Mr. Robot, and how we, the weak, are exploited
Episode 5 of USA Network’s Mr. Robot: ‘Exploits’ (S1.E5 eps.1.4_3xpl0its.wmv), like the episodes that came before it, has been congratulated for its realistic interpretation of hacking. But in this installment, rather than sophisticated hacks involving numerous computers, hacking software and complicated code, it was humans that were mostly exploited, not machines. First a security card reader is cloned in order to get inside Evil Corp’s data center, Steel Mountain, and later a phone identity is faked so someone receives a very distressing text message. As protagonist Elliot tells the viewer: humans are often the most powerful piece of malware. “People always make the best exploits,” he said. Social engineering, the method of fooling people into giving you their information, or exploiting their weakness, or laziness, to find that information, is believed to be the most frequently used method to get into a corporation’s network these days.
Too easy
You can purchase password-cracking tools online, such as rainbow tables: pre-generated lookup tables that reduce the amount of brute-force work needed to crack a password. As the series Mr. Robot often depicts, people can be very lazy when it comes to their passwords, or shamefully predictable – something our lonely protagonist has been exploiting throughout the show. A survey by TeleSign conducted in the U.S. and U.K. revealed that 75 percent of the 2,000 respondents duplicated their passwords, and 40 percent of those people had had security incidents in the past year. Almost half of the respondents in the survey used passwords that were more than five years old. As for the most popular passwords, well, that is worrying: 12345, password, 123456, qwerty, 12345678.
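As an added illustration (not from the original article), this Python sketch shows why the precomputed tables described above only pay off against unsalted password hashes. It uses a plain dictionary rather than true rainbow-table chains, and the user names and stored records are constructed for the example.

```python
import hashlib
import hmac
import os

# The five most popular passwords quoted from the survey above.
COMMON = ["12345", "password", "123456", "qwerty", "12345678"]

def unsalted(password: str) -> str:
    """Weak storage: a bare SHA-256 digest, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

# Computed once, then reusable against any database that stores bare digests.
LOOKUP = {unsalted(p): p for p in COMMON}

def salted(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Hardened storage: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check against the salted record, compared in constant time."""
    return hmac.compare_digest(salted(password, salt), stored)

def audit(records: dict) -> dict:
    """Return the users whose stored value appears in the precomputed table."""
    return {user: LOOKUP[d] for user, d in records.items() if d in LOOKUP}

# Constructed sample data: two users who picked the same popular password.
weak_db = {"alice": unsalted("qwerty"), "bob": unsalted("qwerty")}
salt_a, salt_b = os.urandom(16), os.urandom(16)
strong_db = {"alice": salted("qwerty", salt_a), "bob": salted("qwerty", salt_b)}

if __name__ == "__main__":
    print("bare digests found in table:", audit(weak_db))
    print("salted digests found in table:", audit(strong_db))
    print("same password, same stored value?",
          strong_db["alice"] == strong_db["bob"])
```

Salting removes the shortcut of a shared precomputed table, but a popular password can still be guessed one account at a time, so it remains a poor choice.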
Dr. John McAfee proved in his latest Get McAfee’d installment about the Ashley Madison hack last week that you don’t need a hash-cracking rainbow table, or any kind of clever social engineering trick, to get into the system. He simply called Ashley Madison posing as a non-existent international enforcement agency and received the password (“keys to the kingdom”) of the head of the Communications Department at the company’s data center. It took 30 seconds to make the call.
A lot happens from the inside
“Hackers are patient and opportunistic, one thing they can exploit is other people’s laziness to do their work,” John Casaretto, a security analyst, explained to me when discussing Mr. Robot and how people tend to use the same, simplistic passwords for email accounts, bank accounts, Facebook accounts, etc. “One of the best things illustrated about Mr. Robot is the amount of social engineering that goes on,” he said, explaining that the leveraging of an insider to slip something into a network to collect information about targets, and then using that to launch their attack, was very realistic.
He goes on to say, “You see this when Elliot uses this information cracking passwords, when phones are hacked into, and when attacks are launched from inside a company. In the real world, these techniques are the most difficult to overcome, because of the human factor. In fact, most technical hacks are not incredible works of technical genius. It’s phishing; it’s getting key accounts in an environment; it’s stealing credentials and so on. A lot happens from the inside.”
As for an outside attack, Casaretto said an attacker will typically find out things like the target’s software version and operating system version. “Then they will systematically go down the list of latest vulnerabilities,” he said, adding, “The reason for this is because most departments run on the thin side of resources and tend to be behind the latest releases. Sometimes they are unable to take on downtime, sometimes they don’t have the tools to patch many systems, and sometimes it’s just a sloppy shop.” Hackers, he said, count on unpatched systems for a great many outside attacks. That means routers, networks, operating systems, databases, anti-malware systems, and more. “Security has managed to build a great technological wall, but all walls develop cracks and holes, and some threats slip in with the people that are permitted past the wall in the first place. That’s the threat we see illustrated in Mr. Robot.”
The conversation
Casaretto then told me a tale about a discussion he had with “one of the most important and intelligent security minds in the world.” With an air of mystery he said that what he learned in this conversation he can never forget, and yet, never share. “Next to me were two other extremely brilliant security minds and at the end of this talk – let’s just say I gave myself two days of nothing digital and no phone,” he said, explaining that it’s an important matter in the show that fSociety chooses physical locations rather than meet online.
“It says that even the best in the business trust nothing that is digital or electronic in nature, that sometimes the most secure way to exchange information does not involve computers at all. This was not a simple tool to put actors in a room for better scenes. Whoever is responsible for that call gets it – identity and validation matter in the security equation,” he added finally, leaving me quite curious as to what was said during that conversation and who was doing the talking.
Protect yourself
If you’re reading this and you use the password 123456 for five accounts, you might want to think about getting more creative, or if you’re the person who gave John McAfee the password he needed, you might also want to think about tightening security. Biometrics could transform the security issue (that’s the way Windows 10 is going), but people need supported devices with scanning capabilities, and even then, the Hacking Putin’s Eyes story might give some people cause for concern. There’s also the option of third-party password managers, which generate secure passwords that can be saved in the cloud and will automatically log you in to websites.
Photo credits: CWCS Managed Hosting via Flickr, USA Network