Mr. Robot eps2.4m4ster-s1ave.aes – the security review

I was a bit worried I wouldn’t have much to write about this week when watching the first 20 minutes or so of this week’s episode.

Without giving too much away, it was well-crafted, delightful, and extremely confusing, but there wasn’t much of a technical nature in there at all – aside from a clear send-up of early 1990s America Online ads. (I don’t have much nostalgia for AOL, but I probably still have some of their free disks around the house deployed as beverage coasters.)

Once things got moving, however, there were some great security moments in this episode, so let’s take a peek.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

“Owning the Feds was never going to be easy.”

As mentioned last week, Angela’s mission was to infiltrate the FBI from the inside by dropping a Femtocell. The goal of the Femtocell was to force all FBI phones to connect to it, so fsociety would have easy access to the FBI’s network, passwords, and email.

Of course, as we saw this week, dropping the Femtocell itself wasn’t easy to pull off, especially for a newbie hacker-in-training like Angela. There was a bit of setup work she needed to do before physically plugging the device in – we did see the fsociety team do their best to walk Angela through some of the key setup steps, like running commands in OpenWrt.

Although the fsociety team seemed prepared enough to deal with difficulties on the technical side, it’s the human element that may have thrown a wrench in the works on this hack. Angela gets stopped by an FBI agent who notices she was on a floor where she didn’t belong.

The fsociety team quickly works to find out who he is and give Angela an opportunity to escape. It seems that she may have slipped away, but her presence and clearly ill-at-ease reactions undoubtedly raised some red flags. (Judging by the preview for next week’s episode, she didn’t fly under the radar.)

Working as an agent for fsociety while still working as an E-Corp employee makes Angela an insider threat, a particularly insidious problem to stop. An insider threat is someone with privileged access and knowledge who goes rogue or uses their access to cause harm from the inside out. Of course, that level of access means they can often wangle their way around safeguards that would keep an intruder out.

The procedures the FBI had in place show that they were taking some precautions. The FBI agent’s reaction to Angela being on the wrong floor and spending lots of time in the bathroom, which some might write off as paranoid, was entirely appropriate when trying to mitigate the possibility of an insider attack.

Looking for anomalies in the behavior of employees, such as visiting areas where they normally don’t go or poking around on servers where they shouldn’t be, is one of many ways organizations try to detect insider attacks in progress. Still, with the human element in play, it’s a hard problem to solve. Whether or not Angela’s ploy to distract the agent with a lunch date actually worked remains to be seen.
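The paragraph above describes the kind of behavioural anomaly detection an organisation might run against its own access records. As an added illustration (not code from the post, the show, or any real FBI system), here is a small Python script that builds a per-badge baseline of floors normally visited and then flags badge events on floors outside that baseline, plus a second alert when someone lingers on such a floor for longer than a threshold. The log format, the badge IDs, the dates and the 30-minute dwell limit are all constructed assumptions.

```python
"""Flag badge-access events that fall outside an employee's normal pattern.

Added example for this post; not a real access-control product.  The log
format ("timestamp,badge_id,floor,door"), badge IDs, dates and thresholds
are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  Badge A100 normally works on floor 3; on the
# last day it turns up on floor 23 and stays there.  B200 belongs on 23.
SAMPLE_LOG = """\
2016-08-01T08:55:00,A100,3,main
2016-08-01T12:10:00,A100,3,main
2016-08-02T09:02:00,A100,3,main
2016-08-02T13:30:00,A100,3,main
2016-08-03T08:58:00,A100,3,main
2016-08-04T09:01:00,A100,3,main
2016-08-05T09:00:00,A100,3,main
2016-08-08T09:04:00,A100,3,main
2016-08-08T10:15:00,A100,23,stairwell
2016-08-08T10:16:00,A100,23,restroom
2016-08-08T10:52:00,A100,23,restroom
2016-08-01T09:00:00,B200,23,main
2016-08-02T09:00:00,B200,23,main
2016-08-08T09:00:00,B200,23,main
"""


def parse_log(text):
    """Parse the constructed CSV-style log into sorted (ts, badge, floor, door) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, floor, door = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, int(floor), door))
    return sorted(events)


def build_baseline(events, cutoff):
    """Floors each badge used before `cutoff`; this is the 'normal' pattern."""
    baseline = defaultdict(set)
    for ts, badge, floor, _ in events:
        if ts < cutoff:
            baseline[badge].add(floor)
    return baseline


def find_anomalies(events, cutoff, dwell_limit=timedelta(minutes=30)):
    """Return alert strings for off-baseline floor visits and long dwell times."""
    baseline = build_baseline(events, cutoff)
    first_seen = {}      # (badge, floor) -> first off-baseline timestamp
    dwell_alerted = set()
    alerts = []
    for ts, badge, floor, door in events:
        if ts < cutoff or floor in baseline.get(badge, set()):
            continue  # baseline period, or a floor this badge normally uses
        key = (badge, floor)
        if key not in first_seen:
            first_seen[key] = ts
            alerts.append(f"{ts.isoformat()} {badge} entered floor {floor} "
                          f"(not in baseline) via {door}")
        elif key not in dwell_alerted and ts - first_seen[key] >= dwell_limit:
            dwell_alerted.add(key)
            alerts.append(f"{ts.isoformat()} {badge} still on floor {floor} "
                          f"after {ts - first_seen[key]}")
    return alerts


def run_sample():
    """Analyse the constructed log with the last day as the detection window."""
    events = parse_log(SAMPLE_LOG)
    return find_anomalies(events, cutoff=datetime(2016, 8, 8))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A real deployment would derive the baseline from a rolling window rather than a fixed cutoff and would weight alerts by how sensitive the area is, but the shape is the same: learn what is normal for each person, then surface the departures for a human to look at.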

Rubber Ducky, you’re the one

Fsociety’s Mobley gives Angela a backup plan in case she’s unable to drop the Femtocell – to plug in a Rubber Ducky to a laptop for a few seconds. It may sound like Sesame Street, but Rubber Ducky is a hacker tool.

The Rubber Ducky looks like a run-of-the-mill USB flash drive, but it’s actually a programmable keyboard device. Rubber Ducky can type flawlessly (no mistakes!), with programmable, perfectly consistent timing (no password characters in the wrong field!) and at super-fast speed (how does 1000 words per minute sound?), while the hacker sits around looking innocent.
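The "1000 words per minute" figure above is also what gives a defender something to look for: no human types in long bursts with near-identical, millisecond-scale gaps between keys. The following Python heuristic is an added example (not something from the episode, the post, or any real endpoint product) that takes a list of (seconds, character) key events such as a host agent might record, splits them into bursts, and flags any burst whose words-per-minute rate and inter-key gaps are beyond human range. The sample events, the 300 WPM ceiling, the 20 ms gap limit and the 20-key minimum are all constructed assumptions.

```python
"""Spot keystroke bursts that no human could have typed.

Added defensive heuristic for this post; thresholds and the sample key
events are constructed assumptions, not measurements of any real device.
"""
from statistics import median


def constructed_events():
    """Build a key-event list: a human typing ~60 WPM, then a burst
    of 60 characters arriving 5 ms apart, the way an injection device
    would deliver them."""
    human_text = "the quick brown fox jumps over the lazy dog."  # 44 chars
    events = [(i * 0.2, c) for i, c in enumerate(human_text)]
    device_text = "x" * 60
    events += [(10.0 + i * 0.005, c) for i, c in enumerate(device_text)]
    return events


def split_bursts(events, gap_limit=0.5):
    """Group consecutive key events; a gap longer than gap_limit starts a new burst."""
    bursts, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > gap_limit:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return bursts


def words_per_minute(burst):
    """Typing rate using the usual 5-characters-per-word convention."""
    chars = len(burst)
    duration = burst[-1][0] - burst[0][0]
    if duration <= 0 or chars < 2:
        return 0.0
    return (chars / 5) / (duration / 60)


def flag_injection(events, min_keys=20, wpm_limit=300, max_median_gap=0.02):
    """Return one alert per burst that is both too fast and too regular for a person."""
    alerts = []
    for burst in split_bursts(events):
        if len(burst) < min_keys:
            continue  # too short to judge
        gaps = [burst[i + 1][0] - burst[i][0] for i in range(len(burst) - 1)]
        wpm = words_per_minute(burst)
        if wpm > wpm_limit and median(gaps) < max_median_gap:
            alerts.append({
                "start": burst[0][0],
                "keys": len(burst),
                "wpm": round(wpm),
                "median_gap_ms": round(median(gaps) * 1000, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_injection(constructed_events()):
        print("possible keystroke injection:", alert)
```

The human burst in the sample comes out around 60 WPM with 200 ms gaps and is ignored; the device burst computes to roughly 2,400 WPM with 5 ms gaps and is flagged. A real agent would combine this with the USB enumeration event for a newly attached keyboard, since a device that plugs in and immediately types is the combination worth alerting on.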

In this case, Mobley’s Rubber Ducky was set up with Mimikatz, an open-source password stealer that can grab a memory dump of password data from a Windows computer. The idea is that the Rubber Ducky gets plugged in, Mimikatz runs, grabs the passwords, and hides any trace of its existence all within a few seconds. So, Angela can just plug the USB device in, wait a few seconds, yank it out and walk away.

It’s not quite as easy as that, of course. To dig around in memory as it does, Mimikatz generally needs administrator or system-level privilege. Although some home users log in with administrator privilege all the time, fewer and fewer organizations still allow their users to have admin rights full-time, if at all.

I’m presuming fsociety planned for this and included a privilege escalation exploit in their script before launching Mimikatz. But if they didn’t, or if the privilege escalation doesn’t succeed, well, best of luck Angela.

Clearly using a Femtocell is preferable to the risk and complexity involved here, and it doesn’t look like the Rubber Ducky was needed. Either way, all fsociety needs is one success. If the user they target is logged in with admin privileges and Mimikatz grabs their credentials, that could be all the foothold they need to get from that computer to the rest of the network. Even though fsociety might have a greater chance of success with a Femtocell, they could very well hit a home run with a Rubber Ducky attack, too.

While Angela’s preparing to pwn the FBI, we see Darlene making herself comfortable at a nearby hotel, using a combination of social engineering and digital lock-picking to get into her room of choice.

It was only for a second or two, but I believe we saw Darlene use a hotel key hack. The proof of concept for a digital lockpick was demonstrated at Black Hat four years ago – and that digital lockpick hardware is now so small that it fits inside a dry erase marker.

What next?

This episode ends on a bit of a cliffhanger. We hear Darlene walking Angela through using Kali Linux and SSHing into a machine on the E-Corp LAN (likely the Femtocell). I’m assuming we’ll find out next week if she was successful.

What did you think of this week’s episode?

Were you a fan of the early 90s sitcom references at the beginning, complete with 4:3 aspect ratio? (ALF’s appearance was weird and fantastic. I wonder if we’ll see him again on Mr. Robot?)