October 11, 2017

What Mr. Robot can teach us all about security

Tips

Mr. Robot has won the hearts and captured the minds of a lot of people around the globe by showing a captivating view of the information security world — and how vulnerable we all are to cyberattacks. When you see how main character Elliot and the hacker group fsociety hack whole corporations, never mind just regular accounts, it starts to seem like nowhere and nothing is safe.

But if you look more closely, you’ll notice most of the hackers’ victims in the series exposed themselves to danger by their own ignorance or carelessness. In this post, we look at where they went wrong and come up with some rules to follow if you never want to contemplate a video featuring a Guy Fawkes mask obscuring the face of a person who has your data.

Why are we using Mr. Robot as an example? Mainly because most security experts think the hacking methods shown in this series are very true to life.

Use strong passwords

Elliot hacks the accounts and gets access to the information of both acquaintances and strangers with very little effort — by using brute force, whereby a program tries all possible combinations of characters until it finds a match, or by using a faster variant called a dictionary attack, in which the program tries only likely candidates taken from a list of words, names and common combinations. The more popular and simpler the combination of characters and words, the faster the program will discover it.

WARNING! SEASON 1 SPOILERS AHEAD!

The pilot episode finds Elliot hacking the account of his therapist, Krista, whose password — Dylan_2791 — is her favorite singer and her year of birth with the digits reversed. To guess a password like that, Elliot only has to know a little bit about the person, or to use the public information on their social media profiles.

He hacks the accounts of his colleague Ollie Parker, whose password is “123456Seven” (Ollie works in a cybersecurity company, so his choice of password is rather revealing). After hacking one account, Elliot easily gains access to all the others — accounts are linked to one another through recovery e-mail addresses and reused passwords, so one break-in opens the rest. To make sure this doesn’t happen to you, use a long, unique password for every account.
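The two passwords above fail for the reason the section explains: they are built from a dictionary word or name plus a year or keyboard sequence, so a dictionary attack needs only a handful of guesses where a brute-force estimate would suggest billions. The following is an added illustration, not code from the article: a defender-side password-policy check that splits a candidate into runs of letters, digits and punctuation, prices each run the way an attacker's guessing order would (wordlist entry, keyboard sequence, birth year forwards or reversed, and only then exhaustive search), and compares that with the naive brute-force figure. The wordlists are constructed and tiny; a real checker would ship lists of tens of thousands of names and words, and the scoring model is a simplified assumption, not any specific tool's algorithm.

```python
import math
import re

# Constructed, deliberately tiny wordlists standing in for the large name and
# word lists a real password-policy checker would ship.
COMMON_WORDS = {"dylan", "seven", "password", "welcome", "summer", "robot", "elliot"}
COMMON_SEQUENCES = {"123456", "12345678", "qwerty", "abc123"}
COMMON_SEPARATORS = set("_-.!@#")


def token_charset(tok: str) -> int:
    """Alphabet size an attacker would have to brute-force for this text."""
    size = 0
    if re.search(r"[a-z]", tok):
        size += 26
    if re.search(r"[A-Z]", tok):
        size += 26
    if re.search(r"[0-9]", tok):
        size += 10
    if re.search(r"[^A-Za-z0-9]", tok):
        size += 33  # printable ASCII punctuation
    return size


def bruteforce_bits(pw: str) -> float:
    """Search space if the attacker knows nothing about the password's structure."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(token_charset(pw))


def token_bits(tok: str) -> float:
    """Guess space for one run of letters, digits or punctuation, assuming the
    attacker tries dictionary words, keyboard sequences and years before
    falling back to exhaustive search (simplified model, an assumption here)."""
    if tok.isalpha():
        if tok.lower() in COMMON_WORDS:
            # one wordlist entry, times three common capitalisation variants
            return math.log2(len(COMMON_WORDS)) + math.log2(3)
    elif tok.isdigit():
        if tok in COMMON_SEQUENCES:
            return math.log2(len(COMMON_SEQUENCES))
        if len(tok) == 4 and (1900 <= int(tok) < 2100 or 1900 <= int(tok[::-1]) < 2100):
            # a plausible birth year, written forwards or reversed (2791 -> 1972)
            return math.log2(200) + 1
    elif all(ch in COMMON_SEPARATORS for ch in tok):
        return len(tok) * math.log2(len(COMMON_SEPARATORS))
    # unrecognised run: the attacker has to brute-force it
    return len(tok) * math.log2(token_charset(tok))


def analyze(pw: str, min_bits: float = 40.0) -> dict:
    """Return the naive and the structure-aware guess estimates (in bits) and
    flag the password as weak when the structure-aware figure is below min_bits."""
    tokens = re.findall(r"[A-Za-z]+|\d+|[^A-Za-z0-9]+", pw)
    pattern = sum(token_bits(t) for t in tokens)
    brute = bruteforce_bits(pw)
    return {
        "tokens": tokens,
        "bruteforce_bits": round(brute, 1),
        "pattern_bits": round(pattern, 1),
        "weak": pattern < min_bits,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords from the show plus a random one.
    for candidate in ("Dylan_2791", "123456Seven", "qT7#vLp9!zR2"):
        print(candidate, analyze(candidate))
```

Run stand-alone, the script shows Dylan_2791 at roughly 66 bits by the naive count but under 16 bits once the name-plus-reversed-year structure is priced in, and 123456Seven at under 7 bits, while the random string keeps most of its brute-force strength. The useful lesson for a policy check is the second number: reject on the structure-aware estimate, not on length or character classes alone.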

Don’t trust other people with your devices

You wouldn’t lend your phone to a stranger in a hoodie, but more generally, never give anyone else access to your digital devices. In that same episode, Elliot asks Krista’s boyfriend if he can use his phone to make a call. He then calls himself, thus getting the phone number — and ultimately, access to a boatload of information about the guy.

In episode three, Tyrell Wellick, chief technology officer for E Corp, gets root access (that is, full control of the system) to an employee’s Android phone while the employee is out of the room for just a few minutes: he installs an app that hides its icon and uses it to add himself as a privileged user. The takeaway here: Don’t leave your phone or computer unattended, check which programs are installed on those devices, and regularly scan the system using a security solution that detects hidden software. And, of course, make sure to set passwords to unlock all your devices.

Keep private information to yourself

Don’t give anyone your confidential information, especially over the phone. After getting the phone number of a man previously mostly unknown to him, Elliot uses social engineering: Posing as a bank employee, he calls the man and tells him there is a threat to the security of his account. He requests certain specific information — allegedly to solve the problem — such as the answers to his security questions.

By the end of the conversation, the man starts getting suspicious, but by then Elliot already has enough information to add likely words to the password-hacking program’s glossary and hack the account within minutes using a dictionary attack. We’ve already talked about password security, but also don’t forget that you should never give important information — for example, by answering security questions — over the phone to any “bank employees” who might call you.

Don’t insert unknown removable media into a computer

Elliot thinks his colleague Ollie is stupid — not without reason; he’s lax with basic cybersecurity. After choosing a simple password (remember, use strong passwords), he commits a more serious error: He inserts a disc, supposedly a music CD from a street rapper, into a computer.

The rapper is actually a member of a hacker group, and software installed from the disc allows the hackers to start tracking Ollie through his webcam and take control of the system. That includes access to personal files, which gives the intruders fodder to blackmail him.

Here’s another example: In episode six, Elliot tosses a flash drive into a prison parking lot, where a guard picks it up and inserts it into a work computer. Luckily for the guard, the computer’s antivirus prevents it from launching the malware on the flash drive.

Be careful about what you post on the Internet

Anyone can see all of the things you share online and use them against you. In episode two, Elliot turns drug traffickers over to the police, and their own tweets are used as evidence against them.

Overall, Mr. Robot is an excellent fictional illustration of why you need to know cybersecurity basics in real life. At least in those terms, it’s both realistic and informative, showing the real challenges of protecting your data and private life.

By the way, Season 3 is just about to start. Enjoy the show!