Mascots, March Madness & #yogapants: Hacking Goes to College

Presented at ShmooCon XI (2015), Jan. 18, 2015, 11 a.m. (60 minutes).

Professor Rubin gave his students an interesting assignment: conduct red-blue social media based penetration tests on American universities. Students were tasked with constructing an attack plan, a defense plan and a "cover-your-tracks" plan. Hashtags, fake coffee shops, racy direct messages and yoga pants were just some of the strategies used to lead victims on social media to an emulated attack landing page. Afterwards, students defended their university's social media presence from other teams carrying out their plans. Lastly, they employed concealment techniques to remove attack evidence. The teams switched attack and defense phases after a four-week period. They catalogued their actions with a standardized syslog for analysis, and we calculated the number of clicks each team generated based on the University IP range. The talk focuses on the results of this project, and it outlines some of our favorite write-ups, names, strategies and novel project constructions. An unexpected event also occurred - the students had a moral objection to some of the strategies attackers use on social media and refused to perform these attacks unless we gave them an alternative. We review the ethics of these exercises and present lessons learned based on our discussions with the class.

Presenters:

  • Chris Cullison
    Chris Cullison and Zack Allen of ZeroFOX and Dr. Rubin of Johns Hopkins University work together to help defend the social media aspect of an organization's security posture. Dr. Rubin advises as well as provides his graduate class to help test, verify and push the boundaries of social media-based attacks and defenses. This group has worked with industry, academia and government, spoken at conferences and been published in academic journals. With the help of the brilliant minds of students at Johns Hopkins University, they test the boundaries of security with a focus on this new attack vector.
  • Zack Allen
  • Avi Rubin
