Star Wars: A New Hope – 5 information security lessons

Unless you have literally been living on a remote, desert-like planet in a galaxy, far far away, spending your days looking out over the horizon as two suns start to set, then you might have missed a ridiculous level of buzz about a certain new Star Wars movie.

Indeed, the world has gone positively potty over The Force Awakens, the seventh and latest instalment in what is now a possibly endless franchise. Without giving anything away about the plot (this feature is entirely spoiler free), the J.J. Abrams directed film has been declared a triumph by critics all over the world. In short, from what we’ve read, it’s both a fitting tribute to the original trilogy and a triumphant start to what will be the next chapter of the saga.

Like most Star Wars fans, ahead of going to the cinema, we’ve made an effort to rewatch all of the movies – not that we needed an excuse to revisit this captivating world – and in doing so, we inadvertently uncovered some interesting information security insights, specifically from the first ever flick, A New Hope. Stranger things have happened, so stay with us.

After some further scrutiny (i.e. we watched the movie again and again), it became all too clear that there’s a lot that can actually be learnt from this magical space opera. So, here we are … a Star Wars-inspired cybersecurity feature. Enjoy, and may the force be with you.

  1. Do not underestimate the power of end-to-end encryption

If you want to ensure that the details of your communication remain hidden from prying eyes, so that only the sender and the receiver have access to it, then end-to-end encryption will serve you well.

The Rebel Alliance is big on encryption. Princess Leia needs to get a message to her “only hope”, Obi-Wan Kenobi, and, attune to the fact that the Empire is hot on her heels, she duly encrypts her plea for help (as well as the Death Star blueprint) and hides it in everyone’s favorite little droid, R2-D2.

Leia understands that if R2-D2 is captured, she can feel somewhat confident that the sensitive data will remain secure –  in other words, while it might now be in the hands of the bad guys, it’s still unreadable. Only Obi-Wan has the key needed to decrypt the message, meaning the princess’ secret plea for his assistance can only ever be unlocked by the Jedi Master.

  1. You must learn the ways of social engineering to stay secure

Social engineering is an effective form of manipulation that allows cybercriminals to deceive victims. From an information security point of view, it’s used to covertly gather sensitive information and/or gain access to devices and accounts, usually for fraudulent reasons.

The Jedi are, in some ways, masters of social engineering (used, of course, for the greater good of the galaxy). We first get a glimpse of this when Obi-Wan, accompanied by Luke Skywalker, is stopped by stormtroopers on their way to meet Han Solo and Chewbacca.

When they are asked for identification, the former Jedi hermit swiftly, with a subtle wave of the hand, rebuts the request. The stormtroopers have no idea what’s happened; they think all is well. However, they have been duped. Had they been aware of social engineering techniques, like Jabba the Hutt in Return of the Jedi, then Obi-Wan might have had to resort to bypassing security in another way.

  1. I find your lack of faith in your vulnerabilities disturbing

Even the most comprehensive security systems have their vulnerabilities, which is why it is important to constantly assess the means by which you’re protecting your assets to uncover hidden or overlooked flaws.

General Tagge is all too aware of this. In a meeting with his colleagues and superiors he cautions that the data breach experienced by the Empire might leave them open to an attack.

“They might find a weakness and exploit it,” he warns, appreciating the fact that because the information that was accessed is highly sensitive, it presents a grave danger.

“Any attack made by the rebels against this station would be a useless gesture, no matter what technical data they have obtained.”

However, this analysis of the situation isn’t shared by all. General Motti, for example, underestimates the threat: “Any attack made by the rebels against this station would be a useless gesture, no matter what technical data they have obtained.”

While the Death Star is pretty heavily protected, a small vulnerability, overlooked by the Empire, is discovered: a thermal exhaust port that is connected to the space station’s reactor core is exposed. If you can gain entry through that small opening, well, it’s game over.

  1. I sense the presence of a something I can’t quite put my finger on (trojan horse)

Star Wars

A trojan horse is a type of malicious software that purports to be anything but. In other words, as in the Greek mythology from which it gets its name from, the superficial and seemingly innocuous nature of it belies the devastating and harmful package that is lurking below the surface.

The crew of the Millennium Falcon, when caught in the Death Star’s tractor beam – after discovering the planet Alderaan has been destroyed – possess all the hallmarks of a trojan.

Although the Empire is initially cautious about what they have just beamed into the battle station – the equivalent of downloading a corrupted link – the check they perform doesn’t spot the hidden crew, meaning they have no idea that they have been contaminated.

“Great shot kid! That was one in a million!”

While Darth Vader kills Obi-Wan – i.e. they have finally spotted the malicious software and attempted to contain it – it is too late. The tractor beam is disabled, the Millennium Falcon escapes, the Rebel Alliance gets hold of the Death Star blueprint and … well, you know the rest: “Great shot kid! That was one in a million!”

  1. The password protection and 2FA is not strong with this system

If you don’t invest in strong passwords and two-factor authentication (2FA) solutions, then, coupled with an open access policy to your network – as opposed to only senior employees possessing the rights to this – you’re likely to experience some sort of data breach, big or small and intentionally or otherwise.

R2-D2 – who faces stiff competition from BB-8 these days – makes easy work of the Death Star’s lack of password protection. Not only is he able to plug himself into the battle station’s central computer, he is able to locate specific information with very little effort (specifically Leia’s location).

Moreover, later on, when the heroes are trapped in the trash compactor, R2-D2 is once again able to effortlessly locate the kind of data and controls he needs to cause disruption. To all intents, there is nothing by way of security to stop him in his tracks.

However, had the Empire anticipated the threat of a cyber expert; had strong passwords in place; and had invested in two-factor authentication, then the ending of a New Hope would have been remarkably different.

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.