Hollywood hackers: how the silver screen gets it wrong

Andrew Ramadge

Angelina Jolie in Hackers.

Video game graphics, silly buzzwords and even two people typing frantically on the same keyboard at once – Hollywood has often had a bit of fun when it comes to computer hacking.

Chris Gatford, the director of penetration testing company HackLabs, has seen all the clichés. After all, they're based on his line of work. "Companies hire us to test computer security by trying to break in," he says.

But while many Hollywood hacking scenes are pure fantasy, others are closer to reality than you might think. Fairfax Media asked Mr Gatford to compare three security situations often seen in movies and TV shows to his experience in real life.

David (Matthew Broderick) and Jennifer (Ally Sheedy) in film still from Wargames.


Cracking passwords


The password slot machine from the film WarGames.

There are two familiar ways to crack a password in Hollywood movies. The first is to guess it based on personal information about the user, such as the name of a child or favourite pet.

The other is to use a make-believe hacking system known by pop culture nerds as the Password Slot Machine, which will reveal the characters of the password one at a time and in no particular order.

Mr Gatford says neither method is particularly realistic. In fact, when it comes to getting into a protected network, the most important part is finding a list of usernames. After that, guessing one of the passwords is easy.

"It's funny. When you've got a network and you're doing password guessing, one of the easiest ways is to do an automated guess of the usernames," he says.

"Once you've got the user list, without fail, we'll always find at least one weak password."

The first passwords Mr Gatford looks for are ones that match the username. Next he looks for the phrase "Password1" and then the name of the company with the numeral 1 after it.

"Weak usernames and passwords are still the number one method for us gaining access to very sensitive information," he says.

Even if that strategy fails, Mr Gatford says there are other ways to get around password-protection without having to resort to guessing.

"You always chuckle when you see scenes in movies where they're trying to get past these complex passwords, when in the real world we just walk up to it and boot it with a different operating system," he says.

And yes, one of Mr Gatford's colleagues really did once get in with the username "admin" and password "admin".

 

Hacking the bank


Harrison Ford somewhat unrealistically hacks bank accounts in Firewall.

When it comes to the Hollywood cliché of the bank hacker who adds a few zeroes to his or her account balance, Mr Gatford is a little cagier – but, he says, it is possible.

"It's certainly not out of the realms of possibility," he says.

The big difference between the silver screen and reality is that such an operation would likely take weeks or months rather than a few minutes.

"It's like anything – more time, it's more likely it will come off," says Mr Gatford.

"Hollywood doesn't have the luxury of showing the background work. Like, if you've spent two weeks trying to get that particular (security) exploit working, or a social engineering payload to one person's desk for them to run to give you the access that you need."

The phrase "social engineering" refers to the human element of IT security – the person using the computer who might unwittingly run a fraudulent program or give out information to the wrong person. Mr Gatford says that factor is one of the risks most commonly overlooked by Australian organisations.

But human error isn't just a drawback for banks in this situation – it may also be a problem for hackers, specifically when it comes to navigating the complicated computer systems used by large organisations.

"Understanding complex IT environments at the best of times, even when you're supposed to be doing your job, is quite hard," says Mr Gatford.

"In most organisations, internal employees can often struggle to understand the intricacies and getting from A to B.

"But once again, if you're there long enough and if you know the right people..."

 

Tracking mobile phones


Sherlock Holmes tracks his enemies' movements by their mobile phones in Sherlock.

Of all the Hollywood security clichés, mobile phone tracking is probably the most accurate. In fact, thanks to smartphones equipped with GPS, it's something that many of us now let our friends do for fun.

Mr Gatford says law enforcement have long had the ability to pinpoint mobile phones by accessing information from signal towers.

"That technology has been around for quite some time and they can triangulate positions quite well. They can certainly get to somebody via that method," he says.

Since the launch of the iPhone and other smartphones equipped with GPS, users have been able to see each other's location as well – with permission. There are several popular apps that will tell you if your friends are nearby.

However Mr Gatford says the rise in GPS tracking has also led to some slip-ups that even Hollywood would struggle to imagine, such as the case of a hacker who was tracked down by authorities after posting a photo of his girlfriend's breasts on the web – without realising the camera recorded the location where the shot was taken.

"It's just hilarious. You can't make that stuff up," he says.

Mr Gatford says that GPS is one example of life imitating art, and technology allowing ideas which would have once just been science-fiction on the screen to become real.

"We're starting to see technology actually enable some of the crazy ideas that the movies have been coming up with over the last 20 odd years."

45 comments

  • My two favorite Hollywood IT stuff ups are:

    1. People hacking away at a keyboard and never needing to use a mouse... ever! Clearly they have mastered every keyboard shortcut known to man.. and;

    2. The make believe UI / operating systems... I must be in the minority of people using windows on my machines..

    (oh, and we laughed out loud during an episode of Hawaii 5-0 when a bloke was using wifi only face-time on an iphone to talk to his son whilst being driven around in the back of a car.. that was a big fail)

    Commenter: User; Location: Melbourne; Date and time: April 27, 2012, 10:30AM
    • RE: #2, unless of course he was using a wifi hotspot from another device = /

      Commenter: jojo; Date and time: April 27, 2012, 11:14AM
    • Clearly everyone is using that hacker OS 'You-nicks' without a mouse!

      ps. google facebreak for 3g facetime

      Commenter: Gesus; Date and time: April 27, 2012, 12:01PM
    • To be honest, #1 is not really a 'fail' as you can use a keyboard without a mouse... everything you need a mouse for has some keyboard shortcuts. Some computer nerds or whiz could type their way to heaven without ever needing a mouse.

      Commenter: Jigga; Location: Sydney; Date and time: April 27, 2012, 12:23PM
    • Just did a quick poll in the office full of IT professionals.

      General consensus is any hacker who knows his stuff wouldn't need a mouse; none of us use it.

      Commenter: rar222; Date and time: April 27, 2012, 12:24PM
    • Well dumb terminals didn't have mouses - they didn't come out until 1984.
      And you never use them on Unix or Novell DOS, which is what most networks run on.

      Favourite is the (unconnected!) Commodore 64 used on "Police Academy 2" for a GPS.
      And the Atari Portfolio (32kb of RAM) used to hack in to an ATM on Terminator 2.

      Commenter: nullzone; Date and time: April 27, 2012, 12:40PM
    • I love how people cite a "lack of mouse usage" as a sign that it's unrealistic. I don't use a mouse at all on my laptop. And it's not all about "keyboard shortcuts". A command-line based tool is often more efficient than trying to hunt for buttons & menus.

      Not to mention that a Command-Line environment takes a lot less time to load than waiting for Windows to boot up.

      Commenter: Matt; Location: Canberra; Date and time: April 27, 2012, 12:52PM
  • Since this article is based on information most IT-savvy people either know or could easily find out, couldn't this have been written without making it seem to be an advertisement for "Mr Gatford", whose name was mentioned 12 times?

    Oh, and you left out the single most common method of hacking, which is pretty much never mentioned by Hollywood - making use of SQL injections and other software security holes and exploits which remain unpatched in thousands of corporate systems.

    Commenter: DM; Date and time: April 27, 2012, 10:45AM
    • Hollywood hacking is a laugh, I like it. Also great are the various GUIs and sound effects within. Youtube 'numb3rs IRC' for a funny clip btw.

      Commenter: barry; Date and time: April 27, 2012, 11:05AM
      • @User - we had a couple of penetration testers, from Hacklabs actually, and they didn't use Windows.

        @DM - But this is about Hollywood vs real life. Not real life vs real life. I have never heard Hollywood talking SQL injections either.

        Commenter: Jean; Location: Melbourne; Date and time: April 27, 2012, 11:17AM
