
Mendoza, Charles Glynn B.

BSA-IV
Blackhat, the hacker movie directed by Michael Mann and starring Chris Hemsworth,
could spread awareness of digital threats.
The hacker flick Blackhat definitely uses the language of cybersecurity, real terms like
malware, proxy server, zero day, payload, RAT, edge router, IP address, PLC, Bluetooth, Android,
PGP, bulletproof host, and USB, to name just a few.
So, the plot of the movie builds on a solid premise. And most of the hacking you see
performed in the movie is within the realm of the possible (some of it is downright plausible, like
spear-phishing with a .PDF file and the use of USB drives as an attack vector). For me, that means
the movie could work as an awareness-raising exercise, for example, for anyone in the C-suite who
still doesn’t get that things like this can happen to their companies if there are holes in their
security.
I think the movie works as a reminder of how vulnerable the world’s industrial
infrastructure is to attacks on network systems and the abuse of code. The plot involves a couple
of infrastructure items that could be weaponized to devastating effect through manipulation of
digital controls (not just the obvious one in the opening sequence).
Unfortunately, the way the plot is played out in Blackhat diminishes the technical accuracy
(a common failing of hacker flicks). Just consider the coding: too much of it happens too fast to
be realistic. Yes, I know it’s just a movie, but some admirable flashes of realism were undercut by
the improbable speed of execution of some of the hacks. While I enjoyed the nod given to the very
real phenomenon of malicious code recycling, the speed with which a booby-trapped .PDF was
put together was a tad ridiculous, a lost opportunity to create some race-against-time tension by
showing how tedious and time-consuming some aspects of malware creation and distribution can
be.
The lessons that can be learned from the movie are the following:
1. Always enforce media controls: you don’t want any old USB drive inserted in your
systems, at least not without solid knowledge of where it came from and a thorough scan for
malware upon insertion. Make sure autorun is disabled on Windows devices.
2. Be very careful with any email attachment: ask yourself who sent it and why. Does it
make sense that someone sent you this file? Err on the side of caution and call or text to confirm.
Make sure all attachments are scanned with anti-malware. (For more on recognizing phishing
messages, read David Harley.)
3. Don’t rely on digital information: whenever possible, supplement digital versions of
reality with your own five senses. Whether you are navigating a car or plane or boat, or running
an industrial process, or monitoring security, bear in mind that digital feeds can be compromised.
They may feed you bad data, intentionally or accidentally. Situational awareness means using your
eyes and ears as well as digital indicators (just because your car’s GPS says your route goes over
the river doesn’t mean the road does).
