For the third year in a row there has been one very big cyber security event in Tallinn – the Cyber Security Summer School. This year’s topic was related to Social Engineering (http://www.studyitin.ee/c3s2017). It took place between the 10th of July and the 14th of July – 5 full days of workshops and practical sessions, from 8 AM to 8 PM.
Somehow I managed to get myself in, and that is taking into account that there were participants from 25 countries, including the USA, Australia, Morocco and all over Europe, and a maximum of 50 people were accepted. The presenters had very different backgrounds and positions. There were people from NSA (Louisiana), Cambridge (previously worked in Royal Navy, Norwegian Armed Forces, NATO), Temple University in the States (Criminal Justice), Netherlands Forensic Institute, CERT, University of Applied Sciences Mittweida (Germany), and of course, Estonia.
Although I cannot go into deep detail due to the confidentiality agreement which we had to sign, I will give you as much as possible. We don't want to, and even can't, damage or victimize anybody, and this agreement was signed just to protect people. Everybody deserves a chance at privacy.
We had sessions and practical work. People were randomly divided into teams, and we had a total of 8 teams, from A to H. Each team was assigned 2 mentors, one technical and one more soft-skills oriented. And then the game was on. The organizers made a deal with one company, which we could start hacking, making reports on this each day. Imagine, you have basically 50 people who will target your organization and find out all its social vulnerabilities, and those people are all taking part in a cyber security event?
Employees of this company had no clue what had started to happen. The company for our exercise was not picked randomly; the summer school organizers had done a lot of pre-work to keep it all ethical and legal. Contracts were all signed between that company, the summer school and ourselves. The CERT was also informed, and tons of discussions were held with the Ministry of Justice. It is illegal to hack somebody; please do not engage in those activities. This was purely educational and not training to become a cyber terrorist, but training in how to build our systems stronger and better, to fight back against unethical hackers, to discover them and to make their life harder.
We got 5 different big missions.
- OSINT - Open-source intelligence, which was meant for passive data gathering: no personal contact with anybody, finding out the company structure, who is on vacation, who does what and when, and also finding potential holes and confidential documents on the web. Every piece of information is useful in order to start planning your attack. This mission was very thrilling and interesting; there are so many tools available online for this, and Kali Linux is also useful. I cannot disclose the tools which we learnt and how to use them, but the web is full of them.
- The second mission actually wasn’t directly related, but still relevant – we had to social engineer one person away from a laptop with roleplay. It was public inside the classroom and the laptop owner played along. Then we needed to get data off that laptop: specific files, folders, crypto keys. The time window was 10 minutes. All that was needed was to prepare a random PDF, image or some other type of file which looks legit when you look at it, but is jacked with malware, and if it is run then we have a shell on their computer. Voilà, we can do whatever we want. And we had a fully patched Windows 8 which we used for that exercise.
- Creating a fake persona – well, this one is simple, isn’t it? But what if you have only about 4 days to set it up, and the aim is to get as many friends as possible and have comments, likes, etc.? You need to start from the beginning. Where was this person born, who are the parents, sisters, brothers, etc. It is a huge amount of work and you need to make it look as legit as possible.
- We had a mission not to get caught by shoulder surfers, while you yourself wanted to shoulder surf others. Minus and plus points were given depending on whether you were photographed or you were the photographer. From here we had some extra missions as well; for example, if we had a screenshot of the organizers' Taxify, then they asked us to social engineer the hotel and the room number. Hotels cannot disclose that information without knowing the name and room together, but still we managed to get it within 30 minutes.
- We needed to map out profiles of all the mentors who were there. A huge amount of research work.
We also had extra assignments. With missions 1 and 2 we learned some skills, and then we were allowed to make fake domains related to the company which we targeted, and then send them legit e-mails and spear phish 2 persons from that company. Each team had their own persons. With proper research you can most likely get anybody.
I wish I could disclose more information but my hands are tied. There are 2 movie suggestions which are very relevant to all this:
- The Net (1995) – Old movie, but more true today than 22 years ago.
- The Circle (2017) – Most likely a future of our privacy.
And again - the summer school had full permission to host this kind of event in order to raise awareness of the dangers and problems of social engineering.
Be Safe,
Taivo
from team G-spot
impossible to find