Cybersecurity errors at Nakatomi

Many families spend the holidays watching favorite movies together, often the same ones year after year, turning them into Christmas and New Year’s traditions. Some people love Christmas comedies, others favor melodramas. As for me, my favorite Christmas movie is Die Hard. After all, 60% of John McClane’s encounters with terrorists take place on Christmas Eve, and I’m far from the only person associating the action classic with the holiday.

Sure, with Live Free or Die Hard (aka Die Hard 4.0), we got a plot really focused on critical infrastructure cybersecurity — and we’ll come to that in due course — but look closely and you’ll see plenty of examples of both good and shocking cybersecurity in the first movie as well.

After all, the Nakatomi Corporation uses the most cutting-edge technologies of the day: a mainframe that synchronizes with Tokyo-based servers, a computerized lock on the vault, and even a touch-screen information terminal in the lobby (don’t forget, we’re talking 1988 here).

Physical security at Nakatomi Plaza

Security issues jump out right from the start. John McClane, our protagonist, enters the building and addresses the security guard, mentioning only the name of his wife, whom he came to see. He never says his own name or shows any form of ID. Even providing his wife’s name shouldn’t get him in, though; their marriage is on the rocks and she’s reverted to using her maiden name at work.

Instead of challenging the intruder, the careless guard simply points him in the direction of the information terminal, then the elevators. So, basically anyone can enter the building. What’s more, as the action progresses, we repeatedly see non-password-protected computers in the building, all open to evil-maid attacks.

Access to engineering systems

It is not long before criminals enter the building, kill the guards (just two are on watch on Christmas Eve), and take control of the building. Naturally, all of the engineering systems in Nakatomi Plaza are controlled from one computer, which is in the security room, right next to the entrance.

The sole hacker among the terrorists, Theo, taps a few keys and bam, the elevators and escalators stop working and the garage is blocked off. The computer is already on (although the room is empty) and has no protection against unauthorized access — the screen isn’t even locked! For a company employee (in the security department) to leave the screen unlocked is simply unforgivable.

Network security

The first thing that the terrorists demand from the president of Nakatomi Trading is the password for the company’s mainframe. Takagi, thinking the villains are after information, drops an interesting tidbit about the company’s security practices: Come morning in Tokyo, he says, any data the attackers gain access to will be changed, undermining blackmail attempts. We can draw two conclusions from that:

  1. Nakatomi’s information systems in Tokyo keep track of who gains access to what and when. That is a fairly well-implemented security system. (Of course, it’s possible Mr. Takagi is bluffing.)
  2. Moreover, Takagi seems to have absolutely no knowledge of time zones. In Los Angeles, night has just fallen (the intruders enter the building at dusk, and during the conversation in question, we can see through the window that it’s dark out). Therefore, it’s got to be at least 10:30 the next morning in Tokyo.

Nakatomi’s workstation security

The gangsters explain that they aren’t exactly terrorists, and they’re interested in access to the vault, not information. Takagi refuses to give the code, suggests the villains fly to Tokyo to try their luck there, and dies for his efforts.

Murder aside, the interesting bit lies elsewhere. A close-up of Takagi’s workstation reveals that its operating system, Nakatomi Socrates BSD 9.2 (clearly a fictional descendant of the Berkeley Software Distribution), requires two passwords: Ultra-Gate Key and Daily Cypher.

As the names suggest, one is static and the other changes daily. Right here is a shining example of two-factor authentication, at least by 1988 standards.

Access to the vault

Seven locks protect the vault. The first is computerized, five are mechanical, and the last is electromagnetic. If hacker Theo is to be believed, he’ll need half an hour to crack the code of the first lock, then two to two-and-a-half hours to drill through the mechanical ones. The seventh automatically activates at that point, and its circuits cannot be cut locally.

Leaving aside that highly dubious notion (my physics may be rusty, but electricity is usually supplied through wires, which can always be cut), let’s move on to the next glaring flaw: If the vault security system can send a signal to activate a lock, why can’t it notify the police about an unauthorized entry attempt? Or at least sound an alarm? Sure, the malefactors cut the telephone lines, but the fire alarm manages to transmit a signal to 911.

Ignoring that, it’s quite interesting to watch how Theo cracks the code. Inexplicably, on the first computer he tries, he gains access to the personal file of the (unnamed) chairman of the investment group, including information about his military service. Remember that in 1988, the Internet as we know it does not exist, so the information is likely stored on Nakatomi’s internal network, in a shared folder.

According to information in the file, this unnamed military man served in 1940 on the Akagi (a real Japanese aircraft carrier) and took part in several military operations including the attack on Pearl Harbor. Why would such information be stored publicly on the corporate network? Weird — especially because the aircraft carrier also serves as a hint for the password to the vault!

The same computer helpfully translates Akagi into English as Red Castle, and wouldn’t you know it, that’s the password. Maybe Theo did a ton of homework and got lucky, but even in theory, the process went awfully quickly. It’s not clear how he knew in advance that he could do it in half an hour.

Here, the scriptwriters must have forgotten about Daily Cypher, the regularly changed, and thus more interesting, second password. The lock opens without it.
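To make the static-plus-daily scheme from the workstation section concrete, and to show why a lock that accepts the static password alone gives up the second check, here is an added sketch that is not taken from the movie or from any real product. The movie never shows how the Daily Cypher is produced; deriving it from a shared secret and the calendar date with HMAC is an assumption, and every name below is hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


def hash_static(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the static password is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def daily_code(shared_secret: bytes, day: date, digits: int = 8) -> str:
    """Code that changes every day: HMAC over the ISO date, truncated to digits.
    (Assumed construction, similar in spirit to HOTP-style truncation.)"""
    mac = hmac.new(shared_secret, day.isoformat().encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login(static_pw: str, code: str, today: date, record: dict) -> bool:
    """Both checks must pass; comparisons are constant-time."""
    ok_static = hmac.compare_digest(
        hash_static(static_pw, record["salt"]), record["pw_hash"])
    ok_daily = hmac.compare_digest(
        code.encode(), daily_code(record["secret"], today).encode())
    return ok_static and ok_daily


# Constructed sample account; "Red Castle" is the guessable password from the text.
_salt = secrets.token_bytes(16)
RECORD = {
    "salt": _salt,
    "pw_hash": hash_static("Red Castle", _salt),
    "secret": secrets.token_bytes(32),
}
TODAY = date(1988, 12, 24)
YESTERDAY = TODAY - timedelta(days=1)

if __name__ == "__main__":
    good = daily_code(RECORD["secret"], TODAY)
    stale = daily_code(RECORD["secret"], YESTERDAY)
    print("static + today's code:     ", login("Red Castle", good, TODAY, RECORD))
    print("static + yesterday's code: ", login("Red Castle", stale, TODAY, RECORD))
    print("static password only:      ", login("Red Castle", "", TODAY, RECORD))
```

With both checks enforced, guessing the static password from the personnel file is not enough on its own, and a daily code that leaked the day before no longer works.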

Social engineering

The criminals occasionally employ social-engineering techniques on the guards, fire department, and police. From a cybersecurity perspective, the call to 911 warrants particular attention. McClane triggers the fire alarm, but the intruders preemptively call the rescue service, introduce themselves as security guards, and cancel the alarm.

A little later, information about Nakatomi Plaza — in particular, telephone numbers and a code presumably for canceling the fire alarm — appears on a 911 computer screen. If the attackers were able to recall the fire-fighting crew, they got that code from somewhere. And the guards were already dead, so the code must have been written down and kept somewhere nearby (judging by the promptness of the recall). That’s not recommended practice.

Practical takeaways

  • Don’t let strangers in, even on Christmas Eve, and especially if the building is full of computers holding valuable information.
  • Periodically remind employees to lock their computers. Better still, set systems to lock automatically after a short duration. Taking part in a cybersecurity awareness course is also an excellent idea.
  • Don’t share documents containing password hints, or store them in shared locations.
  • Use randomly generated, hard-to-guess passwords for access to highly valuable data.
  • Store passwords (and alarm cancellation codes) securely, not on paper notes.

Postscript

We were initially going to look at both Christmas movies in the series, but having rewatched Die Hard 2, we concluded that it’s really about a fundamental failure in the airport information infrastructure architecture. The terrorists dig up the conduit lines running under a nearby church and seize control of all airport systems, including the control tower. Back in 1990, some of those systems would not have been computerized at all. Alas, it is not possible to get to the bottom of it without a detailed in-movie explanation, but everyone’s too busy dying (hard or otherwise) to provide one.