Episode 5 of Mr. Robot’s third season was a nail-biter. After translating the German quote at the beginning of the show ("Beginning is hard. Beginning is easy. Persistence is an art."), our team of technologists discussed social engineering, asset and ID management, hardware security modules, and more. (The chat transcript has been edited for brevity and clarity.) This week's team of experts include:
- Bill Budington: a long time activist, programmer, and cryptography enthusiast, and a security engineer and technologist at the Electronic Frontier Foundation.
- Jen Helsby: SecureDrop lead developer at Freedom of the Press Foundation.
- Jason Hernandez: a technologist who studies surveillance and works in IT, and is the tech editor for North Star Post.
- Harlo Holmes: a digital security trainer at Freedom of the Press Foundation.
- Zachary Julian: a Senior Security Analyst at Bishop Fox, a security consulting firm.
- Matt Mitchell: a hacker who leads cryptoharlem, which aims to teach basic cryptographic tools in the inner city. He also trains newsroom journalists (at Global Journalist Security), activists & human rights defenders in digital & operational security.
Yael: So Elliot’s going to get fired. He walks into work and can't get on his email…but somehow he can get on a backend system using his buddy's computer?
Bill: He may have a password for that system. It was SSH. When Elliot is first trying to gather data about the Dark Army hack, he uses PuTTy (an SSH client for Windows) to SSH to 220.127.116.11. When you browse there, it forwards you to https://ycg67gca.bxjyb2jvda.net/ssh/terminal/… it's a dummy terminal that only really responds to the commands cd and ls (but the typical flags don't work). You can list the log files that Elliot sees, but you can't cat them. So you can navigate around and see files, but you can't read out the files.
Yael: I want to know why he can get on a backend system when he's locked out of the account, though. Shouldn't he lose access to everything? Like his key card stopped working and he can't get his email.
Jen: Looks like he's using his buddy's account. Kibana is logged in on his buddy's machine and then he SSHs into a machine using the username of samsepi01.
Harlo: Sam Sepiol. The return of Elliot's "master social engineering" avatar. I think this first scene should be shown by HR to any new hire at a company about what not to do regarding security.
Yael: He used that name before, right? When was that?
Harlo: The last time he went full-on Sneakers. The episode when he planted the RPI in the bathroom wall.
Zachary: I assume they locked his E Corp domain credentials but Kibana/SSH used separate credentials.
Jason: I think it would be less likely that Elliot would be locked out of a random server available over SSH. It's quite an undertaking to have every system part of the same federated authentication platform in a large corporation.
Zachary: Actually a very real-world example of how asset and ID management is hard.
Yael: It's kind of a pain in the ass. Like even outside of firing employees, it's like when I block someone on my personal Facebook, they instantly send me hate mail on my Facebook business page.
Matt: When you get fired, IT will usually freeze your account which includes LDAP, so most systems are off limits. But SSH to your own machine, that wouldn't be a problem.
Bill: Even if it's behind a corporate firewall, his “friend’s" machine would still be behind it. So within accessible range of the SSH server.
Jason: Also, there's some poor opsec on HR's part doing the firing, cutting his accounts before walking him out.
Yael: Oh, I thought every company did that. That's how people find out they're fired. It makes it harder for them to send hate mail about the company and cc: all.
Matt: I have seen it both ways. It’s sometimes common to cut accounts first. The timing isn’t always fluid. It’s to avoid employees finding out they are fired and deleting the planet or stealing intellectual property. Are we on to social engineering? Cause I like how he picked the older woman sniffing liquid eraser.
Harlo: YES THIS PART.
Bill: That tech-savvy grandma that was awesome. Elliot’s prejudices blown up.
Yael: Stereotyping will slow your social engineering shit down.
Harlo: Friends don't let friends remote control desktop.
Yael: Ha, the older lady told on him for using GoToMyPC!
Bill: When Elliot is on that guy's terminal, he navigates to 18.104.22.168:5601. That's the Kibana system they set up for remote monitoring. It forwards to https://ycg67gca.bxjyb2jvda.net/app/kibana/#/dashboard/Priority-Host_Monitoring.
Yael: In general, I thought Elliot's social engineering and social engineering fails were pretty amusing. Especially when he tried to get into that meeting.
Bill: Yeah that was key. Starts talking about chocolate donuts. In reality, most social engineering attempts fail. Like at HOPE, during the Social Engineering talk that Emmanuel does, they often have to call five or six different businesses to actually get some information. But it's the weakest link that matters, you know?
Yael: I saw someone do a really good job in the Social Engineering Village at the last DEF CON. Even though the lady she called was starting to get suspicious, she still gave her a ton of info.
Jason: There's usually not much downside to a failed social engineering attempt… you just act confused.
Yael: Yeah, and honestly there are a lot of weirdos at big corporations. I think Angela was actually more suspicious than Elliot was.
Jason: Angela was going into a controlled area.
Yael: What are some good social engineering tips for Elliot and Angela? What should they do better next time? IF THERE IS A NEXT TIME.
Yael: Yes, she’s great! Okay, so the big hack this episode was Angela getting the signing keys from the HSM and then giving them to a delivery guy.
Harlo: I think the delivery guy is just a delivery guy, but the mission was pretty cool!
Yael: Didn't she need the delivery guy to sign the firmware and redeploy?
Harlo: I mean, he would deliver the hard drive to the Dark Army who would then do what they gotta do (i.e., he's a Dark Army delivery guy).
Yael: Okay, so who wants to explain what an HSM is? Or what Angela was doing?
Matt: An HSM is a Hardware Security Module. It's a physical device like a rack mount server that handles encrypted key management.
Zachary: TL;DR the Dark Army was originally going to deploy backdoored firmware on the UPS to do stage 2. Elliot tried to prevent that by reconfiguring the UPS to only run signed code. So now Angela needs to recover the private keys from the E Corp HSM so they can sign their backdoored code.
Bill: Yeah, in the beginning of the episode Elliot mentions that the Dark Army had tried to blow up the backup building, but failed. That's because of the protections Elliot setup.
Jen: It's a little crazy if they run unsigned code on such important infrastructure.
Jason: I think it's another case of difficult asset management. Who even knows that UPSs run firmware and might be able to load unsigned code?
Yael: Okay so they were going to get the batteries to explode, Elliot set up protections to stop it, so they wanted to put the old version back up?
Bill: But the protections were I guess to ensure that any software execution required code signing.
Yael: Why wasn’t Angela supposed to miss any steps?
Jason: HSMs are complex devices and the procedure for exporting keys (if it exists) is very complicated, and they're sometimes rigged to destroy keys or do something else bad if there's any tampering.
Zachary: Interesting the instructions to back up the HSM mention a PED, which I'm not familiar with but I believe is 'PIN entry device,' the thing she grabbed from the cabinet under the HSM rack. They based it off a Luna HSM.
Yael: So after Angela gives the drive back to Dark Army, what do they still have to do?
Bill: Redeploy the malware and blow up the building. I think that's it right?
Yael: Do they have to be in the building?
Bill: No, I think it's remote, but they don't really specify. Once they have the HSM signing keys, they can deploy it however they want.
Jason: It seems like Dark Army just needs to be on the general corporate network. It doesn't seem like there’s isolation.
Yael: What can Evil Corp do to stop this from happening?
Jason: E Corp could just unplug the UPSs from the network. This could build to a dramatic "pull the ethernet cables" scene.
Harlo: This reminds me of something in current events… hmmm, what could it be…
Yael: I did think it was funny when Elliot called in the bomb threat in an obscure, technical way and the lady didn't know what he meant by UPS.
Zachary: Side note, this is pretty nuts after Angela steals the HSM backup:
https://www.reddit.com/r/MrRobot/comments/7bqvs3/spoiler_anyone_else_notice_on_tonights_episode/. Definitely looks like Elliot.
Jason: I wonder if Elliot could revoke the signing key if he got access to the HSM (assuming the UPSs check some revocation service)?
Zachary: After seeing that Reddit post, it seems like he got back to the 23rd floor, so yeah, I assume he is trying to reach the HSM as well.
Jason: There are a bunch of logs and trails that the FBI will eventually be able to piece together what happened from.