Five Mr. Robot Hacks you can block with IDaaS

September 21st, 2016 / security and compliance

The TV show Mr. Robot was nominated for six Emmys, winning one, and the season 2 finale is coming tonight. If you’re not familiar with the show, it’s a groundbreakingly realistic portrayal of computer security.

With all the hype around it—especially from the IT community—I knew I had to make a priority of watching it. It didn’t take long for me to see what all the hype was about. I’m now fully hooked! As fellow fans know, one of the reasons the show is so enjoyable is because of how realistic the hacks are in the show. In fact, sometimes I find myself hitting pause and reading man pages to understand what’s happening. The show is essentially a case study on hackers and how they work—required viewing for anyone in security.

Fans enjoy a replica Mr. Robot set at SXSW 2016. Photo credit to Cory Doctorow.

As I watched Elliot hack friends, acquaintances, his psychiatrist, various lowlifes, and of course E Corp, I couldn’t help but think that some of the exploits featured in the show could have actually been prevented if only the individuals or the companies were using an IDaaS like OneLogin.

Warning: Season 1 spoilers ahead!

Password Cracking

This is one of Elliot’s favorite tactics. He’s able to brute force his way into his target’s accounts mainly because they have bad passwords. Combined with social engineering, where he adds things like birth year, favorite artist, favorite sports team to his program, Elliot is able to get in within seconds.

For example, his psychiatrist’s password was Dylan_2791 (her favorite artist and the year she was born, reversed), and he cracked it in 24 seconds. Angela’s not-so-awesome boyfriend Ollie’s password was the easiest to hack: 123456Seven. And Tyrell’s password is his wife’s maiden name plus Sweden’s independence date. As Elliot puts it, “bad noob practice”.

How OneLogin helps

When using an IDaaS solution like OneLogin, you can enforce password complexity, rotation, and uniqueness, and require Multi-Factor Authentication (all the time, or only for higher-risk situations such as logging in from outside the office) across all apps in your organization. Even better, apps integrated via SAML don’t have a password of their own, so there is no app password to crack.
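As an added example (not OneLogin’s code), here is the kind of password check an IdP can enforce centrally. It rejects the patterns the post describes: passwords built from a user’s known attributes (favorite artist, birth year, birth year reversed), trivial sequences, and reuse of a previous password. The profile fields, length threshold and hashing of history are assumptions for the example.

```python
import hashlib
import re

MIN_LENGTH = 12                                   # assumed policy value
COMMON_SEQUENCES = ("123456", "qwerty", "password")


def digest(password: str) -> str:
    """Hash used to keep a password history without storing plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def _derived_tokens(profile: dict) -> set:
    """Strings a targeted wordlist would contain: every profile value and
    its reverse (e.g. a birth year 1972 also yields 2791)."""
    tokens = set()
    for value in profile.values():
        value = str(value).lower()
        if len(value) >= 3:
            tokens.add(value)
            tokens.add(value[::-1])
    return tokens


def check_password(password: str, profile: dict, history: set) -> list:
    """Return the list of policy violations; an empty list means accepted.
    profile: attributes known about the user (e.g. favorite_artist, birth_year)
    history: digests of the user's previous passwords"""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three character classes")
    for token in _derived_tokens(profile):
        if token in lowered:
            problems.append(f"contains profile-derived token {token!r}")
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains common sequence {seq!r}")
    if digest(password) in history:
        problems.append("reuses a previous password")
    return problems
```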

Zombie Accounts

One of the major climaxes of season 1 is when Tyrell gets fired from E Corp. After all he’s done to try to get the position of CTO, it’s quite remarkable to see him let go. We’re not sure exactly what happens after this, but needless to say Tyrell is angry, and potentially could wreak a lot of havoc with E Corp. When someone gets let go from a company, especially when they’re angry, you want to make sure their access to company data is revoked immediately. Otherwise you have “zombie accounts” that represent a potential backdoor into your organization. Now, in Tyrell’s case there’s probably not a lot you can do (he’s a hacker after all), but for normal employees there’s a lot you can do to prevent access once someone is terminated.

How OneLogin helps

OneLogin provides visibility into what apps the company has, who’s using them and how often, and allows you to automate user deprovisioning through our real-time offboarding, ending their active sessions and disabling future access. We take real-time incredibly seriously: our Active Directory Connector uses AD Change Notification Subscriptions, our AD connectors can be clustered for high availability and throughput, and we use sockets for blazing fast connections from on-premises AD to our Cloud Directory.

You can even connect HR apps such as Workday and UltiPro, so that when an employee’s status is changed from “current” to “former” in the HR app, their entitlements immediately change in OneLogin. For apps with provisioning APIs, OneLogin will then automatically deactivate accounts. And for those apps without provisioning APIs, OneLogin will soon provide an automatically generated offboarding checklist for each employee that an IT admin can follow to ensure no users fall through the cracks.
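The HR-driven offboarding flow just described, as an added example that is not OneLogin’s code: for every user whose HR status is “former”, live sessions are ended, accounts in apps that expose a provisioning API are deactivated, and accounts in apps without one are put on a checklist for an admin. The `App` class, its `deactivate` stand-in for a real provisioning call, and the sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    has_provisioning_api: bool
    active_accounts: set = field(default_factory=set)

    def deactivate(self, user: str) -> None:
        # Stand-in for a real provisioning API call (hypothetical).
        self.active_accounts.discard(user)


def offboard(hr_records: dict, apps: list, sessions: dict) -> dict:
    """Reconcile app access against HR status.

    hr_records: user -> "current" | "former"
    sessions:   user -> number of live SSO sessions (set to 0 on offboarding)
    Returns {"deactivated": [(user, app)], "checklist": [(user, app)]}.
    """
    result = {"deactivated": [], "checklist": []}
    for user, status in hr_records.items():
        if status != "former":
            continue
        sessions[user] = 0                       # end active sessions first
        for app in apps:
            if user not in app.active_accounts:
                continue                         # no zombie account here
            if app.has_provisioning_api:
                app.deactivate(user)
                result["deactivated"].append((user, app.name))
            else:
                result["checklist"].append((user, app.name))   # needs an admin
    return result


# Constructed sample data, not from the post.
HR = {"tyrell": "former", "angela": "current"}
APPS = [App("crm", True, {"tyrell", "angela"}),
        App("legacy-erp", False, {"tyrell"})]
SESSIONS = {"tyrell": 2, "angela": 1}
```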

Phishing

In season 1 episode 3, Elliot mentions that he hacked Shayla by using what he called a “simple” phishing attack. In classic Elliot style, he hacked her just so he could “know” the person next door.

Phishing can be a constant worry in corporate environments. No matter how much you train employees to watch for phishing attacks, there are likely still going to be users who get tricked by them.

How OneLogin Helps

Many phishing attacks focus on stealing credentials by tricking the user into entering them on a fake page. When your users use SSO through OneLogin to access their apps, they have no credentials they can use to log in to any of the apps directly. The only allowed login is a trusted login via the OneLogin site, most often with no app credentials ever going over the wire (i.e. with SAML or OpenID authentication). In this scenario, it is highly unlikely that a phishing scheme targeting any of these apps would be successful.

On top of that, integrations with SIEMs like Splunk, ELK, and SumoLogic enable security teams to see if users are accessing apps in a suspicious way — for example, a user accessing an app from New York and San Francisco within a five-minute period — indicating that an account has been compromised.
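The “impossible travel” rule from that example, as an added detection that is not OneLogin’s or any SIEM vendor’s code, run over a constructed SSO login log. The geo-IP table, the maximum plausible speed and the sample events are assumptions; a real deployment would take the coordinates from its geo-IP feed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # roughly airliner speed; assumed threshold

# Constructed geo-IP lookups (lat, lon); documentation-range addresses.
GEO = {
    "203.0.113.10": (40.71, -74.01),    # New York
    "198.51.100.7": (37.77, -122.42),   # San Francisco
    "192.0.2.55":   (40.73, -73.99),    # New York, a few blocks away
}


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events) -> list:
    """events: iterable of (iso_timestamp, user, source_ip, app).
    Returns alerts as (user, app_before, app_after, km, minutes, implied_kmh)."""
    alerts, last_seen = [], {}
    for ts, user, ip, app in sorted(events):        # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        if user in last_seen and ip in GEO:
            prev_when, prev_ip, prev_app = last_seen[user]
            km = haversine_km(GEO[prev_ip], GEO[ip])
            minutes = (when - prev_when).total_seconds() / 60
            speed = km / (minutes / 60) if minutes > 0 else float("inf")
            if km > 0 and speed > MAX_SPEED_KMH:
                alerts.append((user, prev_app, app, round(km), round(minutes), round(speed)))
        if ip in GEO:
            last_seen[user] = (when, ip, app)
    return alerts


# Constructed sample log, not from the post.
SAMPLE = [
    ("2016-09-21T09:00:00", "elliot", "203.0.113.10", "salesforce"),
    ("2016-09-21T09:05:00", "elliot", "198.51.100.7", "workday"),
    ("2016-09-21T09:20:00", "angela", "203.0.113.10", "salesforce"),
    ("2016-09-21T09:30:00", "angela", "192.0.2.55", "workday"),
]
```

The second user moves a few kilometres in ten minutes and is not flagged; only the New York to San Francisco hop in five minutes produces an alert.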

Physical Access

In season 1 episode 5, Elliot pretends to be a Silicon Valley billionaire asking for a tour of the Steel Mountain backup facility that stores E Corp’s records. Once his tour is underway, he eventually makes his way to the controls for the HVAC and is able to install a tiny Raspberry Pi computer that can override the temperature controls, in the hopes of making the temperature inside the facility hot enough that all the backup tapes will melt. Later in that episode, Angela inserts a CD into Ollie’s work computer, infecting AllSafe’s network with malware and making it vulnerable to attack.

Physical access to systems always presents a potential security risk, since it provides additional ways to modify those systems as part of a larger attack.

How OneLogin Helps

Some people see on-premises systems as safer than cloud systems, but the reality is that they are often located in busy office buildings where a hacker can blend in, with plenty of employees who can potentially be conned into providing physical access to servers, routers, laptops, and other devices. As Elliot says, “people always make the best exploits”.

As an IDaaS cloud service, OneLogin runs in Amazon datacenters with high levels of automation and security, meaning fewer people that can be exploited to provide physical access. Even we, OneLogin employees, cannot get a tour of an AWS datacenter, let alone see the physical machines running our service.

DDoS Attacks

One of the first times we realize just how brilliant Elliot is at his job is when we see him single handedly save E Corp from a very elaborate fsociety distributed denial of service (DDoS) attack.

How OneLogin Helps

If your company is using its own hosted login service, then you probably know how difficult it is to have it available 24/7, make it robust with support for different MFA vendors, and keep it safe from attacks such as DDoS. While OneLogin doesn’t protect SaaS apps themselves from DDoS attacks, OneLogin’s service has multiple levels of redundancy to address DDoS, starting with multiple Active/Active DNS providers, and multiple AWS Regions and Availability Zones on multiple continents. We know just how important it is for our service to be accessible at all times to your end users. (See our historical uptime)

Conclusion: Hacking is all about people

Mr. Robot does a great job of showing us that at the root of it, hacking is not just about sophisticated systems and software or flaws in code, but about flaws (or “bugs” as Elliot calls them) in people. Sometimes the flaws are in the hackers, like Elliot, Darlene, and Angela trying to take down E Corp due to personal tragedies in their own lives; sometimes they are in those being hacked, like Ollie being blackmailed into giving the Dark Army the ability to hack AllSafe.

As IT professionals, it’s our job to protect our customers from those who might want to cause our company harm, and from those inside the organization who inadvertently expose company data through poor security practices. Using an IDaaS solution is a simple step that can address a wide range of security risks.

About the Author

Al Sargent started coding at age 10, wrote his first computer game at 12, and by 13, got sent to the principal’s office for skipping class to code. Decades later, he’s now Sr. Director of Product Marketing at OneLogin. He loves the process of crafting stories about technology: understanding customers and users, what they care about, and how they use software in their jobs and lives. Prior to OneLogin, Al helped create the world’s first software-testing cloud, Sauce Labs; drive the fastest-growing business unit at VMware; advance market-changing open source technologies such as Spring and Cloud Foundry; and build a new software category — Software Analytics — at New Relic.
