As someone who works in the cyber security industry, I hear a lot of delusions: “I’m not a target.” “My CISO knows what he’s doing.” “Phishing only works on idiots.” “It doesn’t matter what my password is, I’m the only one who knows it.” “What can a hacker do with my password? I work in accounting.” We are all really smart in retrospect. We think that it will never happen to us, so we cut corners, adding multi-factor authentication to critical systems and keeping single-factor authentication for the rest. This is a terrible idea. Since the myriad technical articles out there explaining why haven’t seemed to sway people, I’m going to try a new approach. Let’s look at one of the greatest episodes of Rick and Morty, “The Rickshank Rickdemption” (if you haven’t seen it yet, STOP everything and watch it), and use it as a teachable animated moment for why it is well past time to ramp up your security efforts.

In the episode, Rick gets captured, gets himself released, and destroys the Galactic Federation all using privilege escalation – in a very similar way to hackers:

1) Employ Phishing site and malware – The Galactic Federation has Rick in a Series 9000 mind-controlling device, trying to trick Rick into revealing his formula for interdimensional travel. Rick creates a false memory and gives the Galactic Federation what they assume is the formula, which actually gives Rick access to control the Series 9000 – just like a hacker creating a false site to trick a visitor into thinking the site is legitimate.

2) Remote Access Trojan – Rick’s formula gives him control over the Series 9000. He transfers his mind into the mind of his captor, just like a remote access trojan, which leaves a backdoor open to a hacked system in order for the hacker to assume control.

3) Corporate Account Takeover (CATO) – Using his captor’s identity and body, Rick notes that the prison holds not only the galaxy’s most-wanted criminals but also its most sensitive data, and casually asks those around him for the Level 9 bathroom code, which they give him without a thought.

“Is it cool if I use the level-nine bathroom? W-W-What's the level-nine master access code again?”

By leveraging his current authorization, he gains access to an additional resource by asking to use the bathrooms on level 9. In the same way, hackers can execute a Corporate Account Takeover leading to vertical privilege escalation, starting with even a small, low-level entrée into an organization’s systems. The email password of a mailroom clerk can be used to send a phishing email to a sales rep asking them to enter their password for a package. The password of a sales rep can be used to phish their managers, and so on, all the way to the top. Lesson here: don’t give out the bathroom code, and don’t rely on vulnerable passwords!

4) Vertical Privilege Escalation – Rick encounters “Seal Team Rick,” assumes the identity of one of the officers, takes a ship, and flies to the Council of Ricks, his new authorized identity moving up the ladder. He then uses this new identity and the Series 9000 to take over a high-ranking official in the Council of Ricks, granting himself privileges usually reserved for higher-access users, including the teleportation room of the Council. It’s like I said: mailroom clerk to CEO in just a few little security hops.

5) Even More Privilege Escalation – Rick uses the privileges he got by assuming the identity of the high-ranking member to access the teleportation room, and then uses a design flaw to teleport the Council into the Galactic Federation facility. When a worker comments that it’s a restricted area because it can transport “the entire Citadel to somewhere else using only buttons and dials,” Rick rightly responds, “it's a bad idea to have it designed that way then, isn't it?”

6) The Breach – Rick has now created havoc in both the Galactic Federation and the Council of Ricks, and uses the diversion to access the mainframe of the Federation and make just one minor change, a 1 to a 0. Does it launch nukes? Does it obliterate their military? No, it makes the entire economy collapse, and the Federation along with it.

In other words, one fake email (Rick’s invented memory) led to one low-level access privilege (the bathroom code), which climbed and climbed until the entire economy collapsed. There are a lot of absurd things about Rick and Morty, but this episode is surprisingly true-to-life. Just look at the casino that was hacked into via a connected fish tank.

So, unless you want your citadel teleported away with you inside it, or your customer records stolen out from under you after a receptionist opens a malicious email link, you’ll take a hard look at all of your authentication protocols, stat.