Don’t limit your actions to the virtual world
Audacity triumphs
No system is safe
In this article, I am documenting the events and dialogues from the movie WHOAMI - from which I’ll be sharing some important cybersecurity lessons.
The main character of the story is Benjamin Engel, and this is his story.
The very first hack shown in the movie is about getting hold of the Law exam papers. These are stored on the central server of the university. However, during the process of retrieving the files, Benjamin gets caught by the security guard and receives 50 hours of community service. And there, he meets another hacker.
The character of Max is very interesting. Despite his looks and sometimes overly loud personality, he seems to have a reflective mind. He sees and observes things that people generally never take note of in their entire lives. He asks Benjamin about his specialties: DDoS attacks, botnets, phishing, or whether he is just a script kiddie. Benjamin then tells him that he hacked a university server using a zero-day exploit.
Let's take the example of a shopping app. There is a limit to how much traffic an app or a site server can handle. A DDoS attack, or Distributed Denial of Service attack, occurs when a hacker overwhelms these servers with fake requests, denying legitimate users access to the website or app. The resulting drop in 'real' traffic can mean a loss, because thousands of users lose their connection to the service.
DDoS differs from DoS (Denial of Service) in that a DoS attack usually comes from a single system, whereas a DDoS attack uses multiple machines or vectors. A DoS can also be caused by legitimate users on a busy day, such as a 4th of July sale. Usually, sites are prepared to handle more traffic on such days, whereas a DDoS attack is totally unannounced and can cause more damage.
There are different types of DDoS attacks depending on which layer of the network is being targeted. Let’s see the two broadest categories:
The first overwhelms a web server by sending more requests than it can handle. Examples include SYN attacks and DNS reflection.
The second often targets a particular application or software that the website uses. HTTP flood is a common example of such attacks.
Usually, a single computer cannot send enough traffic, so a significant attack needs a large number of computers. This is done using botnets.
A botnet is a collection of devices that have been infected with a bot that can be used to control them. The size of a botnet ranges from a few hundred to a few thousand and can also reach a million.
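The DoS versus DDoS distinction above can be checked from the defender's side by looking at how an overload is spread across sources. The following is an added example, not part of the original article; the capacity threshold, the 80% share cut-off and the traffic records (documentation IP ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict

CAPACITY_PER_SEC = 100   # assumed: requests per second the server can handle
DOMINANT_SHARE = 0.8     # assumed: one source with >= 80% of a window means single-source DoS

def classify_windows(records, capacity=CAPACITY_PER_SEC, dominant=DOMINANT_SHARE):
    """records: iterable of (epoch_second, source_ip). Returns {second: verdict}."""
    per_second = defaultdict(Counter)
    for second, src in records:
        per_second[second][src] += 1

    verdicts = {}
    for second, sources in sorted(per_second.items()):
        total = sum(sources.values())
        if total <= capacity:
            verdicts[second] = "normal"
            continue
        top_src, top_count = sources.most_common(1)[0]
        if top_count / total >= dominant:
            # One machine produces almost all of the load: blockable by source address.
            verdicts[second] = f"overload: single source {top_src} (DoS pattern)"
        else:
            # Load is spread over many machines: a botnet or a genuine busy-day surge.
            verdicts[second] = f"overload: {len(sources)} sources (DDoS or genuine surge)"
    return verdicts

def sample_records():
    """Constructed traffic: second 0 is quiet, second 1 has one noisy host, second 2 has many hosts."""
    recs = [(0, f"198.51.100.{i}") for i in range(40)]
    recs += [(1, "203.0.113.7")] * 300 + [(1, f"198.51.100.{i}") for i in range(20)]
    recs += [(2, f"192.0.2.{i % 250}") for i in range(500)]
    return recs

if __name__ == "__main__":
    for second, verdict in classify_windows(sample_records()).items():
        print(second, verdict)
```

Source counts alone cannot separate a botnet from a sale-day crowd, which is why the distributed verdict names both; telling them apart needs further signals such as request paths or session behaviour.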
Suppose you find a bug in a system. It’s called a zero-day because the minute it's discovered, the company has zero days to fix it. So they will have to fix it within a day. One could write a program to exploit that bug or vulnerability and that’s called a zero-day exploit.
In February 2020, AWS (Amazon Web Services) was DDoSed with a peak traffic volume of 2.3 Tbps. Although there have been attacks larger than this, it’s the largest attack to be publicly acknowledged.
There are many reasons for these types of attacks. The one depicted in the movie is called hacktivism, where a group of hackers tries to demolish the brand name of big companies or get some sort of revenge. Other reasons may include unethical practices to take down a system, or governments declaring cyber war. But it’s better to not go there.
Benjamin arrives at a party. And Max makes it look like it’s his house and his party but it actually wasn’t. There he meets two other people, Stephen, and Paul. To show them what he’s really capable of, Benjamin opens what seems like an Apple laptop in the room and types a few commands that are clearly visible on the screen. After a while, he hacks into the system and turns off all the lights. It was pretty cool.
This is another account of what Max and Benjamin talk about. And I think it’s my favorite part of the movie. ‘Security. Everyone wants security. Security doesn’t exist. Once you understand this, it's like you have the world served on a plate. The main vulnerability isn’t in applications or servers. Man is the main security flaw. The most effective of all hacking methods, the great art of deceiving: Social Engineering. Man is by default trusting and confiding…’
As their friendship develops the group now plans to hack a conference and replace their event’s video. Benjamin believes that invisibility is his superpower. No one notices him because he looks ordinary. He easily goes past the crowd and to the main access point. They succeeded in hacking the conference by connecting their Wi-Fi network and thus getting access to their system. After this, Benjamin suggests a name for the group - CLAY or Clowns Laughing at You.
From this part, we see full-on hacktivism: attacking big organizations and revealing their true identity to the world. First, they started by hacking a news channel while it was running the stock of a financial company, called DAX. It’s really interesting to see the laptop screen at this point. There is a video called nosystemissafe.mp4 that they broadcast on the news.
Next was a big pharma company where they played a message ‘WE KILL ANIMALS’ on their office buildings. It was pretty cool.
Despite their efforts, MRX still thinks that they are not good enough.
So, they decide to try something even bigger. They decided to hack into the Federal Intelligence Service or BND, The German Secret Service. They start with something easier to hack into. A human vulnerability. They go to a dump yard of the building and in a huge pile of papers they manage to find a birthday card with a cat picture on it and the name of the sender and recipient.
A lady who likes cats.
Lure her with cats.
However, they still couldn’t get access to the server, so they plan to visit the BND headquarters and hack their printers. And they succeeded. The next day there were piles of papers everywhere with messages written on them:
‘Clay was here. No System is Safe.’
In order to perform this next big hack, they take another character into their story. Hanne Lindberg, lead cybercrime investigator of Europol is visiting BND and has been investigating fri3nds. Benjamin makes Hanne believe that he is delusional due to the carefully crafted holes in his story that force her to reach that conclusion herself. She lets him get away after he gives her the identity of fri3nds and MRX. In time, she would know that she has been fooled but she also got what she wanted and hence would never try to reveal what happened.
And that ends the story.
The main emphasis of the movie is that hacking is not just about sitting behind a desk and trying to break into the system. If you want to do something bigger, you’d need to actually go out there. And you’d probably need more than a single individual. In reality, 90 percent of attacks target employees instead of machines, via social engineering, because humans are bound to make errors and are easier to hack than the systems. The rest of the hacking methods comprise a tiny portion of total cyber threats.