Mr. Robot may be doing more to make Americans cyber aware than any official awareness campaign has so far. The popular, award-winning series focuses on Elliot Alderson, a young programmer, who works as a cybersecurity engineer and is recruited by “Mr. Robot” to join a group of hacktivists—fsociety—targeting a company, E Corp.
For Cybersecurity Awareness month, Security Management Cybersecurity Editor Megan Gates sat down with OneLogin Lead Product Marketing Officer Al Sargent to discuss some of the most successful Mr. Robot hacks and how they can be prevented.
“I think Mr. Robot has done a really good service for the cybersecurity community because it makes these issues…realistic and, even though it’s realistic it’s very fun to watch,” Sargent says. “So it’s a great way for people to learn more about cybersecurity issues and how they can address them.”
1. Password Cracking
This is essentially where you guess what someone’s password is based on what you think some of their interests are. It’s a form of combining social engineering with brute force, Sargent says.
For example, Elliot’s psychiatrist’s password was Dylan2791, which is her favorite musical artist and the year she was born backwards. Elliot was able to crack her password in 24 seconds.
“What would take maybe years or centuries to crack, might take mere minutes or even seconds to crack when you put in certain terms,” Sargent explains. “And Elliot is able to pull this information off of social media profiles and using other sources.”
Measures companies can take to prevent this kind of attack include enforcing stronger password requirements, such as requiring longer passwords, frequent password changes, and multifactor authentication, such as using a smartphone to approve a login attempt.
One way to create a good password, Sargent explains, is to think of a sentence that makes sense to you. For instance, if you’re a baseball fan, it could be “itsanevenyearletsgoGiants2010.”
“Now, if you’re a Giants fan, that makes a lot of sense because the Giants have won the World Series on even years 2010, 2012, and 2014; unfortunately, not this year,” Sargent says. “If you write that out, it’s very easy for you to remember. But if you look at the number of combinations, it’s very hard for a computer to crack because it’s many, many characters.”
And because the password is rooted in a topic that you’re passionate about, it makes creating a new, strong password easier when you need to change it.
“In the case of baseball, you could say, ‘IwishtheCubshadntbeatentheGiantsthisyearhopewillnextyear,’ and when it’s time to rotate your password again next month, you could be talking about something around the players you hope the Giants can recruit next year,” Sargent adds.
“It’s something you’re passionate about, so it’s something you can really remember,” he says. “But it’s hard for a password cracker. And that’s the key thing; people don’t think about passwords as passions, but it really is important to combine the two to make something memorable for you and hard for a computer to guess.”
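To put numbers on the difference Sargent describes, the following added example (not from the article or from OneLogin) estimates the guess space an attacker has to search for an "interest word plus digits" password versus exhaustive search, and flags passwords that follow that pattern. The list of profile terms, the guessing rate, and the term list are constructed assumptions for illustration.

```python
# Added example: guess-space estimate for interest-based passwords vs. long passphrases.
import re

GUESSES_PER_SECOND = 1_000_000_000  # assumed offline guessing rate (assumption)


def targeted_candidates(terms, digit_len=4):
    """Candidates for the pattern <personal term><digits>, with lower/Title/UPPER casing."""
    return len(terms) * 3 * 10 ** digit_len


def brute_force_candidates(length, alphabet_size=62):
    """Candidates for exhaustive search over upper/lower letters and digits."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every candidate at the given rate."""
    return candidates / rate


def matches_interest_pattern(password, terms):
    """True if the password is just a known personal term followed by 2-4 digits."""
    for term in terms:
        if re.fullmatch(re.escape(term) + r"\d{2,4}", password, flags=re.IGNORECASE):
            return True
    return False


if __name__ == "__main__":
    # Constructed list of terms a public social-media profile might reveal.
    profile_terms = ["Dylan", "Beatles", "yoga", "Giants", "Hawaii"]

    targeted = targeted_candidates(profile_terms)
    print(f"targeted search: {targeted:,} candidates, "
          f"{seconds_to_exhaust(targeted):.4f} s at {GUESSES_PER_SECOND:,}/s")

    brute = brute_force_candidates(len("Dylan2791"))
    print(f"brute force on 9 characters: {brute:,} candidates, "
          f"{seconds_to_exhaust(brute) / 86400:.1f} days")

    passphrase = "itsanevenyearletsgoGiants2010"
    years = seconds_to_exhaust(brute_force_candidates(len(passphrase))) / (86400 * 365)
    print(f"brute force on {len(passphrase)} characters: {years:.3e} years")

    print(matches_interest_pattern("Dylan2791", profile_terms))  # True: term + 4 digits
    print(matches_interest_pattern(passphrase, profile_terms))   # False
```

The estimate counts characters only; a real attacker also chains dictionary words, so the margin for a passphrase made of common words is smaller than the raw figure suggests, which is why the article pairs length with rotation and multifactor authentication rather than relying on length alone.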
2. Zombie accounts
The next common type of attack uses what’s called a Zombie account, a user account that remains active even though the user should not have access to it.
For instance, E Corp fires its senior vice president of technology, Tyrell, who is very angry with what happened and could potentially use his access to E Corp’s network to do a great deal of damage.
“Because he was senior VP of technology, Tyrell had access to a lot of privileged information,” Sargent says. “Now the thing is, once somebody is let go from a company, especially when they’re angry—as Tyrell was—you want to be able to deprovision them very quickly.”
This means that human resources staff need to work closely with IT to ensure that when an individual is fired or resigns from a company, that person’s technology access is cut off—just as their access might be to a physical building.
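The HR-to-IT handoff Sargent describes can be checked mechanically. The following added example (not from the article or from OneLogin) reconciles an HR roster against an account directory and lists enabled accounts whose owner HR shows as terminated, past their end date, or absent from HR entirely, with privileged accounts first. The roster, account list and date are constructed sample data.

```python
# Added example: finding "zombie" accounts by reconciling HR status with account state.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    username: str
    status: str                # "active" or "terminated"
    end_date: Optional[date]   # last day of employment, if known


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool           # admin or otherwise elevated access


def find_zombie_accounts(hr_records, accounts, today):
    """Return (username, privileged, days_overdue) for enabled accounts that should be gone.

    Privileged accounts sort first, then the longest-overdue; an account with no HR
    record at all is included because nobody owns it."""
    hr_by_user = {r.username: r for r in hr_records}
    zombies = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr_by_user.get(acct.username)
        gone = (rec is None
                or rec.status == "terminated"
                or (rec.end_date is not None and rec.end_date < today))
        if gone:
            overdue = (today - rec.end_date).days if rec and rec.end_date else None
            zombies.append((acct.username, acct.privileged, overdue))
    zombies.sort(key=lambda z: (not z[1], -(z[2] or 0)))
    return zombies


# Constructed sample data.
TODAY = date(2016, 10, 10)
SAMPLE_HR = [
    HrRecord("tyrell", "terminated", date(2016, 10, 1)),   # fired, still enabled below
    HrRecord("alice", "active", None),
    HrRecord("bob", "active", date(2016, 9, 15)),          # contract ended, HR never flipped status
    HrRecord("dave", "terminated", date(2016, 8, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("tyrell", enabled=True, privileged=True),
    Account("alice", enabled=True, privileged=False),
    Account("bob", enabled=True, privileged=False),
    Account("carol", enabled=True, privileged=False),      # no HR record at all
    Account("dave", enabled=False, privileged=True),       # correctly deprovisioned
]

if __name__ == "__main__":
    for user, priv, overdue in find_zombie_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} privileged={priv!s:5} overdue_days={overdue}")
```

Run daily, the output is the disable list; the sort order means the account most like Tyrell's is handled first.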
3. Phishing
Nearly one in three phishing emails were opened in 2015, and about 12 percent of targets then went on to click the link or open the attachment in that email, according to Verizon’s 2016 Data Breach Investigation Report.
Mr. Robot showcases this method of attack in Season 1 Episode 3, when Elliot phishes his girlfriend to get into her account because he wants to know more about her.
“Phishing is very much a constant worry, not just in Mr. Robot but in corporate environments because there are now very well constructed phishing attacks,” Sargent says. “It’s no longer the email from the Nigerian prince; it’s the email from someone who might be the CEO asking the CFO to do something and it seems like a very well-constructed email.”
This specific type of phishing attack is known as a Business Email Compromise (BEC) scam, which has seen a 1,300 percent increase between January 2015 and June 2016, according to the FBI.
For more on how to prevent BECs and phishing attempts, read Security Management’s October Cybersecurity Department “Spoofing the CEO.”
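The "email that might be from the CEO" has recognizable signatures that a mail gateway or a reviewer can check before a CFO acts on it. The following added example (not from the article or from OneLogin) parses a constructed message and reports the common BEC indicators: an executive's display name on a foreign address, a Reply-To that diverts responses, a lookalike sender domain, and payment urgency language. The internal domain, executive list and both messages are constructed assumptions.

```python
# Added example: flagging Business Email Compromise indicators in an inbound message.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # assumption: the company's own mail domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # constructed executive directory
URGENCY_WORDS = ("urgent", "immediately", "wire", "confidential", "today")


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True if the registrable label is close to, but not equal to, the legitimate one."""
    a, b = domain.split(".")[0], legit.split(".")[0]
    return a != b and levenshtein(a, b) <= 2


def body_text(msg):
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def bec_indicators(raw_message):
    """Return a list of human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    indicators = []

    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected:
        indicators.append("executive display name on unexpected address")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        indicators.append("reply-to differs from sender")
    if from_domain != INTERNAL_DOMAIN and is_lookalike(from_domain, INTERNAL_DOMAIN):
        indicators.append(f"lookalike sender domain {from_domain}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        indicators.append("urgency/payment language: " + ", ".join(hits))
    return indicators


# Constructed messages: one mimicking a CEO-to-CFO request, one benign.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: <jd.ceo@mail-relay.invalid>
To: cfo@example.com
Subject: Urgent wire transfer

Please process this wire today. Keep it confidential until I am back.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_indicators(raw))
```

Display-name matching is the indicator most worth keeping even when the others are absent: a message that claims an executive's name but arrives from any address not in the directory deserves an out-of-band phone call before money moves.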
4. Physical Access
Sometimes to really pull off a successful hack, you need physical access to a critical facility.
This is demonstrated in Season 1 Episode 5 when Elliot pretends to be a Silicon Valley billionaire asking for a tour of a Steel Mountain facility, which stores all of E Corp’s records. He gains access and uses that to install a Raspberry Pi computer into the HVAC system, which can override temperature controls and melt all of E Corp’s back-up tapes.
To prevent this type of attack, companies should take a look at who has physical access to the servers that support their network and try to limit that access.
“As Elliot said in the episode, ‘People make the best exploits,’” Sargent explains. “So, we as OneLogin employees can’t get a tour of a data center. And we don’t even know the physical machines that are running our service.”
Amazon has tens of thousands of machines running in its data centers, which then run virtual machines that provide OneLogin’s service.
“We don’t know what machines provide our service. And if we don’t know, hackers don’t know,” Sargent says. “That makes it very hard to hack and makes it basically impossible to hack by gaining physical access because A) how do you get into a facility? And B) how do you even know, out of the tens of thousands of machines, which one at any given time is running the virtual machines?”
5. DDoS Attacks
Distributed denial-of-service (DDoS) attacks occur when systems flood the bandwidth or resources of a targeted system. These kinds of attacks are often the result of a botnet (multiple compromised systems) being used to flood the targeted system with traffic.
In Season 1 of Mr. Robot, Elliot single-handedly saves E Corp from a DDoS that’s been propagated by fsociety. To prevent this kind of attack from taking down OneLogin’s service, Sargent says it houses its service in multiple Amazon Web Services (AWS) regions and in multiple AWS availability zones in multiple states within the United States, as well as in Germany and Ireland.
“Additionally, we have multiple active DNS providers, so that way if one DNS provider gets overloaded through a DDoS, we have another DNS provider that can help us out,” Sargent says. The Domain Name System (DNS) works like a phone book for the Internet and facilitates requests to specific webpages.
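The two resilience properties Sargent lists, spread across regions and served by more than one DNS provider, can be verified from a deployment inventory. The following added example (not from the article or from OneLogin) takes a list of AWS availability-zone names and a list of authoritative nameservers and reports whether each meets a minimum diversity target. The zone list and nameserver list are constructed sample input; the nameserver hostname patterns for Route 53 and NS1 are real, and the provider map is an assumption that a practitioner would extend for their own providers.

```python
# Added example: checking region and DNS-provider diversity from a deployment inventory.
import re
from collections import Counter

# AWS zone names look like us-east-1a: the region is everything but the trailing letter.
AZ_RE = re.compile(r"^([a-z]{2}-[a-z]+-\d)[a-z]$")

# Assumed provider map keyed on a substring of the nameserver hostname.
PROVIDER_TOKENS = {"awsdns": "Route 53", "nsone": "NS1"}


def regions_from_zones(zones):
    """Set of regions covered by the given availability zones."""
    regions = set()
    for zone in zones:
        match = AZ_RE.match(zone)
        if not match:
            raise ValueError(f"not an availability zone name: {zone}")
        regions.add(match.group(1))
    return regions


def provider_of(nameserver):
    """Provider label for a nameserver: known token first, else the last two labels."""
    host = nameserver.rstrip(".").lower()
    for token, name in PROVIDER_TOKENS.items():
        if token in host:
            return name
    return ".".join(host.split(".")[-2:])


def ns_providers(nameservers):
    return Counter(provider_of(ns) for ns in nameservers)


def resilience_report(zones, nameservers, min_regions=2, min_providers=2):
    regions = regions_from_zones(zones)
    providers = ns_providers(nameservers)
    return {
        "regions": sorted(regions),
        "providers": dict(providers),
        "region_diverse": len(regions) >= min_regions,
        "dns_diverse": len(providers) >= min_providers,
    }


# Constructed inventory: zones in two US states, Germany and Ireland; two DNS providers.
SAMPLE_ZONES = ["us-east-1a", "us-east-1b", "us-west-2a", "eu-central-1a", "eu-west-1b"]
SAMPLE_NS = [
    "ns-1.awsdns-01.org.", "ns-2.awsdns-02.net.",   # Route 53 naming pattern
    "dns1.p01.nsone.net.", "dns2.p01.nsone.net.",   # NS1 naming pattern
]

if __name__ == "__main__":
    report = resilience_report(SAMPLE_ZONES, SAMPLE_NS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A single region with several zones passes an availability-zone count but fails the region check, which is the case the report is meant to catch; the same applies to four nameservers that all belong to one provider.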