
Is Mr. Robot a good representation of real-life hacking and hacking culture?

QA Cyber Security Trainer, James Aguilan, looks at several scenarios featured in the hit US TV series Mr. Robot and how they may represent real-life hacking.


James Aguilan | 19 February 2018

Illustration of Elliot from Mr. Robot by Alex Wells.

Mr. Robot is an American drama thriller television series that depicts hacking culture. Elliot, a cybersecurity engineer and hacker, is recruited by an anarchist to join a hacktivist group called 'fsociety'. The group aims to destroy all debt records by encrypting the financial data of the largest corporation in the world. This blog post focuses on several scenarios from the show and how they may represent real-life hacking.


Scenario 1: Eavesdropping on a coffee shop's public Wi-Fi (Man-in-the-middle attack)

In the beginning, Elliot confronts the man who owns a coffee shop and confesses that he intercepted the shop's Wi-Fi network traffic. Since most public Wi-Fi networks are unencrypted, this is entirely possible. Anyone can join the network, and anyone who has joined it can eavesdrop on the other users with simple traffic-analysis tools such as Wireshark. Any communication that is not properly encrypted, including email and your browsing data, can be read by an attacker. To avoid falling victim to a man-in-the-middle attack, avoid using unsecured public Wi-Fi networks. If you must use public Wi-Fi, use a VPN and make sure your traffic is encrypted by checking for the green lock in the browser's URL bar.


Scenario 2: Elliot exposes a child pornography site owner on the dark web (Session hijacking or brute-forcing cookies)

Elliot gained access to the owner's e-mail, figures and pictures and worked out that he runs a child pornography website on the Tor network. Tor can be used to maintain anonymity on the internet. Exactly how Elliot hacked him is not shown. He does say that "whoever is in control of the Tor exit nodes, is also in control of the network". If you can intercept the traffic, you can launch an exploit against the Tor Browser when JavaScript and plug-ins are not disabled; the NSA's FoxAcid program tries to exploit Tor users in this way. However, how he got control of the exit nodes, and how many, is never mentioned, and it is doubtful that a single person could control enough exit nodes to pull this off. Even assuming unencrypted network traffic, a way to get his own SSL certificate accepted by users without raising suspicion, or a known weakness such as brute-forcing cookies to hijack the session of a logged-in user, intercepting the right information from the exit nodes could take a very long time. In addition, breaking Tor anonymity or sniffing Tor traffic in a targeted and systematic way requires the capabilities and funding of an advanced state actor. In practice such interception is very opportunistic and mainly affects applications that do not use SSL. This scenario is therefore quite impractical and unrealistic.


Scenario 3: Elliot hacks personal accounts (Social Engineering)

Elliot got the password using a custom script that combined a wordlist with a brute-force attack. The password was based on the victim's favourite artist and the year she was born, written backwards. A lot of people publish this type of information on social networking sites and reuse passwords, so these attacks exist in real life and this scenario is entirely possible. Even with today's advanced security solutions, hacking into personal accounts such as email, dating services and social media is relatively easy. The attack is usually based on brute-force attempts to crack your password, and this is unfortunately still effective, especially with ready-made, off-the-shelf tools available to anyone who wishes to launch such an attack. Choose strong passwords for your accounts, do not share the same password across accounts, and enable two-factor authentication wherever possible.

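The defender's side of this scenario is a password policy that refuses passwords built from facts an attacker can read off a social media profile. The following is an added example (not code from the article or from the show): it generates the small set of derivations described above (favourite artist plus birth year, in either order, and each written backwards) and rejects a candidate password that matches one of them; the profile values and the artist names are constructed sample data.

```python
"""Password-policy check: reject passwords derived from a user's public profile.

Added example, not from the article: given the profile facts an attacker could
find on social media (favourite artists, birth year), build the derivations the
article describes and refuse any candidate password containing one of them.
"""
import re


def _normalise(s: str) -> str:
    # Compare case-insensitively and ignore spaces/punctuation so that
    # "Bowie 1989" and "bowie1989!" count as the same guess.
    return re.sub(r"[^a-z0-9]", "", s.lower())


def profile_derivations(artists: list, birth_year: int) -> set:
    """All normalised strings a guesser would try first from these facts."""
    year = str(birth_year)
    short_year = year[-2:]
    out = set()
    for artist in artists:
        a = _normalise(artist)
        out.add(a)
        out.add(a[::-1])                  # artist name written backwards
        for y in (year, short_year):
            for combo in (a + y, y + a):  # artist+year and year+artist
                out.add(combo)
                out.add(combo[::-1])      # the 'written backwards' variant
    return out


def password_is_profile_derived(password: str, artists: list, birth_year: int) -> bool:
    """True if the password contains any profile-derived string (4+ chars)."""
    p = _normalise(password)
    return any(len(g) >= 4 and g in p for g in profile_derivations(artists, birth_year))


# Constructed sample profile (hypothetical, not from the show or the article).
SAMPLE_ARTISTS = ["Dylan", "Bowie"]
SAMPLE_BIRTH_YEAR = 1989

if __name__ == "__main__":
    for candidate in ("9891eiwob", "Bowie1989!", "correct horse battery staple"):
        bad = password_is_profile_derived(candidate, SAMPLE_ARTISTS, SAMPLE_BIRTH_YEAR)
        print(f"{candidate!r}: {'REJECT' if bad else 'accept'}")
```

A real deployment would pair this with a breached-password list and length requirements; this check only closes the specific gap the scenario illustrates.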

Scenario 4: E-Corp servers are attacked as a diversion from another attack on the servers (DDoS)

Needless to say, this is realistic. A Distributed Denial-of-Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Such attacks target a wide variety of important resources and present a major challenge to keeping information available, thus affecting daily business operations. In the show, the DDoS attack hits at 3 AM and E Corp is down for one hour, resulting in a total revenue loss of approximately 13 million dollars. In reality, DDoS attacks can cause severe revenue losses: the average DDoS attack costs a business roughly 40,000 dollars per hour. The technique of using a DDoS as cover has featured in several real-life security incidents, most notably the Sony PlayStation breach, in which the account information of 77 million users was stolen under the cloak of a large-scale coordinated denial-of-service attack. Network protection is not enough; you must also protect your data.


Scenario 5: E-Corp servers are infected with a rootkit that crashes them on boot-up (Rootkit)

Elliot recommended restarting the services that were not coming back up. After the restart, a destination unreachable error was shown for the servers' IP addresses, followed by a connection rejected error caused by too many connections. A custom script was used for a port scan and to uncover which users were logged in, and it was determined that the hackers had broken into the server. Elliot mentions that the attack was coming from IP addresses all around the world, and his boss suggested using a load balancer to redirect the traffic and counteract the DDoS attack. Elliot, however, does not believe it is just a DDoS attack: he suspects there is a rootkit inside the server as well. They redirected the traffic to another server and updated some network settings, after which Elliot checked the running processes on the infected server, inspected some files and uncovered a rootkit installation. A rootkit is software designed to be hard to detect and remove; it can take over the system completely and install, change or delete whatever it wants. Kernel-mode rootkits run as part of the operating system itself with the highest privileges, so they can modify start-up code such as the Master Boot Record (MBR) and crash the server on every restart. Removing a kernel-mode rootkit often means reinstalling the operating system, so back up your server data regularly.

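Checking the running processes, as Elliot does here, is only useful if the tool you check with is not itself lied to. One cheap first check a responder can run is a cross-view comparison: enumerate PIDs two independent ways (here the numeric directories under /proc and the output of `ps`) and flag anything present in one view but not the other. This is an added example, not code from the article; the sample views are constructed, and the caveat is that a kernel-mode rootkit of the kind described above can hide a process from /proc as well, so an empty diff proves nothing, while a non-empty one is worth investigating.

```python
"""Cross-view check for processes hidden from `ps`.

Added example, not from the article. User-mode rootkits typically hook the
library calls that `ps` uses to list processes, but the kernel's /proc listing
may still show the PID. A kernel-mode rootkit can hide from both views, so a
clean result here is not a clean bill of health.
"""
import os
import subprocess


def pids_from_proc(proc_root: str = "/proc") -> set:
    """PIDs taken straight from the numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps(ps_output: str) -> set:
    """PIDs parsed from the text of `ps -e -o pid=` (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_view: set, ps_view: set, own_pid: int = -1) -> set:
    """PIDs present in the /proc view but missing from the ps view."""
    diff = set(proc_view) - set(ps_view)
    diff.discard(own_pid)  # our own short-lived ps child is not suspicious
    return diff


def live_check() -> set:
    """Run the comparison on the current host (Linux with procfs and procps)."""
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    return hidden_pids(pids_from_proc(), pids_from_ps(ps.stdout), own_pid=ps.pid)


# Constructed sample views (not captured from a real host): /proc shows PID 4242,
# which the (hooked) ps binary never reports.
SAMPLE_PROC_VIEW = {1, 2, 311, 4242, 5000}
SAMPLE_PS_OUTPUT = "  PID\n    1\n    2\n  311\n 5000\n"

if __name__ == "__main__":
    print("hidden in sample:", hidden_pids(SAMPLE_PROC_VIEW, pids_from_ps(SAMPLE_PS_OUTPUT)))
    if os.path.isdir("/proc"):
        print("hidden on this host:", live_check())
```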

Conclusion

Mr. Robot is a great TV series and it offers some real-world advice on how to keep your data and systems secure. Overall, it provides a realistic depiction of what is possible. Mr. Robot has been widely praised for its technical accuracy by numerous cyber security firms and bloggers who dissect and comment on the technology and the technical aspects of the show after every episode. The only issue is how fast Elliot hacks. Granted, the speed at which he works isn't possible with standard computers, but the process itself is fairly realistic; his hacking is fast so that it fits into a typical TV episode. In reality, a hacker would need to spend serious time finding potential security issues that can be exploited. Social engineering takes time and brute-force attacks take time; with somewhat complex passwords, it can take months to crack a password directly.


Cyber Security training from QA

QA is uniquely positioned to help solve the Cyber skills gap, from its CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.

They offer end-to-end Cyber training and certifications from Cyber Awareness to deep dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management, Proactive Security to Offensive Defence. QA only employ world leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ accredited courses and proudly the CyberFirst programme. This is all to support in tackling the UK's National Cyber Security skills shortage.

QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.

Take a look at QA's CyberLabs

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.


James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.