Saturday, January 17, 2015

Why Blackhat Is Hacking Done Right



We've all seen hacker movies that feature utterly preposterous situations and technology. We're looking at you, Hackers, Swordfish, and The Net.

But Blackhat, a high-tech Bourne-type thriller, is surprisingly plausible, and seems almost rooted in reality.

The plot is fairly straightforward: formerly incarcerated Nick Hathaway (Chris Hemsworth) is pitted against a malicious hacker causing nuclear disasters, stock market crashes and other mayhem. If Hathaway catches this blackhat hacker, his criminal record is wiped. The chase is on, and it makes for an exciting movie.

The thing is: the situations described are very real, and even likely. Some of them have already happened.

SPOILER: Don't read further if you want to stay away from movie details

SCADA Systems

In the movie, a malicious hacker (called a blackhat) infiltrates industrial computer systems and plants malware to take control of critical internal infrastructure. These systems are typically referred to as SCADA (Supervisory Control and Data Acquisition) systems, or industrial control systems, and they run everything. We're talking power, water, oil, communications, manufacturing, transportation, basically everything that keeps our economy moving. In the real world, defending these industrial control systems is a major concern for U.S. security agencies.

At the start of the movie, the blackhat uses his malware to force a water pump failure at a nuclear power station. This results in a reactor meltdown. Sensational for sure, but how likely is it that something like this could happen? Well, something like it already has.

Stuxnet

In 2010, thousands of nuclear centrifuges at Iran's Natanz uranium enrichment facility started to spin too quickly and were damaged, and the country's nuclear enrichment program experienced significant setbacks. The cause behind the damage turned out to be a piece of custom-written malware named Stuxnet.

Stuxnet was probably written by the United States or Israel. It likely spread to the Natanz computer network via an infected USB drive, and was written so that it would only deliver its payload if it was on a computer in Iran that used variable-frequency drives and was running a specific type of industrial control software. This was software written for a very specific purpose: to slow down Iran's ability to make a nuclear bomb.

Just like in Blackhat, custom-written malware can be used to damage critical infrastructure. It's difficult and expensive to do, but it has happened. It's also probable that these types of events will occur in the future.

And if you think we've got a handle on cyber security, you need only look at news reports of data breaches at Target, Home Depot, Adobe, JP Morgan Chase, Ebay, TJ Maxx, the U.S. military, or the 2014 Sony data breach (the largest hack in history) to know that the fight is ongoing.

Internet of Things

The vulnerability of industrial systems becomes even more concerning when you consider the Internet of Things. This is the idea that more things (like centrifuges, water pumps, heaters, air conditioners, eye glasses, watches, refrigerators, etc.) are going to have the ability to connect to networks. They'll be able to send and receive data, receive updates and be remotely configured.

From a consumer's perspective, this is great news! Everything will be smart, just like your phone. The great thing about smart phones, of course, is that they operate more like a pocket-sized computer than simply a telephone. The downside: they're also a lot more vulnerable to malicious hackers.

Blackhat deals with larger threats to national security, but what if hackers decide to target individuals: What happens when your new smart car or smart house gets hacked?

No, all you luddites out there, the answer isn't to abandon all technology and stick with dumb things. The answer is to build security into products (software with security in mind), behave more securely (why would you ever put a strange USB into your computer?), follow reasonable security advice like using strong passwords, and support laws that strengthen the security of critical industrial systems.

The movie gives us a realistic look at the vast implications of cyber security threats, threats that are more real than most people probably realize. These could make the movie not so much a thriller but a horror film.

Dr. Randy Boyle is a professor of cyber security at Longwood University in Farmville, Va.

Source: http://www.thedailybeast.com/articles/2015/01/17/why-blackhat-is-hacking-done-right.html


