
Friday, 21 July 2017

Cyber Security Summer School - Social Engineering

For the third year in a row there has been one very big cyber security event in Tallinn: the Cyber Security Summer School. This year's topic was Social Engineering (http://www.studyitin.ee/c3s2017). It took place between the 10th and the 14th of July: 5 full days of workshops and practical sessions, from 8 AM to 8 PM.


Somehow I managed to get myself in, which means something when you take into account that a maximum of 50 people were accepted and there were participants from 25 countries, including the USA, Australia, Morocco and all over Europe. The presenters had very different backgrounds and positions: people from the NSA (Louisiana), Cambridge (previously the Royal Navy, the Norwegian Armed Forces, NATO), Temple University in the States (Criminal Justice), the Netherlands Forensic Institute, CERT, the University of Applied Sciences Mittweida (Germany) and, of course, Estonia.

I cannot go into deep detail due to the confidentiality agreement we had to sign, but I will give you as much as possible. We don't want to, and even can't, damage or victimize anybody; this agreement was signed purely to protect people. Everybody deserves a chance at privacy.
We had sessions and practical work. People were randomly divided into teams, 8 teams in total, from A to H. Each team was assigned 2 mentors, one technical and one more soft-skills oriented. And then the game was on. The organizers made a deal with one company which we could start hacking, and we wrote a report on it for each day. Imagine: you have basically 50 people, all taking part in a cyber security event, who will target your organization and find out all of its social vulnerabilities.


The employees of this company had no clue what was starting to happen. The company for our exercise was not picked randomly; the summer school organizers had done a lot of pre-work to keep it all ethical and legal. Contracts were signed between that company, the summer school and ourselves. CERT was also informed, and tons of discussions were held with the Ministry of Justice. It is illegal to hack somebody, please do not engage in those activities. This was purely educational: not training to become a cyber terrorist, but training in how to build our systems stronger and better, how to fight back against unethical hackers, how to discover them and make their lives harder.


We got 5 different big missions.
  1. OSINT - open-source intelligence, meant for passive data gathering: no personal contact with anybody, finding out the company structure, who is on vacation, who does what and when, and also finding potential holes and confidential documents on the web. Every piece of information is useful when you start planning your attack. This mission was very thrilling and interesting; there are so many tools available online for this, and Kali Linux is useful too. I cannot disclose the tools which we learnt and how to use them, but the web is full of them.
  2. The second mission wasn't directly related to the target company, but it was still relevant: we had to social engineer one person away from their laptop with a roleplay. It was done publicly inside the classroom and the laptop owner played along; then we needed to get data off that laptop: specific files, folders and crypto keys. The time window was 10 minutes. All that was needed was to prepare a random PDF, image or some other file type which looks legit when you open it but is laced with malware, so that if it is run we have a shell on their computer. Voila, we can do whatever we want. The target we used for that exercise was a fully patched Windows 8 machine.
  3. Creating a fake persona. Well, this one is simple, isn't it? But what if you have about 4 days to set it up and the aim is to get as many friends as possible and have comments, likes, etc.? You need to start from the beginning: where this person was born, parents, sisters, brothers, etc. A huge amount of work, and you need to make it look as legit as possible.
  4. We had a mission not to get caught by shoulder surfers while shoulder surfing others ourselves. Minus and plus points were given depending on whether you were photographed or you were the photographer. From here we got some extra missions as well: for example, once we had a screenshot of an organizer's Taxify ride, they asked us to social engineer the hotel and the room number out of the hotel. Hotels cannot disclose that information without being given the name and the room number together, but we still managed to get it within 30 minutes.
  5. We needed to map out profiles of all the mentors who were there. A huge amount of research work.


We also had extra assignments. With missions 1 and 2 we learned some skills, and then we were allowed to register fake domains related to the company we targeted, send legit-looking e-mails from them and spear phish 2 persons from that company. Each team had its own targets. With proper research you will most likely get anybody.
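The defensive side of that fake-domain exercise is a mail-gateway check that asks whether a sender's domain is the company's, a typosquat of it, or the brand name buried inside somebody else's domain. The script below is an added example, not code from the summer school or from this post; the company domain, the sender addresses, the homoglyph table and the TLD list are all hypothetical.

```python
"""Lookalike-domain triage for inbound mail.

Added example, not code from the summer school or the original post.
The company domain, sender addresses, homoglyph table and TLD list are
hypothetical; extend them for a real deployment.
"""

# Character swaps that look alike in common fonts (assumed list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "m": "rn", "w": "vv"}
# TLDs an attacker would plausibly register the same name under (assumed).
SWAP_TLDS = ("com", "net", "org", "co")


def candidate_domains(domain):
    """Generate the typosquat set an attacker would pick from for `domain`."""
    name, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                          # omission: exmple-corp
        names.add(name[:i] + name[i] + name[i:])                     # repetition: exaample-corp
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: examlpe-corp
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            names.add(name.replace(src, dst))                        # homoglyph: exarnple-corp
    for i in range(1, len(name)):
        names.add(name[:i] + "-" + name[i:])                         # added hyphen: ex-ample-corp
    names.add(name.replace("-", ""))                                 # dropped hyphen: examplecorp
    names.discard(name)
    tlds = {tld, *SWAP_TLDS}
    return ({f"{n}.{t}" for n in names for t in tlds}
            | {f"{name}.{t}" for t in SWAP_TLDS if t != tld})        # TLD swap: example-corp.com


def classify_sender(address, legit_domain, candidates):
    """Verdict for one From: address against the real company domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    legit_name = legit_domain.rpartition(".")[0]
    if domain == legit_domain:
        return "legitimate"
    if domain in candidates:
        return "lookalike"
    # Brand used as one label of an unrelated domain: example-corp.ee.secure-login.test
    if legit_name in domain.split("."):
        return "brand-in-subdomain"
    return "unrelated"


def triage(addresses, legit_domain):
    """Map every sender address to a verdict; candidates are generated once."""
    candidates = candidate_domains(legit_domain)
    return {addr: classify_sender(addr, legit_domain, candidates) for addr in addresses}


# Constructed sample: the "company" and the senders are made up for this example.
LEGIT_DOMAIN = "example-corp.ee"
SAMPLE_SENDERS = [
    "hr@example-corp.ee",
    "it-support@exarnple-corp.ee",
    "ceo@example-corp.com",
    "payroll@examplecorp.ee",
    "invoice@example-corp.ee.secure-login.test",
    "newsletter@unrelated.test",
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS, LEGIT_DOMAIN).items():
        print(f"{verdict:18} {addr}")
```

The same candidate set is what you would feed to a DNS or certificate-transparency watch to spot a lookalike the moment somebody registers it, before the first phishing mail arrives.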

I wish I could disclose more information, but my hands are tied. There are 2 movie suggestions which are very relevant to all this:



Beware, nothing is 100% secure, everything can be hacked, even you. Make sure that you have a plan for how to get back up and running once it happens. It is not a question of whether, it will happen. Locate the attack, isolate it, do not let it spread. It might be your phone, laptop, IoT device, your best friend or YOU.


And again: the summer school had full permission to host this kind of event in order to raise awareness of the dangers and problems of social engineering.




Be Safe,



Taivo
from team G-spot 
impossible to find

Monday, 15 May 2017

School - I026:- Book review - Be Fast or Be Gone: Racing the Clock with Critical Chain Project Management by Andreas Scherer.

It describes a man who goes to work at a new company and starts implementing the Critical Chain project management methodology. The book is written as a novel and is quite good reading.

Just a few words, as I wouldn't like to spoil the reading experience of the 234 pages.

It starts with the reason why one man, who had successfully used the Critical Chain methodology at his previous company, changed companies and needed to implement it at a pharmaceutical company.

At the beginning there is a test project which shows what this method can do, and then the process of implementing it throughout the whole company. It includes complex relationships with management and workers, and a lot of interesting twists and turns.

The book has good examples of how to communicate delays and how to make very clear, visible reports of the projects.

One interesting part, on page 138, which I would like to share; the rest of the story you can get by reading the book.

“What you need is the relay race mentality we’ve been encouraging in the <Project> team. We were able to substantially beat the previous timelines, because we relentlessly worked on the tasks on the Critical Chain with high priority and focus. We constantly looked for ways to regain lost ground. This has to be the mindset on all of our projects. If it is, you’ll win. It’s that simple.”


Amazon shop link: https://www.amazon.com/Be-Fast-Gone-Management-ebook/dp/B004THZ9VK

School - I026: XIV - Pick one company's code of ethics and analyze it in the blog

This piece of writing is related to I026. This session concentrated on ethics and IT. It is actually quite fun to write on these different topics: have some guidelines, do some research, write your heart out. Hopefully there will be more posts coming in the future as well. I need to take on some challenges.

We had to pick one company and analyze its code of ethics. Since I have covered Tesla in many of my past posts here, let's go over their Code of Business Conduct and Ethics.

It has 14 sections, plus one for the CEO and senior financial officers and, of course, an introduction. The PDF is 4 pages in total, but it is also readable on their web page, no need to download the file.
I made a high-level summary of all those chapters below. The document goes into more detail, but everything is very clear.

Introduction

It is very specific: if you break the code, your contract with the company will be terminated, and if the code of ethics conflicts with the law, always follow the law.

1. Compliance with Laws, Rules and Regulations

The laws of the countries you operate in come first, and if needed, always ask for help. It is straightforward, and they come back to it repeatedly: the law is the most important topic.

2. Conflicts of Interest

Easy and simple: do not work for competitors, do not use your position in the company to gain benefits, avoid loans and other guarantees between employees. If you cannot fulfill your obligations to the company, notify your superior.

3. Insider Trading

Do not use confidential information for trading.

4. Corporate Opportunities

Do not use company property for personal gains.

5. Competition and Fair Dealing

Outperform competition with fairness and honesty, not by sabotage.

6. Discrimination and Harassment

They will not tolerate any illegal discrimination or harassment of any kind.

7. Health and Safety

Be safe, keep others safe.

8. Record-Keeping

Record your actual work hours and keep detailed records. Keep in mind that every e-mail, note and memo is a candidate for becoming public. Be honest.

9. Confidentiality

Keep confidential information confidential.

10. Protection and Proper Use of Company Assets

Company equipment should not be used for non-Company business, though incidental personal use may be permitted.

11. Payments to Government Personnel

Do not bribe.

12. Waivers of the Code of Business Conduct and Ethics

Any waivers of the code can be granted only by the Board of Directors.

13. Reporting any Illegal or Unethical Behavior

Always talk with your supervisors when you see something that shouldn't be tolerated.

14. Compliance Procedures

Ask first, act later. Do not be scared of asking and do it without fear. Anonymity will be protected if needed.


CODE OF ETHICS FOR CEO AND SENIOR FINANCIAL OFFICERS

This chapter basically describes the responsibilities of the CEO and senior financial officers. All those chapters are understandable, and it is basic ethics.

Conclusion

I feel that Tesla's code of ethics could easily be adopted by any company; it is more than reasonable, with nothing unnecessary, just basic ethics. Come to think of it, is it ethical that I wrote this post using my company's laptop? In the end my company will benefit once I have finished school, and even while I am in school. Something to think about, though. Since I also have the company's chat and e-mail client open and will not reject any email or chat, I am not so concerned.

Friday, 12 May 2017

School - I026: XIII - Security, pick one of the big security risks in IT and write a review of it - Internet of Things: Internet connected smart devices

This week's session was focused on security in IT. We needed to take one of the biggest risks in IT and describe it based on Mitnick's formula, which has 3 parts: technology, training and policy.

Internet of Things (IOT)

IoT is part of our everyday life and it will only grow; soon we will have sensors and smart devices everywhere. They are not smartphones or tablets, but can be a simple light switch, a teddy bear that receives and sends voice messages, a car that comes around the corner to pick you up, a mirror that tells you the temperature; the list is unlimited and it is only increasing. What about Mitnick's formula, how does it apply?

Technology

Special routers have been developed for IoT devices which move them to a segmented network, to ensure that a hacker cannot easily reach the computer network through the IoT network. Each home router should already have a firewall inside to keep out most of the attacks, which just scan ports and try to get in through an insecure open port. All IoT device access needs to be monitored, and alerts on suspicious activity need to be noticed. Always, when you use an IoT device, think of it as the weakest point of your computer network (humans don't count). Usually those devices are small chips with standard Bluetooth/wireless connection points and no additional security layer. Make sure that at least the Bluetooth/wireless passwords can be changed and no remote access is allowed. Basically it comes down to you, and your training and policy.

Training

There is not much training on IoT devices, but you can acquaint yourself with the biggest failures online. There are many good stories and summaries out there, like the one in Forbes about IoT bots, or how your coffee machine can ruin your life, or the TechRadar article on how the hack rate is growing. Just listen to security podcasts, read articles, and always think of this as the most insecure part of your network.


Policy

As I have stated twice already, the IoT device is the most insecure device in your network (now stated 3 times), so you can prevent a lot by:
  • Moving IoT devices to a segmented network. It would be even better to have dedicated networks for separate functions of IoT devices, based on what they can do.
  • Updating your firewall, and making sure that you log suspicious activity in the firewall.
  • Making sure that you can change the IoT connection passwords, and changing them often.
  • Reading about the product before you buy it; use these words in Google: "how to hack <device id/name>"
  • Always being on alert when it comes to IoT.
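Segmenting the IoT devices and logging in the firewall only pay off if somebody actually looks at the log. What to look for follows directly from the policy above: an IoT device should never initiate a connection into the trusted LAN, should only talk to the handful of cloud endpoints it needs, and should not walk through ports on anything. The script below is an added example, not from this post; it assumes a router that logs accepted connections as "src= dst= proto= dport=" (the sample lines are constructed, real syslog formats differ), and the subnets and per-device allowlist are hypothetical.

```python
"""Flag suspicious flows from an IoT network segment in router/firewall logs.

Added example, not from the original post. It assumes a router that logs
accepted connections as "src=... dst=... proto=... dport=..." (the sample
lines below are constructed); real syslog formats differ, so adapt LINE_RE.
The subnets and the per-device allowlist are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.20.0/24")  # assumed IoT segment
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed trusted LAN
# What each IoT device legitimately needs to reach (hypothetical values).
ALLOWED_EGRESS = {
    "192.168.20.11": {("203.0.113.10", 443)},   # light bridge -> vendor cloud
    "192.168.20.12": {("203.0.113.20", 8883)},  # talking teddy bear -> MQTT over TLS
}
SCAN_THRESHOLD = 3  # distinct ports from one src to one dst before we call it a scan

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None if it has no flow."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto, int(dport)


def classify(flow):
    """Return an alert label for a single flow, or None if it is expected."""
    src, dst, _proto, dport = flow
    if ipaddress.ip_address(src) not in IOT_NET:
        return None                      # only police traffic that starts in the IoT segment
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in LAN_NET:
        return "iot-to-lan"              # the segmentation boundary is being crossed
    if dst_ip in IOT_NET:
        return "iot-lateral"             # one IoT device talking to another
    if (dst, dport) not in ALLOWED_EGRESS.get(src, set()):
        return "unexpected-egress"       # unknown endpoint, telnet, a C2 server, etc.
    return None


def scan(lines):
    """Run every line through classify() and add a per-pair port-scan heuristic."""
    alerts = defaultdict(list)
    ports_seen = defaultdict(set)
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        label = classify(flow)
        if label:
            alerts[label].append(flow)
        if ipaddress.ip_address(flow[0]) in IOT_NET:
            ports_seen[(flow[0], flow[1])].add(flow[3])
    for (src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= SCAN_THRESHOLD:
            alerts["port-scan"].append((src, dst, sorted(ports)))
    return dict(alerts)


# Constructed log excerpt (not captured from a real router).
SAMPLE_LOG = """\
Jul 21 10:00:01 router kernel: ACCEPT src=192.168.20.11 dst=203.0.113.10 proto=TCP dport=443
Jul 21 10:00:05 router kernel: ACCEPT src=192.168.20.12 dst=203.0.113.20 proto=TCP dport=8883
Jul 21 10:00:09 router kernel: ACCEPT src=192.168.20.12 dst=192.168.10.5 proto=TCP dport=445
Jul 21 10:00:12 router kernel: ACCEPT src=192.168.20.11 dst=198.51.100.7 proto=TCP dport=23
Jul 21 10:00:15 router kernel: ACCEPT src=192.168.10.5 dst=192.168.20.11 proto=TCP dport=80
Jul 21 10:00:20 router kernel: ACCEPT src=192.168.20.12 dst=192.168.10.5 proto=TCP dport=22
Jul 21 10:00:21 router kernel: ACCEPT src=192.168.20.12 dst=192.168.10.5 proto=TCP dport=3389
""".splitlines()

if __name__ == "__main__":
    for label, items in scan(SAMPLE_LOG).items():
        print(label)
        for item in items:
            print("   ", item)
```

On the sample, the teddy bear's MQTT traffic passes, the light bridge reaching out on port 23 to an unknown host is flagged, the LAN-to-IoT connection is left alone (that direction is what the segmentation permits), and the three different ports the bear tries on the LAN host show up both as individual "iot-to-lan" hits and as one "port-scan" finding. The ideal end state is that the firewall drops these flows instead of merely logging them; the detection is the check that the drop rules actually hold.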


Friday, 5 May 2017

School - I026: XII - Different way of IT - Write a description of a modern accessibility tool which you have encountered.


This week's session specialized on accessibility software and hardware tools. We have to write a description of a modern accessibility tool which we have encountered.

I was thinking about different groups of people and different accessibility settings, and there are so many special tools and hardware made for them. There is no single solution that fits all and could be used across operating systems, phones, tablets, laptops/PCs and so on.
  
There will be one silver bullet, really soon, which will resolve all those issues and tools into one; most likely it will eliminate most of the input modules as well. Roughly speaking, it is called a "brain implant".

I've just heard about the most ambitious plans by Elon Musk; again he pops up in my blog. He calls it Neuralink. They want to enable this for brain-damaged persons in the first step, but it can be enabled for everybody. The area is very wide; job offerings include materials engineering, biomedical engineering, electrochemistry and so on. The product will be on the border of ethics, and how can it be ensured that nobody hacks your brain chip?

I think that the most important job here is to ensure full and transparent security for this product, preferably open sourced so that the community can see the code and fix whatever bugs are there. The initiative itself is perfect, though. Let's hook ourselves up with the chips and control stuff with our minds.

We can be real-life X-Men.

After the brain chip, the next step will be enabling exoskeletons. They are divided into 2 types, active and passive. Which one is used depends on the person, and exoskeletons can be built for different purposes, depending on the needs of the person.

There you have it: basically 2 technologies which, used back to back, can resolve most of the disability problems people have. The brain chip may also help with brain computing power.


  •  Eyesight: if we already have the brain chip and exoskeletons, plug in an artificial eye and vision.
  •  Hearing: a microphone, no magic here.
  •  Voice: speakers are already present.
  •  Missing limbs: get an artificial one.


Starting from the brain chip we are basically fighting disabilities, and eventually "normal" people will remove their human limitations too, like not being able to fly or see through walls, with the brain chip and the technologies listed above.



Monday, 24 April 2017

School - I026: XI - Bring one positive and one negative example of usability in web.


This lesson focused on people and computer communication, ergonomics and usability.

Jakob Nielsen mapped down definition of usability and it is defined by 5 components:
Learnability
Efficiency
Memorability
Errors
Satisfaction

I am analyzing two different newspaper web pages against the same component, Satisfaction.

The BAD Example

Postimees Web - http://www.postimees.ee/

First, when I open the web page I get a notification about cookies. I guess it is standard nowadays; it is a one-time click on the "I Understood" button. I instantly get 11 cookies in my browser, all for either the www.postimees.ee or the .postimees.ee domain. The first seven are not host-only, none of them have the Secure flag, and none of them are session cookies that die when the browser is closed. All the cookies expire far in the future: only one is set to expire today, the others range from at least one year up to ten years. This makes me very sceptical and cautious about what they are trying to track from my browser activity and my movements. They should at least introduce session-based cookies.

The web page keeps sending ping requests to Amazon Web Services and the Chartbeat analytics service, with different parameters that are hashed in some way. The ping returns a 1x1 tracking pixel of 43 B and is sent every 1.2 minutes. It seems Chartbeat uses Amazon Elasticsearch to store the metrics and then generates audience graphs from those parameters.

It also tries to access https://secure.pmo.ee/api/me/, but that always returns an error if you are not logged in: 401 (Unauthorized).

If we move on to the web page itself, it is full of ads. On the main page there are right now 3 different ads:
 * in the background
 * in the footer
 * on the left side

The footer ad at the bottom is really annoying: it is a sticky div whose style keeps updating as you scroll.

I was assuming that when I log in, those ads and trackers would be removed, but they still remain. I would expect that when I pay them some money I get an ad-free environment, but I only get some paid articles, and I am not very sure about the quality of those articles.

Conclusion: the only way to use Postimees.ee with any satisfaction is to use AdBlock and uBlock.



The Good (not perfect) Example

The Sun Web - https://www.thesun.co.uk/
Same story here, the standard cookie policy check. There are 15 cookies on this web page, of which 5 are session-only cookies, 4 are host-only and the rest are available to other sites (subdomains) as well. 3 cookies expire with the session and the rest mostly have a maximum age of 2 years.
Tracking parameters are being sent to www.parsely.com every 1 minute and 2 seconds, again as a 43 B pixel like on Postimees.ee. It is similar to Chartbeat, most likely the same kind of functionality from a different provider.

One resource is not found https://tpc.googlesyndication.com/simgad/6337765394029551775.

As for the website layout, it is a bit better: it only has one ad, at the top of the page, which is targeted to my location, most likely by IP address. This website has focused more on images than on headlines to catch attention, but I already like it better than Postimees.ee due to the amount of "spam" the latter displays to me.

After I created an account and logged in, my user experience didn't change. I looked for a place to pay but couldn't find one, so I guess they actually live off the ads, and it is not as abusive as Postimees.ee; I could even live with that.
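The cookie counts in both reviews above (how many are session-only, how many are host-only, how many carry the Secure flag, how far in the future they expire) can be produced from the raw Set-Cookie headers instead of by clicking through the browser's cookie inspector. The script below is an added example, not from this post; the four headers it audits are constructed for illustration, not captured from either newspaper site, and the audit date is taken to be the date of this post.

```python
"""Audit Set-Cookie headers the way the post counts cookies by hand:
how many are session-scoped, host-only and Secure, and which ones
persist for over a year or lack the usual protection flags.

Added example, not from the original post. The headers below are
constructed, not captured from either newspaper site.
"""
import email.utils
from datetime import datetime, timezone

ONE_YEAR = 365 * 24 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name/value plus the attributes we audit."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "samesite": None, "domain": None,
              "max_age": None, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val or None
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()  # Domain set => sent to all subdomains
        elif key == "max-age":
            cookie["max_age"] = int(val)
        elif key == "expires":
            cookie["expires"] = email.utils.parsedate_to_datetime(val)
    return cookie


def lifetime_seconds(cookie, now):
    """Seconds until expiry; Max-Age wins over Expires (RFC 6265); None means session cookie."""
    if cookie["max_age"] is not None:
        return max(cookie["max_age"], 0)
    if cookie["expires"] is not None:
        return max(int((cookie["expires"] - now).total_seconds()), 0)
    return None


def audit(headers, now, over_https=True):
    """Return (summary counts, [(cookie name, [issues])]) for a list of Set-Cookie values."""
    summary = {"total": 0, "session": 0, "host_only": 0, "secure": 0}
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        life = lifetime_seconds(c, now)
        issues = []
        summary["total"] += 1
        if life is None:
            summary["session"] += 1
        elif life > ONE_YEAR:
            issues.append(f"persists {life // 86400} days")
        if c["domain"] is None:
            summary["host_only"] += 1
        else:
            issues.append(f"shared with all of *.{c['domain']}")
        if c["secure"]:
            summary["secure"] += 1
        elif over_https:
            issues.append("no Secure flag (sent over plain HTTP too)")
        if not c["httponly"]:
            issues.append("no HttpOnly (readable by page scripts)")
        if c["samesite"] is None:
            issues.append("no SameSite (sent on cross-site requests)")
        if issues:
            findings.append((c["name"], issues))
    return summary, findings


# Constructed sample, audited as of the date of this post.
REFERENCE_TIME = datetime(2017, 4, 24, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "visitor=9f8e; Domain=.example-news.test; Path=/; Max-Age=315360000",
    "consent=1; Path=/; Expires=Wed, 24 Apr 2019 00:00:00 GMT",
    "ab_test=B; Domain=example-news.test; Path=/; Max-Age=86400",
]


def audit_sample():
    return audit(SAMPLE_HEADERS, REFERENCE_TIME)


if __name__ == "__main__":
    summary, findings = audit_sample()
    print(summary)
    for name, issues in findings:
        print(name, "->", "; ".join(issues))
```

The headers come from the response as the browser's developer tools or a curl -i run show them; the audit only needs the Set-Cookie values, so a saved HAR file works as input too. A session cookie that is Secure, HttpOnly and SameSite comes out clean, while a ten-year visitor cookie shared with every subdomain collects the same complaints the review above made by hand.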



Do you know any online newspaper which is focused on news? I would be willing to subscribe if I get an ad free environment.

Friday, 21 April 2017

School - I026: X - Take one project and analyze it's software and business model

This topic is actually a very abstract one, and it had me thinking about which company's or project's business and development model I would take.

I've always been interested in Elon Musk as well as Richard Branson, but this time, instead of Virgin, I decided to take Tesla.

They are focused on different areas of electricity, like electric cars, lithium-ion battery storage and residential solar panels. Leonardo DiCaprio talked with Elon Musk in Tesla's Gigafactory and there was a phrase that you need 100 Gigafactories to power the entire world with sustainable energy. So actually I was interested in their business and software development model.

If I go to their homepage and look at the job ads, we see 22 teams. I then googled their careers sub-page for methodology keywords: Chaos, Spiral, V-model and Prince2 gave no match, and the keywords that did match are the ones in the table below. I didn't go through the whole list of methodologies, assuming the rest would not give any match either.

They have today (21.04.2017) 2480 job ads, and if we divide them by department we get the following result:

Department          Count
Communications          4
Design                 14
Energy Products        51
Engineering           322
Facilities             28
Finance                92
Gigafactory            73
HR                     68
IT                     76
Legal                  13
Manufacturing         200
Marketing              45
Production             14
Quality                17
Retail Development     13
Sales                 719
Service               638
Supply Chain           82
Workplace              11
Grand Total          2480
Now, if we compare the Google results with the jobs they have available, map them to a department and remove the false-positive results:

Position                                                     | Methodology (from Google) | Department
Staff Program Manager, Service Operations                    | agile                     | couldn't match Google result to available job
Senior Mechanical Design Engineer - Interior Systems         | agile                     | couldn't match Google result to available job
.Net Developer                                               | agile                     | IT
Mechanical Design Engineer - Closures Systems                | agile                     | Engineering
Sr. Engineer - Lighting Systems                              | agile                     | Engineering
Software Application Engineer                                | agile                     | Engineering
Senior Mechanical Design Engineer - Seating Systems          | agile                     | Engineering
Engineer - Interior Systems                                  | agile                     | Engineering
Sr. Performance & Scalability Test Engineer                  | agile                     | IT
Staff Program Manager, Service Operations                    | scrum                     | couldn't match Google result to available job
.Net Developer                                               | scrum                     | IT
Process Engineer, Gigafactory                                | lean                      | Gigafactory
Process Technician - Seat Manufacturing                      | lean                      | Manufacturing
Material Project Manager - Manufacturing Introduction Group  | lean                      | Manufacturing
Material Project Manager - Manufacturing Introduction Group  | lean                      | Manufacturing
Material Handler                                             | lean                      | Service
Engineer - Interior Systems                                  | lean                      | Engineering
Tool and Die Maker - Assembly/Tryout                         | lean                      | Manufacturing
Mechanical Design Engineer - Closures Systems                | lean                      | Engineering
EHS Manager - Factory Departments                            | lean                      | Manufacturing
Production Planner                                           | lean                      | Production
Engineering Applications Product Manager                     | critical path             | IT
Installation Project Manager - Supercharger                  | critical path             | couldn't match Google result to available job
Senior Mechanical Design Engineer - Battery Enclosure        | critical path             | Engineering
Tesla Supercharger Land Use and Permitting Specialist        | critical path             | Engineering
Material Project Manager - Manufacturing Introduction Group  | kanban                    | couldn't match Google result to available job
Production Planner                                           | kanban                    | Production

In summary it comes down to this: Tesla actually uses agile-style methodologies (agile, scrum, lean, kanban) at least in the Engineering, Gigafactory, IT, Manufacturing, Production and Service departments.

Department / Methodology                          Number
couldn't match Google result to available job
    agile                                              2
    critical path                                      1
    kanban                                             1
    scrum                                              1
    Total                                              5
Engineering
    agile                                              5
    critical path                                      2
    lean                                               2
    Total                                              9
Gigafactory
    lean                                               1
    Total                                              1
IT
    agile                                              2
    critical path                                      1
    scrum                                              1
    Total                                              4
Manufacturing
    lean                                               5
    Total                                              5
Production
    kanban                                             1
    lean                                               1
    Total                                              2
Service
    lean                                               1
    Total                                              1

Although these results are based only on Google searches, it seems that they are using a very agile methodology.

It also shows in their agile approach to the product: their cars pretty much get monthly upgrades with new features; they don't wait until the product is fully ready, but rather deliver and improve the customer experience every month. Porsche is also making an electric car to compete with Tesla, but Porsche's first car will come around 2020, and by that time it is way too late to compete in the electric car market against agile development models.
Tesla didn't make a cheap car; they sat down, thought about what they could do and how to do it fast, and built a high-end car which is able to get updates over your home WiFi and gain additional features. You put the hardware in, and activation can come over time; not everything must work from the start. Recently they activated self-driving capabilities: the sensors were already there, they just weren't activated.

This is an excellent example of an agile business model which has a high-level road-map planned, and roll-out takes place feature by feature. I would even say the high level is planned with a traditional method, split into iterations, and the iterations are handled with an agile model. A combination of many methodologies, which actually makes this a very rapid, fast and professional company that delivers.