GeekWire Radio: Behind the scenes of ‘Mr. Robot’ — understanding the tools and tactics of a hacker

 Christian Slater as Mr. Robot, and Rami Malek as Elliot Alderson  (Photo by: Christopher Saunders/USA Network)

BY TODD BISHOP 

This week on GeekWire, we explore the world of hacking through the hit USA Network show “Mr. Robot.” Our guest is Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, who has been analyzing the technical aspects of the show in a series on GeekWire called “Mr. Robot Rewind.”

The Mr. Robot analysis begins in the second segment of the show, at 9:20 in the audio player below. Download the MP3 here, and continue reading for a full transcript of the discussion.

Elliot Alderson: “I like coming here because your WiFi was fast. I mean, you’re one of the few spots that has a fiber connection with gigabit speed. It’s good. So good, it scratched that part of my mind, the part that doesn’t allow good to exist without condition. I started intercepting all the traffic on your network. That’s when I noticed something strange. That’s when I decided to hack you.”

Todd Bishop: That was a scene from Mr. Robot, a series on USA Network that will have its finale next week. It’s a thrilling show and fun for anyone to watch but it also provides a rare and highly accurate window into the current state of computer security and hacking. In short, you can learn a lot from it and that’s exactly what we’re going to do this week. Our guest is Corey Nachreiner, he is the CTO at Seattle-based WatchGuard Technologies. He’s been analyzing the technical aspects of the show in a series on GeekWire called “Mr. Robot Rewind.” Corey, it’s great to have you on.

Corey Nachreiner: Yeah, it’s great to be here, Todd. It’s been a lot of fun.

Todd Bishop: We’ve been loving your series and so I’m really looking forward to talking to you about Mr. Robot and learning something about computer security too. This series has captured the attention of a lot of people. What initially drew you into the show?

Corey Nachreiner: Historically, besides being a security geek, I’ve always been kind of a pop culture media geek. Back in my day when War Games came out, I loved it, it really got me into trying to learn about hacking. But over time, the media really hasn’t portrayed information security well. Lately, every time a new thing comes out, whether it be the Black Hat movie, the old Firewall movie, I went all in to see if this is it. When Mr. Robot came out, it’s a new opportunity for them to do that. I have to admit, I missed the first episode when it aired live but I had a friend that immediately texted me, knew what I did for a living, saying, “Corey, you’ve got to check this show out.”

What hooked me when I first watched it was actually that clip you played. That’s really the first scene, him going into a café and talking to that guy. Everything about that scene, even though it’s subtle, even though they don’t get into technical details, you could tell right away the show runner knew what he was talking about. He had hacking culture down.

Todd Bishop: Overall, how accurate is Mr. Robot from a technical standpoint?

Corey Nachreiner: I would have to say it’s great. Nerds like me get excited when you see an SSH login in Matrix. That was just one tiny scene. We’re so used to hacking from Swordfish where there’s glitzy, 3D graphics happening and all kinds of crazy stuff that really is not reality as far as computer security. With Mr. Robot, a part of the series was trying to find the flaws as well, it’s hard to find them. I really have to get down to nitpicking and what I really loved about the show is not only is it technically accurate but I feel, I know about information security but I feel people that may not know as much as me, they’re still kept up to speed without being bored by some of the hidden details that are being shown to you.

Todd Bishop: Absolutely. People who know computer security can enjoy it as much as people who don’t.

Corey Nachreiner: Exactly. It’s that adult joke in the Pixar movie that you get, but your kids can still enjoy the Pixar movie without it.

Todd Bishop: What is the biggest mistake they’ve made? Can you think of even one giant mistake they’ve made?

Corey Nachreiner: To me, the biggest mistake — and we might be talking about it later — but the thing that pulled me out immediately from the show was they referenced a rootkit. Up until that point, they talk about lots of security and technology terms and they’re right on but somebody asked what’s a rootkit and the immediate description of it was off to me. Not a huge technical mistake but it was to me the most glaring one. Right away, I was like, “Wait, that’s wrong.” All the other stuff is really nit-picky.

Todd Bishop: How should people feel after this about the security of their businesses and their own personal data?

Corey Nachreiner: I think its accuracy goes down to some of the attacks you see happening a lot are not necessarily always on traditional computer systems. … They’re on mobile devices. They’re on the internet of things. The truth is, we have a big problem there. Innovation and the stuff we do with technology, I’m a super fan of technology, I love the innovation. The fact that I have a watch that monitors my health and can report to me via Bluetooth but we really are creating this complex interconnected world and we haven’t thought a whole lot about security yet.

I think it might help the general public realize that hey, all this technology is awesome but as we’re innovating, maybe we need to balance that a little bit with considering the ramifications of some of this complexity.

Todd Bishop: That’s great. Let’s jump in. Let’s listen to a scene from Mr. Robot and then we’ll ask you about it.

Tor networking and exit nodes

Elliot: You’re using Tor networking to keep the servers anonymous. You made it really hard for anyone to see it. But I saw it. The onion routing protocol, it’s not as anonymous as you think it is. Whoever is in control of the exit nodes is also in control of the traffic which makes me the one in control.

Todd Bishop: All right, Corey, so what is Tor networking?

Corey Nachreiner: Good question. Elliot sort of explains it enough for newbies to get it. Tor stands for The Onion Routing protocol. Basically, as people are browsing the internet every day, there’s something called an IP Address that identifies your computer. If you browse normally, everybody sees that. It’s actually, people think they’re anonymous on the Internet but it’s pretty easy to geolocate you with this IP address. Tor is essentially just a technology that anonymizes you using a lot of techniques.

Todd Bishop: He also made reference to exit nodes, and whoever is in control of the exit nodes is also in control of the traffic. What does that mean?

Corey Nachreiner: Yeah, you have to understand a little how Tor works. Basically, you’re going through a number of proxies. I call it a peer-to-peer network for privacy. You start with the entry node which is a random computer the Tor client gives you. You do some encryption on top of that and that first entry node or the guard node, it knows your IP address but then it connects to a second computer using further encryption. The second computer doesn’t know your IP address. Then they do another layer where they connect to a third computer. That is the exit node. The key here is, in the Tor network, the entry node knows your IP but doesn’t know what you’re doing. The exit node has no clue what your IP address is or who you are but it does have to share your information with the internet so it does see what you’re doing online, what sites you’re going to, especially if you’re not connecting to secure sites.

Todd Bishop: If you control that exit node, you’re in control.

Corey Nachreiner: Exactly. There are lots of ways that black hats can actually do man-in-the-middle attacks. An exit node on the Tor network is something anyone can set up. You can become an exit node. If you’re malicious, you can just monitor all the traffic, inject malicious traffic into the responses and totally own the person that thinks they’re anonymous.

Todd Bishop: All right. Let’s dive back in with our next excerpt from Mr. Robot.

Social engineering

Elliot: Can I borrow your phone? Mine is dead. I need to call my mom. Thank you. … No answer, thanks anyway.

Todd Bishop: That is a scene from Mr. Robot, with Rami Malek playing Elliot Alderson, the hacker at the center of the show. Corey, what is going on there? Why was he asking for that guy’s phone and what does it say about the larger world of hacking?

Corey Nachreiner: That’s social engineering. You often think of hacking and think of technical attacks. A lot of the series we did on GeekWire, we’re talking about very technical attacks. But a big part of information security is this social engineering, which is hacking a human’s mind, a traditional con-man. In that particular scene, Elliot didn’t want to make a call to his mom. He was trying to target this person for something he does later in the episode or I think maybe the second episode. He basically wanted to get the phone so he could call his own number and then he deleted the call because he wanted to have that victim’s phone number on his phone.

You never think about this. I’ve had this happen before on the bus where a random person is like, “Hey, I don’t have a cellphone. I don’t know when the bus is going to get there. I need a ride. Can I use your phone to call?” In this case, it’s probably a normal person. At first, when some random person asks you for a phone, you’re a little worried, but I think human nature, if somebody asks you with confidence and acts it out right, human nature is just, “Yeah, you can use my phone for a second.” An easy trick you can do to get information out of people that they don’t realize the value of.

Todd Bishop: What does he do later on with that phone number, knowing that phone number?

Corey Nachreiner: That’s a great question. Later on, when he’s trying to really hack this person, he does a classic trick. He calls up that phone as tech support and he says, hey, “We noticed your accounts have been hacked.” He knew a little bit of information about Michael so he said, “You do live at this place, right?” That tricks Michael, too. It makes him feel like the person really is calling from a company because he knows about him. Then he says, “Oh, before we go further with this, can I get your security questions so I can confirm you.” It was another social engineering trick to get more information out of Michael to eventually crack his passwords.

Todd Bishop: What should people do in cases like this? Because this is just one example of social engineering and there’s actually many of them in this show. What can people do to fight back against it?

Corey Nachreiner: This is a hard question but awareness is the first thing. Realizing that this is happening. People are getting these sorts of calls all the time where someone will call you up and say, “I’m a Microsoft rep. Your computer seems to have technical glitches. Let me connect with remote desktop and I’ll help you fix it.” Have some skepticism. They’ve validated you by asking security questions. You can validate them or maybe say, “Let me hang up on you but give me a number to call you back.” That way, you can make sure it’s a real Microsoft number and not some random situation.

Todd Bishop: It’s funny that you say that. That’s an actual situation. There are cases where people call up and say, “Hi, it’s Microsoft support calling.” It’s a scam.

Corey Nachreiner: Exactly. It is happening in the real world.

Todd Bishop: By the way, Corey, what does WatchGuard do? Can you give us your 30-second elevator pitch?

Corey Nachreiner: Sure. We’re a network security company for businesses. We create an appliance that basically has tons of security layers and an appliance that’s easy for a business to put in their network and protect themselves.

Todd Bishop: You would be fighting the Elliot Aldersons of the world.

Corey Nachreiner: To some extent, yes. Elliot actually works for a security company similar to, not specifically like WatchGuard but he works for a security company which is kind of weird. While he has good intentions, he’s breaking the law quite often.

DDoS attacks and rootkits

Todd Bishop: Let’s jump right in with our next clip.

Elliot: I don’t think this is just a DDoS attack. I think they got a rootkit sitting inside the servers.
Angela: What’s a rootkit?
Lloyd: It’s a malicious code that completely takes over their system. It can delete system files that stop programs, viruses, worms.
Angela: How do we stop it?
Lloyd: That’s the thing, it’s fundamentally invisible. You can’t stop it.

Todd Bishop: Let’s pull that one apart. First, what is a DDoS attack?

Corey Nachreiner: That just stands for distributed denial of service. A denial of service attack is a class of attack where I’m not trying to take over your computer or your website or whatever, I’m trying to do something that makes it so it doesn’t work. Nowadays, distributed denial of services are when an attacker might control a network of 100,000 victim computers and he might just send a website overwhelming traffic so that your e-commerce site can’t stay up any longer.

Todd Bishop: Then the other part of that was rootkit. We talked about this a little bit in the first segment. This might be one area where their explanation might not have been precisely on the mark. What is a rootkit?

Corey Nachreiner: I’ll definitely tell you what a rootkit is. I will say one thing that’s accurate about this is, Elliot and them say that perhaps the DDoS attack is not the real strategy here. In this case, the DDoS attack was kind of to get people’s attention for the real attack where they’re infecting a server.

Todd Bishop: They sort of got their attention over on one side and then actually made a real attack somewhere else.

Corey Nachreiner: Exactly. What I didn’t like about this definition: A rootkit started as a set of tools you would download after you owned a computer way back in the ’90s. But nowadays, it’s got a much more specialized description or definition than that. What they say on the show is basically it’s malware, it’s something that once it has control over your computer, it can delete files and do whatever. That to me is a definition of malware.

But nowadays, a rootkit is a special technology you can add to your malware that does a Jedi mind trick on your computer. What I mean by that is, when malware installs on your computer, it puts files in Windows, but rootkit technology can do all kinds of technical tricks to make Windows not see the file. Even though it’s there, even though you have antivirus running, when the antivirus gets to that file, the rootkit will use kernel tricks to say you don’t see this file. This is not the file you’re looking for. It can do the same for network connections or for processes. So it really helps you hide on the computer you’ve already infected.

Todd Bishop: If somebody gets a rootkit on their network or on their system if they’re a company, what do they do?

Corey Nachreiner: It’s very, very difficult. I use the words kernel-level rootkit. If you actually get a kernel-level rootkit, you’re at an operating level on the computer that’s higher than the operating system itself. Really, the only way to find that is it tends to be an offline scan where if I have a Windows computer, I don’t boot into Windows. … I use a USB disk to boot into Linux. That way, the rootkit can’t get its hooks into my operating system and then when I scan it, I can actually find it.

Todd Bishop: In the end, was this scene generally accurate? How would you characterize it?

Corey Nachreiner: I think the attack was very, very accurate. The only thing that wasn’t accurate was rootkit and the reason it slapped me in the face so much is just because everything else in this show is so right on. In the end though, I think the decision maybe not to go into the definition I just did on the rootkit was a good one because they’re talking to a non-technical audience. To give the definition I did is something you probably couldn’t do in 15 seconds on your TV show.

Todd Bishop: One of the things that I really enjoy about this show is how eye opening it is to the perspective of the hacker. Sitting there watching Elliot do all these things, you realize, these people are empowered. They are in control. They know the tools of the modern world and they’ve mastered them. They’re almost like the 21st century sorcerers.

Corey Nachreiner: Magicians.

Todd Bishop: Yeah, absolutely. But then when you really think about it, when it’s not a drama or something that’s entertaining you, in the real world, you’re the potential victim.

Corey Nachreiner: Absolutely.

Todd Bishop: What are some practical tips for people out there seeing what’s going on and wanting to protect themselves?

Corey Nachreiner: We’re in the day and age where you do need to think about cyber security. There’s lots of simple tips you can do but gone are the days where someone can use email and not worry about security software like antivirus and stuff like that. A hacker is someone that takes the system designed to do one thing, and when you find that way to get the system to do something totally different than what it’s designed for, it’s very, very empowering.

But you have to realize, there’s a dangerous side to that. That gives you an asymmetric power. What I mean by that is suddenly this one technical person suddenly can create an effect that is way beyond the scope, normally to do some physical damage, you have to be big enough to have an army behind you. Now, this lone attacker can suddenly do really, really big, disastrous things. That’s a little scary to me. Even though often we side with Elliot and maybe his weird ethics — we like the idea that he wants to save the world, but imagine when somebody’s political ideas and ethics differ from yours. Then it becomes a little bit less empowering and more scary.

Todd Bishop: One of the things that Microsoft did with Windows 10 was to go from notifications of updates to just updating people behind the scenes, whether it’s features or security updates. Could that have an overall positive effect if people are updating their systems more frequently?

Corey Nachreiner: Absolutely. I highly recommend if your computer is just running a desktop, whether it be Windows, OS X or using Adobe software, all of them have automatic updates. You can choose to have those installed without any interaction at all. If you’re a consumer, definitely do that. I would say for the businesses out there, if you have a production server out there, sometimes updates can cause unintentional consequences, so they sometimes can’t accept the automatic updates but I think for consumer world, for the internet of things, especially, when you have devices like watches that you don’t really realize need updates, you should have them automatically applied.

Todd Bishop: We’re talking with Corey Nachreiner. He is CTO at WatchGuard Technologies, a Seattle-based company, and he’s been analyzing the USA Network show Mr. Robot. We’re going to keep Corey around for a special podcast extra. If you’re on the radio, we’re going to say farewell. But if you want to hear more, go to KIRORadio.com or GeekWire.com and look for the podcast for this show.

All right. We’re now on the podcast extra version of the show which means I guess we can play all of the uncensored clips from Mr. Robot.

Corey Nachreiner: There’s a lot of them, by the way. It’s a pretty dark show.

Todd Bishop: Yeah, it’s more of an HBO style, for sure. … Let’s listen to our next clip.

Honeypots and air-gapped networks

Gideon: We’ve air-gapped your private network, implemented a honeypot, reconfigured all firewalls and systematically …
Tyrell: Wait, wait, wait. A honeypot for what?
Gideon: A specific server involving the last Fsociety attack, CS30. I know we checked it out but if there’s even a chance the hackers are still in the network, the honeypot will ensure that they can’t cause any damage. They’ll log into the decoy server we’ve set up thinking they’re on your main network.

Todd Bishop: A honeypot. I’ve heard this term before. What does it mean?

Corey Nachreiner: It’s not one of those portable toilets.

Todd Bishop: It’s not a Winnie the Pooh reference.

Corey Nachreiner: Exactly. A honeypot is a real thing. In a nutshell, it’s a decoy server. As people started attacking networks, the security experts figured if we put up a server that doesn’t really have value and it’s the easiest target in the network of the ones exposed, that’s the one the attackers will go to. You either use it as a canary in the coal mine, meaning if you see someone attacking it, you know there might be a bad guy on your network. Or researchers, security researchers like those at WatchGuard, we use it to monitor what hackers do. Typically, it’s a server that emulates like a web server and email server and other things and it allows you to connect to it and as soon as attackers are starting to do something bad, you immediately can see that traffic.

Todd Bishop: I would think that hackers would be on to this. Wouldn’t they just say, “That’s the honeypot. I’ll go for the one that’s more difficult to crack.”

Corey Nachreiner: Absolutely. I mean, what honeypots often catch are the automated attacks that are scripted because most honeypots cannot interact all the way down doing everything a normal server would do. There’s eventually a point where you do a command and it’s not going to be responding the way you expect. To me, the one thing, there’s nothing inaccurate about the way they talk about a honeypot but what they are doing is taking a real server that served a real purpose that Elliot was already on and they said they replaced it with a honeypot. Elliot would immediately know if this computer which was part of a production network would suddenly not be connecting in the ways it used to. It would be very hard barring totally virtualizing the server, copying it and putting it into a very similar network, in my opinion to confuse someone like Elliot.

Todd Bishop: Very interesting. The other thing that they said was “We’ve air-gapped your private network.” What in the heck is that?

Corey Nachreiner: Air gap — that’s old-school security. The reason we never were worried about nuclear power plants being hacked is because even though they use computers and have vulnerabilities, they didn’t touch any network. They were totally offline, nowhere near the internet. That’s changed, by the way. There’s now actually energy plants, industrial systems that have online connection. There’s even been cases where people can jump that air gap as you actually see in some parts of Mr. Robot.

Todd Bishop: Let’s listen to our last clip.

Two-factor authentication

Elliot: In 90 seconds, this code will change if I don’t log in with it on my computer before then. 60 seconds. Whiterose is right. We run from one deadline to the next.

Todd Bishop: That one is maybe a little bit harder to interpret without seeing the scene but essentially he was running into the office of his boss. What was his boss’s name?

Corey Nachreiner: Gideon.

Todd Bishop: Gideon, yeah. Picked up his phone and got the code and then Elliot ran back to his computer and entered the code just in time to log into his account. This is two factor authentication.

Corey Nachreiner: Two-factor authentication or multi-factor authentication. Exactly. This totally jibes with the fact that Gideon’s the CEO of Allsafe, the security company, and as we know from past history, Elliot hacks his friends and his coworkers and his enemies and he had already gotten a lot of information from Gideon. He knew Gideon’s password from previous hacks. But two-factor authentication is the thing that saves you if someone hacks one of your factors. Because Gideon cares about security, you add some other tokens. When I log on besides just entering a password, I have to use my fingerprint or I have to get this second code that a specialized device gives me, or nowadays, it could be just Gmail SMS’ing, texting you a message on your phone. That’s the problem, even though he knows Gideon’s password, he needs the second factor to get onto Gideon’s account.

Todd Bishop: This one actually harkens back to one of the previous things that we talked about which was social engineering because without giving away a spoiler, there is a major distraction happening in the scene.

Corey Nachreiner: Exactly.

Todd Bishop: Then Gideon essentially was leaving the room with his phone in the room still.

Corey Nachreiner: Exactly. In some cases, you might say he circumvented two factor but he didn’t really. Two factor worked, the thing was he had to steal that phone and it was the social engineering aspect, using the distraction, that allowed him to get to it.

Todd Bishop: In this case, he basically was able to get around two factor. But is two factor generally relatively secure for people to do?

Corey Nachreiner: It’s pretty good. There’s always ways around everything. The reason multi-factor is such a good thing is in security, there’s no silver bullet. There’s ways to crack passwords. There’s ways to actually break in and hijack fingerprints or biometric readers and there’s ways to get the second factor from a phone including even malware that has infected Android phones in the past and actually grabbed the SMS message for the attacker without doing this sort of actually looking up the second factor yourself. The more layers you put together, adding these multiple factors lessens the risk, it’s never going to be perfect but it definitely lessens it a lot.

Todd Bishop: How much are you looking forward to the finale of this show? By the way, we should say, it was delayed. It was going to be this past week and apparently there was a scene that was similar to the tragedy in Virginia which was … oh my gosh, that was horrendous. It will be interesting to see if they’ll change that scene actually, but at any rate …

Corey Nachreiner: Once you hear about the tragedy, they made the absolute right decision but it will be interesting to see what they changed. I have heard the show runners said that scene, even if it was changed in slight ways, it’s not going to affect the overall theme of the episode. The one other thing, if there’s listeners out there looking forward to the last show like me, I’ve heard from a number of people that actually talked to the consultants and the show runners to stay after the credits, just like a Marvel movie, don’t stop the show when the credits roll because they’re going to add some sort of little teaser at the end that will continue the story and maybe give you a hint into the second season.

Todd Bishop: Interesting. It’s funny because in the show, at least when you watch it online, they run Evil Corp ads and then Fsociety breaks in. At first you think you’re watching an E Corp ad and then Fsociety breaks in. It’s very much reminiscent of Anonymous.

Corey Nachreiner: Very much. For sure. Part of the reason I love the accuracy is they know that culture so well. They know Anonymous and they even throw in subtle things like there’s a site called 4chan, it’s probably not a site I recommend your users go to. But Anonymous grew up on 4chan. Every subtle hint they add to this episode shows how much they know hacking culture.

Todd Bishop: Great. We’ve been talking about Mr. Robot with Corey Nachreiner, the CTO of WatchGuard Technologies. I have one last clip. We’ve been talking about how accurate this show is. With apologies to everybody out there in Redmond, I wanted to play this clip.

Scene from Mr. Robot: Before this, I worked at an NGO. Before that, I worked at Microsoft for a year which felt like a decade. (Laughter)

Todd Bishop: Talk about technical accuracy.

Corey Nachreiner: Yeah, they get our industry quite well.

Todd Bishop: Well, this is great stuff. Corey Nachreiner from WatchGuard Technologies, thank you very much for being on the show.

Corey Nachreiner: Oh gosh, anytime, Todd. This was a lot of fun.

Todd Bishop: Be sure to check out Corey’s series, Mr. Robot Rewind on GeekWire. He’ll be summing up the season one finale next week. Be sure to join the conversation with Twitter using the hashtag #MrRobotRewind. You can follow Corey @secadept on Twitter. Until next week, I’m Todd Bishop. We’ll talk to you next time on GeekWire.

GeekWire airs on KIRO Radio in Seattle (97.3 FM) at 7 p.m. Saturdays and 1 p.m. Sundays, except when pre-empted by live sports. The show runs every weekend on GeekWire.com. Get every episode using this RSS feed, or subscribe in iTunes, SoundCloud and Stitcher.

http://www.geekwire.com/2015/geekwire-radio-behind-the-scenes-of-mr-robot-understanding-the-tools-and-tactics-of-a-hacker/