VERT at the Movies: Cybergeddon | The State of Security

While I was teaching, one of my students asked if I had seen Cybergeddon, a film distributed by Yahoo! in 2012. I had not, so I decided it would be fun for VERT to watch the film and review it, since my hobby is writing film reviews for RotundReviews.

Cybergeddon is not talked about as much as it should be given some of the background around it. It should be noted that while we’ll reference it as a film, it was originally distributed as a web series comprised of nine episodes and then later merged into a film. The film was distributed by Yahoo! and sponsored by Norton, which provided actual virus code to add to the film’s realism. The film was produced with a budget of $6M, which is pretty much the same budget that Donnie Darko is estimated to have had a decade earlier.

The series was created by Anthony E. Zuiker, best known as the creator of CSI: Crime Scene Investigation. He won the Pioneer prize at the 2013 International Digital Emmy Awards for his then-groundbreaking work connecting Silicon Valley and Hollywood with this film. It wasn’t just big names behind the scenes; the film had some big name stars, as well. Missy Peregrym was the film’s lead and has starred in series such as Reaper, Rookie Blue and FBI. Peregrym won a  Streamy Award for her work in Cybergeddon. The series also featured Manny Montana, a well-known television actor who has appeared in Graceland, Good Girls and Conviction.

In Cybergeddon, an FBI Agent (Peregrym) is framed for a crime as revenge for her investigations and must team up with a hacker in order to clear her name and prevent a major crime. The film is a rather well-paced thriller that holds your attention. While it may not be a top-of-the-line film and there definitely could have been improvements to the script, it is, at the end of the day, it’s a decent film that is entertaining to watch. I asked my team for their thoughts, and here’s what they had to say:

In a nutshell, Cybergeddon is the story of an FBI agent framed for using a sophisticated “phantom zombie network” to create widespread mayhem and disruption. Although it may have been short on technical realism and there are still a few plot points I’m unclear on, the film didn’t fail to keep me amused. Whether it was the FBI agent calling out “I recognize this code” while staring at a waterfall animation of 0’s and 1’s or the computer hacking animations of a multi-dimensional hyperspace, Cybergeddon did not disappoint. Cutting through the preposterous visualizations and over-the-top dialogue, Cybergeddon also hits upon some valid concerns which were only slightly realized back at the time of its 2012 release. The film involves a sophisticated worm that is able to propagate so thoroughly that virtually no systems were left uncompromised. The operator of the worm could then unleash absolute chaos with the click of a few keys. While the presentation is a bit absurd, the risk of a successful malware campaign disrupting society in meaningful ways is more realistic than many of us would like to believe. In the years since this film, we’ve seen a few examples between Mirai, WannaCry and NotPetya, to name a few. The capacity for hacking to disrupt society and put people in physical jeopardy cannot be understated and must not be ignored.

Overall, I found Cybergeddon to be a fun watch, and I would give it 3/5.

Craig Young, Principal Security Researcher

Cybergeddon – a world-wide collapse of various computing infrastructure – is not an event that I’d ever want to live through. The movie, however, was quite enjoyable. As usual, the film industry definitely spikes up the fiction factor when creating a movie like this. However, the folks involved with putting this movie together definitely did a few things that were spot-on in the real world. For example, they captured the real-world aspect of people using very insecure passwords. In one scene, Chloe states that Frank’s password is ‘password.’ Frank was perplexed as to how she knew it, but Chloe responds that ‘password’ is one of the most common passwords ever used. That, unfortunately, turns out to be a very true statement in the real world. There are other aspects of the movie that capture real-word aspects of computers and cybersecurity. I really got a kick out of seeing the brief glimpses of assembly language and decompiled executables on the “big screen.” Watching Chloe hack her way out of custody with a smart phone made me giggle – that was a situation that would be very hard to achieve.

Overall, I give this movie a thumbs up.

Lane Thames, Principal Security Researcher

Watching Cybergeddon was a surprisingly enjoyable experience. It was a bit cheesy and predictable at times, but that didn’t detract from a generally interesting story. While of course the depictions of cyber security weren’t entirely accurate or realistic, for a casual viewer with no knowledge on the subject, I think the movie did a good job presenting it in a way that was oversimplified but not outright wrong. I did think there were some useful security tips sprinkled throughout the movie such as them showing reasons why you should have a strong password and why you should lock your phone. I especially liked the way it was pointed out how easily we give away our information online and how that information could be used for nefarious purposes. The only part I felt did a real disservice to the viewer was the casualness with which the characters plugged unknown USBs into their PCs. I’d like to believe that they were plugged into computers intended to safely handle malicious USBs, but that wasn’t clearly portrayed in the movie, and it did nothing to discourage this bad habit. Overall, though, I liked Cybergeddon. 

It entertained me with its story, and it was amusing in its depiction of cyber security rather than ridiculous.

Darlene Hibbs, Senior Security Researcher

Cybergeddon is an enjoyable movie – if you do not pay attention to the technological detail. This movie reminded me of the television show 24 where Jack Bauer had Chloe O’Brian instantly gain access to computer systems that would have been segmented from the internet. This movie was similar because the actors from Cybergeddon interacted with systems that should have been firewalled or segregated from the internet. These actors were able to instantly gain access to networks and control devices to move the plot along. The ability to instantly develop an exploit with an unfamiliar system is unrealistic. An automated exploit usually takes a fair amount of time to develop and to do something specific. Furthermore, to access systems from the internet, it would require that organizations did not properly configure a firewall and instead left ports open to vital systems. To be fair, the movie had a social engineering aspect. The criminals were able to exploit the human element by using the telephone and by claiming to be from a particular company. This demonstrated the real world because you should not trust an unknown party on the telephone.

Overall, I would rate this movie 3.5 out of 5.

Andrew Swoboda, Senior Security Researcher

At the beginning of the movie at FBI Cyber Nerve Center in Washington D.C., Chloe Jocelyn, Senior Special Agent, is given a USB stick by her coworker. She says, “I need your eyes on this,” and she plugs it into her computer that is clearly her office/work computer. In real life, in a highly secure environment, you would never pass around data on USB drives and plug them into your computer, especially after Stuxnet. (It was introduced via USB flash drives.) Wired has a great article on “Why the Security of USB Is Fundamentally Broken.” The article says, “The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer.”

Many hardening frameworks such as DISA require that the functionality of external USB thumb drives be disabled.

John Wenning, Policy and Compliance Analyst

Overall, I found Cybergeddon to be a genuinely fun action-thriller type of movie. It had a good flow to the action once it got going and didn’t dump me out of the immersion outside of one occurrence where the Rabbit character went on a monologue about how malware spreads so easily because of how the average person interacts with technology. That said, one of the earliest glaring cybersecurity issues I caught in the movie was when our main character just plugs in a USB drive that a co-worker gave her. They work in a federal office in a cybersecurity-specific division, and I find it hard to believe that there aren’t rules related to passing USB sticks around and plugging them into government computers without at least a sandbox. I’ll just pretend to ignore that in the same scene the character was playing a first-person shooter on that government computer, as well.

All told, I’d give it an 8/10; it lost points for doing things no security professional would ever do.

Ary Widdes, Security Researcher

Cybergeddon is a digital crime thriller that depicts what would happen if a sophisticated polymorphic worm were to be released on to the world’s computers and destroy all technology as we know it. I’ve got to hand it to them, I thought the movie was going to be boring with just a bunch of cyber security terms thrown in here and there with no substance. Well, there were a lot of cyber security terms thrown around, but most of it had substance, and the movie was actually not boring. Instead, it was a very fun watch. There were several parts during the movie that made me cringe security-wise. For example, in the FBI HQ, there were tons of sticky notes plastered everywhere with information on them that could contain passwords or sensitive information that should not be out in public viewing. Another instance was when the lead FBI agent was given a USB drive and without a second thought plugged it into her work laptop that was connected to the office network. With this action, she sets in motion the malware that will soon become a massive botnet controlling hundreds of millions of computers.

With security in mind, here are some things that should be done to maintain proper security in a workplace:

1. Don’t leave sensitive information or passwords on sticky notes around your work area. 
2. If you leave your work area, make sure your workstation is locked.
3. Never plug mysterious USB drives into work place systems. As you can tell from the movie, they could contain malware or other nefarious programs. 
4. Treat system updates on workstations with time sensitivity. It’s better to update your systems sooner rather than later to have the proper security patches in place.

Overall, I enjoyed the movie. It covered many different layers of security that ring true in the real world.

Matthew Jerzewski, Security Researcher

One true-to-life aspect of Cybergeddon occurred at the start of the series. Our protagonist, Agent Chloe Jocelyn, is pulled out of the War Room and is placed under arrest for suspicion of cyber terrorism. It appears she is an insider threat. Although in the show these details are fabricated, some of the indicators can point to a potential insider threat. These include signs of addiction (in this case, gambling), massive debt, large funds transfers and contact with adversaries. Especially when working with sensitive or classified information, these factors need to be considered when choosing the access controls for employees in regards to integral systems. If an employee is in massive debt, they are at risk of being incentivized to operate against their company’s values and steal information or expose company resources to adversaries.

Often security professionals focus on enemies being outside the company, but we have to keep ourselves aware of who is in the company, as well.

Josh Swartzell, Security Research Assistant

The frequent mention of plugging in a random USB flash drive into a computer in the comments above should give a pretty clear indication that it is a big faux pas. If you ever find yourself in that situation, I would suggest the same advice that people give should you find yourself on fire. STOP yourself from plugging in the drive. DROP the device from your hand. ROLL your chair away from the computer and think about what you are doing.

Overall, as you can see, the team found it fun to watch. It’s a shame that it didn’t get the attention that it deserved and that it hasn’t been picked up by any streaming services. I think that it should be considered as good as if not better than most of the “hacking” films that have been released thus far. It will never be War Games, Sneakers or Hackers for me, but those are the movies I grew up with. I did find it to be more enjoyable or, at least, as enjoyable as Live Free or Die Hard, Operation Takedown, Firewall and Blackhat.

If you get the chance, check the film (web series). It was well done for that topic at that time.