In the build-up to its second season finale, acclaimed hacking drama Mr. Robot has received praise from critics and cyber security experts alike for its gritty storytelling, modern themes and brilliant cast.
The show has also gained a following in the cyber security industry because of its accuracy when it comes to showing how hackers do what they do best.
To celebrate another brilliant series of the show, a group of cyber security experts have come together to choose their favourite hack from the series, and explain how businesses can prevent these kinds of attacks from occurring.
Social engineering and insider threats need more than just security tech
Mr. Robot is a rarity, because it actually portrays a relatively realistic hacker with a set of real world skills.
There’s no hyper-typing, no false tech, no weird jargon, just serious tech that match the seriousness of the drama.
This is in great part due to the terminal work by a team of advisors lead by Kor Adana and Marc Rogers (aka CJunky).
Even the episode names in season two reflect the level of detail achieved. Whilst the first season’s episode titles ended with a different video file extension, in season two each name ends with the file extension for a different type of encrypted file.
The use of social engineering and insider threats are by far the best repetitive themes throughout the show.
From Elliot posing as a victim’s banker to extract information (S01E01-eps1.0-hellofriend.mov & more), to the insider threat seen most recently through Angela’s hack of E Corp (S02E04-m4ster-slave.aes) and the FBI, these examples show how hard it is for companies to curtail these threats.
Protecting against these types of attacks requires more than just the tech needed to monitor and control data egress in the infrastructure.
It also requires a strong IT security culture in the enterprise that is adopted by all, and continuously reviewed through a strong training programme.
Response time is critical when it comes to a DDoS attack
The very first episode’s DDoS attack was one of the best-portrayed hacks.
When E Corp suffered a DDoS attack at the hands of fsociety, the fictional multinational’s critical applications were crippled.
>See also: How real is the risk of visual hacking?
Even with Elliot’s expertise and a private jet to get the team direct access to the data centre, the attack lasted for at least 5 hours.
This might sound like a relatively quick recovery time, but a 2015 survey from IDC found that the average cost of critical application failure was between £375k and £750k per hour, so every second of downtime really does count.
Once again the level of detail is impressive, and the recovery time in the Mr. Robot DDoS attack is quite realistic if the organisation is well prepared.
In reality, DDoS attacks can be far more difficult to defend against.
Typically, they are carried out to blackmail organisations and the attackers won’t stop after the first wave is blocked.
In this case, the hacker launches a second wave, perhaps using a slightly different type of attack. This process goes on until the victim negotiates or agrees to the attacker’s demands.
For businesses looking to bolster their protection against DDoS attacks, the key to effective DDoS protection is the ability distinguish real users from malicious requests, so that suspicious traffic can be blocked or challenged – but this is not easily done.
The first challenge is to detect the nature of the attack. Then, organisations must respond in a way that blocks the meaningless traffic.
In order to do this successfully the three most important layers of defence are the ISP, the next generation firewall and the web application firewall, as each of these can protect against different types of DDoS attack.
Unfortunately, companies have historically underestimated the importance of a web application firewall, which led to a spike in application-level DDoS attacks.
They are extremely difficult to protect against without the right technology.
Manage connected devices to avoid a smart home hijacking
At the beginning of season two, the writers introduced the series’ first smart home attack.
These attacks have more physical consequences.
Imagine coming home after a long day at work to your ultra-modern smart home, ready to unwind, only to be driven out by a hacker who has taken control of your house.
This was a reality for Mr. Robot character Susan Jacobs, who had her thermostat, lighting, TV and audio system and garage doors hijacked by malicious attackers.
Like most consumers, Susan probably thought that these connected devices empowered her to have more control over her home life.
In reality, modern IoT continues to be defined by complexity, which leaves it open to both cyber criminals and privacy intrusions.
While manufacturers focus on end user experience, there needs to be a more joined-up approach to security and privacy, including a strong focus on device, service and user identity management.
>See also: Top 10 most devastating cyber hacks of 2015
Without device focused identity and access management, the Mr. Robot scenario could become much closer to fact than fiction.
The major problem facing the smart home is that there is currently typically no correlation between the identity of the homeowner and the identities of the various smart systems, if those smart systems have identity capabilities at all.
It is essential that these connected systems have the necessary registration, sign in and pairing processes that people have, to allow for the management of operations or data they collect or make available.
As connected devices continue to be introduced into both the home and the workplace the pairing relationship between a device, a person and a cloud service must be established and continually monitored, so that only the homeowner, or a 3rd party trusted by the homeowner, can control the devices and the data they hold.
A simple CD can be the cause of a disastrous attack
It’s a simple CD that presents one of the greatest real world threats for businesses.
When Ollie accepts a CD from a stranger on the street and places it into his computer, the malware planted on the CD enables an attacker to access his computer, extract sensitive data from the device and even hijack the webcam.
Using this information the hacker blackmails Ollie and Angela, forces them to insert the CD into a corporate device at Allsafe, hacks their system and causes irreparable damage to the company.
Unfortunately these scenarios are all too common in the real world.
Intel’s recent ‘Grand Theft Data’ report found that 43% of data breaches were caused either accidentally or maliciously by employees.
Whether by accident or design, news of employees inserting malicious devices, clicking on phishing links and downloading harmful files highlights just how difficult it can be to keep a handle on data.
>See also: The 2016 cyber security roadmap
However, now that a wide range of tools that are available blaming human error or ignorance is no longer good enough.
With the right secure file-transfer technologies, security systems, processes and, most importantly, staff training, organisations can eliminate the risk of malicious devices making their way into the IT system.
Public Wi-Fi is insecure – but people are still using it
The hack from Mr. Robot’s sublime first episode is still the best in the series, as it highlights a real issue with insecure public Wi-Fi networks.
The ease with which Elliot hacks into the Wi-Fi of a coffee shop – in the first scene – is not surprising.
Research from Xirrus shows that although 76% of people know that public Wi-Fi is not secure, 62% use it regardless of the security implications.
Shows like Mr. Robot only heighten the awareness of public Wi-Fi vulnerabilities and should make us all aware that every time we connect to public Wi-Fi, we put our data at risk and potentially open ourselves to identify theft.
Business offering public Wi-Fi should be aware there are people out there – unlike Elliot – that hack Wi-Fi networks purely for personal gain, with the intent to commit fraud and to steal money from unsuspecting victims.
And it seems users make it easy for these crackers.
According to research from Xirrus, 84% of people use unsecured public Wi-Fi to access their emails, while over 66% log onto social media, and over 40% either work or shop online.
In each of these cases we’re accessing and sending personal, sensitive and even financial data over unprotected networks.
Additionally, business owners should think about offering secure personal area networks (PANs) that significantly improve Wi-Fi security in places such as coffee shops, hotels, and transport hubs.
PANs go beyond the encryption that you’d expect on a VPN and still allows customers to connect quickly and simply, without having to navigate a long list of technical steps.
Sourced by (in order of subheading) Thomas Fischer, global security advocate at Digital Guardian, Wieland Alge, VP and GM, EMEA at Barracuda Networks, Simon Moffat, senior product manager at ForgeRock, Michael Hack, Ipswitch SVP of EMEA operations, and Shane Buckley, CEO at Xirrus