Hollywood's 5 biggest hacking myths

Press Enter and watch the magic happen -- as if! Why does Hollywood's portrayal of hacking have to be so far off the mark?

Hollywood's 5 biggest hacking myths
Pexels (Creative Commons BY or BY-SA)

If you’ve ever hacked for a living -- wearing a white hat, I hope -- you probably can’t stand the unrealistic light most shows and movies shine on hacking and hackers.

On the big and small screens, supergenius hackers enjoy instantaneous success and always manage to stay one step ahead of the law. Typically they’re portrayed in one of two views: Either they dress like refugees from a cyberpunk fashion show and have hot model girlfriends, or they’re solitary fat guys juiced up on energy drinks hacking away in their trashed bedrooms.

The dirty secret is that hacking tends to be tedious work -- not exactly Hollywood fare.

Yet Hollywood has worked its magic on the minds of the masses. Many times I’ve had friends get upset that I couldn’t instantly crack their wireless network or Facebook account when they forgot their passwords. I’ve even seen newbies on a penetration testing team surprised that we don’t immediately break into every server we come across without a little research first.

In real life, hacking is 95 percent monotony and 5 percent excitement, where focused dedication is more than a virtue. It’s almost the only trait that matters.

So much for the reality-based community. Courtesy of Hollywood, here are the hacking misfires that bug me most.

1. Instant password guessing

Many if not most movies with hacking scenes show the protagonist under lethal pressure to crack the master password in less than a minute. A perfect example is 2001’s "Swordfish," in which the evil character played by John Travolta holds a gun to the head of the hacker leader, Stanley, played by Hugh Jackman.

Stanley sweats bullets under threat, typing different passwords so fast it’s obvious he can’t be typing anything coherent at all. At the last second, after trying hundreds of different passwords, he pulls the right one out of thin air.

Has any computer system in any movie ever locked out an attacker after a certain number of password tries?

In other hacker movies, the protagonist seems to guess the correct password right off the bat. The hacker looks around the office, sees a picture of the CEO playing golf, and seems to know that “Titleist” is the right password. While trying words associated with the victim’s hobby is a well-known guessing technique, I’ve never seen anyone get it right on the first pass.

Real password guessing usually takes hundreds (if not hundreds of thousands) of attempts. If account lockout isn’t enabled, hackers can use automated dictionary-hybrid programs to do all the guessing. Today, because most passwords are complex and run eight characters or more in length, manual guessing isn’t very fruitful.

In fact, today, most password “guessing” is really password cracking. Cracking starts by capturing the password hashes first (which takes superadmin access), then using a brute-force or dictionary automation program to convert the hashes into their plaintext equivalents. Or to be truly modern about it, the passwords aren’t guessed or cracked at all. Instead, the attackers use the captured hashes, with no conversion necessary, to authenticate to other computers.

2. Cross-platform hacking

One the most cringe-inducing moments of all time appeared in 1996’s “Independence Day," when Jeff Goldblum’s character writes and inserts a computer virus into the mothership’s computers, which then brings down the shields and leads to the aliens' downfall.

When I first saw that scene, I wondered: "Gee, did he use Cobol or C++?" It’s ridiculous to think an alien race would use computer systems that could run our programs. Their systems wouldn’t use the same character sets, language conversion tables, or built-in instructions on their CPUs. In real life, most malware programs have a hard time running on different versions of the same operating system, much less on different operating systems or platforms.

I’ve seen movies in which a hacker on a Unix computer writes code for a Microsoft Windows victim. While that could actually be done, it would be 99 percent wasted effort. Real malware writer codes their creations on the same platform as the target system.

3. All systems are interconnected

Another incredibly unrealistic portrayal: One malware program or command manipulates dozens of disparate systems all at once. Sandra Bullock’s nemesis in 1995’s “The Net” provides a case in point. After spurning a would-be paramour turned murderer, Bullock’s character suffers an attack that erases her online life (no mortgage record, no driver’s license, no credit cards, no paycheck).

The best part? Her antagonist does it with a couple of commands! He even erases all paper trails and backups, not to mention everyone’s memory of her.

It’s laughable on many levels, not the least of which is how interconnected the movie seems to think all these systems are. With minimum effort, dozens of unrelated systems are accessed and manipulated. In real life, you can’t find a single environment where all such systems talk so well together. Go to any organization -- a government department, a corporation, a bank, a hospital -- and you’ll invariably find a hodgepodge of systems that IT wishes could seamlessly talk to each other.

In real life it takes months for a company to erase the trail of a single entity, and that’s when they own the systems, have the passwords, and know what they’re doing. If the bad guy really could do what he seems to be doing in “The Net,” he could earn millions working for corporations. He would be a data god!

4. All information pops up instantly

When any information is requested, the “computer nerd” types in a single command, and the answer comes back in seconds. This seems to happen several times a week on crime shows.

The protagonist will ask something like, “Where is the bad guy using his ATM card right now?” Ta-da, the screen immediately returns the exact address. Or “How many murders were committed in the upper boroughs by a guy using a knife and wearing pink shorts?” Voila, the answer is 12.

Contrast this with asking your own log management system how many logons Roger had today. You can easily wait two to three minutes for the answer -- with no guarantee the answer will be accurate.

5. Every program is a hacker’s dream program

Almost every hacker movie shows s great, custom-made program with an incredible graphical UI perfect for whatever the hacker is doing. In real life, almost all the programs used by hackers are created by someone else, used by millions of other hackers, and have a horrible UI.

You get a CLI and a set of commands that demand an unnatural amount of human memory to recall. The commands often wrap around from one line to the next.

Fact is, you don’t even need the most up-to-date program. Most successful hacks target vulnerabilities and exploits many years old. When I was a full-time penetration tester, rarely did I break in using a brand-new vulnerability. It was far more common to find a flaw from five to 10 years ago that had never been patched.

One show gets hacking right

You can always tell when a show cares about how it portrays hacking, but there’s nothing quite like the USA Network’s "Mr. Robot." Although the protagonist is a supergenius -- who, yes, frequently enjoys instantaneous success -- every typed command or program is a real typed command or program. What he does could really happen, albeit with the normal Hollywood hyperbole.

I remember when I saw the first few episodes. I was filled with glee to see all the realness. It proved that Hollywood could produce a hacker-driven drama using actual hacker commands and tools. Not only that, but the show is a wild success.

I hope others follow the path blazed by "Mr. Robot." Think of those hardcore contingents of loyal, upscale fans! I’m not holding my breath, though. Reality always demands more tedious work than most people want to watch.

Copyright © 2016 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.