{"id":21869,"date":"2020-11-27T09:36:37","date_gmt":"2020-11-27T09:36:37","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/three-italian-jobs\/21869\/"},"modified":"2020-11-27T09:36:37","modified_gmt":"2020-11-27T09:36:37","slug":"three-italian-jobs","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/three-italian-jobs\/21869\/","title":{"rendered":"Hack the lights: The Italian Job in terms of cybersecurity"},"content":{"rendered":"<p>Protagonists, or their opponents, taking control of a city\u2019s transportation management system is standard movie fare. The characters\u2019 aim is to create either a traffic jam for pursuers or a getaway route for themselves. <em><a href=\"https:\/\/www.kaspersky.com\/blog\/hackers-movie\/37028\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Hackers<\/a><\/em>, <em>Live Free or Die Hard<\/em> and <em>Taxi<\/em> are a tiny sample of the artistic incarnations of this hacking scheme. The once-original set-piece has long since turned into a Hollywood clich\u00e9.<\/p>\n<p>The trope most likely began with the 1969 British film <em>The Italian Job<\/em>. Unsurprisingly for that era, it was the only cyber-related incident in the movie. But the traffic sabotage plot point spawned many imitations, including in two remakes of the original picture, one by Hollywood (<em>The Italian Job<\/em>, 2003) and one by Bollywood (<em>Players<\/em>, 2012).<\/p>\n<p>In its various iterations, the traffic-light scene remains pivotal. Thus, by comparing the three versions, we can trace the evolution of moviemakers\u2019 and moviegoers\u2019 attitudes about critical infrastructure hacks.<\/p>\n<h2>The Italian Job (1969), the British way<\/h2>\n<p>The future-oriented Turin is depicted basically as a smart city of the time. In the movie, a supercomputer controls every traffic light from a single center, where data from traffic cameras is also collected. The mastermind behind the robbery, who dies early on, bequeaths to main character Charlie Croker a detailed plan for a daring heist, along with malware for the supercomputer and an unexplained gadget that can disable cameras.<\/p>\n<p>The program\u2019s origin is unknown; someone probably got hold of the original source code and modified it with chaos in mind. Of course, in 1969 not only was there no Internet, but even local area networks were not properly rolled out. The only way to install the malware onto the computer is to sneak into the building and manually swap the magnetic tape in the drive. That requires the services of Professor Peach, supposedly the top computer expert in the country.<\/p>\n<p>To get into the traffic control center and change the program, the computer needs to be stopped. Croker takes on the mission, hurling his bicycle into a power substation and cutting off not only the traffic control center, but also most of the rest of the city (and plunging a lavish mafia feast into darkness).<\/p>\n<p>Now Peach enters the game, removing the tape reel from the drive and loading another. With the power out, that\u2019s really all that\u2019s left to do, anyway. So, they got a computer expert just to perform the task of a lab assistant. In case you missed that absurdity, that tech genius is played by funnyman Benny Hill.<\/p>\n<p>The next phase of the plan is to knock out the cameras. To throw the traffic control center off the scent, and conceal the actual robbery, the criminals plant some devices \u2014 probably jammers, but the details are not revealed \u2014 on trash cans and roofs in the vicinity of the cameras. Traffic cameras in those days could not transmit wireless signals, but the mysterious gadgets manage to disable the cameras.<\/p>\n<p>The result: Everything goes like clockwork. The cameras switch off, the traffic lights start blinking, the city roads are paralyzed, and Peach is arrested for indecent behavior on public transportation (don\u2019t ask).<\/p>\n<h3>British version: Takeaways<\/h3>\n<h4>Cybersecurity<\/h4>\n<ul>\n<li>The film displays a rather dismissive attitude toward the physical security of critical infrastructure. Both the power substation and the traffic control center are practically unguarded. The attackers get to the drive without a hitch and successfully replace the tape.<\/li>\n<li>The computer accepts the substitute program without question. That\u2019s actually excusable; <a href=\"https:\/\/en.wikipedia.org\/wiki\/Code_signing\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">code signing<\/a> wasn\u2019t invented until much later.<\/li>\n<\/ul>\n<h4>Perception<\/h4>\n<ul>\n<li>Computer hacking is perceived as something highly complex. To fool the computer, the gang spends a lot of energy recruiting the best computer expert in the land (only to have him change a tape reel).<\/li>\n<li>There is no attempt to explain the technical side of things; instead, black-box gadgets miraculously disable the cameras.<\/li>\n<\/ul>\n<h2>The Italian Job (2003), the American way<\/h2>\n<p>The Hollywood version, in my view, cannot be considered a direct remake of the British film. Sure, the characters have the same goal (to steal gold bars), and the chase scene is practically a carbon copy of the original, but the motivations are very different. Psychology and morals aside, they still have to mess around with cameras and traffic lights. But these criminals do not have to look for a specialist; they already have a computer genius on the team: Lyle, whose day job happens to involve 3D modeling of buildings for planning and coordinating robberies. That\u2019s your digital transformation at work. In 2003, having a computer specialist on the team is considered pretty normal.<\/p>\n<p>What\u2019s more, the American version of the movie requires a bit more hacking. First, the criminals try to hack into a phone company\u2019s remote monitoring system, convince its employees that it is a legal wiretapping operation, and ultimately redirect the audio stream to their own listening post. Lyle has experience with the latter, having spent years eavesdropping on his ex.<\/p>\n<p>But the main hack is unchanged. Getting inside the Los Angeles Automated Traffic Surveillance and Control Operations Center in 2003 is way easier than getting into Turin\u2019s system was in 1969 \u2014 the center is connected to the Internet and even has a graphical user interface (GUI). Lyle sits at his laptop and tries to figure out the password \u2014 manually. He enters password after password without success, until at last the magic words \u201cAccess Granted\u201d appear on the screen.<\/p>\n<p>The operations center predicts traffic flow and automatically changes traffic lights based on camera captures. But it has a manual mode too, and Lyle uses that to take control of the lights. As a demonstration, he changes all of the lights at one intersection to green, causing an accident. But he quickly switches the lights back, and the center writes off the incident as a glitch.<\/p>\n<p>The gang\u2019s plan is to make a wave of green that lets them speed through while gridlocking the rest of Los Angeles. On the day of the robbery, a somewhat dazed Lyle sits on a baggage carousel at Union Station armed with a laptop and router, monitoring the situation on the roads, changing signal lights (not only on the road, but also in the subway), and paralyzing the control center by displaying the message \u201cYou\u2019ll never shut down the real Napster\u201d on every screen. (As a comic plot element, Lyle claims that he invented the Napster peer-to-peer network and that <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shawn_Fanning\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Shawn Fanning<\/a> stole his idea. Lyle likes to call himself Napster. He does, to be fair, resemble the stereotypical computer whiz kid.)<\/p>\n<p>Thanks to the well-coordinated operation, the gold is stolen, everyone gets away, and the dastardly villain falls into the hands of the Ukrainian mafia, whose path he manages to cross.<\/p>\n<h3>US version: Takeaways<\/h3>\n<h4>Cybersecurity<\/h4>\n<ul>\n<li>If the password for remote access to a system can be picked manually, it\u2019s a bad password.<\/li>\n<li>Critical infrastructure needs to use a secured Internet connection and should not be controllable through a Web-based GUI. And it should go without saying that staff should not fix its gaze on an idiotic message instead of trying to do something about it. Even the fictional Italians of 34 years before were more clued-in!<\/li>\n<\/ul>\n<h4>Perception<\/h4>\n<ul>\n<li>By 2003, hacking is a common occurrence, so pulling off the heist relies on more than just disabling a few traffic lights. In this nonremake remake, penetrating the traffic control center is a standard operation that arises naturally during the planning phase.<\/li>\n<li>Lyle\/Napster is forever explaining what he\u2019s doing and how. What he says is nonsense, of course, but the point is that the moviemakers wanted to root the on-screen events in some version of reality.<\/li>\n<\/ul>\n<h2>Players (2012), the Indian way<\/h2>\n<p>The Indian filmmakers tried to extract the best bits of both versions of <em>The Italian Job<\/em> and spice it up with Bollywood glam, including racing, singing, dancing, high-minded morality and, of course, hacking. The plot is admittedly pretty wild: Russia is returning to Romania some gold that the Romanian government hid in Russia before the German invasion in 1915. Nasty Russian army officers are transporting the gold, the even nastier Russian mafia is hunting it, and a group of noble Indian robbers wants to steal the gold and use the funds to build a school for orphans.<\/p>\n<p>Naturally, the smash-and-grab operation needs the best hacker in the world. And he needs a real hacker handle: in this case, it\u2019s Spider. One problem, no one knows where to find him. Fortunately, the main character\u2019s girlfriend has a master\u2019s degree in computers with a gold medal and a master\u2019s degree in ethical hacking (sure, why not?). She breaks into the systems of \u201cthe best hacker in the world\u201d and discovers that he actually lives nearby. Having kidnapped him, they persuade him to take part in the raid.<\/p>\n<p>According to the plan, the kidnapped hacker has two tasks to perform. First, he must hack into the Russian army\u2019s website to get information about the officers carrying the cargo. Second, he has to hack a satellite monitoring the movements of the train with the gold in real time (and paralyze the control center).<\/p>\n<p>He copes with both tasks easily by tapping a few keys on a laptop \u2014 but he turns against the gang, snatches the gold for himself, and runs. That leaves the job of disabling the traffic lights to the master ethical hacker. Incidentally, she does so in exactly the same way, with a quick drum roll on the keyboard to gain control of the traffic lights.<\/p>\n<h3>Indian version: Takeaways<\/h3>\n<h4>Cybersecurity<\/h4>\n<ul>\n<li>There is no cybersecurity to speak of. All systems can be hacked remotely, without preliminary preparation \u2014 just tap away on the keyboard, the faster the better.<\/li>\n<\/ul>\n<h4>Perception<\/h4>\n<ul>\n<li>Hackers are magicians.<\/li>\n<\/ul>\n<h2>The Italian Job: Conclusion<\/h2>\n<p>In all three movies, the criminals try to avoid bloodshed, and in the last two, they are even guided (partly) by noble intentions: revenge for a teacher\u2019s murder and desire to build a school for orphans. However, they never stop to think about the consequences of gridlocking a huge city, including for firefighters, ambulances, and the like. And that means civilian casualties. Even though the robbers are portrayed as good guys, it\u2019s hard to sympathize with them.<\/p>\n<p>As for cybersecurity, the image of the \u201cgenius hacker\u201d has changed dramatically over half a century. If earlier the hacker was a gifted but strange, otherworldly kind of guy, now a hacker is depicted as a self-confident, near-omnipotent technowizard. Seizing control of traffic lights has evolved from a complex technical operation to a standard trick that is taken for granted. The reality, of course, is very different. Hacking a city\u2019s traffic control system is <a href=\"https:\/\/www.youtube.com\/watch?v=0P3llrMWgzQ\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">far harder than it seems on the silver screen<\/a>.<\/p>\n<p>The omnipotence of hackers in movies negatively affects perceptions of the threat of critical infrastructure break-ins. According to our colleagues at Kaspersky Security Awareness, the cinematic stereotype of the genius hacker harms the security of real companies. People are so sure that bad actors can do anything that they don\u2019t bother with maximum protection, leaving unnecessary loopholes.<\/p>\n<p>That\u2019s why we strongly recommend security awareness training for employees that shows them how things are in the real world. For example, our <a href=\"https:\/\/k-asap.com\/en\/?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> provides lessons that separate fact from fiction.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>We trace how the perception of hackers has evolved based on the classic traffic-light-hacking scheme in three versions (British, American, Indian) of The Italian Job.<\/p>\n","protected":false},"author":700,"featured_media":21870,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360],"tags":[732,3079,1196,2471],"class_list":{"0":"post-21869","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-critical-infrastructure","10":"tag-kaspersky-automated-security-awareness-platform","11":"tag-movies","12":"tag-truth"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/three-italian-jobs\/21869\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/three-italian-jobs\/22158\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/three-italian-jobs\/17636\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/three-italian-jobs\/8787\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/three-italian-jobs\/23783\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/three-italian-jobs\/20650\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/three-italian-jobs\/24314\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/three-italian-jobs\/23467\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/three-italian-jobs\/29568\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/three-italian-jobs\/9113\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/three-italian-jobs\/37841\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/three-italian-jobs\/16043\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/three-italian-jobs\/16762\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/three-italian-jobs\/14234\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/three-italian-jobs\/25839\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/three-italian-jobs\/12306\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/three-italian-jobs\/29666\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/three-italian-jobs\/26442\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/three-italian-jobs\/23129\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/three-italian-jobs\/28458\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/three-italian-jobs\/28274\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/21869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=21869"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/21869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/21870"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=21869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=21869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=21869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}