Untraceable or Uncatchable?

On Friday, I caught a showing of "Untraceable," a horror/thriller flick about a serial killer who relies on computer insecurity to help him broadcast his crimes onto the Internet.

Far too many hacker movies completely flub the technical details, and from viewing the trailers I was certain this one would as well. But the film actually got most of its Internet facts right (never mind the bit where the bad guy remotely hacks a car, or the laughably inaccurate point-and-click trap-and-trace capabilities of the FBI agent played by actress Diane Lane). Still, it wasn't that great of a flick.

But one theme of Untraceable I thought was noteworthy was the power that cyber criminals wield with legions of hacked computers at their fingertips. I think the movie also helps frame a healthy debate over whether the most-wanted cyber criminals are in fact untraceable or just uncatchable.

First, a quick synopsis of the film (spoiler alert: It's entirely possible that some portion of what follows will ruin an important surprise of the movie). The psychopath in the movie murders his victims for everyone to see in real-time by streaming live video of his captives' plight to an Internet site. The victim in each murder is confined to some kind of automated death-inducing apparatus whose operation is hastened commensurate with the increase in hits on the site from curious visitors.

The film's engine of death is a cutting-edge type of "botnet," or amalgamation of hacked PCs that are remotely controlled by criminals, typically for use in sending spam or hosting scam Web sites.

In the old days (pre-2006), crooks hosted fraudulent or illegal Web sites at static Web site addresses that could be targeted and darkened by Internet service providers or law enforcement. Nowadays, criminals are increasingly turning to so-called "fast-flux" botnets to keep their scam pages online indefinitely.

Let's say the fraudster's site is "scammer.com." With fast-flux, the numeric Internet address attached to scammer.com changes every few seconds or minutes. For example, if Alice visits scammer.com at 10 a.m., and Bob types the same Web site name into his browser a few minutes later, Bob will see the same content as Alice did, but the content will be served from a different compromised computer within the botnet.

From the bad guy's perspective, the beauty of this approach is that by the time law enforcement officers or ISPs deep-six the Internet connection of a customer PC found to be used in a fast-flux scheme, the fast-flux site content will have long ago moved to yet another hacked PC.

The single constant in this scheme is the domain name that is used to hand off the visitor's request to any one of thousands of PCs that could serve up the content. While law enforcement can pressure domain registrars to revoke the registration for Web site names found to be used in fast-flux networks, the scammers can simply register another domain, or switch to a registrar that is far less responsive.
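The rotation described above is also what makes fast-flux visible to defenders who log DNS answers. The following is an added example, not part of the original post: it profiles A-record observations per name and flags the fast-flux pattern. The names (reserved `.example` domains), the private-range addresses, the /16 grouping and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed passive-DNS rows: (seconds, name, A record, TTL)."""
    rows = []
    for i in range(12):
        # Fluxing name: a new host in a different network every 3 minutes.
        rows.append((i * 180, "flux.example", f"10.{i * 7}.{i}.{20 + i}", 180))
        # Ordinary name: two servers in one network, answers alternate.
        rows.append((i * 180, "static.example", f"10.200.0.{1 + i % 2}", 86400))
    return rows


def profile(observations):
    """Summarise per-name address churn from A-record observations (IPv4 only)."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_name[name.lower().rstrip(".")].append((ts, ipaddress.ip_address(ip), ttl))
    result = {}
    for name, rows in by_name.items():
        rows.sort()
        ips = {ip for _, ip, _ in rows}
        # /16 is a rough stand-in for "different network"; ASN lookups would be better.
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
        span = max(rows[-1][0] - rows[0][0], 1)
        result[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "median_ttl": median(ttl for _, _, ttl in rows),
            "changes_per_hour": changes * 3600 / span,
        }
    return result


def looks_fast_flux(p, min_ips=5, min_nets=3, max_ttl=600):
    """Illustrative thresholds (assumptions): many hosts, many networks, short TTL.

    The change rate is deliberately not used: plain round-robin between two
    servers changes answers just as often as a fluxing name does.
    """
    return (p["distinct_ips"] >= min_ips
            and p["distinct_nets"] >= min_nets
            and p["median_ttl"] <= max_ttl)


if __name__ == "__main__":
    for name, p in sorted(profile(build_sample()).items()):
        print(name, p, "FLAG" if looks_fast_flux(p) else "ok")
```

Content delivery networks also answer with short TTLs and many addresses, so a flag from this heuristic is a lead for review rather than a verdict.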

I purposefully avoided reading critics' reviews prior to seeing the movie, but when I was researching show times I came across an article at MTV.com that quoted an ex-FBI agent as panning the film's premise, essentially saying that the idea that people can be anonymous online is an illusion.

The story quotes former FBI special agent Ernest Hilbert: "There's been a number of sites I've gone after where people have done a similar things. These would all be things that the FBI would eventually figure out and track back. [It would] probably take upwards of a couple months, locking it down to each particular thing."

Hilbert is technically correct. Nothing is untraceable online. But the reality on the Internet today is far less cut and dried. If they apply enough resources and pressure, law enforcement investigators can eventually trace the origin of these fast-flux sites back to the "mother ship," the very servers responsible for pulling all the strings. But that accomplishment means little if U.S. authorities can't convince the law enforcers in the mother ship's host country to prosecute or at least pull the plug on the bad guys.

The unfortunate reality is that U.S. law enforcement and private security professionals already have traced the origins of some of these fast-flux fraud networks, only to find that they originate in countries where we have little political or legal influence.

Right now, the bad guys are using fast-flux networks mainly to fleece Americans. Maybe one day true psychopaths will use them in a way depicted in this film. I've always maintained that the problems of Internet and computer network (in)security won't seep into the public consciousness until people start dying because of security vulnerabilities.

When this happens, however, it will more likely be the result of weaknesses in the digital systems that control essential public utilities such as the power and water utilities, complex systems that for a variety of reasons are increasingly being connected to the Internet. This is not as far-fetched as some would have you believe. The CIA last week divulged that hackers had darkened cities in other nations by attacking weaknesses in the computers that controlled distributed power networks.

Anyway, I can't recommend seeing this film, chiefly because I found it frankly insulting (not to mention gruesome): By virtue of watching the movie, we are led to believe that each of us is yet another tiny cog in the distinctly American voyeurism machine that churns out these kinds of unfathomable sociopaths.

David Perry, director of education for computer security firm Trend Micro, said he, too, thought the movie came closer than perhaps any other to getting the technical details right. Still, Perry said, he wouldn't recommend the movie to a friend.

"It's really sad that the first hacker movie to not be completely laughable from a technical perspective is a movie that nobody is going to see," Perry said.

By Brian Krebs  |  January 28, 2008; 1:01 PM ET
Categories:  From the Bunker  

Comments

...says "Just Say No, as it's frankly insulting (not to mention gruesome): By virtue of watching the movie, we are led to believe that each of us is yet another tiny cog in the distinctly American voyeurism machine that churns out these kind of unfathomable sociopaths."

Two thumbs down.

Posted by: DOUGman | January 28, 2008 1:28 PM | Report abuse

I saw Diane Lane on some talk show or other last week, talking about this movie. She claimed that the remote car hack had actually occurred, for real, in two specific cases (one in Canada, one in Italy). I laughed out loud. There are cases where the nav systems - often based on Windows - have been hacked in cars, but, to my knowledge, and based on some googling, I don't believe it's accurate that a real remote control hack like that in the movie has actually occurred. Gotta love Hollywood and misinformation...

Posted by: Ben | January 28, 2008 1:44 PM | Report abuse

A $6B fix...

- http://online.wsj.com/article/SB120147963641320851.html?mod=googlenews_wsj
Jan. 28, 2008 WASHINGTON - "President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers. Administration officials and lawmakers say that the prospect of cyberterrorists hacking into a nuclear-power plant or paralyzing Wall Street is becoming possible, and that the U.S. isn't prepared. This is "one area where we have significant work to do," Homeland Security Secretary Michael Chertoff said in a recent interview..."

.

Posted by: J. Warren | January 28, 2008 3:10 PM | Report abuse

I'm looking forward to watching this movie. Maybe it's just another action flick, with no argument, but what are these movies about? Just to entertain people who go and watch them, so it's OK.

Posted by: veronica | January 28, 2008 4:08 PM | Report abuse

Thanks for the movie review, Brian.

What a dumb plot!

If you want to see far more gruesome and real violence, there's plenty of Iraq war blogs, al-Qaeda web sites, and WWII concentration camp footage online.

The movie is nothing more than an updated version of the elaborate scenes where the evil mastermind tries to kill James Bond with a laser, shark tank, or strapped to a bomb of some kind.

I suspect this movie will become another money-losing flop. Look for it in the $2 DVD bargain bin at K-Mart within six months.

Posted by: Ken L | January 28, 2008 4:15 PM | Report abuse

...."I suspect this movie will become another money-losing flop. Look for it in the $2 DVD bargain bin at K-Mart within six months"

All the more reason to d/l and rip...saves me ~$50+ per flick and not to mention wasted time. :P

I had a conversation with someone about the crap of movies being created these days, along with all the depressing subjects on the History channel. Nothing inspiring comes out of Hollywood or MSM these days, it's all negative. Well, except Billy Bob Thornton and the Astronaut Farmer. :)

T.

Posted by: TORRENTmaster | January 28, 2008 6:37 PM | Report abuse

Brian,

You really shouldn't use potentially valid domain names in academic examples, as you have here with "scammer.com". There is an established best practice, dating back to 1999, for domain names that you wish to use solely for exemplary purposes:

http://www.faqs.org/rfcs/rfc2606.html

It would have been better to use a subdomain of .example.com or .invalid.

Posted by: antibozo | January 28, 2008 7:30 PM | Report abuse

The remote car disable hack isn't as laughable as implied in this blog - already OnStar has a remote disable coming as soon as 2009.

http://abcnews.go.com/Business/Autos/story?id=3706113

Why do we think that law enforcement is the only one that can ever control the off switch? Does the switch thrower first have to take an oath to uphold the law? The movie makes a good point, although a bit over the top.

Posted by: moike | January 28, 2008 9:01 PM | Report abuse

moike,

Agreed; I'd say it isn't laughable at all.

OnStar's remote disable was discussed on Schneier's blog last October:

http://www.schneier.com/blog/archives/2007/10/onstar_to_stop.html

Posted by: antibozo | January 29, 2008 12:11 AM | Report abuse

I have an early version of the film's script. In this version, Marsh's car has "Northstar", which is pretty obviously a fictionalized version of "OnStar". I understand that she has OnStar in the finished film, so perhaps that was used as a placeholder until the filmmakers could get the rights. In any case, this script has her saying "He hacked into my Northstar!" rather than "he hacked into my car's computer!"

Posted by: Insider | January 29, 2008 2:23 AM | Report abuse

The idea of fast-flux sounds pretty fascinating. It's comforting to think that it is possible to track illegal websites back to their hosts.

In my opinion, the movie plot seems awkward (the psychopathic murders), but it might be a decent movie to watch if only for the thrills of learning some internet facts and discovering what hackers can actually do to unprotected computer systems. I have seen quite a few bogus hacker movies in the past.

It's amazing how much information hackers can steal about one's internet activity because personal computers tend to store so much personally identifiable information, including deleted files.

In fact, just a few days ago I scanned my laptop for files containing sensitive internet activity and was shocked at what I found out. My experience with computer security can be read in my blog.

http://evidenceeraserreview.blogspot.com/

Posted by: dolapo soboyede | January 29, 2008 4:01 AM | Report abuse

I must be missing something (hey, I am from Europe) but the first and uttermost problem is that once the server(s)/botnet(s)/you-name-it are outside the US, there is little (best case) to plain dead rock nothing (usual case) which can be done to track someone.

Posted by: WS | January 29, 2008 7:30 AM | Report abuse

> dolapo : Hee Hee! Did your Evidence Eraser detect itself as Adware?

http://www.sophos.com/security/analyses/evidenceeraser.html

(Blog created on 28 January 2008, domain Niftydollar.com created on 22 January 2008)

Posted by: Moike | January 29, 2008 8:55 AM | Report abuse

>WS: once the server(s)/botnet(s)/you-name-it are outside the US, there is little (best case) to plain dead rock nothing (usual case) which can be done to track someone.

Actually, it depends on the local authorities and network administrator. In some countries the laws are equivalent and the criminal would be identified by local law enforcement, just as in the US. In other countries, some of those activities are not illegal, the abuse desk may have a 14 day backlog. And in the case of an RBN-like organization where the network administrator condones the activity, a criminal can operate nearly at will - just as shown in the movie.

Posted by: Moike | January 29, 2008 9:13 AM | Report abuse

I'll say this- the carhack is only laughable for the time being. Someone will figure out how to utilize it on a universal level and the more you say it's not possible, the more it will entice intelligent minds to get to work on proving you wrong. Wireless transmissions are wireless transmissions, physics are physics. Keep curious on the subject and keep an open ear out for the day it happens.

In a letter to Off The Hook, the movie [and I'm surprised it wasn't covered in this blog] seems to have a lot of propaganda against net neutrality, that there's the implication of "if only we had a filtered internet this stuff wouldn't happen". I suppose that those in power will continue to want more power.

Posted by: SkriptAsylum | January 29, 2008 10:34 AM | Report abuse

True hackers (versus Script-Kiddies and Spam Wannabe's) have no problem staying anonymous on the internet.

Can anyone say anonymous relays and encryption? (for starters)

I don't care how many agents you have running around. There are so many ways to circumvent their tactics and resources that it has become a joke to those that run in those circles.

Much like pirated software and music, the idea of getting around the system is much more alluring than getting paid to help keep it from happening because everyone knows that the instant you close a door, another one opens... and with a "Virtual" world, if no door exists, they can always make a new one.

Posted by: LL | January 29, 2008 4:05 PM | Report abuse

> In a letter to Off The Hook, the movie [and I'm surprised it wasn't covered in this blog] seems to have a lot of propaganda against net neutrality, that there's the implication of "if only we had a filtered internet this stuff wouldn't happen". I suppose that those in power will continue to want more power.

AGREED. Misinformation and misdirection are some of the key types of deception that Those In Power use to keep their authority. You don't have to lie when you play off of the general public's ignorance. You can just tell them what COULD happen and by doing that the public will be eager to sign laws to forfeit more of their freedom/rights and put their security into the hands of a governing power that has less control over the situation than you'd like to believe.

It's very much like the advertisements after the war against al Qaeda started, stating that if you buy drugs you're supporting terrorism.

The government lies. It always will lie to force its desires upon the people. It programs you; it wants to tell you how to think and what to believe. This movie breeds further ignorance, despite some of the realistic bits they've implemented. By mixing technological facts with technological fiction, people start to believe the bull over reality.

There's the window for freedom's failure.

Posted by: barcodedmaggot | January 30, 2008 12:27 PM | Report abuse

I must hire that movie, have a peek & see how good the tech bits are.
andyinwa@hotmail.com

Posted by: andyinwa | January 30, 2008 7:52 PM | Report abuse

Actually, this story has been done right and done well before on a weekly series of all places. In the "Mikado" episode of Chris Carter's Millennium, some teenage boys stumble across a webcam snuff video in progress. When the number of site hits match a number painted on the wall behind the victim, the murder occurs. Frank Black enlists a computer geek and uses his uncanny profiling abilities to track the killer, but he or she ultimately escapes capture, ala the Zodiac killer. Five star entertainment and righteous technological information.

Posted by: Jim | January 31, 2008 4:50 PM | Report abuse

About the $6 billion dollars the US government is going to pour in to provide for "Internet security" within the US (and maybe abroad too?), it's part of the actual plan that is slowly but relentlessly being implemented for the greatest power in the world to become a dictatorship within its own borders... beware fellow Americans!

Posted by: acrackinthewall | February 4, 2008 1:25 PM | Report abuse

Great pickup on the millenium episode. That's top notch.

Posted by: stgenerations | February 5, 2008 3:16 PM | Report abuse

@stgenerations: "Great pickup on the millenium episode. That's top notch."

That's "millennium". "Millenium", if it were a word, would mean something like "a thousand anuses", which is almost certainly not what you mean.

Amusingly, Mazda makes a car called the "Millenia".

Posted by: aeschylus | February 5, 2008 11:35 PM | Report abuse

The heavy storm would have likely precluded the remote "Northstar" hack. The villain hacking into FBI offices to the extent of broadcasting his heinous crimes to them is absurd because he would have had no way of knowing the classified government protocols used by the FBI and other agencies that are beyond the reach of public network access. Heat lamp purchases, inordinate residential electricity use, etc., could have been pinpointed independent of Cyberspace considerations, especially as they knew the crimes were being committed locally. Otherwise, the movie was engrossing and a nail-biter. The hits hastening the victims' deaths was a particularly twisted ingredient. This movie was a thriller, not a mere crime drama.

Posted by: doctordialogue | February 11, 2008 2:35 AM | Report abuse

I like to correct every little error people type or make because I have nothing else to do!

Posted by: aeschylus | February 26, 2008 12:49 PM | Report abuse

The previous comment, obviously, is not my writing.

Posted by: aeschylus | February 26, 2008 7:42 PM | Report abuse

there is the professional world of warcraft power leveling here. welcome.

Posted by: jimelyyes | May 2, 2008 12:09 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company