10 cybersecurity lessons learned from Season 2 of Mr. Robot
The second season of Mr. Robot had us thrilled during the last two and a half months, as we found out Fsociety's plans and the whereabouts of Elliot, Darlene, Cisco and the rest of the gang, followed closely by the Dark Army and the FBI agent Dominique DiPierro.
Cybersecurity and hacking are just plot devices the series uses to achieve its goals, but they play a major role in the series, which has already won the respect of the InfoSec community because it takes such good care of technical details. Now, with Season 02 almost over, we want to do our own reality check on the hacking scenarios we saw.
Here are 10 security lessons we learned from Mr. Robot Season 02.
1. Insider threat can be found in the most obvious places
If there is one that scares a company's CISO, it's the possibility that any given attack could have come from within the organization. Someone with resentment or bad intentions who has access to privileged information and does not need to overcome as many obstacles as an external attacker can be dangerous and hard to control if the right measures are not placed beforehand. As ESET Senior Security Researcher Stephen Cobb has stated, it is hard for any organization to keep secrets when a trusted insider decides to expose them. Therefore, we can assume external attackers are not always the biggest threat.
Elliot is a clear example of that, given that at the beginning of the series he worked at a cybersecurity company called Allsafe protecting the assets of one big client: E Corp. Later, we found out he actually wanted to destroy that company by exploiting knowledge of its weak spots, so his secret agenda was to tear it down from the inside. He was pulling the act of the Trojan horse: hiding in plain sight.
To prevent security incidents within the company, it is important to find the weak points and then get advice on the best ways to plug those gaps: control access and permissions for each employee and keep a record of what comes in and what goes out of the network.
2. Social engineering is still useful for attackers at so many levels
Social engineering techniques have been a constant through the life of internet security, and include any form of psychological manipulation used by cybercriminals to gather information, conduct fraud or gain illegitimate access to victims' computers.
Mr. Robot season 02 showed us two clear examples:
- In episode 9, Angela needs to connect the (already programmed) Rubber Ducky to some E Corp executive's PC in order to steal useful information for her lawsuit against the company. But first she needs to make the man's secretary leave her desk, so she can sneak into his office. With a solid script based on her knowledge of the company –where she also works– she accomplishes her mission. This is also another example of an insider threat.
- In episode 10, Elliot pretends to be a NYPD agent to get the location from where Tyrell Wellick appears to be making phone calls. In order to do that, he follows the emergency procedure he found on the Internet, downloads a form and sends it via fax using an open source fax server, and convinces the police operator that he needs this information for an urgent case in which a citizen is in danger.
3. Protecting IoT devices is still a challenge
During this season, we have seen some examples of what can happen if the devices that are part of Internet of Things (IoT) are not protected the way they should be. Perhaps the most notorious is the moment when members of Fsociety take over the home automation system of Susan Jacob's house, in episode 1.
Darlene and her fellow (not so well intended) hackers make Susan run away from her own house by creating a nightmare of switching lights and sounds, which allows Fsociety to use the place as their own headquarters throughout the season.
Imagine if this started happening on a daily basis and cybercriminals started occupying people's houses…
Also related to IoT security are the conversations between Dominique DiPierro and Alexa, her digital assistant, given the intimate nature of the topics she discusses with this system. In the event that an attacker could compromise the system and access the records, he would have valuable personal information that could be used for further attacks based on Social Engineering or even blackmail the victim.
However, none of this should prevent users from enjoying technologies like these. The examples above were probably included in the series to show there is still a long way to go in terms of protecting IoT devices and to show how important it is to use them with caution. Developers and companies need to bear in mind the risks and build in security from the very beginning.
4. All mobile devices must be updated and protected to avoid malware and exploitation of vulnerabilities
Smartphones in Mr. Robot's universe are anything but safe. In fact, episode 8 shows us a flashback to when one of Fsociety's members (Mobley) was the victim of an attack perpetrated by another member of the group (Trenton), who exploited a real vulnerability in Android called Stagefright and was able to take control of Mobley's device. We can assume after that, he became more aware of mobile security.
Another example is the attack against the temporary offices of the FBI, which was based on the exploitation of other vulnerabilities in Android, along with the use of a malicious femtocell to intercept communications and get information from the agents without them noticing. This allowed Fsociety to leak a confidential conference call that angered the public.
Therefore, installing the latest updates and patches, and using a mobile security solution is the first step to creating a safe mobile policy in work environments.
5. Adequate password management has to become a habit
Despite all the advice given over the past few years about how to have a safe password policy, we still see users choosing "123456" or "password123" because they are easier to remember. But we know this means they are easy to guess by cybercriminals, especially considering the latest password leaks.
In the series, Susan Jacobs is as careless as can be, since she has a Post-It with her email password on her desk. We need to stop these bad habits, so remember to always use a strong and unique password for each platform you sign up to, and make them easy to remember but hard to guess, combining capitals, spaces, symbols and numbers in creative passphrases that you can then store in a password manager, to avoid forgetting them.
6. USB drives can be used as attack vectors
Apart from being a useful storage tool, USB sticks can be used in targeted attacks as long as there are users willing to plug them in even when they have just found them on the floor or were handed one by a stranger. Once they are connected to a computer, the attacker has a wide range of possibilities.
The easiest one is to hide malware in seemingly innocent files, as we saw in episode 1 when Darlene inserted an autorun.inf in a stick. This allowed execution of a malicious file automatically whenever the drive was plugged into the USB port.
There are also more advanced techniques that can be more successful, such as the use of tools like Rubber Ducky, a special USB drive that allows an attacker to program commands that will be executed automatically upon plugging it in. This way, the attacker can get private information and hashed credentials. This is what Angela does in the E Corp executive's office.
7. Encryption can protect data even in complex situations
When Susan Jacobs unexpectedly shows up at her own house, which Fsociety members have been using as headquarters, they confiscate and then examine her devices to get any useful information to blackmail her and buy her silence. However, had Susan encrypted the files stored in her devices, Fsociety's forensic techniques would not have worked.
There are still many users who believe encryption is complex and not entirely necessary, but that tends to change after a loss of personal information. Encryption is actually a good practice and will not allow access to data to anyone without the appropriate key.
8. Ransomware is here to stay
In episode 1, Darlene prepares an attack using a variant of Cryptowall, capable of spreading through the network once it has infected a victim. The use of this kind of malware to force E Corp to pay a ransom is simple but effective, especially if we take into account that the company does not have backup copies of many of its records, because they were erased in the attack against Steel Mountain in season 1.
Once again, ransomware shows its versatility and the ways it can affect companies and users adversely. Therefore, everyone should follow these 11 tips to protect against ransomware.
9. Always pay attention to default passwords
In episode 5, Darlene managed to erase all footage of the security cameras in the FBI temporary office. Although we are not shown the technique she used, it is highly possible it has something to do with a previous knowledge of the manufacturer and the system used, brands and models of the devices, potential vulnerabilities to exploit or usernames and passwords from someone with permission to manage the videos.
This example reminds us of the Insecam story in 2014, when the website broadcasted live footage from 70.000 cameras connected to the Internet without their owners noticing, just because they had not changed the default password. Now the number of cameras streaming on that site has been trimmed, but this incident has proven how vulnerable devices connected to internet can be if they are not carefully protected. With this type of information and an unchanged password, cybercriminals could find their way to the devices with services like Shodan and then access them remotely.
10. Cryptocurrency, a constant in Dark Web transactions
Episode 3 reminded us of the almost inevitable relation between cryptocurrency and cybercrime, since they are used in day-to-day operations of the Dark Web and also to collect the monies that victims of ransomware pay. Ray's business, Midland City, is an example of the first case: a hidden market where the most obscure things are traded.
The fact that cryptocurrency is decentralized also makes it an element of financial speculation in the series; in episode 11, E Corp plans to impose its E Coin to replace Bitcoin, claiming it could be centralized and offering the government the possibility to monitor transactions through a backdoor, unlike what happens with Bitcoin.
Cryptocurrencies are not intrinsically malicious, but rather tools that can be used with different intentions. Users who choose to use them must protect their wallets and, in the meantime, influential figures and organizations will have to work harder to improve Bitcoin collaboratively.
Conclusion
Showing these types of events related to security in a series that reaches massive audiences, and not only attracted the InfoSec community but also the public in general, is a good way to reveal how neglectful can some companies be when launching web services and applications and the mistakes users and manufacturers keep making.
Fsociety's doings, regardless their motivations, are not that far from the ones any attacking group could actually do if it is willing to compromise a company's security or even destroy it. Thus, knowing how to prevent that is left to security professionals and users.
Article by Sabrina Pagnotta in collaboration with Josep Albors from WeLiveSecurity