The cyber crime thriller Blackhat, directed by Michael Mann and starring Chris Hemsworth, will hit theaters on Friday, January 16, 2015. The Science & Entertainment Exchange got a chance to talk to cyber security consultant Michael Panico, who worked on the film. Panico led an FBI Fly Team that dealt with cyber intrusions against the United States and our allies. Since 2006, he has been working with Microsoft and other Fortune 500 companies to help secure their networks. He is also the principal of Code Four Consulting for film and television. His areas of expertise include digital forensics, incident response, and cyber crime investigations. Here’s what he had to say about working on the film and how you can protect yourself and your information.
The Exchange: How did you get into this career?
Michael Panico: I first started with cyber security when I was an FBI agent here in Los Angeles. I was on a cyber squad for five years. Later I was a supervisor at FBI Headquarters in the Cyber Division. That’s how I came to be involved in the field.
The Exchange: Tell us a little bit about how you got involved with the film.
Panico: I received a call from the casting director. They were given my name by a friend of mine who is a federal prosecutor who also specialized in cyber crimes.
The Exchange: Can you talk about what you did for the film specifically?
Panico: I was a technical consultant on the film and I helped with all aspects of the production. Although I did not coach the actors, basically I did everything else. I was there for the first day of principal photography and I stayed through the entire shoot and was the on-set advisor. So any questions the team needed answered—I helped with set design, set decoration, props, visual effects—a lot of the commands that are typed on screen are the result of Michael [Mann] and the VFX department consulting with me about what a hacker would actually type in that situation. They are real Linux commands. I consulted with Michael on some of the story points. In the script there were certain plot points and he would ask me how would this actually occur. So I was basically trying to deliver some reality or detail in those scenes to make them authentic—for the most part, most of the things I was involved in had to do with the investigation of the hacks and what types of tools and techniques the FBI or, in this case, the FBI with the assistance of the blackhat hacker, would use to investigate that kind of a crime.
The Exchange: What are some of the things they would do?
Panico: What we talked about a lot was the review of malicious code and the sorts of things that you would look for if you were hit with a piece of malicious code. How you would actually retrieve that code, what tools you would use to look at it, what sort of things you might expect to find that would be considered a lead or a clue.
The Exchange: Obviously this film is very timely with everything that’s been going on in the tech world. Is this the new way to go after people and companies?
Panico: It certainly seems that way. I think one of the themes in the film is what I would consider asymmetry. Asymmetric warfare is a term that national security people like to talk about. It’s the idea that a particular individual or a small group of individuals with computers can create a lot of damage to a larger entity like a nation state or a corporation all the way on the other side of the world. So you have nation states with a very powerful military who can suffer attacks on their economic and industrial base from small groups of hackers who are not well resourced. You know, a group of hackers, all they really need is access to the Internet and a $500 laptop to cause damage to a larger, more powerful, more well-resourced entity that’s remote to them. So I think that is the future. I think we’re seeing that already. I don’t know if we really know the whole story yet, but I think we saw at the end of the year last year with the Sony incident, that potentially we have something new in the era of warfare, which is a nation state attacking a corporation, a private corporation. If it is, in fact, true that it was North Korea, that would represent a very interesting development in the history of warfare. One of the main inspirations for the film is the Stuxnet virus. That was a piece of malware that disrupted Iranian centrifuges that prevented them from being able to enrich uranium. So again, instead of bombing an area—and again, I would underline, if it is in fact true that (the speculation was that it was the United States or the Israeli secret intelligence services)—if that were the case, that would also represent a very interesting new frontier in warfare, because now you have, instead of a physical kinetic attack on the power plant, you have a cyber attack, which in some respects is a lot more elegant and can be a lot more targeted.
The Exchange: Before we end, we want to ask you about the average person and how they can protect themselves.
Panico: That’s a great question and I’ve been asked it a lot. I’m glad that I get the question because it’s important. You know, in this profession we talk a lot about risk mitigation. You’re never going to be 100 percent secure and your online life exposes you every time you interact with a website or log in to something. When you provide your information to someone else, you’ve lost control of that information to a certain extent. I think first and foremost, I think you should be very judicious in who you give your information to. What’s a little bit problematic about that is one would think that with the bigger, more reputable companies, you would be more secure, but that hasn’t been the case. That’s one of the issues with cyber security. Major corporations get hacked and get millions of credit cards and personal information stolen. I don’t know that there’s an easy way to make that judgment about whether the entity you’re entrusting your information with is secure or not, but I think the less sprawl that you have, the fewer number of sites that you put your information on, the better. For a more tactical version of that answer, use complex passwords, try to use long passwords, try not to use the same password at every different site because if you lose it at one place, the hackers already know that they can go around and see if they can find your login at other sites. In keeping with the first piece of advice, if you receive emails with links in them and you don’t know who the sender is, be really careful about clicking on those links. Those people are trying to get you to go to websites that you would not normally go to, so they can install malware on your computer.
The Exchange: We’re going to change all our passwords right now!
Panico: You really should!