Senior Research Analyst Zack Allen and Chief Technology Officer Chris Cullison will present original research, conducted with Dr. Avi Rubin of Johns Hopkins University, at ShmooCon 2015. The presentation, “Mascots, March Madness & #yogapants: Hacking Goes to College,” is the culmination of several months of social media penetration testing on American universities, carried out with the help of Avi Rubin’s Security and Privacy in Computing class.
Professor Rubin gave his students an interesting assignment: conduct red-blue, social media-based penetration tests on American universities. Students were tasked with constructing an attack plan, a defense plan and a “cover-your-tracks” plan. Hashtags, fake coffee shops, racy direct messages and yoga pants were just some of the strategies used to lead victims on social media to an emulated attack landing page. Afterwards, students defended their university’s social media presence from other teams carrying out their plans. Lastly, they employed concealment techniques to remove attack evidence.
The teams switched attack and defense phases after a four-week period. They catalogued their actions with a standardized syslog for analysis, and we calculated the number of clicks each team generated based on the university IP range. The talk focuses on the results of this project and outlines some of our favorite write-ups, names, strategies and novel project constructions. An unexpected event also occurred: the students had a moral objection to some of the strategies attackers use on social media and refused to perform these attacks unless we gave them an alternative. We review the ethics of these exercises and present the lessons learned from our discussions with the class.