genius billionaire Adrian Veidt (alias Ozymandias) that the recently unretired Nite Owl and Rorschach find themselves, having snuck into his office, suspicious that Adrian may have information about the assassin who is targeting the former capes in their circle. Now cliché in such movie scenarios, the duo must guess the password to gain access to the files (under the assumption that the so-called “smartest man in the world” has protected his most sensitive information with a password that is guessable.)
And indeed, he has. In fact, the password is simply the Egyptian name for his superhero moniker. Face — meet palm. 🤦♂️ (Instead of stupidity, I’ll chalk this up to hubris from a man who sells action figures of himself.)
Lesson: Use Strong Passwords
If the first rule of Fight Club is don’t talk about Fight Club, then the first rule of Password Management is never, ever create a password using personal details (those that are less and less confidential in this age of social media oversharing). Oh, and don’t talk about it.
If the first rule of Fight Club is don’t talk about Fight Club, then the first rule of Password Management is never, ever create a password using personal details.
Ole’ Ozymandias certainly isn’t the only one guilty of using a weak password. The number one most common password of 2020? “123456.” That’s just lazy. Look, if you’re going to use a weak password of numerals, at least be cute with, say, 867-5309 (“Jenny, Jenny, who can I turn to?”) And wouldn’t you know it, “password” (yes, the word itself) is number four on the list.
All of which should horrify IT and cyber security professionals, if not shock them.
You may have heard this before, but it bears repeating:
- Make passwords long
- Mix upper and lower-case letters, numbers, and symbols
- Never reuse passwords
- Maybe hit the easy button, and use a password generator
This way, you’ll keep Nite Owl guessing for a very, very long time. (And keep him away from Jenny.)
Or better yet: consider getting rid of passwords altogether. As our CTO has predicted, 2021 is “The Year of Passwordless.”
Movie Security Failure 3
Gone Phishing
It’s only fitting that we round out this list with another Asgardian. In 2015, propelled to leading-man status by his turn as Marvel’s Thor, Chris Hemsworth starred in Blackhat, a thriller directed by Michael Mann with a cyber warfare plot. It bombed at the box office. (Not to say that cyber warfare is silver screen kryptonite … but maybe. And good thing for Chris, a red cape and hammer awaited him back at the records-smashing Marvel Cinematic Universe.)
One thing the movie did get right (well, by Hollywood standards) was its portrayal of hacking.
As CSO tech journalist Maria Korolov notes, “The social engineering was real.”
Hemsworth’s character, Nicholas Hathaway, released from prison by the FBI, is tasked with rooting out an elusive fellow hacker based in Southeast Asia to earn his freedom. In a twist of events, this requires him to hack the NSA itself.
To do so, Hathaway goes phishing — to be exact, spearhead phishing — a highly targeted form of social engineering. His bait? A convincing email to an NSA official, posing as his boss, prompting him to download a PDF containing malware (in this case, a keyword logger). Hook, line, and sinker!
“This happens,” writes Korolov. “The Sony hack reportedly started with a phishing email. People are always clicking on things they shouldn’t — even people who you’d think would know better.”
Lesson: Prevent Phishing with Training
According to ZDNet, it’s estimated that BEC (business email compromise) attacks were responsible for half the money lost to cyber criminals in 2019, and almost $700 million is lost to these attacks every month. 😱
Like real estate and location, phishing prevention starts with training, training, and more training. It sounds simple, but it’s effective. Training employees to spot suspicious emails, even doing so in a protected environment, goes a long way in preventing attacks and potentially millions in losses.
Like real estate and location, phishing prevention starts with training, training, and more training.
Some phishing prevention guidelines:
- Be suspicious of password reset requests
- Never share your credentials
- Hover first to examine links before clicking
- Google search purported claims of Nigerian royalty
These are all habits users can learn to adopt with the proper training. “The More You Know,” right?
Conclusion
Movies are the best. Perhaps not the best at realistically portraying hacking, or logical security in general for that matter, but they’re definitely the most inspiring medium of our time and powerful in their representation of our most beloved characters and stories. And even if their accuracy is lacking, we can certainly learn artful lessons to better secure our internet-connected real world from bad actors (rimshot!) with mischief on their minds.
