Lessons from the Michael Mann, Chris Hemsworth movie?


Blackhat, the hacker film directed by Michael Mann and starring Chris Hemsworth, can spread awareness of digital threats. If this is a learning opportunity, what are the lessons?

Blackhat: Lessons from the Michael Mann, Chris Hemsworth movie?

The Hacker Movie Black hat definitely uses the language of cyber security, real terms like: Malware, Proxy Server, Zero Day, Payload, RAT, Edge Router, IP Address, PLC, Bluetooth, Android, PGP, Armored Host and USB to name a few. But how real is the plot of Black hatwith its malware-induced scenarios of physical and financial mayhem?

I went to a screening of the film with some of my colleagues at ESET to see if there were any useful lessons to be learned from this latest contribution to the hacker film genre (for an overview of this genre from a security expert’s perspective, see Hacker movies we love and hate of Dark Reading).

Spoiler alert: No spoilers intended. I think I can talk about Black hat without giving anything away, but if you’re particularly sensitive to spoilers, you might want to go see the movie first. I cannot guarantee that reading what follows will not affect your viewing experience.

First the good news, the basic premise of Black hat is good, at least in principle. Even if you don’t believe in Chris Hemsworth as a hacker or can’t get over Michael Mann’s obsession with handheld video, you have to admit that the movie got some things right:

  • The use of malicious code to cause physical damage is real (Stuxnet).
  • The use of malware and/or manipulation of fraudulent stock price data is real (Rustock, pump and dump scams triggered by spam).
  • The use of convicted criminal hackers by the FBI and other law enforcement agencies is real (Sabu, Adrian Lamo).
  • NSA Hacking Could Happen (Snowden).
  • The bad guys’ bluetooth messaging system was pretty clever.

So, the plot of the film is based on a solid premise. And most of the hacking you see done in the movie is within the realm of possibility (some of it is completely believable, like phishing with a .PDF file and using USB drives as an attack vector). To me, this means that the film can work as an awareness exercise, for example, for any boss who doesn’t yet “get it” that this sort of thing can happen to their companies if there are holes in their security ( that janitor in the bank building scene apparently missed the company’s security awareness session on spotting social engineering attacks).

I also think the film works as a reminder of how vulnerable the world’s industrial infrastructure is to attacks on networked systems and misuse of code. The plot features several infrastructural elements that can be weaponized to devastating effect by manipulating digital controls (not just the obvious ones in the opening sequence).

Unfortunately, the way the plot plays out Black hat reduces technical accuracy (a common drawback of hacking moves). Put aside the love interest, which I felt came too quickly, and the gunfights, which are certainly too much “hot” for a hack story. Just think about coding: too much of it happens too fast to be realistic. Yes, I know it’s “just a movie”, but some delightful glimpses of realism were undermined by the incredible speed at which some of the hacks were executed. While I enjoyed the nod given to the very real phenomenon of malicious code recycling, the speed at which the trapped .PDF was put together was a little ridiculous, a missed opportunity to build some race-against-the-clock tension by showing how much Tedious and time-consuming aspects of creating and distributing malware can be.

Which brings us to the question of how well Black hat works like a movie. Does it really sell the basic premise that our world is threatened by rampant criminals and nation-state hacking? Honestly, I don’t know the answer because it will depend on how you feel about the acting and filming. I’ve already mentioned the latter (my feelings about Mann’s use of video echo those of Peter Debrugge, chief international film critic for Diversity). But I’ll hold off on what I think of the acting and let the viewers decide how well they think it worked.

Before I look at the lessons your organization can learn from Black hat, I’ll answer two hacker-related questions: Is Chris Hemsworth too good-looking to be a hacker? and is it plausible that a hacker is well trained in martial arts and gunplay? As it happens, I know some good-looking guys who combine impressive hacking skills with a strong interest in martial arts and firearms. One of them went through a period of participation in live fire exercises. And I know a computer forensics expert who is a sniper with a three-letter agency. Being in good physical shape and hacking are certainly not mutually exclusive. One could even argue that Mann deserves some credit for defying the hacker stereotype of a pale-faced, sleazy geek. On whether Mr. Hemsworth is the right choice for the lead role Black hatI’ll leave that up to you to decide when you’ve seen the movie.

1. Always enforce media control: you don’t want an old USB drive being inserted into your systems, at least not without a solid knowledge of where it’s coming from and a thorough scan for malware on insertion. be sure automatic start is disabled on Windows devices.

2. Be very careful with any email attachment: ask yourself who sent it and why. Does it make sense that someone sent you this file? Err on the side of caution and call or text to confirm. Make sure all attachments are scanned with anti-malware software. (For more information detection of phishing messages read David Harley.)

3. Understand the radio risks: the more we rely on wireless communications, the more efforts bad guys will make to mess with them, intercept traffic to steal credentials and data, perform man-in-the-middle attacks, disrupt service, impersonate legitimate access points. (See my note on Software Defined Radio (SDR) in No warning signs visible section of this article.)

4. Don’t rely on digital information: whenever possible, supplement digital versions of reality with your own five senses. Whether you’re driving a car, plane, or boat, or managing an industrial process, or monitoring security, be aware that digital emissions can be compromised. They can give you bad data, either intentionally or accidentally. Situational awareness means using your eyes and ears as well as digital indicators (just because your car’s GPS tells you your route goes over the river doesn’t mean the road does).

5. Empower employees to defeat social engineering attacks: from asking visitors for identification to confirming the legitimacy of phone requests for sensitive information, every employee should be told it’s okay to err on the side of skepticism. Indeed, skepticism about digital communications can serve us well in all walks of life (as anyone familiar with my colleague David Harley’s posts on scams and scams can confirm, lo link to many of them).

Update: I have only seen Black hat once, so I’ve probably missed some teachable moments – please leave a comment and let me know if you saw anything noteworthy or if you disagree with my assessment of the film.

Comments are closed.