What Matthew Broderick Taught Me About Cyber Security

One of McLeod Governance’s favorite films is the 1983 action movie WarGames.

It’s a deceptively simple story.

The opening scene depicts two United States Air Force officers who, unbeknownst to them, experience a nuclear missile launch simulation.

One of the men is unable to turn the key simultaneously with his partner to launch the missiles.

The man’s refusal to perform his duty is enough to convince computer programmers at the North American Aerospace Defence Command (NORAD) that the human element needs to be removed from the “loop” and that command of the missile silos needs to be maintained from NORAD itself.

Control is given to a supercomputer, WOPR (War Operation Plan Response), which is programmed to predict possible outcomes of a nuclear war.

High schooler David Lightman (played by Matthew Broderick) is a digitally proficient geek who wants to play an unreleased computer game — and impress a pretty girl (Ally Sheedy).

So he does something most Americans didn’t have a word for back then: He starts hacking.

Little does he know, the “computer company” he’s infiltrated is actually a military installation running WOPR and the game — Global Thermonuclear War — is real.

Naturally, only Lightman can stop it from setting off World War III.

Disaster is narrowly averted when Lightman manages to teach WOPR about the futility of war by getting it to play endless drawn games of tic-tac-toe against itself.

The WOPR then cycles through all the nuclear war scenarios that it has devised, which all end with no winner.

WOPR learns that “the only winning move is not to play” and simply ceases playing.

In the end WOPR decides it would prefer “a nice game of chess.”

At the time I remember thinking – as a 15-year-old boy – that it was a great piece of fantasy.

Come forward 30 years (yes I am approaching 45!), and the concept of cyber attacks is very real not only in the US Government but with all organisations.

WarGames, as we know, is no longer fantasy.

***

The United States Government Accountability Office – the audit and investigative arm of the United States Congress – a number of years ago released a very good overview of the challenges in establishing a comprehensive framework for the prevention, detection and mitigation of cyber attacks.

The report remains one of McLeod Governance’s most referred to reports in terms of what an organisation can do to protect itself from malicious cyber access.

The issue of cyber attacks doesn’t have the same profile these days as it once did and it is this very complacency that a cyber attacker – whether driven by malice or adventure – will seek to exploit.

The report provides a number of interesting cyber attack examples.

In June 2003, the U.S. government issued a warning concerning a virus that specifically targeted financial institutions. Experts said the BugBear.b virus was programmed to determine whether a victim had used an e-mail address for any of the roughly 1,300 financial institutions listed in the virus’s code. If a match was found, the software attempted to collect and document user input by logging keystrokes and then provide this information to a hacker, who could use it in attempts to break into the banks’ networks.

In August 2006, two Los Angeles city employees hacked into computers controlling the city’s traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees.

In October 2006, a foreign hacker penetrated security at a water filtering plant in Harrisburg, Pennsylvania. The intruder planted malicious software that was capable of affecting the plant’s water treatment operations.

In May 2007, Estonia was the reported target of a denial-of-service cyber attack with national consequences. The coordinated attack created mass outages of its government and commercial Web sites.

In March 2008, the Department of Defense reported that in 2007 computer networks operated by Defense, other federal agencies, and defense-related think tanks and contractors were targets of cyber warfare intrusion techniques. Although those responsible were not definitively substantiated, the attacks appeared to have originated in China.

***

It is never too late to consider whether your organisation is at risk.

A good place to start is to ensure that you have in place mechanisms for the following types of cyber attacks as listed in the GAO report:

Denial of service – A method of attack from a single source that denies system access to legitimate users by overwhelming the target computer with messages and blocking legitimate traffic. It can prevent a system from being able to exchange data with other systems or use the Internet.

Distributed denial of service – A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than from a single source. It often makes use of worms to spread to multiple computers that can then attack the target.

Exploit tools – Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems.

Logic bombs – A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs, such as terminating the programmer’s employment.

Phishing – The creation and use of e-mails and Web sites—designed to look like those of well-known legitimate businesses, financial institutions, and government agencies—in order to deceive Internet users into disclosing their personal data, such as bank and financial account information and passwords. The phishers then use that information for criminal purposes, such as identity theft and fraud.

Sniffer – Synonymous with packet sniffer. A program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text.

Trojan horse – A computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute.

Virus – A program that infects computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate.

Vishing – A method of phishing based on voice-over-Internet Protocol technology and open-source call center software that have made it inexpensive for scammers to set up phony call centers and criminals to send e-mail or text messages to potential victims, saying there has been a security problem and they need to call their bank to reactivate a credit or debit card, or send text messages to cell phones, instructing potential victims to contact fake online banks to renew their accounts.

War driving – A method of gaining entry into wireless computer networks using a laptop, antennas, and a wireless network adaptor that involves patrolling locations to gain unauthorized access.

Worm – An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate.

Zero-day exploit – A cyber threat taking advantage of a security vulnerability on the same day that the vulnerability becomes known to the general public and for which there are no available fixes.

***

Over the years, WarGames has written itself into the cult lore of Silicon Valley.

A number of years ago, Google hosted a screening where geeks and nerds cheered Broderick’s denial of service acrobatics.

“Many of us grew up with this movie,” Google cofounder Sergey Brin told the packed house.

“It was a key movie of a generation, especially for those of us who got into computing”.
