While I doubt that John Hughes made one of the best movies of all time with the intention of it being a guide on Data Protection, I rewatched Ferris Bueller’s Day Off a few days ago and couldn’t help but notice that it’s a beautiful illustration of Data Privacy, Open Source Intelligence (OSInt), Cyber Security and Persuasion. Our budding grey-hat analyst, Ferris, can teach us a lot about these subjects, even 34 years on. Data Protection moves pretty fast. If you don’t stop and look around once in a while, you could miss it.
Overall, the movie involves a lot of deception and persuasion, and you can clearly see a number of Cialdini’s “Principles of Persuasion” (reciprocity, commitment/consistency, social proof, authority, liking, and scarcity) being employed by the characters. For example, Ferris often relies on likeability. In one of the first scenes, he relies on likeability to sell his deception, and when his parents leave he has free reign of the system – much like the tactics an attacker may employ against a business. This three-part post will relate nine iconic scenes to modern hacking techniques to illustrate how these may take place in a business.
Spoiler Alerts – If you haven’t watched Ferris Bueller’s Day Off, go and watch it before reading.
Advanced Persistent Threat
To Ferris’ parents, effectively he may be considered an Advanced Persistent Threat (ATP). That is a threat that gains access and remains undetected for an extended period of time. By Ferris’ own admission in the opening scene, he’s been off school 9 times that year. He lists a number of components of his deception and why it works, particularly paying attention to faking a fever. By faking a fever, he would raise more alarms than simply sticking to the basics, which could land him in a doctor’s office – exposing the deception.
This is similar to how network scans operate on a business. You can have a great Intrusion Detection System, however, scans can be run in stealth modes – taking longer to complete but flying under the radar without setting off alarms.
In an improbable (at the time) but definitely plausible (especially nowadays) attack, Ferris manages to access the school network and reduce his absent days to “2”. This is important as he’s not going down to “0”, which would raise suspicion from his parents who know he’s been off already. Hackers employ techniques to cover their tracks so that you may think your Intrusion Detection System is firing false positives. When Rooney (the principal) notifies Mrs. Bueller of Ferris’ absenteeism, she doesn’t believe it and puts it down to a false positive. Ferris then covers his tracks to match this assumption.
Authority and the Availability Heuristic
In this grand plan, the two threat actors (Ferris and Cameron) contact the school to convince Rooney to let Sloane (Ferris’ girlfriend) off school for the day. They make up a story that Sloane’s grandmother has died. Rooney doesn’t believe this, and releases a tirade on Cameron (who he thinks is Ferris) until such time as Ferris calls in at the same time. This is a use of Authority (the perceived father figure demanding authority over Rooney) and a cognitive bias known as the availability heuristic (Rooney, in a bind, relying on immediate information at hand). By Ferris phoning in at the same time as Cameron, Rooney’s own bias confirms that Cameron is in fact Sloane’s father, by virtue of the fact that it cannot be Ferris on the line. He then bows to authority and allows Sloane to leave.
To be continued…
Next week I’ll continue diving into the examples of persuasion and engineering used in this movie, stay tuned! To ensure that you don’t miss an article from the blog, sign up for my newsletter here.