{"id":28461,"date":"2020-12-22T15:53:11","date_gmt":"2020-12-22T13:53:11","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/die-hard-cybersecurity\/28461\/"},"modified":"2020-12-22T15:53:11","modified_gmt":"2020-12-22T13:53:11","slug":"die-hard-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/die-hard-cybersecurity\/28461\/","title":{"rendered":"Cybersecurity errors at Nakatomi"},"content":{"rendered":"<p>Many families spend the holidays watching favorite movies together, in lots of cases the same ones year after year, making Christmas and New Year\u2019s traditions. Some people love Christmas comedies, others favor melodramas. As for me, my favorite Christmas movie is <em>Die Hard<\/em>. After all, 60% of John McClane\u2019s encounters with terrorists take place on Christmas Eve, and I\u2019m far from the only person associating the action classic with the holiday.<\/p>\n<p>Sure, with <em>Live Free or Die Hard<\/em> (aka <em>Die Hard 4.0<\/em>), we got a plot really focused on critical infrastructure cybersecurity \u2014 and we\u2019ll come to that in due course \u2014 but look closely and you\u2019ll see plenty of examples of both good and shocking cybersecurity in the first movie as well.<\/p>\n<p>After all, the Nakatomi Corporation uses the most cutting-edge technologies of the day: a mainframe that synchronizes with Tokyo-based servers, a computerized lock on the vault, and even a touch-screen information terminal in the lobby (don\u2019t forget, we\u2019re talking 1988 here).<\/p>\n<h2>Physical security at Nakatomi Plaza<\/h2>\n<p>Security issues jump out right from the start. John McClane, our protagonist, enters the building and addresses the security guard, mentioning only the name of his wife, whom he came to see. He never says his own name or shows any form of ID. 
Even providing his wife\u2019s name shouldn\u2019t get him in, though; their marriage is on the rocks and she\u2019s reverted to using her maiden name at work.<\/p>\n<p>Instead of challenging the intruder, the careless guard simply points him in the direction of the information terminal, then the elevators. So, basically anyone can enter the building. What\u2019s more, as the action progresses, we repeatedly see non-password-protected computers in the building, all open to <a href=\"https:\/\/www.kaspersky.com\/blog\/evil-maid-attack\/37901\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">evil-maid<\/a> attacks.<\/p>\n<h2>Access to engineering systems<\/h2>\n<p>It is not long before criminals enter the building, kill the guards (just two are on watch on Christmas Eve), and take control of the building. Naturally, all of the engineering systems in Nakatomi Plaza are controlled from one computer, which is in the security room, right next to the entrance.<\/p>\n<p>The sole hacker among the terrorists, Theo, taps a few keys and bam, the elevators and escalators stop working and the garage is blocked off. The computer is already on (although the room is empty) and has no protection against unauthorized access\u00a0\u2014 the screen isn\u2019t even locked! For a company employee (in the security department) to leave the screen unlocked is simply unforgivable.<\/p>\n<h2>Network security<\/h2>\n<p>The first thing that the terrorists demand from the president of Nakatomi Trading is the password for the company\u2019s mainframe. Takagi, thinking the villains are after information, drops an interesting tidbit about the company\u2019s security practices: Come morning in Tokyo, he says, any data the attackers gain access to will be changed, undermining blackmail attempts. We can draw two conclusions from that:<\/p>\n<ol>\n<li>Nakatomi\u2019s information systems in Tokyo keep track of who gains access to what and when. That is a fairly well-implemented security system. 
(Of course, it\u2019s possible Mr. Takagi is bluffing.)<\/li>\n<li>Moreover, Takagi seems to have absolutely no knowledge of time zones. In Los Angeles, night has just fallen (the intruders enter the building at dusk, and during the conversation in question, we can see through the window that it\u2019s dark out). Therefore, it\u2019s got to be at least 10:30 the next morning in Tokyo.<\/li>\n<\/ol>\n<h2>Nakatomi\u2019s workstation security<\/h2>\n<p>The gangsters explain that they aren\u2019t exactly terrorists, and they\u2019re interested in access to the vault, not information. Takagi refuses to give the code, suggests the villains fly to Tokyo to try their luck there, and dies for his efforts.<\/p>\n<p>Murder aside, the interesting bit lies elsewhere. A close-up of Takagi\u2019s workstation reveals that its operating system, Nakatomi Socrates BSD 9.2 (clearly a fictional descendant of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Berkeley_Software_Distribution\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Berkeley Software Distribution<\/a>), requires two passwords: Ultra-Gate Key and Daily Cypher.<\/p>\n<p>As the names suggest, one is static and the other changes daily. Right here is a shining example of two-factor authentication, at least by 1988 standards.<\/p>\n<h2>Access to the vault<\/h2>\n<p>Seven locks protect the vault. The first is computerized, five are mechanical, and the last is electromagnetic. If hacker Theo is to be believed, he\u2019ll need half an hour to crack the code of the first lock, then two to two-and-a-half hours to drill through the mechanical ones. 
The seventh automatically activates at that point, and its circuits cannot be cut locally.<\/p>\n<p>Leaving aside that highly dubious notion (my physics may be rusty, but electricity is usually supplied through wires, which can always be cut), let\u2019s move on to the next glaring flaw: If the vault security system can send a signal to activate a lock, why can\u2019t it notify the police about an unauthorized entry attempt? Or at least sound an alarm? Sure, malefactors cut the telephone lines, but the fire alarm manages to transmit a signal to 911.<\/p>\n<p>Ignoring that, it\u2019s quite interesting to watch how Theo cracks the code. Inexplicably, on the first computer he tries, he gains access to the personal file of the (unnamed) chairman of the investment group, including information about his military service. Remember that in 1988, the Internet as we know it does not exist, so the information is likely stored on Nakatomi\u2019s internal network, in a shared folder.<\/p>\n<p>According to information in the file, this unnamed military man served in 1940 on the <em>Akagi<\/em> (a real <a href=\"https:\/\/en.wikipedia.org\/wiki\/Japanese_aircraft_carrier_Akagi\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Japanese aircraft carrier<\/a>) and took part in several military operations including the attack on Pearl Harbor. Why would such information be stored publicly on the corporate network? Weird \u2014 especially because the aircraft carrier also serves as a hint for the password to the vault!<\/p>\n<p>The same computer helpfully translates <em>Akagi<\/em> into English as <em>Red Castle<\/em>, and wouldn\u2019t you know it, that\u2019s the password. Maybe Theo did a ton of homework and got lucky, but even in theory, the process went awfully quickly. 
It\u2019s not clear how he knew in advance that he could do it in half an hour.<\/p>\n<p>Here, the scriptwriters must have forgotten about Daily Cypher, the regularly changed, and thus more interesting, second password. The lock opens without it.<\/p>\n<h2>Social engineering<\/h2>\n<p>The criminals occasionally employ social-engineering techniques on the guards, fire department, and police. From a cybersecurity perspective, the call to 911 warrants particular attention. McClane triggers the fire alarm, but the intruders preemptively call the rescue service, introduce themselves as security guards, and cancel the alarm.<\/p>\n<p>A little later, information about Nakatomi Plaza \u2014 in particular, telephone numbers and a code presumably for canceling the fire alarm \u2014 appears on a 911 computer screen. If the attackers were able to recall the fire-fighting crew, they got that code from somewhere. And the guards were already dead, so the code must have been written down and kept somewhere nearby (judging by the promptness of the recall). That\u2019s not recommended practice.<\/p>\n<h2>Practical takeaways<\/h2>\n<ul>\n<li>Don\u2019t let strangers in, even on Christmas Eve, and especially if the building is full of computers holding valuable information.<\/li>\n<li>Periodically remind employees to lock their computers. Better still, set systems to lock automatically after a short duration. 
Taking part in a <a href=\"https:\/\/k-asap.com\/en\/?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity awareness course<\/a> is also an excellent idea.<\/li>\n<li>Don\u2019t share documents containing password hints, or store them in shared locations.<\/li>\n<li>Use randomly generated, hard-to-guess passwords for access to highly valuable data.<\/li>\n<li>Store passwords (and alarm cancellation codes) securely, not on paper notes.<\/li>\n<\/ul>\n<h2>Postscript<\/h2>\n<p>We were initially going to look at both Christmas movies in the series, but having rewatched <em>Die Hard 2<\/em>, we concluded that it\u2019s really about a fundamental failure in the airport information infrastructure architecture. The terrorists dig up the conduit lines running under a nearby church and seize control of all airport systems, including the control tower. Back in 1990, some of those systems would not have been computerized at all. 
Alas, it is not possible to get to the bottom of it without a detailed in-movie explanation, but everyone\u2019s too busy dying (hard or otherwise) to provide one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We examine the first installment in the Die Hard series from a cybersecurity standpoint.<\/p>\n","protected":false},"author":700,"featured_media":28462,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020],"tags":[1130,187,3421,3116],"class_list":{"0":"post-28461","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-movies","10":"tag-passwords","11":"tag-physical-security","12":"tag-truth"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/die-hard-cybersecurity\/28461\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/die-hard-cybersecurity\/22295\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/die-hard-cybersecurity\/17790\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/die-hard-cybersecurity\/23975\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/die-hard-cybersecurity\/22061\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/die-hard-cybersecurity\/20772\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/die-hard-cybersecurity\/24459\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/die-hard-cybersecurity\/23625\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/die-hard-cybersecurity\/29858\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/die-hard-cybersecurity\/9146\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/die-hard-cybersecurity\/38169\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/die-hard-cybersecurity\/16160\/"},{"hreflang":"
pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/die-hard-cybersecurity\/16804\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/die-hard-cybersecurity\/14318\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/die-hard-cybersecurity\/25997\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/die-hard-cybersecurity\/29798\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/die-hard-cybersecurity\/26529\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/die-hard-cybersecurity\/23271\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/die-hard-cybersecurity\/28651\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/28461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=28461"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/28461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/28462"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=28461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=28461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=28461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}