Mr. Robot and the Real World of Cyber Security

Earlier this month, an estimated 1.4 million people watched the season finale of Mr. Robot on USA Network. If you have yet to hear about this series, it is an invigorating analogy of what can happen when the wrong people decide they have sufficient reason to take down, basically, the entire internet. Those of us with a little computer networking background might initially say “yeah right, that’s impossible.” And in reality it may be impossible.

Yet, in the series it is very possible. The primary character, Elliot Alderson, takes the secretive lead of a hacking group called fsociety. His day job happens to be at a major cyber security firm called AllSafe that is charged with protecting the largest company in the world, E Corp (AKA Evil Corp). Fsociety’s goal is to take down Evil Corp and in the process kill the entire internet to free people of corporate greed. Elliot is able to do this with the help of insiders he meets working for AllSafe. In the end, a very powerful piece of malware is released into the internet which permanently erases hard drives after it spreads itself to the network.

Real World

New malware introduced this year has security researchers on high-alert. Macs that can be remotely infected with “firmware” malware that cannot be deleted and malware that when detected destroys user data are two primary examples. In June, Kaspersky Labs, a major player in anti-virus, was also hacked using an unknown flaw in Microsoft Word. Kaspersky filed an official report on the incident claiming the malware was spread using the Microsoft Software Installer files. It appears hackers are utilizing techniques that even IT professionals trust as normal activity.

Who to Trust?

If it is possible to create a highly intelligent computer virus like Stuxnet, which was designed to take down a specific Iranian nuclear facility in 2010, it may actually be possible to create something that can take down the entire internet. Mr. Robot creator, Sam Esmail, has brought up a good point with the series: How do we to a trust a cyber security firm to not hire people that are really cyber vigilantes? This is particularly difficult because even with background checks and thorough interviewing there is no way to really tell what they do on their own time without invading their privacy.

Trust is very difficult now. Even people with Top Secret (TS), full-scope polygraphs clearances cannot be 100% trusted (think Edward Snowden). The government-sponsored investigation against them was only a snapshot in time. It does not account for unknown future changes to that person’s life. However, overall these people have had the upmost level of scrutiny placed on their personal lives, not to mention they have much more to loose than someone outside the government.

What does this have to do with Mr. Robot, you ask? If AllSafe had only hired TS full-scope cleared or previously cleared employees, Elliot would not have gotten the job there and thus would probably not have had the resources to successfully carry out his mission. In the real world, large companies like Chase, Apple, Microsoft, and Wal-Mart all hire firms to evaluate their cyber security position. Who are these cyber security firms hiring?

Home Life

This brings up a good question though. Who is your local Internet Service Provider (ISP) hiring to install internet service to your house? The people installing internet are a small vulnerability in relation to what people are purchasing after the internet is installed. Companies like LG, Nest Labs, Phillips, Samsung, Vizio, and Whirlpool all sell products that can beacon a signal outside of your home. This being the Internet of Things (IoT) people keep talking about. The IoT is actually a really big deal, because people love convenience and don’t typically care enough to research the security behind it.

Internet of Things Vulnerabilities

TechInsider reported in August a company out of Austin, Texas called Praetorian that is mapping out all the IoT devices visible to their drone flying above the capital city. They have found that many of the devices are utilizing unsecured methods of connecting to the internet. This being the case, elite hackers can easily find out where a CEO lives and maneuver from his/her personal home to the enterprise.

This leads to one inevitable fact, we as a society have to take our head out of the sand and keep up to date on what we use in our business AND our home.

Justin C. Ryan, Contributor for CyberTexas Foundation
www.cybertexas.org