A mixed review for cybercrime documentary | SC Media

January 29, 2008
Last Thursday evening, I joined about 100 other IT security folks at the Tribeca Grand Hotel in New York's Tribeca neighborhood to watch "The New Face of Cybercrime," a short documentary meant to offer a mainstream-type perspective of the complex problem of internet-based crimes.

From that end, the film - presented by Fortify Software - might have missed the mark. But I think it does do a good job of succinctly explaining the major issues as they relate to corporations these days -- mainly that cybercrooks are after the data, they are professional in organization and that many security postures are not set up to defend against this new style of attack.

As you can probably guess, considering Fortify is in the source code analysis space, the film largely focused on vulnerabilities as they relate to software and applications, and the vendor-driven mood of the film is clearly evident, even though it was directed by an Academy Award-winning director named Frederic Golding.

The film opens with an anonymous hacker looking at an AOL page that suffers from a cross-site scripting vulnerability, allowing him to "inject anything I want onto the page." The production goes on to discuss that the application - not the network - is what needs to be safeguarded.

Possible solutions are offered, including an interesting one from Ted Schlein, a partner with venture capital firm Kleiner, Perkins, Caufield and Byers and a Symantec veteran, who suggests that applications may eventually be able to be vaccinated so they are "impervious to attack." 

The film didn't get too risky and explain in detail how these various personal information-yielding attacks exactly go down, but it was awful tempting to know when they showed a group of researchers sitting around a computer screen that contained the credit card information and Social Security numbers of a group of victims.

Presumably, because Fortify could be held liable for the film's contents, they didn't want to go there.

The film only runs about 25 minutes - so clearly it can't cover everything - but it does leave out some of the better-known and still quite timely attack scenarios, such as phishing.

One ironic note from the movie: JCPenney CEO Mike Ullman is interviewed, preaching the virtues of information security and the dangers organizations face. Of course, we learned last week that a missing computer tape contained the personal information of some 650,000 Penney customers. Kinda funny, and unrelated to the specific threat the film focused on, but it goes to show you, a breach can - and will - happen to anyone.

Clearly the need to bring awareness about cybercrime was a big driver behind the film.

"I think there needs to be a language that everyone understands so we can begin to address the issues that affect the common man," Golding said before the movie started.

I'm not sure if the film created that language - and it will only be available from Fortify, not on Netflix, so widespread distribution is not an option - but it served as another step toward getting the word out to the mainstream public on some of the dangers we face today, dangers that most Americans do not even know about.

As Golding said, when he first started on the film, he had no idea what IT security vulnerabilities, threats and risk even meant. Now, I'm sure, he does.

Following the showing, a seven-person panel debated some pertinent items, including whether software vendors should be held liable for breaches that occur because of bug-filled programs. An interesting discussion that is sure to continue...

Later on, during a cocktail reception, Jim Routh, CISO of The Depository Trust & Clearing Corp., told me the video will make an excellent tool for bringing corporate executives up to speed on the issues at hand. Others think it could serve as a useful employee training tool.

It is fast moving, nicely edited and keeps your attention. So, even though the end-user may not get a heck of a lot of useful tips that they can apply to their everyday work, it certainly beats a boring lecture.

Oh, one final thing I just thought of that was funny. When the film failed to immediately start, someone in the audience yelled, "Projector's been hacked."

Guess you had to be there...