The major theme of this week’s Mr. Robot episode revolved around vulnerabilities. As much as we sometimes try to deny it, we all have weaknesses. Cybercriminals, being the intelligent people they are, unfortunately often use their smarts for evil. They know that it is human nature to have weaknesses since no one is perfect, and they exploit these weaknesses using a tactic called social engineering.
“People make the best exploits”
Whether directly or indirectly, humans and the software they create can be exploited via their weaknesses and vulnerabilities.
FSociety penetrates Steel Mountain, E Corp’s data security center, by exploiting human weaknesses. We first see this happen when Elliot exploits Bill Harper, a sales associate at Steel Mountain, by dismantling his self-worth and telling him that no one in his life really cares about him. Elliot then requests to speak to someone who matters and Bill, disheartened and humiliated, calls his supervisor.
To FSociety’s surprise, Trudy comes instead of Wendy, the supervisor they were expecting and were prepared to utilize to get into the next level of Steel Mountain. This slightly throws off FSociety for a few seconds, but they make a quick comeback by doing a bit of online research. They learn that Trudy’s weakness is her husband and use a Linux distribution called Kali to send her a text message appearing to be sent from her husband saying that he is in the hospital. I researched more about this tool and found out that when using it, it is possible for anyone to spoof SMS and make messages appear as if they are from a number the recipient knows — a trick that is also employed in fraud emails.
The interesting thing about this, though, is they say they do not have Trudy’s number, just her husband’s number. Yet, they type her number into the program to send the message.
Windows 10 will be launching in T-minus seven days and will be offered for free within its first year of availability to Windows 7 and 8 users. Not only will the beloved Start button be back in Windows 10, but Windows 10 will also include a personal assistant, Cortana. What’s more, the new operating system will introduce many promising security features and a new browser.
Hello there, Windows Hello and Passport!
Windows Hello is biometric authentication that scans either your face, iris or fingerprint to access your Windows 10 device – very secret agent-like security! By doing so, Windows Hello eliminates the chance of hackers stealing your password to access your device, simply because you will no longer have a password to begin with!
Windows Passport also eliminates the use of passwords to access your online accounts. For now, Microsoft will work with the Azure Active Directory and has joined the FIDO alliance to subsequently support password replacement for other consumer, financial and security services. Windows will verify that you are truly the one using your device through a PIN or via Windows Hello, and then it will authenticate Windows Passport so you can log in to websites and services without ever using a password. Combined use of Windows Hello and Windows Passport would mean that a hacker would not only have to physically steal your device, but also kidnap you to access your accounts.
You will, of course, need hardware that is capable of infrared scanning your face or iris, or that has a built-in fingerprint reader to use Windows Hello. Microsoft has already confirmed that all OEM systems with Intel® RealSense™ 3D Camera (F200) will support Windows Hello’s facial unlock features.
This week’s episode was a little confusing for me – and I’m not only referring to the trippy dream Elliot has while going through his drug withdrawals.
It seems I wasn’t the only one who had questions about the hacks in this week’s episode; Forbes published an interview they did with Michael Bazzell, Mr. Robot’s technical consultant and cyber crime expert, explaining the hack attack on E Corp that Elliot comes up with at the beginning of the show.
In the article, Michael Bazzell explains how Elliot plans on destroying E Corp’s data storage facility, using a Raspberry Pi. Sounds like a very yummy method – too bad there’s an “e” missing at the end of “pi”! Michael explains that a Raspberry Pi is a very small computer that can be accessed via the Internet through its built-in cellular chip. Using this, Elliot wants to control the facility’s climate control system to overheat it, thus melting E Corp’s tape-based backup.
While Forbes focused on the more complex hacks that targeted large corporations like E Corp and Allsafe, I was intrigued by the two physical hacks in the show.
The first “IRL” hack is when two members of FSociety hack a minivan – keep in mind that FSociety does everything in their power to not leave a trail, so they need a stolen car to get to E Corp’s data facility center in order to prevent being caught.
The FSociety guys casually sit on a sidewalk and wait for someone to park and lock their car. Using what looked like an old radio to me but is more likely a transmitter, they are able to send a command to unlock the car – politely thanking “mom” for giving them the opportunity to steal her car. Once inside the car, they connect the car to their laptop using a cable and run the code to get the car started.
I asked my colleague, senior malware analyst Jaromir Horejsi, what he thought of the hack:
All they needed was the cable and specialized control software for cars. This software can access data from sensors in the car and it can control the car’s behavior. With that, they just had to connect everything together and select their desired actions. – Jaromir Horejsi
Elliot, Mr. Robot’s anti-hero cyber-security engineer by day and vigilante hacker by night, has been having a lifestyle crisis. In episode 3, Elliot longs to live what he calls a bug-free life, otherwise known as the life of a regular person.
However, he is quickly pulled back into FSociety’s hold when emails exposed during the threatened data dump reveal that E Corp executives had knowledge about the circumstances which led to his father’s death. We will leave the intrigues and plot theories, especially whether Mr. Robot is real or a figment of Elliot’s imagination, to the internet. Right now, let’s look at the hacks highlighted in this episode.
At minute 7:40, you see Elliot in the hospital after Mr. Robot had pushed him off the high wall they were sitting on in the previous episode. His psychiatrist, Krista, is in the hospital and explains that the police wanted to do a drug panel, but Elliot refused. Elliot admits he has been taking morphine. Krista says the only way she can approve his release from the hospital would be if he commits to a bi-monthly drug test. Elliot starts thinking about how he will get around this problem by hacking the hospital’s IT. The IT department is led by one single person, William Highsmith, with a budget of just $7,000 a year. According to Elliot, he uses useless virus scans, dated servers and security software that runs on Windows 98. It’s one of the reasons why Elliot made that particular hospital his primary care facility, since he can easily modify his records to look average and innocent.
Stefanie: Wow, wouldn’t it be unusual that a hospital would actually use old infrastructure and have little budget for their IT? I also found it a bit odd that they have just one IT guy, I mean healthcare data is REALLY sensitive and definitely one of the last things I would want to have accessed by hackers!
This morning, our colleagues who work on our Avast SecureLine VPN product informed us that there was a significant increase in downloads in the U.S. This made us curious, as we didn’t have any specific campaigns running that would explain this dramatic spike in downloads. In the App Store, we jumped to the 6th spot in the utilities category (and as we were coming from the 200th spot, this says a lot)!
We decided to turn to Twitter to see what was going on and discovered that teenagers were the cause of the trend. This shouldn’t have really surprised us, as teens are trendsetters and experts at dispersing viral content via social media channels.
Another week, another Mr. Robot episode! Last Wednesday the second episode of Mr. Robot aired (Ones and Zer0s). This episode did not disappoint! It was dark, gloomy, but also included lots of technical things that made us once again question: How can this affect me?
This week I sat down with freelance security and privacy journalist, Seth Rosenblatt, to discuss the episode.
At the beginning of the show, Elliot has a bit of an involuntary meeting with E-Corp’s now interim CTO, Tyrell Wellick. After this meeting, Elliot goes home and hacks Tyrell. What he notices is that E-Corp’s mail servers haven’t been patched since “Shellshock” and that Tyrell does not use two-factor authentication, nor does he have a complex password. Elliot realizes that this was all too easy and that Tyrell must have wanted Elliot to hack him. He then goes nuts and burns his chips and SIM cards in the microwave, tears apart his hard drive, and destroys his motherboard.
Stefanie: Lots of interesting stuff happened in this scene! Can someone hack me like Elliot hacked Tyrell? What is the Shellshock vulnerability and can it still affect me as a personal user?
Seth: If Tyrell wanted Elliot to hack him, he made it pretty easy for an experienced hacker like Elliot. I bet many people who do not put a lot of thought and effort into their online security can be easily hacked. The fact that E-Corp hadn’t patched their servers since Shellshock seemed a bit odd, but again this was maybe intentional to make it easy for Elliot to hack, in the hopes of blackmailing him later on. In terms of the average user, Shellshock is a vulnerability that affects systems using Bash (a Unix-based command processor used by Unix-based systems such as Linux and Mac). Patches for Shellshock have long been issued, so if you update your operating system regularly you have nothing to worry about.
Last night the pilot episode of MR. ROBOT, a new thriller-drama series aired on USA Network.
The show revolves around Elliot who works as a cyber security engineer by day and is a vigilante hacker by night.
I watched the episode and then sat down with Avast security expert Pedram Amini, host of Avast’s new video podcast debuting next week, to find out if someone like you or me could be affected by the hacks that happened in the show.
In the second minute of the episode we see Elliot explaining to Rajid, owner of Ron’s Coffee, that he intercepted the café’s Wi-Fi network, which led him to discover that Rajid ran a child pornography website.
Stefanie: How likely is it that someone can hack you while you’re using an open Wi-Fi hotspot?
Pedram: Anyone with just a little technical knowledge can download free software online and observe people’s activities on open Wi-Fi. We went to San Francisco, New York, and Chicago for a Wi-Fi monitoring experiment and found that one-third of Wi-Fi networks are open, without password-protection. If you surf sites that are unprotected, meaning they use the HTTP protocol, while on open Wi-Fi, then anyone can see, for example, which Wikipedia articles you are reading, what you’re searching for on Bing, and even see what products you are browsing for on Amazon and eBay, if you do not log in to the site.
Stefanie: Wow! That’s a bit frightening… How can I protect myself then?
VPN service Hola, which has millions of users, recently came under fire for not being as up front with their users as they should have been. In the past weeks it has been revealed that Hola does the following:
- allows Hola users to use each others’ bandwidth
- sells their users’ bandwidth to their sister company Luminati (which recently helped facilitate a botnet attack)
- and, according to Vectra research, Hola can install and run code and additional software on their users’ devices without their users’ knowledge.
If you are a Hola user or if you know someone who uses Hola, please make sure you/they are aware of this.
Devastation. The feeling you get when you realize your mobile phone is missing. All those photos, contacts, and other data – gone forever. Why? Because it wasn’t backed up.
Just in time for World Backup Day, Avast conducted a global survey to find out whether or not people back up data on their mobile devices. We received responses from 288,000 users in countries including the United States, Germany, India, Mexico, and Russia.
In order to get an idea of which kinds of data users store on their devices, we began the survey by asking respondents for what purposes they use their mobile devices aside from making calls and sending text messages. In response, we found that
- Two out of ten people use their mobile device to take photos
- 18% browse the Internet
- 17% listen to music/watch videos
- 16% use social networking apps like Facebook and LinkedIn
Why do people not back up their data?
Put simply, most people don’t think it is necessary to back up their data. Globally, 36% do not think it is necessary, and neither do nearly half of Russians (48%).
Almost a quarter of the world attributes not backing up their data to laziness (24%). Thirty-two percent of Indian people admit that they are too lazy to do a back up.
Thirty-six percent of British respondents claimed not to back up their data because they believe their data is not valuable, compared to only 22% of global respondents citing this as their reason for not backing up their mobile data.
What is more valuable to mobile users: hardware or data?
Now that we have established that lots of people don’t care about their data, are too lazy to prevent its loss, or don’t think it’s worth the trouble, we then asked users what they would be more upset about losing: their data (that has not been backed up) or their device (the hardware).
Globally, 64% of people would be more upset about losing their data that has not been backed up rather than the device itself. Respondents in Mexico backed up this claim most significantly, with 78% of Mexican users claiming they would be more upset about losing their data than losing their hardware.
Which data are people worried about losing?
Across the board, users were most heavily concerned about losing the contacts stored on their mobile device (25%) and photos (21%). Despite these concerns, 37% of respondents said they do not back up their data. Brazilians are the least likely to back up their data (45%), yet 64% of Brazilians would be upset about losing it.
Why you should back up your mobile data
We use our mobile devices to make important calls, capture valuable moments, browse the web, to use our favorite apps and so much more. Anything can happen to your mobile device in a split second; it could fall into the toilet, go missing (either through loss or theft) or even get run over by a car! Yet, as we discovered, many do not back up the data they consider indispensable.
How to back up your data
You can back up your data in many ways: by connecting your mobile device to a PC (as nearly one-third of global users do; see below), by connecting to a Cloud service (like Dropbox, iCloud, or Google Drive), or by using a mobile backup app like Avast Mobile Backup.
When people actually do back up their data, how do they go about it?
The majority of those who do back up their data back it up on a monthly basis (41%), while another 8% back it up on a daily basis.
Most people back up their data by connecting to a PC (32%) — only 17% back up their data to the Cloud. When we inquired about this difference in numbers, 46% of users expressed their reluctance to back up to the Cloud due to privacy concerns. Germans were the most concerned about their privacy when it came to Cloud back up (61%), with Spanish (58%) and American (57%) respondents close behind them.
March 28th, 2015 – It was a gray and chilly Saturday morning when some of Avast’s fittest gathered to run in the 17th edition of the Sportisimo Prague Half Marathon. As the biggest running event in the Czech Republic, this year’s race drew in over 12,000 participants. Thirteen brave Avastians ran the event’s full 21 kilometers and 12 (also brave) Avastians ran in relay teams. The relay teams consisted of four members, three of whom ran five kilometers and a fourth who ran six. The Avast runners chose to support the Committee of Good Will – Olga Havel Foundation, an organization that works to support handicapped, abandoned and discriminated individuals in their integration into society.
Let the race begin
The race took place in Prague’s historic city center along the Vltava River. Both the start and end points of the race were positioned in Jan Palach Square, named after Jan Palach, a student who immolated himself to protest the Soviet occupation of Czechoslovakia in 1969. At the starting line, I found myself stretching and warming up next to thousands of fellow participants. As we eagerly waited for the race to begin, some sort of miracle occurred – the sun’s rays made their way through the clouds, warming our cold bodies and lifting our spirits. Then, at noon, the starting pistol was fired and we began the race, appropriately accompanied by the sounds of Bedrich Smetana’s “The Moldau”. This celebrated piece of classical Czech music evokes the sounds of the Vltava River, the body of water that served as the backbone of the race.
Step out of your comfort zone
The Prague Half Marathon was the first official race that I’ve taken part in. I ran five kilometers as part of one of Avast’s three relay teams. Intimidating is definitely a word one could use when describing the experience — when the race began, literally thousands of people ran past me and it soon became somewhat of a struggle to keep up in the constant stream of runners. However, it was great having my colleagues there for moral support. During the first kilometer, one of my colleagues passed me, giving me a cheerful greeting en route to complete the race’s full 21 km.
As I ran, I let the Vltava’s breeze cool me off while I basked in the sun’s warmth and admired Prague’s breathtaking views. Within just two kilometers, I had passed some of the city’s most famous sites, including the Charles Bridge, National Theater, and Dancing House. Out of the corner of my eye, I could even see the Prague Castle on the other side of the river. Upon reaching the five kilometer mark, I handed my baton chip over to my teammate, who continued on and crossed the Vltava to meet our third runner.
Each of the Avast relay teams completed the half marathon in just under two hours. The individual runners, who ran the full length of the race, all finished within two and a half hours. To top it all off, Avast’s fastest runner, Adam Simek, came in 88th place out of the 12,500 runners who participated, completing the half marathon in a remarkable one hour and 18 minutes!
A message to my fellow Avast runners: You guys all did an amazing job and I hope you have all recuperated from the run. I look forward to running with you again next year!