Sunday, September 24, 2017

Tag: Mr. Robot

The high-water mark in information security rises every year. Just when we think we have finally figured out how to defend against one kind of attack, attackers come up with something new and we are right back to working out what to do next. Ransomware, which surged over the last year, is a case in point.

Although that kind of malware has been around for years, the current model of encrypting user files and holding the data hostage came about only recently. Infections quadrupled in 2016, with the FBI estimating an average of 4,000 attacks a day.

A recent IBM survey of 600 business leaders in the United States found that one in two had experienced a ransomware attack in the workplace, and that companies paid the ransom 70 percent of the time.

As a result, criminals are on track to make nearly $1 billion this year from ransomware, IBM X-Force said. And there’s been seemingly no end to hackers getting into corporate databases. Just ask Yahoo. Or the Democratic National Committee.

Even the FBI was able to find an outside firm to break into an Apple iPhone 5c, a device that for a while seemed unhackable. For IT and security professionals, this endless firefighting gets exhausting. Old threats come back in new forms, and new attacks keep making the list of things to worry about even longer. Malicious Word macros are back. Exploit kits still love Flash. SMS text messages carrying one-time codes for second-factor authentication proved interceptable.

It all makes you want to give up and curl up in a dark corner. But 2016 wasn't all bad news for enterprise security, and there are some wins that give hope for a more secure future.

1. We're looking at passwords in a better light

Authentication, especially how we use passwords, was a recurring theme in every data breach. Yes, password reuse is still a problem and weak passwords like "password1" and "123456" are still a thing, but more people are using password managers to secure their online accounts and fingerprint sensors to lock their physical devices. "Biometrics will no longer be seen as novel in 2017, but necessary," said Daniel Ingevaldson, CTO of security company Easy Solutions. There are fingerprint sensors on the market today with security features including TLS 1.2 and 256-bit encryption, anti-spoofing technologies, live-or-dead detection, and match-in-sensor architectures, said Anthony Gioeli, a vice president at Synaptics's biometrics division.

Apple has had hardware-secured fingerprint sensors (Touch ID, with the key material held in the Secure Enclave) in its mobile devices for several years, and now in its newest MacBook Pro. Samsung and Google use similar technology in their latest smartphones.

And Microsoft has built support for biometrics into Windows 10 (Windows Hello) and beefed up that security in this year's Windows 10 Anniversary Update. The National Institute of Standards and Technology is also tackling the problem.
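NIST's draft, summarised in the next paragraph, boils password acceptance down to a few rules: favour length over composition, allow spaces and any printable character, screen candidates against lists of common and breached passwords, and stop forcing periodic changes. As an added example (not NIST's text and not code from this article), here is a small Python check that applies those rules; the minimum length of eight, the embedded blocklist and the leet-folding rules are the editor's assumptions for illustration.

```python
"""Password acceptance check in the spirit of NIST's draft SP 800-63B.

Added example, not NIST's text and not code from the article. The minimum
length, the blocklist contents and the folding rules are the editor's
assumptions for illustration; a real deployment loads a large
breached-password list in place of the handful embedded here.
"""
import unicodedata

MIN_LENGTH = 8          # draft: at least 8 characters for user-chosen secrets
MAX_LENGTH = 128        # draft: allow at least 64; the cap itself is an assumption

# Constructed stand-in for a list of common and breached passwords.
BLOCKLIST = {
    "password", "password1", "123456", "123456789", "qwerty",
    "letmein", "welcome", "iloveyou", "admin", "abc123",
}

# Undo the usual substitutions so "P@ssw0rd" is caught by the "password" entry.
LEET_UNDO = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                           "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})
TRAILING = "0123456789!@#$%^&*.?"


def normalize(pw):
    """NFKC-normalise so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", pw)


def blocklist_forms(pw):
    """Variants to compare against the blocklist: raw, without trailing
    digits/symbols, and with leet substitutions undone."""
    s = normalize(pw).lower()
    stripped = s.rstrip(TRAILING)
    return {s, stripped, stripped.translate(LEET_UNDO)}


def check_password(candidate, username="", service="example.com"):
    """Return the list of reasons the password is rejected; [] means accepted.

    Deliberately absent: composition rules (must contain a digit, an
    upper-case letter, a symbol ...), password hints, and any expiry date.
    """
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if BLOCKLIST & blocklist_forms(pw):
        reasons.append("matches a common or breached password")
    if username and username.lower() in pw.lower():
        reasons.append("contains the account name")
    if service.split(".")[0].lower() in pw.lower():
        reasons.append("contains the service name")
    if len(set(pw)) == 1:
        reasons.append("repeats a single character")
    return reasons


if __name__ == "__main__":
    for pw in ("password1", "P@ssw0rd1!", "correct horse battery staple",
               "elliot2016", "123456"):
        verdict = check_password(pw, username="elliot")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note what the check does not do: it never demands a digit or a symbol, so "P@ssw0rd1!" is rejected (it folds back to a blocklisted word) while a long all-lowercase passphrase is accepted, which is exactly the inversion of the classic composition policy.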

The draft Digital Authentication Guideline (SP 800-63-3) includes new guidance on password policies: allow longer passwords; allow spaces and any printable character; drop composition rules (requirements for particular combinations of letters, numbers, and non-alphanumeric characters); screen new passwords against lists of common and compromised ones; and do away with password hints. NIST also says in the draft that one-time passcodes sent by SMS should no longer be used as a factor in two-factor authentication, and that stronger authentication methods should be adopted. Although the guidance is still in draft form and the official public comment period doesn't start until early 2017, IT departments can use it now to start thinking about how to improve authentication, such as rolling out multifactor authentication and changing password requirements. Another bonus: NIST's Mary Theofanos said mandatory periodic password changes don't make sense, so IT departments can work on alternatives and stop torturing users.

2. We may finally be taking IoT security seriously

Last year, we could see the ransomware wave coming.

This year, it's internet of things (IoT) security, or the extreme lack thereof, that is clearly on the horizon. The distributed denial-of-service (DDoS) attacks this fall, launched from compromised home security cameras, DVRs, and other connected devices, knocked major websites offline and seemed to be the industry wake-up call that finally worked. Made up of those compromised IoT devices, the Mirai botnet launched large attacks against French hosting provider OVH, the website of security blogger Brian Krebs, and DNS provider Dyn. The last time DDoS was the big story, it was about hacktivists and online pranksters targeting financial websites and other visible targets.

This time, botnets are launching large, multivector attacks that can exceed 1 terabit per second and interrupt internet access for millions. Security experts have been warning for some time about the millions of devices connected to the internet without even the most basic security features (factory-default credentials on exposed Telnet services were exactly what Mirai abused to spread), so the attacks shouldn't have been a surprise.

And with Mirai’s source code publicly available, it is safe to assume there are other IoT botnets waiting in the shadows to strike. With all these devices connecting to the internet, we are ripe for an IoT worm, said Lamar Bailey, senior director of security research and development at Tripwire.

Fixing the problem will require a lot of coordination, creativity, and persistence, but perhaps people are actually seeing the risks. The silver lining is that the Mirai attack was a “fairly cheap lesson in what a compromised IoT [threat] would look like while there’s still time to do something about it,” said Geoff Webb, vice president of solution strategy at Micro Focus.

But IoT vendors need to get serious about security fast, and consumers should avoid their products until they do.

3. We're getting other benefits on the coattails of new security technology

It's always a good sign when something adopted for security reasons turns out to have other benefits. New protocols like Transport Layer Security (TLS) 1.3 and HTTP/2 will make the web safer, but there are clear performance improvements as well: TLS 1.3 drops the legacy cipher suites and cuts the full handshake to a single round trip, and HTTP/2 multiplexes requests over one connection, which browsers will only open over TLS.
It's very likely the uptick in adoption of TLS 1.3 and HTTP/2 by web developers will be driven by the speed gains the protocols enable, said Ryan Kearny, CTO of networking company F5 Networks. "In 2017, the increase in web speed will spur rapid adoption of TLS 1.3 — and that will, in turn, make the web more secure," Kearny said.

4. We're getting more realistic about security

Security was one of those things people never really understood.

TV shows and movies didn’t help, with slick graphics and fancy dramatizations of what hacking supposedly looks like.

Then, along came the TV show "Mr. Robot," and the show's star, Rami Malek, won an Emmy for his portrayal of Elliot Alderson. "Out of all the attempts that Hollywood has made to tell a compelling story using cyber as the backdrop, Mr. Robot is the most complete," said Rick Howard, CSO of networking security company Palo Alto Networks. If nothing else, non-security professionals now have a better understanding of just how bad things can get.
It’s no longer just that one weak password, one link in an email, or that one old software application that hasn’t been updated.

There is no need to oversensationalize the security issues in “Mr. Robot” — the reality is bad enough. That better understanding should help users understand why they need to pay more attention to at least security basics.

And why they keep getting breach notices from the likes of Yahoo and Dailymotion. But it doesn’t help that there’s still a culture of silence about breaches among security pros and the companies they work for. No one likes to talk about their failures or to be a headline.

But because no one is sharing what mistakes were made, the same breaches keep happening over and over. That’s why the formation of new Information Sharing and Analysis Centers (ISAC) is a positive — though small — development, a sign of realism creeping into the security professionals’ culture, too.

Although existing ISACs and commercial information-sharing platforms are expanding to include more enterprises, they need to become even more widespread. Developers have plenty of places where they can post code snippets and get programming help.
IT and security professionals should have forums where they can share their security stories, ask questions without judgment, and learn about what worked for their peers, said Jeannie Warner, a security strategist at WhiteHat Security. “The bad guys have Tor, Reddit, and other social networks to share information and tools.

The good guys need to adopt theirs just as freely,” Warner said. It’s easy to see information security as a never-ending stream of attacks. Perhaps the most distressing thing about the year’s outages and breaches is the fact that there is an awful lot happening that IT doesn’t know about.
Security experts frequently warn that just because there is no evidence of a breach doesn’t mean there isn’t a breach.

That was definitely true at Yahoo: The internet company disclosed two gigantic breaches, but the scariest thing wasn’t the number of victims — it was the fact that they happened years ago and no one even suspected. “We went years with billions of records being sucked out from right under our noses and we didn’t even know it,” wrote security expert Troy Hunt. He called the current mindset “conscious incompetence,” where we know we have a big problem.

That’s a better place to be than the previous stage, where the prevailing attitude was, “It won’t happen to me.” The big question is knowing where to go next. “How much more are we going to discover over the next year? Or not discover at all?” Hunt asked.
If we're finally getting real about security and come out of the shadows, we should finally begin to make real progress.

5. We may finally get security promises we can bank on

As consumers, we demand money back when we are not satisfied with a product's performance or functionality.

But IT typically doesn't get that option with security products. Only 25 percent of U.S. IT security decision-makers said their primary security vendor is willing to guarantee its product by covering the costs of a breach, including lawsuits and ransoms, according to a recent survey by endpoint security company SentinelOne.

But most IT security professionals in the survey said they would like security vendors to offer a guarantee their products would deliver on their promises — and 88 percent claimed they would change providers if a competitor offered such a guarantee. “The industry has reached a tipping point, where security vendors will need to guarantee that their products will hold up against cyberattacks and assume responsibility if they fail to do so,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “Customers are tired of paying additional fees to address security breaches, especially when they have already paid for security defenses in the first place.” There are now a handful of companies that offer security guarantees.
SentinelOne’s guarantee covers $1,000 per endpoint, or $1 million per company payout, in the event of a successful ransomware infection after installing SentinelOne’s Endpoint Protection Platform.

Cymmetria covers the costs of notifying victims, hiring attorneys, bringing in digital forensics investigators, and repairing the damage if an advanced persistent threat gains unauthorized access, moves laterally through the network, and steals protected information from compromised systems in an organization that has deployed Cymmetria's MazeRunner cyber-deception platform.

Trusona and WhiteHat Security also have similar product guarantees. As we’ve seen over the past few months, even security products can have vulnerabilities.

But in several of the cases, the mistakes seemed fairly basic, even avoidable, not at all at the level of what a security provider should be delivering. Product guarantees should wring such sloppiness out of security providers, because they'll finally pay a real price for their own neglect. As with any warranty, the payout cap and the conditions attached (typically that the product is deployed everywhere and kept updated as the vendor specifies) are the fine print a buyer should read first. "It's high time people in our industry started putting their money where their mouth is and taking responsibility for what they sell, assuring what they do works," said Gadi Evron, Cymmetria's CEO.
Here's what topped the Dark Reading page-view charts from the security industry's brightest minds, coolest rock stars, and up-and-coming leaders.

The hacking thriller Mr. Robot may have been snubbed by the 2017 Golden Globe Award nominating committee this month, but security researcher Sarah Vonnegut's blog, 5 'Mr. Robot' Hacks That Could Happen in Real Life, about the award-winning season one pulled in the highest number of readers of all the contributed content we published in 2016. Vonnegut, an application security community specialist at Checkmarx, offered a reality check on anti-hero Elliot's first-season hacking prowess, and garnered a whopping 14,738 page views from Dark Reading fans of the show.

Other 2016 favorites from our roster of contributors include:

Rethinking Application Security With Microservices Architectures (6,804 views, 4/15/2016)
Ranga Rajagopalan, Chief Technology Officer, Avi Networks
The advantages offered by the container model go against many of the assumptions of traditional security mechanisms. Here are 5 new concepts & 4 best practices you'll need to understand.

Security Portfolios: A Different Approach To Leadership (6,802 views, 8/11/2016)
Adam Shostack, Founder, Stealth Startup
How grounding a conversation around a well-organized list of controls and their goals can help everyone be, literally, on the same page. Part seven of an ongoing series.

How To Stay Safe On The Black Hat Network (6,722 views, 7/28/2016)
Neil R. Wyler (Grifter), Threat Hunting and Incident Response Specialist, RSA
Black Hat attendees may have changed their titles and now carry business cards, but hackers gotta hack and there's no better place to do it than Black Hat.

The Secret Behind the NSA Breach: Network Infrastructure Is The Next Target (6,683 views, 8/25/2016)
Yoni Allon, Research Team Leader, LightCyber
How the networking industry has fallen way behind in incorporating security measures to prevent exploits of ubiquitous routers, proxies, firewalls, and switches.

Anatomy Of An Account Takeover Attack (6,389 views, 2/23/2016)
Ting-Fang Yen, Research Scientist, Datavisor, Inc.
How organized crime rings are amassing bot armies for password-cracking attacks on personal accounts in retail, financial, gaming, and other consumer-facing services.

20 Endpoint Security Questions You Never Thought to Ask (5,696 views, 10/26/2016)
Joshua Goldfarb, VP & CTO - Emerging Technologies, FireEye
The endpoint detection and response market is exploding! Here's how to make sense of the options, dig deeper, and separate vendor fact from fiction.

5 Soft Skills Young Cybersecurity Professionals Need to Get Ahead (5,615 views, 6/14/2016)
Todd Thibodeaux, President & CEO, CompTIA
Today's employers aren't looking for recruits who can maintain firewalls and mitigate risk. They want well-rounded professionals who can apply security expertise across the business to yield bottom-line results.

Why Social Media Sites Are The New Cyber Weapons Of Choice (5,387 views, 9/6/2016)
Nick Hayes, Analyst, Forrester
Facebook, LinkedIn, and Twitter can't secure their own environments, let alone yours. It's time to sharpen your security acumen.

Changing IoT Passwords Won't Stop Attacks. Here's What Will (5,173 views, 11/7/2016)
Paul Madsen, Senior Technical Architect, Ping Identity
The solution will take an industry-wide effort, it won't happen overnight, and the problem is not the users' fault!

Do you have a favorite contributor commentary of 2016? Share it in the comments!

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Warning: This piece contains minor spoilers for the most recent episode of Mr. Robot (S2E9).

Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involves hiring ex-FBI employees as consultants or tracking down the duo behind the Full House theme, the series wants to ground its high-stakes story in a healthy dose of realism. "The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world's debt, is a big pill to swallow," Kor Adana, staff writer and the show's lead tech producer, told Ars recently. "The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality."

In the series' latest episode, hero-hacker Elliot Alderson launches an attack script called crackSIM from a real-world device, Pwnie Express' Pwn Phone, to let him eavesdrop on a cell phone call.

As superhuman as the attack seems, it's yet another realistic portrayal from Adana and his team. Yes, this hack is technically possible, and so is eavesdropping on a cell phone call.

But this being a roughly 50-minute cable series, creative license ultimately rears its head. The hack Elliot used wouldn't, as we understand infosec today, get him the eavesdropping. Instead, the show (rightfully) took a few artistic liberties when demonstrating how such an attack would happen.

A Pwnie party

Ars got a bit of a preview of the attack from the folks at Pwnie Express.

As they discussed with us on this week's Decrypted podcast, the company was contacted by the producers of Mr. Robot to take part in the plot. Pwnie was able to take a small role in discussing what is and isn't possible with the series staff during production, and ultimately the team was thrilled with the results. (After all, as the clip above shows, Elliot calls the phone the ultimate hacking device. Later in the episode, this attack earns him the title of "master" from a group of international hacker mercenaries called the Dark Army.) We've gone hands-on with the Pwn Phone in its previous incarnation and once even used a similar device on an NPR reporter (don't worry, he agreed to it).

But since the Pwn Phone plays such a prominent role in this hack on this show, we wanted to talk with Pwnie's vice president of marketing Dmitri Vlachos and director of product development (and former Air Force cyber operator) Yolanda Smith about this "crackSIM" attack.

Even if it's been fictionalized, could someone pull off what Elliot was doing in the real world?

[Image: The original Pwn Phone, with its external Wi-Fi adaptor case jacked into its USB port, as we saw it in 2014.]

CrackSIM is not included by default on the Pwn Phone, because it is a fake program scripted by Elliot within the show's universe.

But Smith said there's research that suggests the capability of crackSIM, which broke the encryption on the SIM card, is plausible. Research presented by Karsten Nohl of Security Research Labs at Black Hat USA 2013 showed that an attacker who knew what a SIM's reply to an over-the-air (OTA) update message would look like could recover the card's 56-bit single-DES key, and did not even need physical access to the card to do it: the SIM answered a deliberately malformed OTA command with an error message carrying a cryptographic checksum computed under that key, and because the plaintext of the reply was predictable, a hard disk full of precomputed (rainbow) tables turned the key into a lookup that took minutes rather than a brute-force search. With the key in hand, the attacker could sign OTA commands of their own and install code on the SIM.

Even SIMs that use Triple DES sometimes fall back to single DES when the command they receive asks for it.
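The two paragraphs above describe a known-plaintext precomputation attack: if the message a device signs is predictable and the key space is small enough, the work can be done once, offline, and the live target is reduced to a table lookup. The following is an added example, not Nohl's code or anything from the article, showing that structure at toy scale. DES is not in Python's standard library, so the SIM's DES-based checksum is stood in for by a truncated HMAC-SHA256 (an assumption), the key space is cut from 56 bits to 16 so the full table fits in memory, and the "known response" text and the secret key are constructed for the demo.

```python
"""Known-plaintext key recovery with a precomputed table (toy scale).

Added example, not from the article or from Security Research Labs. The real
attack recovered a 56-bit DES key from a SIM's signed OTA error reply; here
sim_sign() is an HMAC-SHA256 stand-in for the DES checksum and the key space
is reduced so that the complete table can be built in a second or two.
"""
import hashlib
import hmac

KEY_BITS = 16          # toy; the real keys were 56-bit DES
DES_KEY_BITS = 56
TAG_LEN = 8            # DES-based checksums are 8 bytes

# Assumption: the SIM's reply to a badly signed OTA command is fixed and
# public, which hands the attacker the plaintext half of a known-plaintext pair.
KNOWN_RESPONSE = b"OTA-RP: 9000 bad signature"


def sim_sign(key, message):
    """Stand-in for the SIM's keyed checksum over an OTA message."""
    key_bytes = key.to_bytes(7, "big")      # 56-bit key field, mostly zero here
    return hmac.new(key_bytes, message, hashlib.sha256).digest()[:TAG_LEN]


def build_table(message=KNOWN_RESPONSE):
    """Precompute tag -> key for every key. Done once, offline, before any
    target is touched; this is the 'hard disk full of keys'."""
    return {sim_sign(k, message): k for k in range(1 << KEY_BITS)}


def recover_key(table, observed_tag):
    """The attack against the live SIM is a single dictionary lookup."""
    return table.get(observed_tag)


def full_des_table_bytes():
    """Why 56 bits matters: a plain table has 2**56 rows of (tag, key)."""
    return (1 << DES_KEY_BITS) * (TAG_LEN + 7)


if __name__ == "__main__":
    secret = 0xBEEF                         # constructed SIM key, unknown to the attacker
    table = build_table()
    tag_from_sim = sim_sign(secret, KNOWN_RESPONSE)   # what the SIM sends back
    found = recover_key(table, tag_from_sim)
    print(f"recovered key 0x{found:x}, matches secret: {found == secret}")
    # With the key the attacker can sign an OTA command of their own.
    forged = sim_sign(found, b"OTA-CMD: install applet")
    print("forged command tag:", forged.hex())
    print(f"a plain 56-bit table would need ~{full_des_table_bytes() / 2**50:.0f} PiB")
```

The last line is the reason the real attack used rainbow tables rather than a flat table: a 2^56-row dictionary is on the order of a thousand petabytes, while a rainbow table trades most of that storage for extra computation at lookup time. A 3DES key with three independent 56-bit halves is far outside either approach, which is why the single-DES fallback noted above matters.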

That is not how "Stingray" boxes, the cell-site simulators law enforcement uses to track phones and intercept calls, work: they impersonate a cell tower so the phone connects to them, rather than cracking the SIM. In any case, Elliot's hack took only seconds, and that is where, as Smith put it, the show took a bit of "dramatic license." Elliot also appears to clone the SIM card and then use the clone to intercept calls and listen in on his targets. In reality, a cloned SIM lets the attacker impersonate the victim and take control of the phone number; it does not let them listen in on calls to it.

That's precisely what happened earlier this year when someone took over Black Lives Matter activist DeRay McKesson's phone number and got access to his Twitter account and other accounts through password resets authenticated from the hijacked number. When asked how she would pull off the hack herself, Smith said the most likely route would be to exploit known weaknesses in SS7, the signaling network carriers use to route calls and texts between one another. An attacker with SS7 access could, knowing only the victim's phone number, have the network forward that number's calls and SMS messages through a proxy, allowing man-in-the-middle monitoring of both. (Black Hat, DEFCON, et al.: if you're listening, we're ready for next year's Mr. Robot panel.) Another real-world alternative requires proximity to the victim: using a femtocell to intercept the calls.

A hacked femtocell would allow direct monitoring of the call without having to crack the SIM, because the femtocell decrypts the radio traffic it receives in order to route it over the Internet. Regardless of the series' staff stretching the truth a tad, the fact that a cable television show goes to the trouble of featuring the Pwn Phone in the first place, and works with consultants and Pwnie Express to ensure the highest degree of realism possible, speaks volumes about Mr. Robot and about overall interest in modern-day infosec. Hopefully, the days of CSI: Cyber types are long behind us.

Note: Pwnie Express enjoyed its Mr. Robot experience so much that the company is promoting the unexpected publicity by giving away a Pwn Phone through a contest. Pwnie is also posting links to downloads that will let individuals turn their own Android devices into Pwn Phones. Hear more from the Pwnie Express team about their big cameo (and from one of the writers responsible for last week's episode, Lucy Teitler) on our latest Decrypted podcast.
Decrypted, Ep. 9: How do you write answers for Mr. Robot's big questions?
If you've ever hacked for a living -- wearing a white hat, I hope -- you probably can't stand the unrealistic light most shows and movies shine on hacking and hackers. On the big and small screens, supergenius hackers enjoy instantaneous success and always manage to stay one step ahead of the law. Typically they're portrayed in one of two ways: either they dress like refugees from a cyberpunk fashion show and have hot model girlfriends, or they're solitary fat guys juiced up on energy drinks hacking away in their trashed bedrooms. The dirty secret is that hacking tends to be tedious work -- not exactly Hollywood fare.

Yet Hollywood has worked its magic on the minds of the masses. Many times I've had friends get upset that I couldn't instantly crack their wireless network or Facebook account when they forgot their passwords. I've even seen newbies on a penetration testing team surprised that we don't immediately break into every server we come across without a little research first. In real life, hacking is 95 percent monotony and 5 percent excitement, where focused dedication is more than a virtue. It's almost the only trait that matters. So much for the reality-based community. Courtesy of Hollywood, here are the hacking misfires that bug me most.

1. Instant password guessing

Many if not most movies with hacking scenes show the protagonist under lethal pressure to crack the master password in less than a minute. A perfect example is 2001's "Swordfish," in which the villain played by John Travolta holds a gun to the head of the hacker, Stanley, played by Hugh Jackman. Stanley sweats bullets under threat, typing different passwords so fast it's obvious he can't be typing anything coherent at all. At the last second, after trying hundreds of different passwords, he pulls the right one out of thin air. Has any computer system in any movie ever locked out an attacker after a certain number of password tries?

In other hacker movies, the protagonist seems to guess the correct password right off the bat. The hacker looks around the office, sees a picture of the CEO playing golf, and somehow knows that "Titleist" is the password. While trying words associated with the victim's hobbies is a well-known guessing technique, I've never seen anyone get it right on the first pass. Real password guessing usually takes hundreds (if not hundreds of thousands) of attempts. If account lockout isn't enabled, hackers can use automated dictionary-hybrid programs to do all the guessing. Today, because most passwords are complex and run eight characters or more, manual guessing isn't very fruitful. In fact, most password "guessing" today is really password cracking. Cracking starts by capturing the password hashes (which takes superadmin access on the system that stores them), then using a brute-force or dictionary automation program to turn the hashes back into their plaintext equivalents. Or, to be truly modern about it, the passwords aren't guessed or cracked at all: in a pass-the-hash attack, the attackers use the captured hashes as they are, with no conversion necessary, to authenticate to other computers.

2. Cross-platform hacking

One of the most cringe-inducing moments of all time appeared in 1996's "Independence Day," when Jeff Goldblum's character writes a computer virus and uploads it into the mothership's computers, which brings down the shields and leads to the aliens' downfall. When I first saw that scene, I wondered: "Gee, did he use Cobol or C++?" It's ridiculous to think an alien race would use computer systems that could run our programs. Their systems wouldn't use the same character sets, language conversion tables, or built-in CPU instructions. In real life, most malware programs have a hard time running on different versions of the same operating system, much less on different operating systems or platforms. I've seen movies in which a hacker on a Unix computer writes code for a Microsoft Windows victim. While that can actually be done, it would be 99 percent wasted effort. Real malware writers code their creations on the same platform as the target system.

3. All systems are interconnected

Another incredibly unrealistic portrayal: one malware program or command manipulates dozens of disparate systems all at once. Sandra Bullock's nemesis in 1995's "The Net" provides a case in point. After spurning a would-be paramour turned murderer, Bullock's character suffers an attack that erases her online life (no mortgage record, no driver's license, no credit cards, no paycheck). The best part? Her antagonist does it with a couple of commands! He even erases all paper trails and backups, not to mention everyone's memory of her. It's laughable on many levels, not least in how interconnected the movie seems to think all these systems are. With minimal effort, dozens of unrelated systems are accessed and manipulated. In real life, you can't find a single environment where all such systems talk to each other that well. Go to any organization -- a government department, a corporation, a bank, a hospital -- and you'll invariably find a hodgepodge of systems that IT wishes could talk to each other seamlessly. In real life it takes months for a company to erase the trail of a single entity, and that's when they own the systems, have the passwords, and know what they're doing. If the bad guy really could do what he seems to do in "The Net," he could earn millions working for corporations. He would be a data god!

4. All information pops up instantly

When any information is requested, the "computer nerd" types in a single command, and the answer comes back in seconds. This seems to happen several times a week on crime shows. The protagonist will ask something like, "Where is the bad guy using his ATM card right now?" Ta-da, the screen immediately returns the exact address.
Or "How many murders were committed in the upper boroughs by a guy using a knife and wearing pink shorts?" Voila, the answer is 12. Contrast this with asking your own log management system how many logons Roger had today. You can easily wait two to three minutes for the answer -- with no guarantee the answer will be accurate.

5. Every program is a hacker's dream program

Almost every hacker movie shows a great, custom-made program with an incredible graphical UI perfect for whatever the hacker is doing. In real life, almost all the programs hackers use were created by someone else, are used by millions of other hackers, and have a horrible UI. You get a CLI and a set of commands that demand an unnatural amount of human memory to recall. The commands often wrap around from one line to the next. Fact is, you don't even need the most up-to-date program. Most successful hacks target vulnerabilities and exploits many years old. When I was a full-time penetration tester, I rarely broke in using a brand-new vulnerability. It was far more common to find a flaw from five to 10 years ago that had never been patched.

One show gets hacking right

You can always tell when a show cares about how it portrays hacking, but there's nothing quite like USA Network's "Mr. Robot." Although the protagonist is a supergenius -- who, yes, frequently enjoys instantaneous success -- every typed command or program is a real typed command or program. What he does could really happen, albeit with the normal Hollywood hyperbole. I remember when I saw the first few episodes. I was filled with glee to see all the realness. It proved that Hollywood could produce a hacker-driven drama using actual hacker commands and tools. Not only that, but the show is a wild success. I hope others follow the path blazed by "Mr. Robot." Think of those hardcore contingents of loyal, upscale fans! I'm not holding my breath, though. Reality always demands more tedious work than most people want to watch.
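The cracking workflow described under "Instant password guessing" above (capture the hashes, then let a dictionary-hybrid program do the guessing offline) looks like this in working form. It is an added example, not the author's code: unsalted SHA-1 stands in for whichever fast, unsalted hash an attacker has dumped (raw MD5, NTLM), and the word list, mangling rules and target hashes are constructed for the demo, with the "Titleist" guess from the article as one of the seeds.

```python
"""Dictionary-hybrid cracking of captured, unsalted password hashes.

Added example, not code from the article. Unsalted SHA-1 stands in for any
fast unsalted hash an attacker might dump (raw MD5, NTLM); the word list,
the mangling rules and the target hashes are constructed for the demo.
"""
import hashlib

# Constructed word list: words tied to the victim's hobby (the "Titleist"
# golf example) plus a few perennial favourites.
WORDLIST = ["titleist", "password", "golf", "welcome", "summer"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield candidates derived from one base word: the 'hybrid' rules that
    turn a guess like titleist into Titleist1 or T1tl31$t2016."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for base in sorted(bases):
        yield base
        for n in range(100):                # appended digits: Titleist7, golf42
            yield f"{base}{n}"
        for year in range(2010, 2018):      # appended years: Golf2016
            yield f"{base}{year}"
        yield f"{base}!"                    # trailing symbol to satisfy a policy


def fast_hash(pw):
    """The fast, unsalted hash being attacked."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every target recovered, candidates tried).

    Each candidate is hashed once and compared against every target at the
    same time; without a per-user salt, cracking a thousand hashes costs no
    more than cracking one.
    """
    remaining = set(target_hashes)
    found = {}
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            digest = fast_hash(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, attempts
    return found, attempts


# Constructed "dump": hashes as they might be pulled from a compromised database.
TARGETS = [fast_hash(p) for p in
           ("Titleist1", "P@$$w0rd", "Golf2016", "correct horse battery staple")]

if __name__ == "__main__":
    found, attempts = crack(TARGETS)
    for digest in TARGETS:
        print(digest[:12], found.get(digest, "<not cracked>"))
    print(f"{attempts} candidates hashed")
```

Three of the four constructed hashes fall in under three thousand guesses, which is the point the article makes about "complex" eight-character passwords: a capital letter, a trailing digit and some leet substitutions are exactly what the rules enumerate. The long passphrase survives because it is not a mangling of any dictionary word. A slow, salted hash such as bcrypt or PBKDF2 changes the economics by forcing one expensive computation per candidate per target, and a pass-the-hash attack sidesteps the whole exercise by never needing the plaintext at all.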
Well, Elliot turned out to be in an institution...of sorts. Why is he jailed? Is Tyrell really dead? What's with Angela being so mean to her dad? PCMaggers Chandra Steele, Victoria Song, and Eric Griffith chatted for half an hour (or a Sam Esmail-ish half hour) on Slack today about this week's Mr. Robot. Read on for our discussion. Matthew Buzzi, Rob Marvin, and Pete Haas will be back next week. Or else. If you're behind, see our chat about episode six.
If you're really behind, watch Mr. Robot season one on Amazon Prime.

Also check out Chandra's recent conversation with Carly Chaikin, who plays Darlene.

And check out Evan Dashevsky's chat with Kor Adana, the show's "technology producer" and a former hacker himself, in the video below.
Steele [10:32 AM] are you ready to robot?
Song [10:32 AM] yah, tho buzzi and rob are out
Steele [10:32 AM] Are they still doing the show?
Song [10:32 AM] no they just didn't watch last night
Buzzi [10:33 AM] I was up til 3 writing the No Man's Sky review, watching 2 episodes after was.... Not a good idea
Steele [10:33 AM] Buzzi knew I would not be in the office so he had no fear
No Man's Sky gets you a pass
Buzzi [10:33 AM] Otherwise I'd have broken kneecaps, Ray-style
Griffith [10:33 AM] I watched this morning, dutifully.
Steele [10:33 AM] Eric made great sacrifices, Buzzi
So the rest of us will commence speaking about the show...now
Griffith [10:34 AM] I got out of bed at 8am! Exhausting!
Steele [10:34 AM] Think of how early Elliot gets up in prison!
Griffith [10:34 AM] Prison? WHA???
Song [10:34 AM] Which, ding ding ding, not a mental hospital.
Griffith [10:34 AM] that was the big twist. not a hospital
Song [10:35 AM] Also, Ray...was the warden?
Steele [10:35 AM] Not a mental hospital but still an institution
Song [10:35 AM] Not an orderly?
Steele [10:35 AM] I assume the warden or a guard
Griffith [10:35 AM] No, I think Ray was a fellow inmate running a blackmarket
oh, or maybe a guard, yes.
Steele [10:35 AM] But he had an office
Griffith [10:35 AM] that makes more sense.
Steele [10:35 AM] And thought he'd help Elliot
What kind of help seems questionable
Griffith [10:36 AM] what matters most is Leon works for Whiterose.
In prison! guarding Elliot!
Song [10:36 AM] That whole reveal was questionable
Steele [10:36 AM] And the old "my dead wife was the one running the Silk Road" shtick
Song [10:36 AM] "I didn't look at what the site sold" "until you" questionable
Steele [10:36 AM] Everything about Ray is questionable
Including why he'd let himself get caught
And play chess when he's not that good
Griffith [10:36 AM] I think anything said, not just seen, in Elliot's story, is filtered
Song [10:37 AM] That might be mighty generous
Steele [10:37 AM] Yeah, even Elliot knows we're fed up with it
Song [10:37 AM] Ray was played up to be a Bad Dude, and he turned out to be a Sad Dude.
Steele [10:37 AM] With his monologue at the end
Griffith [10:37 AM] But he did great monologue deliveries.
I'll give him that.
Song [10:37 AM] Elliot always does monologues well
I just...the reveal that he was in prison was at least better than a mental hospital because it asks the question--well what did Elliot confess to or do to get there
Steele [10:38 AM] As far as monologues go, the one I least believe was the Mr. Robot one about Tyrell's death
Tyrell is not dead
Griffith [10:38 AM] Tyrell is shot. but not dead.
Steele [10:38 AM] Though his marriage is
Song [10:38 AM] He's not dead but he's sure getting a divorce
Ha. Yes.
Steele [10:38 AM] What does Joanna want?
Song [10:38 AM] Great minds.
Griffith [10:38 AM] Not sure you can get a divorce without both parties!
Song [10:38 AM] I'm sure she doesn't want to get doused with blood
Steele [10:38 AM] In New York it is now easier to get a divorce
Griffith [10:39 AM] As I well know! It wasn't easy when I did it! I think Tyrell might need to sign something.
Song [10:39 AM] True--if he's dead she doesn't need to file for divorce
Griffith [10:39 AM] That said... pretty sure everyone's got to be present/alive.
Steele [10:39 AM] But being dead might preclude it
Griffith [10:39 AM] if he's dead, she'd have to wait 7 years. (or maybe that's a thing only in the movies)
Steele [10:39 AM] I hope Joey Bada$$ remains alive
Ninja Joey Bada$$
Song [10:40 AM] Also the reveal that Elliot's mother is his prison guard
Steele [10:40 AM] Dark Army Joey Bada$$
That woman watches a lot of TV for a prison guard
Griffith [10:40 AM] They even went for the fake digital blood when Leon kicked the guy he'd stabbed, as if it was Walking Dead.
Song [10:40 AM] But overall—satisfied or dissatisfied with the prison reveal?
Steele [10:40 AM] Once the skinheads showed up I realized it was prison and not a mental institution
Song [10:40 AM] It's not like it was a twist since most saw it coming. does that make it better or worse?
Steele [10:41 AM] I was dissatisfied in a way
Griffith [10:41 AM] While it was no surprise at all, I was satisfied.
Because we all knew Elliot was lying. We've always known it.
Steele [10:41 AM] Maybe because we've been through this sort of reveal before
Song [10:41 AM] The other thing is, I don't get the sense this is the "Twist" of the season
Griffith [10:41 AM] Also, the way it was shot to reveal all the scenes--maybe Esmail is a better director than he is writer!
Steele [10:41 AM] For me the reveal that should be satisfying is how the Dark Army ties into things
Griffith [10:42 AM] And if Tyrell is doing ANYTHING
Like, does Whiterose have him?
Steele [10:42 AM] I am a strong believer in not directing your own work
I think Whiterose is sending Joanna the gifts
Song [10:42 AM] oooh.
Steele [10:42 AM] There is no reason behind my theory, I just feel like Tyrell is too pat an answer
Griffith [10:42 AM] Hooked up on life support, Tyrell is just barely alive enough to try and keep an eye on f Society for Whiterose. Like a Bond villain.
Steele [10:43 AM] And if not him, then Whiterose
Griffith [10:43 AM] speaking of F Society -- finally, there's a set of balls in Congress! (thanks, try the veal)
Song [10:43 AM] That was priceless
Steele [10:43 AM] Ah, so Tyrell as an agent of Dark Army
Song [10:43 AM] Boehner's face. Very Forrest Gump-ian
Steele [10:43 AM] How did they manage to drop that in?
Griffith [10:44 AM] Remember when Darlene sent that obsequious dude to DC? That was his op.
Steele [10:44 AM] Ohhhh
Griffith [10:44 AM] dunno how they pulled that off tho. without getting shot by... everyone.
Song [10:44 AM] Ahhhh
Steele [10:44 AM] Aw, poor dude
He probably can't code
Song [10:44 AM] Well I don't think that would get you shot though who knows
Steele [10:44 AM] He'd certainly get caught
Griffith [10:44 AM] being on the roof of the Capitol should get you shot.
Song [10:44 AM] I wanna talk about Angela though.
Steele [10:44 AM] Like Angela By Dom
Song [10:44 AM] great minds.
Steele [10:44 AM] Angela seems to have no end game or too many end games
Song [10:45 AM] I thought Dom was gonna do the thing where she's like, hinting that she knows without saying anything but then she outright threw it in Angela's face
Steele [10:45 AM] Sometimes Dom just says everything
Griffith [10:45 AM] At least we know she is NOT going to sleep with Pryce.
Steele [10:45 AM] Name, address, social security number, I think you brought down the economy, whatever
Song [10:45 AM] That was creepy.
Griffith [10:46 AM] Dom will take a break for a bad barbecue.
As would we all.
Steele [10:46 AM] They cannot do a scene where he does not sidle up to her
Griffith [10:46 AM] I thought Pryce was going for the kiss.
I really did.
Steele [10:46 AM] Dom needs to stop eating Dum Dums
Song [10:46 AM] But it's her "thing"
Griffith [10:46 AM] That's called "character!"
Song [10:46 AM] *eyeroll*
Steele [10:46 AM] I don't know if it's a character thing or is going to end up as a plot device
Griffith [10:46 AM] like Kojak had character
Steele [10:46 AM] Like she chokes to death on one or something
Song [10:46 AM] Oh I'd love it if her dum dum was a chekhov's gun
a hack is going on and she just throws the lollipop and it lands in elliot's ear
Griffith [10:47 AM] that's how she'll kill Whiterose. stick a lollipop on one of Whiterose's nice dresses
Steele [10:47 AM] I hope Sam Esmail is reading this
Song [10:47 AM] the ridiculousness of that would kill me
Steele [10:47 AM] Because this is the twist the season needs to end on
Griffith [10:47 AM] there is absolutely no way they wouldn't find the femtocell about 30 minutes after Dom left Angela, right?
Steele [10:47 AM] So Whiterose wants Dom alive, he wants Elliot alive
Song [10:47 AM] Gotta say Dom is shaping up to be one of my favorite things about this season.
Steele [10:48 AM] Will we see Dom and Elliot working together?
Griffith [10:48 AM] Next year, Whiterose will make Dom, Elliot, and barely alive Tyrell team up
Griffith [10:48 AM] to FIGHT CRIME
Steele [10:48 AM] In China
Spinoff
Song [10:48 AM] I dunno, they seem to be pulling a cat-and-mouse with Dom and Elliot
Griffith [10:48 AM] speaking of Dom and Elliot... why is Elliot in prison? for what crime?
Steele [10:48 AM] It can't be for killing Tyrell
And not for the hack
Song [10:49 AM] Remember a few episodes back? Darlene alludes that he put himself in there? I got the feeling that maybe Elliot confessed to something, but I don't know what
Griffith [10:49 AM] He turned himself in?
Steele [10:49 AM] Oh yeah
Maybe something with the drug dealer?
Song [10:49 AM] But if I think about it, I'm not sure if that's just a feeling I have or if it's corroborated
Griffith [10:49 AM] Can't be the hack or he wouldn't get visitors like Darlene and Angela, they'd be under intense investigation
Song [10:49 AM] Maybe something to do with Shayla
Griffith [10:50 AM] True. the dead girlfriend.
Steele [10:50 AM] And it has to be something that would be a pretty short sentence
Whiterose letter or not
Song [10:50 AM] Well I think his early release was predicated on getting Ray busted
Steele [10:50 AM] Ah
Griffith [10:50 AM] he's a model prisoner for that.
Song [10:51 AM] But it also outs him as someone who's unnaturally skilled at hacking and Dom is so on his tail
Steele [10:51 AM] Too bad Rob Marvin didn't watch last night because the whole Ecoin thing came up
Song [10:51 AM] if she gets to Angela, she gets to Elliot
Yeah I did think of Rob when the Ecoin thing popped up
Griffith [10:51 AM] That's another nice thing: more effects in the real world.
Blood thrown on the rich! burning garbage!
Song [10:51 AM] Also the newscasters! Endorsing E-Coin
Steele [10:51 AM] Literal garbage fires
Yeah, that was a breach of ethics, I thought
Why endorse a new currency from a corporation?
Griffith [10:52 AM] I'm sure the network was owned by E Corp. It wouldn't be "synergistic" if they didn't!
Song [10:52 AM] I kind of want more interaction between fsociety and the consequences of their actions, but I don't think it's going to come from Darlene
Now that Elliot's out, maybe he'll see more of what he's done up close and personal
Griffith [10:52 AM] Darlene stole a smart house so she could avoid the real world.
Steele [10:52 AM] We might soon be watching Breitbart TV in our Breitbart cabs and paying with Breitcoin, so yeah
Song [10:53 AM] nope.
Steele [10:53 AM] Where is the smart house woman? She was missing from the meeting
Song [10:53 AM] OH yeah
Steele [10:53 AM] Wasn't that her that they were looking for?
Song [10:53 AM] You'd think she'd be on customer service every day
Steele [10:53 AM] I could not remember her name
Song [10:53 AM] asking "why is my house not fixed yet"
Griffith [10:53 AM] Not sure. Will have to look that up.
She's the corporate lawyer, so likely.
Steele [10:53 AM] And maybe she'd show up to check on it
That meeting was Angela's worst
To show her hand like that
Like nobody knows what she's up to
Song [10:53 AM] Well, that and her meeting with Dad
Griffith [10:54 AM] Angela wants to change things from the inside. even if it means not being nice to her only relative. she kinda is a horrible person.
Song [10:54 AM] But you can't do it all on your own
Griffith [10:54 AM] there, I said it.
Big Disney-eyed Angela SUCKS.
Song [10:54 AM] I don't know if she's horrible or if she's honestly thinking she's doing the brave and right thing
aw I like Angela
Steele [10:54 AM] Maybe she turned bad when Elliot and Darlene made her watch the Careful Massacre of the Bourgeoisie
Griffith [10:55 AM] That would break any human
Song [10:55 AM] I don't think she's "bad"; I just think she believes she's doing what's right
Steele [10:55 AM] I watched it, so look out
Song [10:55 AM] and that's more dangerous lol
Steele [10:55 AM] Next week we can look forward to Elliot being in the real world again
Maybe
Song [10:55 AM] Well physically being in the real world
mentally?
Steele [10:55 AM] Never mentally
Song [10:55 AM]
slackbot [10:55 AM] ¯\_(ツ)_/¯
Steele [10:56 AM] I think I saw that guy in prison
Song [10:56 AM] Ha
Griffith [10:56 AM] BadA$$ gonna cut him.
Song [10:56 AM] Hope Joey BadA$$ gets out of prison too
Steele [10:56 AM] I think Joey Bada$$ put himself there and has already gotten himself out
Griffith [10:56 AM] I'm sure if Elliot gets out, so does Leon.
Song [10:57 AM] I wanna watch their buddy cop adventure
Steele [10:57 AM] So next week I assume we watch Dom at a barbecue for an hour
In real time
Griffith [10:57 AM] I would totally watch that!
Song [10:57 AM] She's so delightfully socially awkward that it would produce at least 5 gold star moments
Griffith [10:57 AM] I would just sit next to her for an hour, saying nothing. Watching her eat ribs.
Steele [10:57 AM] That's why she relies on the lollipop
Griffith [10:58 AM] I may have a crush. And I like ribs.
Song [10:58 AM]
Steele [10:58 AM] You just got married Eric
Song [10:58 AM] If you ignore the other two powerpuff girls, Blossom kinda looks like Dom and Mojo Jojo can be...uh...fsociety?
Griffith [10:59 AM] As a wise chess player probably once said, "Just because you're on a diet, doesn't mean you can't look at the menu."
Steele [10:59 AM] Song, go tell Buzzi that Elliot is dead and Tyrell killed him
Song [10:59 AM] Roger
Steele [10:59 AM] That is his punishment for not watching for two weeks
Song [10:59 AM] I'm so curious to see whether or not he'll come back with "this season is meh" or if the last two episodes, with the retro and the reveal, might bring him back into the fold
Steele [10:59 AM] He's going to love last week's episode and hate this one
Griffith [11:00 AM] This season is a lot of things -- hell, it's like watching 4 different tv shows sometimes--but not "meh"
Song [11:00 AM] He doesn't even know we're taking bets.
Steele [11:00 AM] We'll tell him next week
Song [11:00 AM] It's like we're...plotting.
While ethically murky, his approach shows that scammers aren't immune to their own tactics. Tech support scammers, who typically try to convince consumers that their computer is infected with malware and then sell them unnecessary security services to "clean" the PC, are not a new problem.

Everyone from Microsoft to the Federal Trade Commission has tried to fight them. But one enterprising programmer named Ivan Kwiatkowski came up with an unorthodox and questionably ethical idea to beat the scammers at their own game: he attempted to infect the tech support scammer's own computer with ransomware. After Kwiatkowski's parents stumbled on a tech support scam, he fixed their computer.

But just for fun, he saved the phone number provided on the scam web page, and called it to see what would happen.

That led to him setting up a remote connection with the scammer, using what appeared to be a legitimate tech support chat client. He was using an old Windows XP virtual machine, which the scammer quickly—and falsely—diagnosed as being infected with malware that only an expensive antivirus program could remove. "In the end, she reaches the following conclusion: my computer has been infected, and now it needs to be cleaned up," Kwiatkowski wrote on his blog. "I'm encouraged to buy either ANTI SPY or ANTI TROJAN, for the measly sum of $189.90." So he played along. He called back and read a second scammer a fake credit card number.

After the scammer tried multiple times to input the digits, Kwiatkowski sent a zip file containing a ransomware program masquerading as a photo of his credit card, suggesting that the scammer try to read it himself. "And while a background process quietly encrypts his files, we try paying a couple more times with those random CC numbers and he finally gives up, suggesting that I contact my bank and promising to call me back next Monday," Kwiatkowski wrote. It's unclear from Kwiatkowski's account whether the ransomware actually worked, and his tongue-in-cheek, ethically murky approach to getting back at tech support scammers won't make a dent in the overall industry. Still, in an era of increasing cyber crime, a real-life Mr. Robot like Kwiatkowski is at least a reminder that scammers themselves aren't immune from the nefarious tactics they employ to prey on unsuspecting computer users.
NEWS ANALYSIS: Amid the talk about the latest technology and research discoveries at Black Hat USA, it's clear that enterprises still aren't consistently implementing common sense cyber-security practices. LAS VEGAS—There was plenty of news at Black Hat USA last week about new cyber-threats, vulnerabilities and exploits.

The good news is that security technologies are more advanced than ever and researchers are getting better at spotting hacks and malware. The bad news is that most threats are preventable by following security 101 practices that require only basic common sense and preparation, advice which is often ignored, overlooked or deemed not cost-effective by executives.

Patching operating systems and applications, training your staff and employees to spot threats, and backing up your data will do more to protect your enterprise than the latest machine learning threat detection technology, experts here said. No security system can stop a phishing attack—which dupes users into clicking on links that deliver malicious code to their computers—if users continue to click on email attachments or web links without understanding the signs of a threat or the potential risks.

One company that is getting a lot of attention in this area is KnowBe4, a security awareness training company that is notable for its Chief Hacking Officer—former infamous hacker Kevin Mitnick—who is offering years of social engineering experience to help enterprises fend off phishing and ransomware attacks. "I've been involved with social engineering since I was 16," he said in an interview here. "I was mischievous but not malicious. The techniques that I used in the 1970s still work today. Back then it was the phone. Now it's email."

KnowBe4's team teaches people the "street craft of the bad guys" in order to inoculate them, Mitnick said. Then he trains IT staff members to create simulated phishing attacks on their own users in order to keep them on their toes and aware of possible threats.

Other types of vulnerabilities take a different kind of diligence: patching and updating business-critical applications.
In recent weeks Enterprise Resource Planning applications, including SAP and Oracle, have been singled out as especially vulnerable, mainly because keeping the systems patched is often beyond the time, budget and wherewithal of many organizations. In May the Department of Homeland Security issued a warning—the first of its kind—about security holes in SAP systems that the company had already patched; because the patches were never applied, users remain at risk.

Even the most mature organizations are just trying to keep up with security patches, said Juan Perez-Etchegoyen, CTO of SAP security consultancy Onapsis. "Security is a big pain point for customers," he said, as they often decide to wait for a major upgrade to fix an issue, rather than try a patch and risk breaking proprietary customizations. "No two SAP installations are alike," he said.

All this said, no enterprise network will be completely secure if top-level management does not buy in to security and make it a priority.

This issue is coming to a head with ransomware.

An increasing number of businesses, especially in health care and financial services, are being hit by hackers who encrypt files and then demand payment for the keys to unlock them. According to new research released this week by Malwarebytes, which conducted the study with Osterman Research, 80 percent of organizations have been hit with a cyber-attack in the past year and about 50 percent have been hit with a ransomware attack.

Malwarebytes CEO Marcin Kleczynski said ransomware is not just for individual victims any more. "It has evolved into a wild fire on the business side," he said, adding that the type of schemes dramatized on the TV show "Mr. Robot" are not really fiction at all. In such cases, it's often easier for businesses to pay the ransom rather than try to remediate the situation themselves or take more preventative measures in the first place—which does nothing to stem the tide of more ransomware attacks.

In most ransomware cases, the ransom currency of choice is Bitcoin, which takes time to obtain if a victim is not prepared. So, increasingly, savvy chief security officers are starting to keep a funded Bitcoin wallet available for such occurrences. "User training is still the most effective solution," Kleczynski said.

Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget.

Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.
Black Hat is a gathering of security researchers, hackers, and industry that meets in Las Vegas to do three things: outline the latest threats, show how the good guys and the bad guys can be defeated, and launch attacks on the attendees. This year saw ...