Does ‘Mr. Robot’ Reprogram the Hollywood Hacker Mindset?
USA Network’s new show, “Mr. Robot,” is a fusion of hacktivism, outsourced managed IT security and a somewhat anarchistic effort to rebalance the wealth and power on the planet. As with other recent movies and shows that portray the mysterious world of high-tech hacking, there is often a separation of real-world methodologies and Hollywood glam. So how does “Mr. Robot” stack up, and what can we glean from it?
Perhaps the word refreshing is an odd choice, but that is the term that comes to mind. Rather than relying on shot after shot of frantic typing and electric pulses streaming through a circuit board to build suspense, the show brings a more realistic portrayal of hacking and cybersecurity, making the characters the focus and letting the technology support the story. It may seem counterintuitive, but by letting the security practices advance the story rather than be the story, it’s ultimately a more satisfying viewing experience.
The main character, Elliot, played by Rami Malek, is a white-hat cybersecurity practitioner by day and black-hat hacker by night. Against the backdrop of some questionable life choices, much of his black-hat work is small in scale and focused on righting wrongs — until he meets the mysterious Mr. Robot. And then things get interesting.
One of the things Elliot excels at is social engineering, and the pilot episode shows at least three examples of how it works. Whether it was weak passwords made of combinations of the target’s favorite band and year of birth or terms like “123456Seven,” Elliot is a master of piecing together information from social media profiles to break into accounts. He borrows a cellphone under the guise of calling his mom to grab additional personal information and even makes calls posing as a representative of a fraud department at the target’s bank.
In real life, practices like these make it vital for corporate password policies to ban reuse between corporate and personal systems. It’s bad enough that your social media accounts could be compromised, but it also endangers your clients’ personally identifiable information (PII) all because you or your employees had difficulty managing a multitude of passwords.
Going beyond password reuse, user education to combat social engineering is a bit harder since of the fundamental human nature to be helpful. Well-intentioned employees can become inadvertent insiders with a few simple clicks in an email or by trying to answer questions from a “confused” caller. Rigorous corporate training can help, but it is a constant struggle; you can learn more in the latest report from the IBM X-Force research and development team.
Distributed Denial of Service
Distributed denial-of-service (DDoS) attacks have been in the top two most popular attack vectors for breaches in the past four years. Popular media would have you believe that DDoS is used only to slow network traffic and disrupt business, so it was a pleasant surprise in “Mr. Robot” to see DDoS used as a cover-up for network infiltration and for the cybersecurity team to come to that conclusion relatively quickly. The show also truly embraced the distributed aspect of the event by referencing attacks coming from multiple countries, not just implying one attacker sitting in his basement, typing and practicing his evil laugh.
While there are a number of security solutions and practices you can employ to protect your network, recovering and mitigating DDoS requires the right mix of processes, people and technology to defend your infrastructure from both volume-based and application-based DDoS attacks.
Tor and All-Powerful Encryption
Without revealing too many spoilers, at the start of the show, we see Elliot confront the owner of a local coffee shop about his illicit private Web server running in the Tor network. Tor is an anonymizing service that serves as a gateway to the Dark Web, a semiprivate Internet where illegal marketplaces and underground forums reside. In the show, Elliot monitors Tor exit nodes, or the servers where encrypted, anonymized traffic resurfaces to the public Internet. By doing so, he was able to intercept unencrypted traffic used to incriminate the shady shop owner.
We hear a lot about encryption, with respect to both the privacy benefits and the risk that it can obfuscate terrorist and criminal activity. There is also some misconception in movies and TV about magic of encryption. Sometimes encryption is seen as a silver bullet, impervious to detection or discovery, and sometimes it is seen as some elite marker where only a true cybercriminal can break through. In reality, it is a little of both.
As designer vulns like FREAK and LogJammer have shown, not all encryption was created equally. Older encryption methods can be easily cracked and are no longer secure. As also illustrated in “Mr. Robot,” even using modern updated encryption like that used by the Tor network still has weak points where data can pass unencrypted and be vulnerable to eavesdropping or attack.
Domo Arigato, ‘Mr. Robot’
Mr. Robot doesn’t treat the audience like they are idiots; the word “firewall” is never once uttered in the entire pilot episode. The show expects viewers to keep up with lingo like rootkits, IRL and Tor exit nodes, not to mention recognize the absurdity of executives running Linux. While that’s refreshing for those of us in the business of cybersecurity, it may turn off less savvy viewers. On the other hand, a cyber Robin Hood with a dusting of Chuck Palahniuk’s “Fight Club” and the ennui of Henri the Existential French Cat is a refreshing addition to this summer’s programming.