Cyber Security at the movies: Catwoman

SPOILER ALERT

The 2004 film Catwoman, starring Halle Berry as Patience Phillips (and Catwoman), has been voted as one of the worst films of all time, and has won multiple Razzies (Golden Raspberry Awards) – Halle Berry accepted hers while holding her Best Actress Academy Award. Now, however, it has a bit of a cult following. It did at least feature an African American woman as the lead, in a superhero film, possibly for the first time, and came long before Black Panther. Whether it deserves either accolades or condemnation, it certainly features some of the worst cyber-physical security seen in a film by a corporate giant. So what can we learn about cyber-physical security from the film?

The weakest link

The plot is based around the cosmetics firm Hedare Beauty and its development and product launch of a new face cream that reverses the effects of aging. Clearly a big corporate player, the firm has a massive team at its headquarters, including artist Patience working on PR, and also a massive research and industrial complex developing, testing and manufacturing its products. Now, cyber-criminals do not just include hackers out to cause anarchy or extort money from people. They also include people working for companies, sometimes supported by their countries, doing industrial espionage: trying to steal research and development secrets. By stealing the designs or product formulae of their competitors, such companies aim to save the massive time and development costs of doing it themselves. They then quickly produce rip-off products to steal the market. Stolen secrets can also give criminals an advantage through insider trading: buying and selling shares to make money on the back of secret information about what is about to happen. Companies, therefore, have to take industrial espionage seriously, and that means taking cyber-security seriously too.

In Catwoman, the company, Hedare Beauty, have the normal kinds of industrial secret but also a big nasty one too, so their bosses have even more reason to put a lot of effort into security. They certainly have lots of heavies with guns looking to shoot people. However, their physical security is actually totally lax.

This is first seen when Patience’s love interest, Detective Tom Lone, merrily walks into the corporate headquarters and up to her open plan desk, where she is working on the product launch, to ask her for a date. How did he get in? Why isn’t anyone accompanying him in such a sensitive area, especially days before a crucial launch? Where is his visitor’s pass and why isn’t he being challenged? Perhaps this can be put down to his being a cop (perhaps he waved his badge about), but surely someone senior should still have accompanied him. And is returning Patience’s purse (his excuse) really a good enough reason to bypass security, whoever you are?

However, even if we let that go, later Patience has to deliver some artwork by midnight to the boss out at the industrial complex. That is where the real secrets, good and bad, are. When she gets there the foyer is locked and dark with no one on duty. In many thrillers, the heroes have to use sophisticated gadgets, amazing technical or physical skill, or subterfuge to overcome the massively sophisticated hi-tech security. Patience, by contrast, just wanders round the back looking for another way in and finds a fire door ajar. This allows her to both enter and ultimately make it to the heart of the building where secrets are being discussed. As a result she overhears (if accidentally) something she should not hear…

Perhaps the most important principle of cyber-security is that it is as weak as its weakest link. You can have all the high tech multi-factor biometric authentication systems, impossible to crack encryption, experienced and well-trained former SAS guards patrolling the foyer, and so on, but if you leave a back door open then the criminals will just ignore all your high tech security and walk in through that one back door. That is exactly what Patience does. There is no point, as, for example, I have seen in real life, checking everyone’s access cards on a main gate, when there is an unmanned side gate. The criminals aren’t going to even try to enter through the front gate. Likewise, if you have a weak point in your cyber-security system, it does not matter how massively strong the rest is.

It is also better to think not just of cyber-security, anyway, but of cyber-physical security. The weakest links can just as easily be to do with physical security as with the computerised part, like the open door Patience found, or letting someone claiming to be a Detective walk around anywhere in the building. Once the “Detective” is in, they can gather information to launch other attacks from other weak points they now have access to (like passwords written on post-it notes, an access card left on someone’s desk, or computers left unlocked, for example). So poor physical security can be the weak link allowing a backdoor into the computer system.

Another point from the film is that, whether cyber security or physical security, just being “inside” (a computer or a building) should not give access to everything. As you move through a building or through a computer system, there should be more locks to get through, more authentication tests to pass, with different levels of access for different people.

Patience should never have got into the building, but even if she had, she shouldn’t have got further than the corridor. Luckily (!) for her, she did, with the ultimate result that she gained superhuman powers and became Catwoman, so perhaps sometimes bad security is not all bad (if only in a world where people can gain superpowers from cats).
