Hackad (2021–…): Season 1, Episode 2 - Kan man hacka en stad? - full transcript
Sweden is very computerized.
This creates attack surfaces.
The threat is real.
Not much resources are put into
security as would need to.
SVT has hired four professional
hackers attack individuals–
and companies, to show how vulnerable
we are in our connected society.
The basic functions of society are
constantly attacked–
And the results can be catastrophic.
Can our hackers access
an important company?
We have received a mission,
so we'll run through it.
It's Helsingborgshem.
They have just moved to new
premises with "max security".
A brand new building,
nice lobby and everything like that.
Helsingborgshem has
1/5 of all residents in Helsingborg.
Businesses, health centers, schools
- in addition to ordinary flats.
It's a large part of Helsingborg.
They have asked us to test
the security of the building.
We have to get inside
and place a computer.
I've already been there.
They have good access systems,
so you need cards, possibly code.
There's tall glass doors
which closes tightly–
-So it won't be easy
to accompany someone inside.
I have checked the entrances. We
need to get in via the main entrance.
- During Covid, this becomes hard.
- It will be a challenge.
Richard is the IT-manager
and security manager at the company.
We have agreed to this
because we want to test ourselves.
That is a crucial issue and it is
very important to address it.
If we can help others see
the importance, then it's great.
The mission is
to enter the head office -
and place a computer.
Via the computer we can infiltrate
the network and take over:
The register where protected
info about the tenants is available–
And housing queue. Can they
manipulate the system–
-And put themselves first in line?
For me, it's interesting
to see how they do it–
-Because we have not informed
staff that this is underway.
No one, except me,
knows what we are doing.
I think "social engineering" -
part will succeed.
But I do not think
the network attack will succeed.
Social manipulation,
or "social engineering", means-
- that a hacker exploits someones
strong instinct to be social.
We'll send an email to the reception
which says-
- that the consultant needs
access to a conference room.
It will look like it came from
the manager to trick the reception.
Linus has registered a domain that
is identical to Helsingborgshems.
"L" is replaced by a capital "i".
It's impossible to see if the mail
comes from the real IT-manager.
15 minutes before David arrives at
the reception we will send the email.
They won't have time to call people and
double check, it should be hectic.
-Let's press "send".
-Yes.
–11.32 it was sent.
-Here we go.
If David enters a conference room,
he can place a minicomputer there.
Then it can call out
to our server.
One of the most common ways today
is via social engineering.
You look for a person - it
can be the receptionist, or support.
Both functions are there to
help visitors and customers adjust.
Nor can they question
everything.
They need to learn to see through,
be suspicious and think:
"Is this really true?"
Hey! My name is David. I was
contacted by Richard Mauritsson.
With a tool bag,
or delivery or whatever–
-You often come in
in many places.
Welcome!
Once inside,
then you are inside the shell.
And inside
anything can happen.
I'm going to call him.
He has sent an email and
has booked a conference room for me.
He said he had contacted you. You
should have an email.
He has cc:ed me.
A larger company in Sweden
discovered by chance
- they had a server
that was not theirs.
That you can trick your way
in via "social engineering" .....
One manipulates, says
that you have an important errand –
- it happens all the time.
He said to me
that he would be busy today.
I can't talk about it,
but there has been an incident.
The issue is
that it's internal –
-So everyone may not
have been informed.
I can't really tell you.
So I get it, I was woken up
this morning too. Hope you understand.
She looks at the email, at me–
- then they close the door
and start talking to each other.
"Now I'm fucked, now I'm done."
The receptionist called me,
who was a little unsure about a man–
-Who wanted a conference room. She
wondered, "Should I let him inside?"
Because I had not sent
an email I also became suspicious.
I did not know if it was SVT.
It could be a confused consultant.
- You'll have to call Richard.
-Perfect. I'm calling from here?
I'm taking one last chance.
If she's just listening to my tone
that I am nervous or insecure–
- She'll throw me out. I say, "Hey!,
it's David. I'm here. "
She doesn't know Richard's reply.
I'm a colleague
of Linus Kvarnhammar.
Our receptionist was exemplary.
She was insecure and contacted me.
I am very happy and very proud of
that our staff has that insight.
Thanks.
It was "game over",
we were "busted".
She called Richard immediately.
He did not answer.
She called, called, then he picked up.
Shame. That's how it is.
It feels like
a huge failure.
To have planned something so well,
the adrenaline pumps ...
And we didn't succeed.
Their new office feels
thought out and hard to access.
They have thought about the
physical security.
We had to regroup, me and Linus,
and think differently.
When we were going to the new building,
there were two addresses.
The new address, and an old one.
Helsingborgshem has two.
We have been to one.
The other is at on Drottninggatan
out by the bathing area.
Then we saw that it existed
another office that may be alive.
- We'll go there then.
I'm lost.
We'll see when we arrive.
this rundown building.
Lights are off, it's dark.
It said that the office has moved.
- They're at Drottninghög.
-They have moved? Thanks.
It seemed totally dead,
initially.
-No wireless networks?
-We checked if there was wifi.
Yes, here. One unprotected network.
I find an open network
called Helsingborgshem–
And a closed one called Hbghem.
Here's a lot of stuff.
When we sit there and hack,
we see a person enter the building.
It wasn't totally dead then.
So maybe it's possible to get in.
A person is coming.
It only takes a minute. It looks
as if someone is entering the building.
So I went with her. She looked
who I was and walked in a door.
- Did you see if she went up or down?
-She went into a room here.
We Swedes are SO afraid of conflict.
We glance a little.
"But what if someone is new?"
We dare not say, "What are you doing here?"
It's something you have to do.
If you see someone you don't recognize,
ask.
Wait a minute, another car is coming.
Can you shut yourself in?
-Where are you now?
-I'm in a storeroom.
The so-called caretaker
is probably on his way in now–
- so be quiet and hope
that that person goes upstairs.
Don't move.
The person enters ... now.
I was looking for a place
to plug our minicomputer into.
There were empty offices,
some with handbags.
So I took one of the most empty,
crawled down on the floor–
-Plugged it in
and the network cable–
- and waited for a light to come on
that shows there is network traffic.
No, I'm not getting a link.
Anticlimax. Could they have closed
the network here?
But then it hit me
that there was a reception.
And there was network equipment there.
"What if those outlets are active?"
There I connected the small computer.
And the light began to shine.
"we could be done now. But I want to
get it confirmed from the outside. "
I'm inside Helsingborgshem.
Can you open your laptop quickly?
I have no way
to verify that it works.
I just want to check that it has
connected and then escape.
Then I hear voices outside.
A meeting room has been emptied of people who
are standing outside.
And I have Jesper on the phone,
to check if the computer is alive.
People outside are standing and talking.
I have not locked the toilet door -
-So someone might open and go inside.
and I'm standing there with a phone.
Jesper says: "Boom, looking
really good. We are indeed in. "
"Found a domain controller.
Good. We're really in. "
Yes!
We are on the right network.
You have to try to get out now.
He can 't be there anymore, so he
decides to play it super cool.
He flushes the toilet,
opens the door and just walks out.
Opened and went out as if I belonged
there. Turned my back to the people.
I don't even know if they saw me.
When I noticed
that no one followed -
- was a really good feeling.
Now we have a wonderful time of hacking
on the internal network in front of us.
Attacks on companies
with important functions–
-Can have serious consequences.
One afternoon in February the
sodium hydroxide levels rose at the
-waterworks in Oldsmar
in Florida, USA.
Hackers had gotten into the
system that controlled the plant.
A discharge of sodium lye
in the water–
- could have led to
catastrophic consequences.
Luckily an employee had the
situation under control
-And lowered the levels again.
In May, long queues formed at
gas stations on the east coast of USA.
The oil company Colonial's pipeline–
-Had been taken over by hackers
which stopped oil supplies.
And in September last year
a patient died
-When the hospital in Düsseldorf had
been attacked by hackers–
- which made it impossible to
receive patients.
An ambulance had to drive
to a hospital in Wuppertal.
But when it arrived, it was
too late. The patient had died.
These are just a few examples
on cyberattacks–
- against important societal functions.
- Here come the hackers!
- This is Jinny.
Jinny joined for the first time
physically. Awesome.
She's an awesome hacker.
It's going to be great.
- We have to go through everything.
-What's our goal?
- We'll divide our tasks.
- A wonderful, disorganized atmosphere.
You and I, Jesper,
start mapping up the network.
Linus, you'll look at AD.
-David tried to organize the chaos.
-I'll look at host discovery.
Jesper just wants to go in and attack everything
and hack, super eager.
Let's not be too hasty
and think that we ...
False "assumptions"
can lead us into a "rabbit hole".
Then we started letting loose
in four different ways.
You had a list. A combo list,
or what have you found?
-You found it with leaked passwords.
-Yes, but I haven't tried them.
Often when you start a test like this
on a larger network -
-It's pretty chaotic. It's
nice to be able to work unstructured.
They use Telia
as an ISP at least.
Do you have the port scan results?
It's on Dropbox,
in the recon folder.
Our mini-computer tricks computers
to connect to us instead.
You can trick them to send secrets -
-Which you can crack
if the password is bad.
Install wireguard tools,
then you get a daemon
-Oh, what's this?
-That's a ...
Take user once.
Rava, then.
This feels very PLC.
Careful now.
We tricked a computer to give us a secret
which we cracked pretty quickly.
Now you're toast, Richard! Soon.
Now, cracked.
No - Administrator!
Kerberoast is up and running.
It took a few seconds–
- then we got a hit
on the Administrator account.
The administrator has access
to all machines on a network.
There is a group of such users
at all companies.
I'm testing the password
against the domain controller.
If it is green, the password works.
If it's yellow, then we're domain admin
and own the entire network.
–Boom!
-Yes!.
It was a "game over scenario".
That was
their domain administrator account.
So this user was
the key to the kingdom.
- The housing queue is ours.
-I'm in the queue, can we promote ...
-Yes of course.
-I have already registered.
18.40, then it's "game over time".
Here's a list of all accounts
in the entire organization - 850.
And here we have hashed
secret, encrypted passwords.
To get them in plain text, we need
guess at immense speed.
I'm going to do that with a script.
Now it will start working like crazy.
Then we will get
a file called "cracked".
There we get a lot of passwords in clear
text, which will grow over time.
Now it's been a few minutes.
We have cracked 78 passwords.
"Gris1234" (Pig1234).
"Vinter21" (Winter21).
Shall we run a bett on how many
contains summer and year?
The most common passwords contain
"summer" or "winter" and year.
These are all intercoms
and all codes for all properties.
- Inside this system?
-Yes.
So what code do you want,
to which house?
If you want,
then you enter Helsingborgshem.
I'm almost sure
that they have gotten in.
As an IT-manager, I have to
make it as hard as possible-
-So that the attacker
might choose another target.
After a bit of sleep and a lot of adrenaline
we would present our findings.
- Can we come in?
–Absolutely.
We had bought flowers
to the receptionist–
-Who did a good job,
because we were thrown out.
I am interested,
regardless of the result.
It can give me an answer that means
that I can put a new strategy -
- regardless of whether you succeed
or fail.
So we got to enter this fort-
- which we did not manage to break into,
at least not physically.
We had an envelope to show
poor Richard.
Exciting.
An envelope with a password that
we cracked. 120, I think it was.
The last page
is perhaps the most interesting.
Really interesting.
On the last page, were the admin accounts.
Six passwords that we cracked.
He got to see
a lot of passwords in plain text.
It may be surprising
how bad some are.
Passwords are easy to crack.
It doesn't matter where you work.
People should remember
their password.
You try to find
a password that works.
He gets a few pages with usernames
and passwords you don't want.
The password quality
maybe wasn't fantastic.
The first thing that many think of
When discuss IT is technology.
"We have to get this, and that,
computers and technology. "
While in fact it's
knowledge, consciousness–
Rules and guidelines, which are important.
It's 80 percent consciousness,
knowledge, guidelines and routines -
And 20 percent technology.
We'll change password policy -
- where we won't change passwords
so often, and require longer passwords.
Hopefully we can get people
to use better passwords.
He was looking for his own name
in the list of cracked passwords -
-But we haven't cracked it,
so it's a compliment to him.
To find your own password there,
would not have been great.
Then I'd have to rethink.
But it didn't end there. We showed
him what one can accomplish.
If you look at this,
do you recognize this?
I think it's
one of our phase 2 servers.
-What is that?
-Our real estate system.
It's our customer register
and our housing queue.
- Do you think we got it?
-Yes, because you have the interface up.
It was like a small joke.
As we established access,
Linus was already a customer.
But he did not have many points
in the housing queue.
Now we could actually give Linus
1337 points–
-But we held back.
So now we have reached
our goals.
Their mission was
to enter the network.
And then access the customer register
and manipulate the housing queue.
The hackers never succeeded physically
to enter the head office -
-But via an old office
they got the access.
The hackers needed less than four
hours to take over the network.
They managed to get the customer register
and manipulate the housing queue.
The way your hackers
entered the housing company–
-Will work
in over 90 percent of cases.
There is no company in the world
which one can not get into.
If these really skilled people
want to get in, they will.
They have done this in less than
48 hours, and even less than that.
of course you are impressed
of how quietly they have done this.
We had all the power to do
what we wanted. That's pretty serious.
The Coop food chain had to close almost
all its 800 stores in the country.
- Crime has moved online.
- It's up. Yes, we have contact!
Yes!
We're going to stop somewhere. It feels
as if I have done something bad.
This is extremely serious.
Subtitles: Anders Kaage
Swedish Media Text for SVT
This creates attack surfaces.
The threat is real.
Not much resources are put into
security as would need to.
SVT has hired four professional
hackers attack individuals–
and companies, to show how vulnerable
we are in our connected society.
The basic functions of society are
constantly attacked–
And the results can be catastrophic.
Can our hackers access
an important company?
We have received a mission,
so we'll run through it.
It's Helsingborgshem.
They have just moved to new
premises with "max security".
A brand new building,
nice lobby and everything like that.
Helsingborgshem has
1/5 of all residents in Helsingborg.
Businesses, health centers, schools
- in addition to ordinary flats.
It's a large part of Helsingborg.
They have asked us to test
the security of the building.
We have to get inside
and place a computer.
I've already been there.
They have good access systems,
so you need cards, possibly code.
There's tall glass doors
which closes tightly–
-So it won't be easy
to accompany someone inside.
I have checked the entrances. We
need to get in via the main entrance.
- During Covid, this becomes hard.
- It will be a challenge.
Richard is the IT-manager
and security manager at the company.
We have agreed to this
because we want to test ourselves.
That is a crucial issue and it is
very important to address it.
If we can help others see
the importance, then it's great.
The mission is
to enter the head office -
and place a computer.
Via the computer we can infiltrate
the network and take over:
The register where protected
info about the tenants is available–
And housing queue. Can they
manipulate the system–
-And put themselves first in line?
For me, it's interesting
to see how they do it–
-Because we have not informed
staff that this is underway.
No one, except me,
knows what we are doing.
I think "social engineering" -
part will succeed.
But I do not think
the network attack will succeed.
Social manipulation,
or "social engineering", means-
- that a hacker exploits someones
strong instinct to be social.
We'll send an email to the reception
which says-
- that the consultant needs
access to a conference room.
It will look like it came from
the manager to trick the reception.
Linus has registered a domain that
is identical to Helsingborgshems.
"L" is replaced by a capital "i".
It's impossible to see if the mail
comes from the real IT-manager.
15 minutes before David arrives at
the reception we will send the email.
They won't have time to call people and
double check, it should be hectic.
-Let's press "send".
-Yes.
–11.32 it was sent.
-Here we go.
If David enters a conference room,
he can place a minicomputer there.
Then it can call out
to our server.
One of the most common ways today
is via social engineering.
You look for a person - it
can be the receptionist, or support.
Both functions are there to
help visitors and customers adjust.
Nor can they question
everything.
They need to learn to see through,
be suspicious and think:
"Is this really true?"
Hey! My name is David. I was
contacted by Richard Mauritsson.
With a tool bag,
or delivery or whatever–
-You often come in
in many places.
Welcome!
Once inside,
then you are inside the shell.
And inside
anything can happen.
I'm going to call him.
He has sent an email and
has booked a conference room for me.
He said he had contacted you. You
should have an email.
He has cc:ed me.
A larger company in Sweden
discovered by chance
- they had a server
that was not theirs.
That you can trick your way
in via "social engineering" .....
One manipulates, says
that you have an important errand –
- it happens all the time.
He said to me
that he would be busy today.
I can't talk about it,
but there has been an incident.
The issue is
that it's internal –
-So everyone may not
have been informed.
I can't really tell you.
So I get it, I was woken up
this morning too. Hope you understand.
She looks at the email, at me–
- then they close the door
and start talking to each other.
"Now I'm fucked, now I'm done."
The receptionist called me,
who was a little unsure about a man–
-Who wanted a conference room. She
wondered, "Should I let him inside?"
Because I had not sent
an email I also became suspicious.
I did not know if it was SVT.
It could be a confused consultant.
- You'll have to call Richard.
-Perfect. I'm calling from here?
I'm taking one last chance.
If she's just listening to my tone
that I am nervous or insecure–
- She'll throw me out. I say, "Hey!,
it's David. I'm here. "
She doesn't know Richard's reply.
I'm a colleague
of Linus Kvarnhammar.
Our receptionist was exemplary.
She was insecure and contacted me.
I am very happy and very proud of
that our staff has that insight.
Thanks.
It was "game over",
we were "busted".
She called Richard immediately.
He did not answer.
She called, called, then he picked up.
Shame. That's how it is.
It feels like
a huge failure.
To have planned something so well,
the adrenaline pumps ...
And we didn't succeed.
Their new office feels
thought out and hard to access.
They have thought about the
physical security.
We had to regroup, me and Linus,
and think differently.
When we were going to the new building,
there were two addresses.
The new address, and an old one.
Helsingborgshem has two.
We have been to one.
The other is at on Drottninggatan
out by the bathing area.
Then we saw that it existed
another office that may be alive.
- We'll go there then.
I'm lost.
We'll see when we arrive.
this rundown building.
Lights are off, it's dark.
It said that the office has moved.
- They're at Drottninghög.
-They have moved? Thanks.
It seemed totally dead,
initially.
-No wireless networks?
-We checked if there was wifi.
Yes, here. One unprotected network.
I find an open network
called Helsingborgshem–
And a closed one called Hbghem.
Here's a lot of stuff.
When we sit there and hack,
we see a person enter the building.
It wasn't totally dead then.
So maybe it's possible to get in.
A person is coming.
It only takes a minute. It looks
as if someone is entering the building.
So I went with her. She looked
who I was and walked in a door.
- Did you see if she went up or down?
-She went into a room here.
We Swedes are SO afraid of conflict.
We glance a little.
"But what if someone is new?"
We dare not say, "What are you doing here?"
It's something you have to do.
If you see someone you don't recognize,
ask.
Wait a minute, another car is coming.
Can you shut yourself in?
-Where are you now?
-I'm in a storeroom.
The so-called caretaker
is probably on his way in now–
- so be quiet and hope
that that person goes upstairs.
Don't move.
The person enters ... now.
I was looking for a place
to plug our minicomputer into.
There were empty offices,
some with handbags.
So I took one of the most empty,
crawled down on the floor–
-Plugged it in
and the network cable–
- and waited for a light to come on
that shows there is network traffic.
No, I'm not getting a link.
Anticlimax. Could they have closed
the network here?
But then it hit me
that there was a reception.
And there was network equipment there.
"What if those outlets are active?"
There I connected the small computer.
And the light began to shine.
"we could be done now. But I want to
get it confirmed from the outside. "
I'm inside Helsingborgshem.
Can you open your laptop quickly?
I have no way
to verify that it works.
I just want to check that it has
connected and then escape.
Then I hear voices outside.
A meeting room has been emptied of people who
are standing outside.
And I have Jesper on the phone,
to check if the computer is alive.
People outside are standing and talking.
I have not locked the toilet door -
-So someone might open and go inside.
and I'm standing there with a phone.
Jesper says: "Boom, looking
really good. We are indeed in. "
"Found a domain controller.
Good. We're really in. "
Yes!
We are on the right network.
You have to try to get out now.
He can 't be there anymore, so he
decides to play it super cool.
He flushes the toilet,
opens the door and just walks out.
Opened and went out as if I belonged
there. Turned my back to the people.
I don't even know if they saw me.
When I noticed
that no one followed -
- was a really good feeling.
Now we have a wonderful time of hacking
on the internal network in front of us.
Attacks on companies
with important functions–
-Can have serious consequences.
One afternoon in February the
sodium hydroxide levels rose at the
-waterworks in Oldsmar
in Florida, USA.
Hackers had gotten into the
system that controlled the plant.
A discharge of sodium lye
in the water–
- could have led to
catastrophic consequences.
Luckily an employee had the
situation under control
-And lowered the levels again.
In May, long queues formed at
gas stations on the east coast of USA.
The oil company Colonial's pipeline–
-Had been taken over by hackers
which stopped oil supplies.
And in September last year
a patient died
-When the hospital in Düsseldorf had
been attacked by hackers–
- which made it impossible to
receive patients.
An ambulance had to drive
to a hospital in Wuppertal.
But when it arrived, it was
too late. The patient had died.
These are just a few examples
on cyberattacks–
- against important societal functions.
- Here come the hackers!
- This is Jinny.
Jinny joined for the first time
physically. Awesome.
She's an awesome hacker.
It's going to be great.
- We have to go through everything.
-What's our goal?
- We'll divide our tasks.
- A wonderful, disorganized atmosphere.
You and I, Jesper,
start mapping up the network.
Linus, you'll look at AD.
-David tried to organize the chaos.
-I'll look at host discovery.
Jesper just wants to go in and attack everything
and hack, super eager.
Let's not be too hasty
and think that we ...
False "assumptions"
can lead us into a "rabbit hole".
Then we started letting loose
in four different ways.
You had a list. A combo list,
or what have you found?
-You found it with leaked passwords.
-Yes, but I haven't tried them.
Often when you start a test like this
on a larger network -
-It's pretty chaotic. It's
nice to be able to work unstructured.
They use Telia
as an ISP at least.
Do you have the port scan results?
It's on Dropbox,
in the recon folder.
Our mini-computer tricks computers
to connect to us instead.
You can trick them to send secrets -
-Which you can crack
if the password is bad.
Install wireguard tools,
then you get a daemon
-Oh, what's this?
-That's a ...
Take user once.
Rava, then.
This feels very PLC.
Careful now.
We tricked a computer to give us a secret
which we cracked pretty quickly.
Now you're toast, Richard! Soon.
Now, cracked.
No - Administrator!
Kerberoast is up and running.
It took a few seconds–
- then we got a hit
on the Administrator account.
The administrator has access
to all machines on a network.
There is a group of such users
at all companies.
I'm testing the password
against the domain controller.
If it is green, the password works.
If it's yellow, then we're domain admin
and own the entire network.
–Boom!
-Yes!.
It was a "game over scenario".
That was
their domain administrator account.
So this user was
the key to the kingdom.
- The housing queue is ours.
-I'm in the queue, can we promote ...
-Yes of course.
-I have already registered.
18.40, then it's "game over time".
Here's a list of all accounts
in the entire organization - 850.
And here we have hashed
secret, encrypted passwords.
To get them in plain text, we need
guess at immense speed.
I'm going to do that with a script.
Now it will start working like crazy.
Then we will get
a file called "cracked".
There we get a lot of passwords in clear
text, which will grow over time.
Now it's been a few minutes.
We have cracked 78 passwords.
"Gris1234" (Pig1234).
"Vinter21" (Winter21).
Shall we run a bett on how many
contains summer and year?
The most common passwords contain
"summer" or "winter" and year.
These are all intercoms
and all codes for all properties.
- Inside this system?
-Yes.
So what code do you want,
to which house?
If you want,
then you enter Helsingborgshem.
I'm almost sure
that they have gotten in.
As an IT-manager, I have to
make it as hard as possible-
-So that the attacker
might choose another target.
After a bit of sleep and a lot of adrenaline
we would present our findings.
- Can we come in?
–Absolutely.
We had bought flowers
to the receptionist–
-Who did a good job,
because we were thrown out.
I am interested,
regardless of the result.
It can give me an answer that means
that I can put a new strategy -
- regardless of whether you succeed
or fail.
So we got to enter this fort-
- which we did not manage to break into,
at least not physically.
We had an envelope to show
poor Richard.
Exciting.
An envelope with a password that
we cracked. 120, I think it was.
The last page
is perhaps the most interesting.
Really interesting.
On the last page, were the admin accounts.
Six passwords that we cracked.
He got to see
a lot of passwords in plain text.
It may be surprising
how bad some are.
Passwords are easy to crack.
It doesn't matter where you work.
People should remember
their password.
You try to find
a password that works.
He gets a few pages with usernames
and passwords you don't want.
The password quality
maybe wasn't fantastic.
The first thing that many think of
When discuss IT is technology.
"We have to get this, and that,
computers and technology. "
While in fact it's
knowledge, consciousness–
Rules and guidelines, which are important.
It's 80 percent consciousness,
knowledge, guidelines and routines -
And 20 percent technology.
We'll change password policy -
- where we won't change passwords
so often, and require longer passwords.
Hopefully we can get people
to use better passwords.
He was looking for his own name
in the list of cracked passwords -
-But we haven't cracked it,
so it's a compliment to him.
To find your own password there,
would not have been great.
Then I'd have to rethink.
But it didn't end there. We showed
him what one can accomplish.
If you look at this,
do you recognize this?
I think it's
one of our phase 2 servers.
-What is that?
-Our real estate system.
It's our customer register
and our housing queue.
- Do you think we got it?
-Yes, because you have the interface up.
It was like a small joke.
As we established access,
Linus was already a customer.
But he did not have many points
in the housing queue.
Now we could actually give Linus
1337 points–
-But we held back.
So now we have reached
our goals.
Their mission was
to enter the network.
And then access the customer register
and manipulate the housing queue.
The hackers never succeeded physically
to enter the head office -
-But via an old office
they got the access.
The hackers needed less than four
hours to take over the network.
They managed to get the customer register
and manipulate the housing queue.
The way your hackers
entered the housing company–
-Will work
in over 90 percent of cases.
There is no company in the world
which one can not get into.
If these really skilled people
want to get in, they will.
They have done this in less than
48 hours, and even less than that.
of course you are impressed
of how quietly they have done this.
We had all the power to do
what we wanted. That's pretty serious.
The Coop food chain had to close almost
all its 800 stores in the country.
- Crime has moved online.
- It's up. Yes, we have contact!
Yes!
We're going to stop somewhere. It feels
as if I have done something bad.
This is extremely serious.
Subtitles: Anders Kaage
Swedish Media Text for SVT