Hollywood hackers: how the silver screen gets it wrong
Angelina Jolie in Hackers.
Video game graphics, silly buzzwords and even two people typing frantically on the same keyboard at once – Hollywood has often had a bit of fun when it comes to computer hacking.
Chris Gatford, the director of penetration testing company HackLabs, has seen all the clichés. After all, they're based on his line of work. "Companies hire us to test computer security by trying to break in," he says.
We're starting to see technology actually enable some of the crazy ideas that the movies have been coming up with over the last 20 odd years.
But while many Hollywood hacking scenes are pure fantasy, others are closer to reality than you might think. Fairfax Media asked Mr Gatford to compare three security situations often seen in movies and TV shows to his experience in real life.
The password slot machine from the film WarGames.
There are two familiar ways to crack a password in Hollywood movies. The first is to guess it based on personal information about the user, such as the name of a child or favourite pet.
The other is to use a make-believe hacking system known by pop culture nerds as the Password Slot Machine, which will reveal the characters of the password one at a time and in no particular order.
Mr Gatford says neither method is particularly realistic. In fact, when it comes to getting into a protected network, the most important part is finding a list of usernames. After that, guessing one of the passwords is easy.
"It's funny. When you've got a network and you're doing password guessing, one of the easiest ways is to do an automated guess of the usernames," he says.
"Once you've got the user list, without fail, we'll always find at least one weak password."
The first passwords Mr Gatford looks for are ones that match the username. Next he looks for the phrase "Password1" and then the name of the company with the numeral 1 after it.
"Weak usernames and passwords are still the number one method for us gaining access to very sensitive information," he says.
Even if that strategy fails, Mr Gatford says there are other ways to get around password-protection without having to resort to guessing.
"You always chuckle when you see scenes in movies where they're trying to get past these complex passwords, when in the real world we just walk up to it and boot it with a different operating system," he says.
And yes, one of Mr Gatford's colleagues really did once get in with the username "admin" and password "admin".
Hacking the bank
Harrison Ford somewhat unrealistically hacks bank accounts in Firewall.
When it comes to the Hollywood cliché of the bank hacker who adds a few zeroes to his or her account balance, Mr Gatford is a little cagier – but, he says, it is possible.
"It's certainly not out of the realms of possibility," he says.
The big difference between the silver screen and reality is that such an operation would likely take weeks or months rather than a few minutes.
"It's like anything – more time, it's more likely it will come off," says Mr Gatford.
"Hollywood doesn't have the luxury of showing the background work. Like, if you've spent two weeks trying to get that particular (security) exploit working, or a social engineering payload to one person's desk for them to run to give you the access that you need."
The phrase "social engineering" refers to the human element of IT security – the person using the computer who might unwittingly run a fraudulent program or give out information to the wrong person. Mr Gatford says that factor is one of the risks most commonly overlooked by Australian organisations.
But human error isn't just a drawback for banks in this situation – it may also be a problem for hackers, specifically when it comes to navigating the complicated computer systems used by large organisations.
"Understanding complex IT environments at the best of times, even when you're supposed to be doing your job, is quite hard," says Mr Gatford.
"In most organisations, internal employees can often struggle to understand the intricacies and getting from A to B.
"But once again, if you're there long enough and if you know the right people..."
Tracking mobile phones
Sherlock Holmes tracks his enemies' movements by their mobile phones in Sherlock.
Of all the Hollywood security clichés, mobile phone tracking is probably the most accurate. In fact, thanks to smartphones equipped with GPS, it's something that many of us now let our friends do for fun.
Mr Gatford says law enforcement have long had the ability to pinpoint mobile phones by accessing information from signal towers.
"That technology has been around for quite some time and they can triangulate positions quite well. They can certainly get to somebody via that method," he says.
Since the launch of the iPhone and other smartphones equipped with GPS, users have been able to see each other's location as well – with permission. There are several popular apps that will tell you if your friends are nearby.
However Mr Gatford says the rise in GPS tracking has also led to some slip-ups that even Hollywood would struggle to imagine, such as the case of a hacker who was tracked down by authorities after posting a photo of his girlfriend's breasts on the web – without realising the camera recorded the location where the shot was taken.
"It's just hilarious. You can't make that stuff up," he says.
Mr Gatford says that GPS is one example of life imitating art, and technology allowing ideas which would have once just been science-fiction on the screen to become real.
"We're starting to see technology actually enable some of the crazy ideas that the movies have been coming up with over the last 20 odd years."