[Spoiler Alert] This article and podcast involve technical plot points from Mr. Robot Season 2. If you haven’t watched it yet, check it out on USA Network, Amazon, or iTunes before coming back to read or listen.
Most hit TV shows don’t include accurate depictions of highly technical computer work, but USA’s Mr. Robot is a notable exception.
This psychological thriller follows Elliot, a hacker and engineer, who is part of the hacktivist group fsociety. And the hacks in the series aren’t just for show: the depictions often show how cyberattacks can impact people and businesses in the real world, making Mr. Robot a great way for anyone to learn about cybersecurity.
Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, has been following the series closely and reviewing the show’s technical accuracy in GeekWire’s “Mr. Robot Rewind” series. He joined GeekWire editor Todd Bishop on the GeekWire radio show and podcast to explain key scenes from the show, as a window into the world of hacking.
Nachreiner also shares tips on how computer and smartphone users can protect themselves against common attacks and tricks like the ones in the show, and precautions they can take against being hacked.
Listen to the show here, and keep reading for an edited transcript.
Todd Bishop: Corey, let’s jump right in now with our first clip.
E Corp CTO: Unbelievable. What are their demands, again?
E Corp General Counsel: $5.9 million. $5.9 million to be delivered to Battery Park City, 9pm tonight, no police. If we want to pay the ransom, the FBI will not sanction it.
E Corp CTO: We cannot negotiate with these people.
E Corp General Counsel: We can’t afford this hack right now, and frankly, I think we can find 5.9 million in between our couch cushions. It’s nothing.
TB: Oh boy, ransomware. I got to tell you, I read these stories in the news, and it scares the crap out of me. So for people who don’t know what ransomware is, what is it? And then let’s get into what this clip is about.
Corey Nachreiner: Sure, so at a high level ransomware is kind of a type of malware, so a malicious computer program, but it’s a type of malware that’s somehow trying to either lock up your computer so you can’t use it, or more recently lock up the data on your computer so you can’t use it, and really the whole goal of it is to extort you. It tries to make it so you can’t get something that you need on your computer, and then says, if you want it back pay this X amount of money.
TB: In this case, in “Mr. Robot” it’s a bank that gets held up, essentially, by ransomware, and the part that we did not play there was they said it would take maybe five days for their system administrators to figure this out. What happens in reality in the real world when ransomware is inflicted on someone?
Nachreiner: Exactly. The ransomware that is really affecting people, the scary one that’s really blown up in the past few years, is something called Crypto-Ransomware, and that’s the kind that’s actually not trying to lock up your computer, but it literally locks your files, so all it does is it searches your computer for certain files, things that are going to contain information you want to keep, and it uses industry standard encryption, really hard encryption that the NSA couldn’t crack. In fact, I would suggest that one inaccuracy in the show is if ransomware is using AES encryption you’re not going to crack it in five days.
TB: AES encryption, what does that stand for?
Nachreiner: That’s a standard of encryption that uses a certain bit level to make it really strong. The way experts measure encryption is really by how many thousands of years it would take to crack. One of the old encryption standards was called DES. I won’t tell you what the acronym is, but it was 56 bit. We expect that nation-states, people with big enough computer systems, can crack that in a day, but something like AES still would take thousands of years to crack.
TB: So what should companies, or people, do if they’re hit by something like this?
Nachreiner: Well, really, you don’t want to be hit, but the first thing you should do is find out what you were hit by because the one thing I want to point out is just like skills of people in business, there’s skills of hackers. Some ransomware doesn’t use the best encryption, they make mistakes, so depending on what you get you might find one that can be cracked. Or you might find one where researchers have kind of taken over the bad guys’ infrastructure, and they can recover your files, but there will be cases where you will get one where you’re just not going to get your files back unless you have a backup, so really, there’s the tip.
TB: Have a backup, so that you don’t have to worry about it, especially, if it says file level encryption, right? Not locking you out of the system entirely.
Nachreiner: Yeah, and frankly, the locking out of your system is easy to get past. It’s really the file one that’s causing these bad guys to make money, and really hurting businesses. So the tip here is backup. It sounds like such a simple tip. We all talk about it, but I mean let’s admit it. Human nature, how many of us say, okay, I need to back up every day, et cetera. For businesses it’s absolutely critical. I mean ransomware — why it’s scary is hospitals have been hit by this. It’s encrypted patient records, and that means they don’t know what drugs the patient is allergic to, so it’s literally shut down hospitals for days causing them to divert patients, so you have to handle this.
TB: At a personal level, it seems like there’s really no excuse financially anymore to not have a regular backup regime on your computer. I just got a couple of two terabyte hard drives for like 75 bucks this past week, each. I mean the storage is available now that you can do this reasonably.
Nachreiner: And frankly, it affects everyone equally. I just mentioned the hospital case, it causes businesses big money, but think if you’re a mom that had your first baby, and you just transferred all your SD card images to a computer. That’s what they’re going after, too, and that’s why this is a threat that actually affects everyone in the world equally.
TB: Of course, the ultimate solution is to have $5 million in your couch cushions.
TB: At least according to the clip. So what about the accuracy of how ransomware was portrayed in this clip? First of all you’ve got one bank employee arguing with the bank executive about whether to do it. I assume that debate happens inside companies when this happens.
Nachreiner: Oh, certainly, and by the way one thing that a show viewer might not catch is that we also learn that the IT guy helping with this ransomware is actually Mobley, who is one of fsociety, and he’s pretending he doesn’t know what’s going on. But really he was the one that brought a USB key, and plugged it into the system.
TB: Okay, so you had a member of this hacktivist group, as they call it, inside the bank, working for the bank?
TB: Oh man, how often do hacks happen from the inside like that?
Nachreiner: That’s always a question that goes up and down in the industry. We call this insider attack versus external. Insider attacks definitely exist, but I would say today external attackers are more common, whereas, 10 years ago inside attacks were more common.
TB: Do you have a sense for why that’s the case?
Nachreiner: I think it’s because it’s becoming easier. There’s toolkits. The criminalization, the organization of criminals where now they have easy toolkits. They don’t have to be sophisticated technical experts, and they found the value of doing this, so they’ve really kind of monetized and organized this type of external attacking.
TB: Much easier to use one of those toolkits than to go through the hiring process, then six months later execute your attack. Much more complicated process to do that.
Nachreiner: Now to the technical accuracy, by the way, the ransomware itself they showed some tools and screens for generating what tools they used — pretty darn accurate. They even did a call-out to a real piece of ransomware called CryptoWall which is one of the most significant pieces out there that is affecting people, so that is accurate. For a second they showed you the screen you would see if your computer was hijacked, and this is usually a screen that typically is asking you as a victim to pay bitcoin to someone. So that’s where maybe the accuracy falls down.
TB: It wouldn’t be cash in an envelope.
Nachreiner: Exactly, and it wouldn’t be $5 million either because these guys realize that if I’m attacking a normal user I’m probably only going to ask for like 500 bucks worth of bitcoin, but I do that over and over, and it still can get big.
TB: You’re going after a bank here. You got to set your sights high, Corey, come on.
Nachreiner: On top of that this was E Corp, so what Darlene was doing fit with the story. I think it was more the idea of not getting the cash, but embarrassing this company, so even though that’s not what you see in real life ransomware it absolutely fit with the story.
TB: Okay, let’s just jump right back in with our next clip.
Ray’s former IT guy: They keep emptying the bitcoin wallets. The server keeps crashing, and I don’t know how to stop it. I only know basic network security measures. You have to find someone who can migrate a site to another, more secure location and set it up with a system of hot and cold wallets. Please.
TB: Wow, that guy sounds like he’s under some major duress there, Corey. So he’s getting beat up.
Nachreiner: Yeah, so if you don’t watch the show there are some criminals, and you may not know they’re criminals because – spoiler alert – they actually work for people you don’t think would be criminals, but there’s some guys that are physically abusing him to be their IT guy for this underground site.
TB: Okay, so it may have been difficult to hear him, but he was talking about something called hot and cold wallets, and bitcoin. Bitcoin is the cryptocurrency, so the whole idea of digital currency, but hot and cold wallets, what is that?
Nachreiner: So to get into that we have to cover bitcoin a little bit. Bitcoin is a virtual cryptocurrency, and when we say cryptocurrency really there is no money anywhere. There’s never any physical thing. It’s just this public transaction space that is all controlled by people having cryptographic keys that identify them and their transactions. So long story short when you have bitcoin you don’t have a thing, but what you do is for different addresses of bitcoin you own you have a public and a private key. And what people may not realize is we put those keys in what we call a wallet, but that private key is really all the bad guy needs to take your bitcoin. So it’s really all about you making sure no one gets access to that key.
TB: So you have a hot wallet and a cold wallet?
Nachreiner: Exactly, so really the only difference between a hot and cold wallet is a hot wallet is a digital wallet where you have your keys that has a connection to a network, versus a cold wallet which is one that is kept away from a computer and a network.
TB: In this case how does that figure into the plot, and why would he tell the person who’s torturing him, I guess, or beating him up at least, they need to create a hot and a cold wallet?
Nachreiner: The thing is anytime you have an online trading space whether it’s a legitimate bitcoin exchange, or whether it’s an underground forum where you’re buying and selling who knows what on the underground with anonymous bitcoin, if you have this sort of automated trading system you need this idea of a hot wallet, a network connected system that has all your bitcoin information, so that it can make automated transactions between members of, say, your underground forum. So it’s really important for these sites. By the way, Silk Road, you may have heard of Silk Road. This is actually a real underground forum that existed in the past — it recently was shut down by the FBI — where they traded God knows what, all kinds of different things that are illegal in many countries. And they used this currency to anonymize it, but there’s a big security challenge here for these criminals, or even for good guys that run bitcoin exchanges because as soon as you put enough information to make these automated transactions you give a bad guy opportunities to steal your bitcoin, so it’s a balancing act between how much money you want to expose for them versus how much you want to save. And apparently, the bad guys that were beating this guy up had a lot of bitcoins stolen.
I was going to say one additional thing, by the way. I think cryptocurrency is interesting, and possibly the future, but do you know it has these sort of security problems? Recently the Department of Homeland Security kind of commissioned a study. 33% of the bitcoin exchanges that have been open since bitcoin first came have been hacked, and many bitcoin owners have had all their coins stolen. So it’s kind of a problem you have to think about with bitcoin. Over and over we see repeatedly these coins getting stolen from the exchanges that are supposed to automate our transactions.
TB: Very interesting. Let’s listen now to our next clip.
Elliot: At my fingertips, the zero-day is wrapped in code like a Christmas present, then becomes an exploit, the programmatic expression of my will. Step three: A reverse shell, two-stage exploit. The ideal package. Load the malware into a femtocell delivery system, my personal cell tower that’ll intercept all mobile data. Similar to my first time, when I found myself staring at late book fees, employee names, member addresses.
TB: I love that. I think that might be one of my favorite phrases ever from a show. “A programmatic expression of my will.” They should put that on T-shirts for engineers and start-ups.
Nachreiner: It is beautiful. That has to be Esmail. And by the way, I know a lot about hackers, but I don’t know many that so artistically and eloquently describe coding zero-days as Elliot just did.
TB: Right, so let’s explain what you just said. Elliot is the main protagonist in the story. Sam Esmail is the showrunner, the person in charge of the show who clearly has a very deep understanding and appreciation for technology and hacking.
Nachreiner: For sure.
TB: Absolutely. Okay, so let’s break that down. He talked about a femtocell? Explain this for us, Corey.
Nachreiner: So a lot of people may not have heard of femtocells, but these are actually devices that help our cellular networks. You’ve probably, maybe one day signed with a particular cellular provider, then moved, and realized oh, you don’t have service in your living room because you just picked a place where they don’t happen to have towers. So a femtocell is a device that these carriers devised where they actually act like a mini cellular tower. If you have say Verizon and you’re not getting cell service in your house, but you have a wired Internet connection, you plug this into your wired Internet connection. You now have a little mini cellular tower in your house that your phone can connect to, but then uses the Internet to actually communicate with your carrier’s network.
TB: In this clip Elliot is talking about executing a zero-day. I do know that a zero-day is an exploit, like a piece of malicious code that’s released before there’s a patch available to prevent that attack.
TB: A patch could be like updating Windows.
Nachreiner: It could be updating Windows, it could be updating your Chrome browser, it could be updating your phone software, and in this case it was actually the latter. Earlier we had seen that Elliot had found that the FBI had started using Android phones, and he’s implying here that he knows some zero-day vulnerability in Android devices. So he’s coding up an exploit for that, but his problem is many of these exploits, I can’t just know your phone number and send you something that will take it over. I might have to get you to do something whether it be open a file, go to a website, so the question is how can he trick FBI employees to do something, and that’s kind of where the femtocell comes in.
TB: In what way? Does he make them think that they’re on a different network?
Nachreiner: Exactly, so that’s kind of the goal. What we’ll see in other episodes after this particular one is fsociety — using Angela’s help, and other protagonists’ help — actually implant this femtocell in an area where the FBI is doing an investigation. The way these cellular towers work is your phone will connect to any one. It connects to the strongest one, and uses that to get out to a network, so the femtocell is a way to force these phones to connect to his tower, and that’s where he has all the control. Even if he has to get you to do something, once a person has what we call in the industry a man in the middle capability, he can replace everything you do. You can be going to a website that’s perfectly legitimate, but he can be injecting code in that that’s also forcing you other places, and that’s kind of implied how he exploits that zero-day vulnerability.
TB: This is very interesting stuff, and it’s very scary. When somebody hears about these things, and they’re just an average business owner, or a regular old user, somebody who has an Android phone, what can we do about it to prevent ourselves from falling victim to these kinds of attacks?
Nachreiner: The good news is that there’s lot of hope, by the way. There’s lots you can do, and before you even get technical I think awareness is the first step. One of the reasons I love this show is just making a person that doesn’t think about this thing aware that these things can happen. In season one, we saw people just lay around USB keys, and if you see a USB key and you pick it up you’re like, cool, I got a new toy I can plug into my computer. After watching the show now you’re aware that there might be some danger there, so first of all, just knowing about this thing will affect your behavior, and hopefully, make you take better actions online.
TB: The other one I remember from Season One was when Elliot borrowed somebody’s phone, and was able to make a call, get his number, do all sorts of nefarious things just from borrowing a phone.
Nachreiner: That’s another great example. There will be technical tips I can give you, but non-technically just understanding these things can happen. Being a little bit skeptical, alone, is going to help you quite a bit.
TB: What about on the technical side? Are there two or three things that every single person needs to do to make sure they’re secure?
Nachreiner: Absolutely. One I would tell everyone that’s super simple is patching. We talked about zero-day, the truth is most of the attacks online are people taking advantage of flaws that have been fixed sometimes years ago. So simply keeping your software up to date. When your iPhone tells you there’s a new version of iOS do you want to install it now? Say yes. When Windows does it, do the same thing. So that alone is quite a big step — it makes it a lot harder for attackers to force your computer to do something it shouldn’t.
TB: In general antivirus, spyware, malware, adware?
Nachreiner: Exactly. I have two different pieces of advice. One for a home user — I highly recommend what we call a software firewall, an antivirus solution. A lot of folks have what they call security suites that combine all this together, so if you’re just a home user install one of those on your computer. Now businesses have a bigger struggle because they are getting targeted, and they’re the ones that have to worry about this more advanced layer of attack that we often see on “Mr. Robot,” and for them it really is about layered security.
I can go into nerdy detail — antivirus is a must — but they also need this thing called advanced threat protection, things that can find even trickier viruses that are kind of getting past old systems. They need intrusion prevention systems, that can detect when people are exploiting the zero-day vulnerability. They need data loss prevention to see when people are actually exfiltrating data. The simplest way to talk about that is there’s a lot of folks, like I mean, what I do at WatchGuard is we’re a network security appliance vendor that creates a unified threat management system, so it’s a security appliance that puts all those layers in one place to make it easier for businesses to manage.
TB: We’ve got two clips left, and the next one takes place in a diner. For people who have not been following the show through this season, including me actually, can you help set up this scene? What’s going on at this point?
Nachreiner: This is actually a flashback. We see two characters we already know, and we actually know they’re part of that hacktivist group we talked about before.
Nachreiner: Exactly, and at this point they don’t know each other, though. Frankly, one of the characters, Mobley, is actually trying to hit on the other character Trenton, but then she is doing something behind the scenes which I think we’ll talk about.
TB: OK, good, so let’s listen now. By the way, watching the clip I had no idea he was trying to hit on her which probably speaks to another issue in the technology community, but anyway, okay, here we go.
Darlene: Oh, the old malicious browser benchmark trick. I see you already own this newb’s whole system. I like it. Didn’t your mom ever tell you not to surf websites that have an embedded Stagefright exploit?
TB: Lots of great phrases there to talk about, so she was basically rebuffing his efforts to pick up on her?
Nachreiner: She was basically hacking him. I mean when he was trying to kind of start up a conversation because he was interested, meanwhile, she behind the scenes was starting up an exploit. You might have heard the term Stagefright. This was a marketing name for a real vulnerability that affected Android phones. Behind the scenes she is working on using that, and in a second she socially engineers him to do something, so that she can take over his phone.
TB: So she socially engineers him to do something. What does she do?
Nachreiner: You heard Darlene reference the old malicious browser benchmark trick.
TB: Oh yeah, of course, everybody knows the old malicious browser benchmark trick.
Nachreiner: By the way, I hadn’t heard that, but there are definitely social engineered tricks to get people to a website you control. So what she used was an opportunity to talk about the phones, I believe she uses iPhone, he uses Android. He’s saying, “oh, Android is so much better,” kind of sticking his foot in his mouth, so she said, let’s see whose phone is faster, I have this benchmarking site you can go to. Meanwhile, it’s a site she controlled, and that’s where she had her Stagefright exploit waiting for him.
TB: So this may be like the third rail of security discussions, but let me ask this. Which is more secure, iOS or Android?
Nachreiner: Wow, you’re just starting a flame war and the trolls are going to come out. I have a real world answer, and a generic answer. The truth is both phones have vulnerabilities. Don’t think Apple is bulletproof. In fact, bad guys see tons of value now that Apple has market share, and they’re going after Apple. Most recently there was a huge nation-state level attack where three unknown zero-day vulnerabilities in iPhones were used to spy on iPhones, so both phones have vulnerabilities, and they both can have problems. But there is one thing that does kind of protect Apple users, and that’s kind of Apple’s closed garden.
TB: The app store.
Nachreiner: Exactly. If you look at Google mentality they’re very much do whatever you want. Not only do we have the store for you, but we encourage you to use every part of our phone. Apple, of course, is a little more restrictive. They want to control what’s in their environment, have a perfect environment which from a consumer level can be maybe bad, too, but from a security level they have people vetting every detail about every app, so it’s much harder to get bad stuff in their environment.
TB: Right. On Android people talk about sideloading apps.
TB: You’re not getting them through the Google Play store. You can load them, and that’s perfectly fine on Android.
Nachreiner: You cannot do that at all with iOS unless you jailbreak where you’ve already defeated your security in the first place.
TB: So lesson here: Don’t fall for the old malicious browser benchmark trick.
Nachreiner: More specifically, if someone asks you to visit a site, someone that you don’t know, think about it a little before you visit that site.
TB: Okay, very good. All right, let’s listen to our next clip.
Speaker 1: Okay, this is a Rubber Ducky. All else fails, you find an FBI laptop anywhere on the floor. They’re usually Panasonic Toughbooks. Plug this guy in, wait 15 seconds, then yank it, okay? Thanks to a tool called Mimikatz, it’ll pull all cached passwords and domain info in and save them on this. Won’t give us everything, but might help lead us somewhere. Just a backup plan.
TB: Okay, did he say a rubby ducky? A rubber ducky? What did he say there?
Nachreiner: Rubby Ducky you’re the one.
TB: That’s right.
Nachreiner: So Rubber Ducky is actually a real tool. One thing is that a lot of users, everybody really, uses USB devices. You have a storage key that you put files on. You have a USB keyboard, you might have a USB wireless card.
TB: I plug my external drive into my computer with the USB port.
Nachreiner: If you’re into VR your Oculus has a USB port, but what you don’t realize is there’s little software codes being sent to your computer telling the computer what type of USB device that is, and hackers have figured out ways to trick this. So I could take a storage device, but I could then tell the computer this is a keyboard, so the Rubber Ducky is actually a commercialized automated keyboard. You plug this USB key in. It tells the computer, Hi, I’m a keyboard, but now you as a bad guy can have automated scripts run. Anything you, Todd, could do on your computer I could have a script do it in like 10 seconds. In many cases hiding it from you. So plug this thing in, now I have full control of your computer.
TB: Big lesson here. If you don’t know what’s on the USB key, if you don’t know what the website is, don’t do it.
Nachreiner: Yes. Be careful what you interact with. The other thing to know about this: there is some good news for this kind of Rubber Ducky hack. Most people lock their computer screen. When you leave maybe your screensaver kicks in in five minutes, and you have to put in your username and password again. There’s nothing special about this Rubber Ducky that allows it to defeat that. One simple tip, by the way, is make sure to lock your computer screen when you’re not at it because then even these devices have to get past that authentication before they can really do the bad stuff they’re designed to do.
TB: What’s your advice on this topic for folks on passwords? I know that there’s the central tools that you can use. 1Password, those kinds of things. If you don’t do that — or maybe you would just say do that. What’s your advice?
Nachreiner: I would definitely say central password. First, what you might be hearing in the community is passwords are dead, and it’s because of all these password breaches — there were just three at the beginning of this week, big companies including one in Russia losing millions of passwords — but the truth is what’s happening is people are stealing databases. It’s not always the passwords themselves, and I don’t think we’ll ever be able to get away from passwords as just being one factor, even though we have all these Hellos and biometrics, so my real tip is multi-factor authentication. Use two different things besides your username. It’s really easy nowadays, like with Windows you could have a password, but then Hello sees your face.
TB: This is the feature in Windows 10 I believe, where they actually can scan your iris, or recognize your face.
Nachreiner: Exactly. There’s tons of programs now that we have a mobile phone having to have another device that we plug in as another token.
TB: Like a fob.
Nachreiner: Yeah, that would be hard and expensive, and no one wants to do that, but now our phone acts as that thing. So just going to Gmail and setting up Mobile two-factor. Even if someone steals your password who cares? They can’t really get everything unless they get that second factor, and you can change your password by then.
TB: Cyber security is also a big theme in politics right now. In fact, just this past week there was an example of President Obama, and Vladimir Putin from Russia talking about this in a very high profile way. I want to get your take on this. Let’s listen now to a clip from President Obama.
President Obama: Look, we’re moving into a new era here where a number of countries have significant capacities, and frankly, we got more capacity than anybody offensively and defensively. But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms, so that everybody is acting responsibly.
TB: All right, so that was President Obama speaking at a news conference this week. You can tell he was about to say we don’t want to repeat the cycle of escalation that we had in the nuclear arms race which really drives home — and it was interesting that he did not say that, although, he wanted to clearly — but it drives home the notion that the stakes are very high here in terms of cyber attacks by countries. And it’s happening, right, Corey?
Nachreiner: It’s been happening. In fact, the only thing I’ll disagree with this is he says we’re coming into a time. We’ve been in this time for five years. Many of the listeners probably heard when we talked about Stuxnet years ago which by the way is largely suspected to be a U.S. version of a cyber attack for a politically motivated reason, and whether that’s good — in fact, the idea is this was an attack that went after uranium enrichment plants in a nondemocratic country. So you might think good, that’s helping stop nuclear weapon proliferation, but that really to me was kind of a public Pandora’s box of showing the world, hey, governments out there here’s a new way to carry out some of your intelligence campaigns, and maybe even some offensive campaigns.
TB: The context for this recently is the cyber attacks on the Democratic National Committee which exposed all sorts of embarrassing things and resulted in the resignation of the leader of that group. Are you convinced? Is there any question in your mind that Russia was behind that attack?
Nachreiner: Well, one, you’re asking a security expert, so we can never deal in absolutes. We’ll also talk about how hard attribution is. The reason cyber attacks are such an asymmetric and difficult weapon is because it’s very easy for bad guys to hide behind lots of things. Now all that said, I would say the DNC hack has a very high probability of being Russia. There are many well-known forensic groups that have studied the guys, studied the techniques used in this attack. You got to realize there are technical things like computer IP addresses you can look at, but those will never go back to Russia, so there’s never going to be the smoking gun, but what these guys do is they look at what’s called TTPs, or Tools, Tactics, and Procedures. They put together all kinds of pieces of information that tie to motive. It seems fairly sure that a couple of Russian groups, two intelligence agencies, were probably behind that particular attack.
TB: Where is this headed? Is this going to be the next arms race in the cyber arena?
Nachreiner: I think to some extent it already is. I will say, by the way, to Obama’s general sentiment: I agree. We need to, as a global community, put some sort of rules of engagement around this. I think that’s a must. The issue is actions speak louder than words. While he’s saying that, meanwhile, every big country is carrying out these sort of things. They’re not just building defensive teams. You heard him in the next sentence say, “Oh, and by the way, the U.S. has the best offense and defense out there,” which is kind of escalating the race in some ways, so they’re not just working on defense. And it brings up many questions to me because in cyber security you can’t be offensive while you’re defensive, and if you like, I can give you a specific example.
We mentioned zero-day earlier. A zero-day is a flaw that there’s no fix for, and if you’re the first and only person to know that, you can exploit the heck out of it, and people never know, or they can’t protect themselves really in many cases. The problem is as soon as you have governments that have offensive teams, it becomes in their best interest to find and hoard zero-day vulnerabilities. This means the new flaw in iPhones that can crack the encryption, so they can do that data for intelligence reasons. This means maybe finding the flaw in Internet Explorer, so they can get another state’s intelligence actor to come to a website and get infected. If that flaw exists and you found it, it’s only a matter of time before other people do. So they don’t tell people about these flaws, they don’t help the industry patch them, and they put everybody in the world at risk, including their own state.
TB: In that case it’s our taxpayer dollars, basically, funding that against our own interest as technology users.
Nachreiner: They’re thinking, oh, this is an offensive benefit, but they’re creating a defensive detriment to their own citizenship. So I really think we need stronger rules on what offense means, and I really think governments — you know, I’m not naïve. There will be intelligence operations, but we need to focus on defense. We need to focus on protecting citizens of the world, so that no one can hack each other.
TB: What are the implications for elections and election technology?
Nachreiner: That’s a good point. Recently there were actually some voter registration hacks. The FBI put out one of their flash alerts, and they warned voter registration election states around the United States that bad guys have been hacking these systems. Now this is voter registration. This is not the voting system.
TB: It’s not the ballot.
Nachreiner: Exactly. The good news is every state takes ballots differently. Almost all of them are mostly offline. Even the electronic systems we use, which have been shown to be hackable, are not physically connected, so you’d have to be local, plus a lot of them have paper backup, so what they do is they take X number of paper ballots and compare it to the vote, so as far as the election, I don’t think a nation-state sponsor will change the results of our election. Now, meanwhile, obviously it’s possible to steal personal information and things like that. I think the way information warfare is going, we see the movies showing, oh, maybe they’ll blow up our power plant. That could be technically possible, but I think if you look at motivation, it would be much better to put doubt into systems to do political and information warfare.
By the way, the one other thing I want to point out about the election system is I want to warn the world against, every time we see a hack, pointing the finger at the latest actor. I mentioned the DNC hack was probably Russia, and now people are starting to suggest that perhaps this other attack, or specifically, these two attacks, are Russia, too. Now, while there have been little pieces of evidence to show that, at least in one case they were using the same kind of script kiddie tools that Elliot could show on “Mr. Robot,” which is not what a nation-state would do. So while we do want to attribute these attacks, we need to be careful. We need to be evidence based, and I think governments need to start sharing more of the evidence when they say, “oh, this is so and so nation-state.” Because it’s so hard to attribute, we need to be careful that we’re not kind of using this as a hammer for some sort of political motivation, or for defense funds, or whatever.
TB: So Corey, wrap it all up for us here. We’re nearing the season finale of “Mr. Robot” Season Two. How are you feeling about the show at this point? Is it still as accurate as you thought during Season One?
Nachreiner: Oh, absolutely, you can tell. By the way, we mentioned Sam Esmail, the writer, director, and showrunner. There is also a guy named Kor Adana, who is really their tech consultant. He has a team where he’s now recruited from well-known hackers to be going to all the security conferences I do as well, so you can see they’ve actually inserted even more layers of detail for people to find, including a lot of Easter eggs. If you’re a nerd out there, pay attention to all the IP addresses in the show, because there’s other details hidden for you to find there. So the show is getting even more technically accurate, but I’d argue that they’re still doing a great job of explaining enough that even a non-technical viewer can really appreciate it, and learn a few tips from it.
TB: So they’re actually going to like Black Hat conferences, and picking up things that then they’re putting in the plot.
Nachreiner: Absolutely, in fact, half of these hacks have Black Hat presentations behind them, including one of the recent cellular hacks. By the way, I got the pleasure of going to DEFCON this year, and Kor Adana, the showrunner, had a panel there with his consultants, which was fantastic.
GeekWire airs on KIRO Radio in Seattle (97.3 FM) at 7 p.m. Saturdays and 1 p.m. Sundays, except when pre-empted by live sports. The show runs every weekend on GeekWire.com. Get every episode using this RSS feed, or subscribe in iTunes, SoundCloud and Stitcher.