Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

December 19th, 2011

Avast talks about ‘The Girl with the Dragon Tattoo’

It’s no surprise that conversation at Avast is focused on computer security. The Tuesday release of the new film, The Girl with the Dragon Tattoo, has sparked even more talk, because of the tortured heroine, hacker Lisbeth Salander. The movie is based on the first of the best-selling “Millennium Trilogy” crime novels by the late Swedish author Stieg Larsson. It revolves around journalist Mikael Blomkvist who hires the mysterious Lisbeth to help solve a cold case of a missing teenager from decades ago.

Lisbeth works as an investigator from her ordinary laptop. She gains access, and complete control in some cases, to the contents of whomever’s computer she wants and uses information from emails, work documents, bank statements, and browsing history, to satisfy her curiosity, advance the case, and ultimately to loot bank accounts.

I sat down with Jindrich Kubec, senior virus analyst at the AVAST Virus Lab, to talk about hacking, finding information on the internet, and literary license.

(Spoiler alert: elements of the story are about to be revealed)

Deborah Salmi: What I find interesting about this hacker extraordinaire, is that she used some techniques besides hacking to get information she wanted. Once, she used a pirate copy of a card key to break into an office.

Jindrich Kubec: Yes, that could happen with simple mag-stripe cards. ATM debit/credit as well, but RFID (radio frequency identification) proximity cards are harder to clone, though not impossible. Cards with asymmetric keys should not be clonable.

OK, here’s a common one – she found a computer password on a piece of paper hidden underneath the blotter on a guy’s desk and used it to retrieve confidential documents.  Anyone could do that!

Simple techniques work. Human error accounts for about 30% of the $18 billion in data loss from US companies. People write passwords on a sticky note or use the same ones multiple times, which puts them at risk for stolen data.

But I have a gazillion passwords to remember.

Something like avast! EasyPass, which has only one master password to remember, makes managing passwords easier. Lisbeth would not have been able to crack the master password.

In another scene, Lisbeth is hanging around the entrance to an apartment building with a key code entrance. She looks over an old lady’s shoulder and sees the numbers to the combination as she punches them in.

All the old lady needed to do was to put her hand over the keyboard as she typed the numbers. Again, real simple stuff.

I thought you said Lisbeth was a brilliant hacker.

I’m getting to that part. But first, I want your opinion on something. A car ran over Lisbeth’s laptop. She was angry, but all her files were backed up so it wasn’t a disaster. She decided to buy an Apple PowerBook. What do you think about that?

I can’t comment on the choice of laptop. I’m not a big fan of Apple. (laughs) But it’s good that she backed up her files. Hardware failure is the most common cause of data loss. You can replace hardware, but some files are irreplaceable. avast! BackUp protects your valuable photos, music and documents. It even works with Apple computers. (winks)

One more non-hacking bit. Lisbeth impersonates a social welfare secretary to dig out information from people over the telephone.

Yep, good old social engineering. It’s happening a lot this holiday season with charity phone scams. But all of this is physical (in)security or social engineering. If I can get into your apartment, you’re done for, unless you have your computer’s hard drive encrypted by TrueCrypt or something like that.

Then I’m done for… Now we get to the hacking parts. Lisbeth hacks another bad guy’s private information, and finds that he has millions in a secret offshore account.

How many bad guys are in this story?

Um…at least three.

Oh. Well, this is very hard to believe. For access to my personal bank account, and I don’t have any secret offshore account, you’d need to have my chip card + pin or my access code + cellphone + password or, in the most paranoid setup, chip card + pin + cellphone. And the chip card can’t be cloned, as far as I know. Again, for storing of the password and pin, avast! EasyPass could be used.

Lisbeth used a hidden camera to record the same bad guy assaulting her. Then she used the video to blackmail him.

Sounds like a real uplifting Christmas movie. Can’t we watch It’s a Wonderful Life, instead?

James Stewart’s character wants to commit suicide on Christmas eve.

OK, whatever. Lisbeth would have done better to use a wireless camera which immediately sends the signal somewhere else, so if the bad guy found the camera it wouldn’t matter.

An interesting piece of technology that plays a vital role later in the story is the electronic cuff Lisbeth gets from fellow hacker Plague. She uses it to hack into a bad guy’s computer and create a complete copy of his hard-drive on a separate server. What do you know about this device?

I don’t have a clue what it represents, but I suspect “literary license.” An electronic cuff is a non-existent device.

To find out secrets about people, all Lisbeth needs is for them to have a computer with an internet connection, an email address, and maybe a personal website. Is it that easy?

I don’t believe so. There are too many variables. If she was looking for someone whose surname is Smith, she’d be lost. You need to connect lots of dots and sometimes you just need to make an educated guess if two people with the same name are the same person – but that fails when you have someone with a rather common name and/or a boring life.

But, you are quite easy to track. Give me a few minutes, and I can find out a few things… (taps on the keyboard)

Like what?

I know where you work.

That’s not too hard.

I know where you worked before.

You don’t have a Facebook account, but you have a Twitter account, stumbleupon.

I know how you look, at least a few years back. (smiles)

I know your age.

Watch it…

But I’ll skip it since you’re a lady.

I know your home address.

I know where you lived, where you spent time, and what you’re a fan of.

So you DO have a Facebook account…

That’s enough. I get your point.

So you can find information on people, even without paying or hacking, but I wouldn’t call any of that secret or even personal. But, I could have used the info for creating something targeted to convince you to do something.

Sounds sneaky.

And people put much more personal information on Facebook, for example, than you. Like when they are away from their house on vacation. Lots of things.

Enough about me. At one point, Lisbeth thinks it’s OK if she gets dumped from the case because she is able to access everyone’s computer and follow what they do. Is that possible?

It’s oversimplified, but there is malware that allows you to see what the victim is typing or take control of their system, for example. Avast protects against ‘wiretapping’; the so-called RATs (Remote Administration Tool) programs. And we protect people from having their password guessed when they use our avast! EasyPass.

Lisbeth’s motivation for hacking is that she enjoys digging into the lives of other people and exposing their hidden secrets. It is like a complicated computer game.

Yes, this is old motive, see Wikileaks or Anonymous.

Lisbeth broke into her partner’s laptop by using a program that can crack Word’s encryption protection. Fan sites say that she uses a program called “Asphyxia.”

The name is made up. There are few similar products for this though. I remember the ones from Elcomsoft because the dude was arrested in the USA, as he broke DMCA (The Digital Millennium Copyright Act), if I’m not mistaken.

In the past, the built-in encryption in Office sucked. Most probably because they wanted to provide at least some protection, but weren’t able to provide anything better because of USA export laws. I don’t know how the situation changed, or if the laws are more tolerant now. But since Office 2007, documents are protected by AES-128 cipher, which is fairly strong. I haven’t heard that it was already broken, so I’d say it’s safe.

Lisbeth’s partner thinks she must have Asberger’s syndrome or some ability to see patterns and understand abstract reasoning. That’s what makes her such a good hacker.

Ah, everybody now has to have some OCD (obsessive-compulsive disorder) or something. Some people in the company may say they have Asperger, but I just think they’re nerds with bad social skills. (smiles)

For the big finish, Lisbeth used the electronic cuff she bought from Plague, and successfully hacked the bad guy’s computer. She took control over it with access to all his financial records and banking information. She studied his finances carefully, and then stole millions of dollars from him.

Yes, this is highly improbable too. I sometimes have trouble getting my own money from the bank.

  1. December 22nd, 2011 at 10:55 | #1

    long post and very informative, but it seems more exciting if I had the opportunity to see firsthand the film.

  2. Tech
    December 29th, 2011 at 12:53 | #2

    Well, I’m not with all arsenal, but some of them for sure.
    1. A password manager.
    2. TrueCrypt (when will avast enter in the cryptography field?).
    3. avast! Backup (thanks Trevor).

    Hey… You didn’t talk about antivirus and firewall :)

Comments are closed.