
Hacking into Hollywood

By Ivo Vegter, Contributor
Johannesburg, 15 Apr 2008

Johnny Long, known to most simply as j0hnny or j0hnnyhax, is a professional hacker who has also published several books on how it's done.

The most surprising thing about those books isn't how difficult hacking is, but how easy it is. Without an ounce of leet skills or tech wizardry, companies, government agencies and individuals can have their computers or networks compromised.

Perhaps best known for his book Google Hacking, he has just published a book entitled No Tech Hacking, co-written with Jack Wiles and edited by Kevin Mitnick. Like Mitnick in 2006, Long has been invited to speak at the ITWeb Security Summit 2008, a three-day conference starting on 6 May at Vodaworld in Midrand.

ITWeb Security Summit 2008

More information about the ITWeb Security Summit 2008, which takes place from 6 to 8 May at Vodaworld, Midrand, is available online here.

His latest book points out that information is power, and information can be obtained in all sorts of ways.

If he were asked to compromise a large organisation or government outfit, with a brief to discover, or destroy, a given piece of data, he says he'd rely less on technology and more on human weakness.

"Despite all the best computer software and hardware, there's a human somewhere that holds the keys to the kingdom. Personally, I'd opt for social engineering or other 'no-tech' hacks to get at the goods."

His previous book, Google Hacking, is more infamous, partly because he has compiled a list of such hacks in a database available online. Some searches return error messages that disclose far too much about the server hosting a Web application, such as exact version numbers or other details needed to match known vulnerabilities to the server profile. Others reveal password files that are available to the Google search spider, which an attacker can decrypt at their leisure, and still others offer ways to use Google search terms to establish a foothold for executing code on a remote server.

"Google hacking is pervasive, it affects nearly every Web-based application," says Long. "But understand that the technique is most often used as reconnaissance. Not every Web application squirts out passwords and sensitive medical data."

Ironically, he says, large companies may have more resources to devote to security, but they also have more hardware and software strewn about the network that can get lost.

"Smaller companies are certainly at risk, but at the same time they have a better idea of where their assets are, what they need to protect," he says. "Larger companies and organisations sometimes have a hard time nailing down where all their stuff is. Attackers often target lost, forgotten machines."

Though he works for the penetration testing team at Computer Sciences Corporation, known as the Strike Force, his ambitions are set higher. He has his sights set on a job consulting to movie studios.

"Hollywood gets quite a bit wrong, and that's frustrating, especially to those in the know," he says. "Insiders know that truth is much cooler than fiction, but Hollywood thinks it needs to be dumbed down or spiced up to be cool. Modern movies are getting better, but there's a lot of room for improvement. Hollywood should hire technology consultants that have credibility, and pay them lots of money."

It would indeed be amusing to discover a film that everyone dismisses as yet another example of a clueless scriptwriter with a ludicrous hacker plot device, yet leaks a real hacker technique or exploit to an unsuspecting public.

And that's exactly what he's after: "Fun. I got into the security field because it was fun. I plan on keeping it that way."

* Johnny Long is a keynote speaker at the ITWeb Security Summit 2008, which takes place from 6 to 8 May. For more information, click here.
