The Attack

I’m a college student studying abroad at the University of Pennsylvania, studying a mixture of CS, Physics and Music. This semester I decided to take a course CIS551: Network and Computer Security, eager to learn about the field. This is the story of how as part of the course, I compromised the security of one of my fellow students through social engineering techniques.

For our final project, the class was divided up into two sets of teams, attack and defense. After half way through the project, defense and attack switched. The role of the defense teams was to construct a secure network chat client. In plain English, they had to write a piece of software that would allow two people to communicate over the internet without fear of wiretapping. The aim of the attack side was to disrupt or compromise their system.

For me the excitement came from the attack side. We had learned in class about ‘social engineering attacks’ as a powerful offensive security tool. The basic premise according to wiki is “the art of manipulating people into performing actions or divulging confidential information”. A trick of a con-man. This was a perfect opportunity for me to actually try putting such a technique into practice whilst still remaining well in the bounds of morality and legality. I asked for permission and was soon granted it. The eagle was a’ go.

Phase 1: Information Gathering

First we cross referenced the list of emails on the defense team against the Penn Directory Database. Once we gained full names and school, we cross referenced this against publicly available data using a combination data mining tools and lookups on social networks such as Facebook and LinkedIn. These were used to build profiles, including photos of potential targets. In our attack proposal we also listed social engineering to warn them of it.

Phase 2: Gaining Rapport/Trust

The next phase of the social engineering attack involved multiple steps. The plan was to place a mole outside the classroom in the engineering building posing as a recruiter from a prestigious company, offering summer internships! First up was obtaining a domain name and email address for use in the attack. We picked X (name redacted) to be the company we would replicate as they are known for being secretive and security focused. We thus registered Xrecruiting.com and had the address forward to X.com for authentic looks, while using emails registered to that domain for our purposes.

Next I waited around the engineering buildings looking for a junior administrative assistant or janitor and upon finding one, convinced them that he needed a Penn Lanyard urgently for his senior design presentation as he had forgotten his. He was soon granted a lanyard and next the team photoshopped a X badge with the face of our ‘recruiter’ (another Penn student) in order to simulate authenticity. We also printed advertising posters to place outside the classroom for further realism. We then placed our mole outside the 551 classroom dressed up in a X t-shirt (purchased online) with the fake badge, the posters, and a laptop set up with a survey. Our representative advertised summer internships in security. A number of students from the class fell for it and entered their information in the survey.

Next we gained further rapport by reaching out to the targets via email. First we initiated contact asking for basic details a resume etc:

“This is Joseph from X, we met earlier today. The team and I are very eager to find a candidate that fits our openings here. “

It wasn’t long before our target replied, eager to seize the opportunity:

“.please find attached herewith my resume for your kind perusal.I have fair bit of knowledge in Networks and Network Security.”

The game was on, he was falling for it! However, it was one thing to have his trust, but for us to actually use it in some way, we needed to push this further.

Phase 3: Exploitation

To exploit our position of power we had many options, some of which would be pushing the assignment over the edge. With this level of trust it would be feasible to gain access to information protecting online accounts, a very scary thought. However, we decided to go down a different route and instead convinced them of the need to review their source code for recruitment purposes. This allowed us to analyze their code for potential exploits.

“My team operates mainly on a Java codebase. Do you have any experience in the area? We’ll also get you to submit a few simple coding exercises and perhaps the code from a previous project to see if you’re a good fit.”

We exchanged a few more emails back and forth but it wasn’t really getting anywhere. I decided to press a little harder being relatively sure of his trust:

“.In looking into specifically which project you would be working on, it would also be good to know if you had any experience in crypto protocols and defensive infrastructure. In regards to this I have two questions. Firstly, is there a professor I could contact in regards to the syllabus and, secondly is there anything that matches this description that you have engaged in as far as you know. Could you possibly let me know feasible times in the next week for an interview? Also, are there any current projects in Java you are working for which a codebase is available for our engineers to review? Even a work in progress is fine. We’re really interested in seeing material and your personal projects from this course given the nature of the internship..”

Finally we struck gold! A few hours later the following appeared in my inbox:

“Please find attached herewith 2 java source code files. (server.java and client.java) These are for a basic chat system application. Further, me and my group would be adding some encryption techniques in it (I ll send you those once we start working on it and progress to some level)”

and later:

“Hi Joseph Please find attached herewith 2 java code files for a chat system with AES cryption. Thanks. Regards.”

In the final copy they submitted they had hard coded their AES key, this would be easier than I thought! However this wasn’t quite good enough. It would still be difficult to intercept their communication, much less read their messages.

Next I simulated a discussion between the professor and X granting access to the ‘recruiter’ to come visit the demo.

“I have some exciting news and a question for you. I have been informed by Professor X that the class has upcoming demos on attack/defense and focusing on network vulnerabilities. I have his permission and now I need yours, to come and watch you demo live..” “... Original Message ... Subject: Re: CIS551 Security Recruitment From: X <X@XXXXXXX> Date: Sun, April 21, 2013 11:41 am To: “[email protected]” <[email protected]> Hi Joseph I’d be happy to let you and your team come visit my students on Monday during Network Security demos they are undertaking using chat systems they have coded.”

The target replied with the affirmative, very eagerly inviting our recruiter in.

“Yes absolutely. You are most welcome. Its this Monday at 4pm in Engineering Building. Hope to see you there.” “My contact no. is REDACTED if you need any help with location or anything.”

Today being demo day, the stage was all set, and our fake recruiter was again in place. I had given her my new wifi enabled camera to stream a screencap of the enemies messages direct from their screen as they typed, to where my team was sitting a few meters away.

Throughout the demo my team acted as all the other attack teams had, using DDoS, ARP Poisoning and other standard network attacks, to try to compromise their server. However we really had a trump card. Both their encryption key and better yet, the plaintext of their messages.

After launching our usual slew of attacks on their code (most of which worked anyway), we closed the demo and went to meet the other team. When asked if we had any more attacks, I motioned to the recruiter to pass me the camera and as she handed it over, our opponents faces took on stunned looks. It took a good few minutes to convince them of the depth of our attack. Successfully executing this was such an amazing feeling.

I’ve not yet received my grade for the course, but I feel that more than anything this was a fantastic learning experience before I head out soon to look for a position in industry or for higher study.

Postscriptum: I received the following email from the poor guy to whom all this happened. Here's an excerpt:

"Hey Shaanan

I have to admit your Social Engineering attack was just tooooooo gooooood.

Certain things may seem random in nature and unconnected but when put together, start making sense, I should have put all these together...

But it wasn't supposed to be !!!

This might sound funny, but I am happy I was a part of it (an eye opener for me !!!)

Best of luck for all your future endeavors."

 

 

I’ve linked below the email log with names and emails redacted for the perusal of my readers with permission of the opposing team. It’s quite the read. Enjoy.

Begin email log!

 

Hi TARGET,
This is Joseph from X, we met earlier today. The team and I are very eager to find a candidate that fits for our openings here and were wondering if you'd be able to send over a resume so we can better evaluate your candidacy.
If we decide to go ahead, you'll receive another email from us in the next day describing how we'll move forward with the process.

Additionally if you could expand on in your reply the details of any significant work you have done or are doing in the security field. We are interested in class projects and or external research you have undertaken. Code samples are of particular interest as they allow us to gain an insight into your skills. Thus, if you have a github or equivalent with a code base we can look at, feel free to send it through with your resume.

Best,
Joseph

-----
Junior Recruiter at X Technologies
Security Division

Hi Joseph

Please find attached herewith my resume for your kind perusal.

I have fair bit of knowledge in Networks and Network Security. I am looking for a profile with Networking and Data Analytics work. I am not really into coding although I know programming in C and C++.

Thanks.
Regards.

 

Thanks TARGET,

We have plenty of openings in Data Analytics however the focus of the programs I'm responsible for are more security, including network security. My team operates mainly on a Java codebase. Do you have any experience in the area?
We'll also get you to submit a few simple coding exercises and perhaps the code from a previous project to see if you're a good fit.

If you could answer the following questions it would also be great:

a) Why do you want to work at X?
b) Rate yourself 1-5 on the following technologies:
           1. Firewalls Configuration/Snort
           2. Network Programming
           3. Signals Analysis
           4. Java
           5. Scripting (Python/Bash/Ruby)
           6. Network Analytics
c) Please list two coding projects you have worked on recently in the security field
d) Please submit a file reverse.c which takes a string as input from stdin and reverses it. We are looking for runtime and clean code.

Thanks for your prompt replies. Our timeframe is short before summer so we are trying to keep things moving quickly.

---- Joseph.

 

Hi Joseph

As I mentioned, I am not really into coding and programming. I have experience of working more on the networks/infrastructure side. 

Please find below the answers to your question below - 

 

a) Internet has become such an important commodity  in our lives that literally everything can now be done online. But just as everything else, there is flip side to it as well. No doubt internet does make our lives simple and convenient but it can turn our lives upside down in a matter of minutes if our privacy and security get compromised. 
I have a strong background in networking and have developed interest in Network Security. Although given the nature of this field, it is really hard to actually share and practice it in real world scenarios. This is where I believe that my knowledge and X's 9 years of expertise in network security, put together, can really help both of us advance and excel more in the field of network security.

b)         1. Firewalls Configuration/Snort         = 2 
           2. Network Programming                  =  1
           3. Signals Analysis                          =  4
           4. Java                                         =  0
           5. Scripting (Python/Bash/Ruby)        =  0
           6. Network Analytics                       =  5

c) INTRUSION DETECTION SYSTEM : Designed algorithm for an IDS on C which parses network packets and performs analysis on them. It was also able to extract data from each TCP connection and record it into a file. 

d) Attached here.

Thanks.
Regards.

TARGET

 

This all looks great!
If we were to go ahead, you'd likely be in a networks infrastructure role, however all our engineers are required to code from time to time. I'll go ahead and forward your code on to our engineers.

Just to let you know one other area we are currently looking into is cryptography over the network, including custom engineered versions of SSL/TLS. Our design currently looks at hiding the protocols through clever infrastructure design. In looking into specifically which project you would be working on, it would also be good to know if you had any experience in crypto protocols and defensive infrastructure. In regards to this I have two questions. Firstly, is there a professor I could contact in regards to the syllabus and, secondly is there anything that matches this description that you have engaged in as far as you know.

Finally, if we move on with the interviewing process, what times in the next week are you available to chat with one of our engineers. The interview would be a mixture of coding and network systems analysis.

Best,

 

Hi Joseph

I am currently pursuing a course - COMPUTER AND NETWORK SECURITY. ( http://www.cis.upenn.edu/~cis551/ )
This course teaches almost all the cryptography algorithms in detail.

So, I have extensive theoretical knowledge about Cryptography and various Network Attacks and their Defenses.

Also, I am well versed with technologies like Kerberos, SSL/TLS, IPSec in theory. 

But I do not have any practical experience of working on any of these technologies.

Thanks.
Regards.

TARGET

 

That's ok, we don't expect our interns to come in necessarily knowing everything in advance. 
Thanks very much for the course page, I will send a follow up to Dr X to inquire further in depth into the syllabus.

Could you possibly let me know feasible times in the next week for an interview?
Also, are there any current projects in Java you are working for which a codebase is available for our engineers to review? Even a work in progress is fine. We're really interested in seeing material and your personal projects from this course given the nature of the internship.

I presume they had you code a standard buffer overflow in C alongside your IDS. No work in any other languages?

Best,
Joseph

 

Hi Joseph

Please find attached herewith 2 java source code files. (server.java and client.java)
These are for a basic chat system application. Further, me and my group would be adding some encryption techniques in it (I ll send you those once we start working on it and progress to some level)

I ll be available at different times on different days. So could you give me some days preference which suits you so I could tell my available timing for those particular days.

Also, a request not to mention my name when you email the professor since I am not sure how he would take it. You can just email him and ask your queries in a general way.

Thanks.
Regards,
TARGET

<SOURCE CODE ATTACHED>

 

Thanks very much,
I'll be sure to forward the code on to our engineers. In terms of dates, Thursday and Friday next week are currently looking best for us. As were are located on the west coast, we are available to interview between 9AM-5PM PDT.

I'll leave your name out of my request for syllabus information and I may contact him regarding further interaction with the class. The program seems excellent.

All my best,

Joseph

Hi Joseph

I would be fine with any time between 2- 5 pm (PDT) on Thursday and Friday.

Please let me know whichever time suits you so I can keep myself available at that time.

Thanks.
Regards.

TARGET

 

Would Friday at 5PM EST work?
Our engineers also took a look at your Java code and asked if you could update them as soon as it's done. We're on a short timetable so by Monday morning would be appreciated, if you're planning on finishing it by then.
I also suggest you do some interview preparation. Review your basic algorithms, data structures, and network theory!

All the best and good luck,
Joseph

 

-------- Original Message --------
Subject: Re: X Internship Followup
From: XXX XXXX<[email protected]>
Date: Thu, April 18, 2013 9:30 pm
To: [email protected]

Hey Joseph,

We took a look at TARGET's code. It seems a bit incomplete in terms of the security features at the moment. We were wondering if you could get the candidate to update us as he goes. You know our timeline, we're looking to get someone in asap, so if you stress that timeliness is important that would be great. Additionally, in regards to interview times, we'd have someone free at 2PM our time.

    -------- Original Message --------
    Subject: Re: X Internship Followup
    From: [email protected]
    Date: Thu, April 18, 2013 8:30 pm
    To: Eliot X<[email protected]>

     Hey Eliot,
     Please find attached some material in java from the candidate, it's meant to be a secure       chat client I believe. Additionally, what times are you free to interview in the next week?

 

Hi Joseph

Yes Friday 5 pm EST works for me.

I ll try and send the code by Monday with the security feature. The one which I had sent was just a basic chat system. 

Also, I would like to bring into focus that I am not really into coding. Even as regards to the Chat system, I did most of the logic design and the coding was done by my group mates.  As you mentioned I would be more suited for Network Infrastructure role rather than software profile.
So, I would really appreciate if you could let you engineer who would be interviewing me know this.

And thanks for the heads up regarding the interview topics.

Thanks.
Regards.

TARGET

 

Hi Joseph

Please find attached herewith 2 java code files for a chat system with AES encryption.

Thanks.
Regards.

TARGET

<SOURCE CODE ATTACHED>

 

Thanks X!

Seems like some good work there. If you update it and want us to see your new code feel free to send it along whenever you can.

Additionally, I have some exciting news and a question for you.  I have been informed by Professor X that the class has upcoming demos on attack/defense and focusing on network vulnerabilities. I have his permission and now I need yours, to come and watch you demo live. I am happy to bring an engineer and if things work out, this may accelerate the process. We plan on also visiting other teams, but you don't have to worry about that affecting your chances.

Best,
Joseph

-------- Original Message --------
Subject: Re: CIS551 Security Recruitment
From: XXXX <XXX@XXXXXX>
Date: Sun, April 21, 2013 11:41 am
To: "[email protected]" <>
Hi Joseph
I'd be happy to let you and your team come visit my students on Monday during Network Security demos they are undertaking using chat systems they have coded.

Perhaps you could even teach them a thing or two?

Thanks.
Regards.

-JMS

On Fri, Apr 19, 2013 at 9:47 AM,[email protected]<[email protected]> wrote:
Dear Professor X,
I work for X Technologies (X.com) and recent visited UPenn on a recruiting drive for security engineers. I met with some of your students and they passed on your details.
I'm reaching out to you because I would appreciate further interaction with your class and would be willing to sponsor internships for the best of them if things work out. Is there any good time in the next week for me to come in with a member of my team?

 

If you have further questions, you can contact our office at 650-494-1574 ext 15. or email me back here. My manager is XXXXXX ([email protected] and http://www.linkedin.com/pub/XXXXXX). If you require further verification of my credentials, I'd be happy to talk with you. X X at Penn is also familiar with me and X's work, having given us authorization last week to come in.

All the best,
Joseph O.

Junior Recruiter
X Technologies

 

Hey Joseph

Yes absolutely. You are most welcome. Its this Monday at 4pm in Engineering Building.

Hope to see you there.

Thanks.
Regards.

TARGET

 

Sure Joseph.

My contact no. is REDACTED if you need any help with location or anything.

See you tomorrow.

Regards.

TARGET