Tuesday, January 31, 2017

Social Engineering Task 1

My task was to Google another player by name, find out some information on them, and give them what I found in class. I handed them a paper with some social media info, work experience, political views, languages spoken, and a few pictures of them.

I got their full name by looking at an email sent by another professor that had the whole class' BHCC emails/student names. This is why professors should always BCC everyone on emails! I then proceeded to Google their name and click on social media links with their name on them. 4/5 times it was the right person when I clicked on a link (probably due to their location and the location of my IP).

Real-life attackers can use the techniques I used to accomplish my task in a real-life situation very much the same way I did: by searching and clicking away. With the information gathered, they can try to pose as the person they are gathering information on for other tasks, such as phishing/catphishing.

An ethical issue raised by my task would be if it's right to pretend to be someone you are not. In the real world, this can be done morally right if there is an ongoing penetration test on an organization and the testers are pretending to be someone they aren't in order to test the employees of the company. And, of course, it is just morally wrong to pretend to be someone else, especially when the person has bad intentions.

Social Engineering Task #1




My task was to sneak the largest food item possible into class. So I took a bunch of bananas from my job's office space to put in my bag until I was able to sneak them out of my backpack when people weren't paying attention to me in class. I set them on the table while everyone was busy doing the ethical assignment and took a picture; I was only really caught by 1 or 2 people.

My task showed me how people can sneak and plant things in places, which is helpful in terms of jokes, or it could be used to frame someone.

Planting something for laughs and harmless jokes is fine; however, ethics come into play when you cross a line to frame someone.

READINGS (due 2/7): Laws and Ethics

Please read the following three pieces in preparation for class on February 7, when we will discuss the question of the relationship between ethics and the law.  These readings are varying lengths--the Plato excerpt is about 2 pages, the King and Rawls excerpts are about 15-20 pages each.  Please read them and take notes on them.  Your notes should focus on two things: 1) summarizing and understanding the author's point of view 2) responding to the author's point of view from your own perspective.

Plato, excerpt from Crito
Martin Luther King Jr., Letter from Birmingham Jail (pay attention to pages 7-10)
John Rawls, excerpt from A Theory of Justice

Ethics blog post assignment (1/31)

Please make a blog post in response to the following prompt by 9pm this coming Monday.

Identify a specific ethical situation or case related to hacking and analyze it using the SCAP (situation, claim, argument, principle) method explained in class today. Describe the situation, make a claim about the rightness or wrongness of the actions in question, argue in defense of your claim, and explain the principles underlying your argument.


Social task #1

My task was to convince any player to buy me something. I was able to accomplish my task by convincing a player to buy me a treat from a vending machine. The steps I took were these: the player and I were walking in college and I just started a discussion on social networking. I uploaded a picture on my Facebook account and then just asked, "How many likes did you get on the last picture you uploaded?" He replied and said 40. I knew that already because I had checked out his timeline, and I knew I could get more likes than that. So I just made a bet with him: if I got more likes than his last posted picture, he would buy me a snack, and if I didn't, I would buy him a snack. He agreed, and after an hour I beat him and he lost, so as we were walking we saw a vending machine and I told him to buy me a snack. He bought me Famous Amos from the vending machine as a treat, as he lost the bet. I took a picture of him secretly, which I have posted below as my evidence.

Social task #1

My task was to click a picture of a fellow player without letting him know. I accomplished this task very easily when I was just hanging around with one of my fellow players and thinking about how I could convince him to let me take a snap of him. Then I saw a wonderful place in the park where there was a nice location, and I asked him to take my picture. After that he clicked a really nice picture, and then he asked me to take a picture of him as well. Easy as that. Below is the picture of the player, which I kept for evidence.
 

Social Engineering Task #1



In the social engineering assignment my task was to put the piece of paper which contains the information about the secret task into a fellow player’s pocket, bag or jacket. It was not easy to do without getting his attention. When we got a social engineering task in the classroom I was lucky that I was sitting next to a person who had placed his jacket on the chair he sat on. But it was still hard to get past someone’s awareness, especially when others know that I have to accomplish a secret task. So I waited for a couple of minutes because he was paying full attention to protect himself. But when he was busy listening to the professor’s lecture I slowly moved and put the piece of paper in the pocket of his jacket. I accomplished my task without getting his attention. It was not good for me to do that but that was my task to complete. In that way we can put anything into someone’s pocket, like a mobile, electronic device, or GPS device, to harm, listen to, reach or track people. I was surprised when I was thinking about such facts and that it can happen to me too. In the end I would like to say that it is good for us to pay full attention to our surroundings and stay aware, so nobody can harm, reach or track us in that way.

Social Engineering Challenge # 1

My social engineering challenge was to get a video of a stranger without them knowing. I accomplished my task by a spontaneous move (I did not plan ahead) while I was riding the “T”. I had been thinking about how to approach my task for a while and I hadn’t been able to come up with a solid plan yet. While I was using my cellphone on the train I realized there was somebody in front of me and there was nobody sitting/standing next to me, so I decided it was the perfect opportunity to record the stranger sitting in front of me. I pretended like I was still reading something on my cellphone and I recorded him for a few seconds, since I felt very weird while doing it and I was scared somebody was gonna notice me doing it (including the stranger), which would have led to a very awkward moment.
I have evidence of my task but due to privacy laws I will not be posting it here without making the proper changes in order to avoid seeing the person's face.
I think anybody could use the same technique I used to accomplish the same task in a real-life situation, which is very alarming since out of 10 people riding public transportation at least 8 are usually on their mobile devices (tablets, cell-phones or laptops). Anybody that could record a stranger without their knowledge could use that data for many purposes, none of which are good or legal; you could make a video to bully somebody or even to spy on somebody.

Ethically this analysis leads me to think that we have lost a lot of our privacy on a daily basis in this modern world. Nobody should be collecting or using personal data without the proper authorization because it is an invasion of privacy. Even though there are legal actions you can take in a case in which you have been bullied or spied on through personal data that was collected without your authorization, it is still very hard to prevent such incidents since it is so easy to snap pictures or record videos in any place in which you are surrounded by people and their mobile devices. The only ethical way of doing what I did would be by properly asking the individual or individuals before proceeding with the recording and collection of personal data.

Social Engineering Task #1

My task was to get a dollar from someone. When our class was about to end, I approached someone and said, "Excuse me, can I ask you a question?" He said, "Sure". I was like, "It's a hypothetical question" and he said, "ok". I asked, "Hypothetically speaking, if you had a one dollar bill on you and I were to ask you for a dollar for no particular reason, would you give me a dollar?" He replied, "mmmmm... sure... if you needed a dollar, I would give you one." Me: "ok, then.... will you give me a dollar?" and he was like, "for real bro". It was kind of a weird conversation, but anyhow he got an idea that it might be my task, so he said, "I will give you a dollar right now, first you need to switch your seat with me." I said, "ok sure", so he handed me a dollar first and then we switched seats. After switching he wanted to click a selfie with us, so we did. There was all the weird stuff going on. But at the same time we both accomplished our tasks.

Materials for ethics portion of class 1/31

Here is a list of moral dilemmas that we will work with in class today to put into practice the Situation, Claim, Argument, Principle (SCAP) method of moral reasoning.  First, we will watch this short lecture from 2010 by Michael Sandel, a professor of moral philosophy, and look at how he applies these steps.  Then, we will break into pairs and analyze moral dilemmas.

Social Engineering Task #1



My task was to shoulder surf a fellow player, and then write a report for that player. I accomplished this task, and I don't think this task would be easy to do with strangers instead.
We were in class, so we both needed to log into our hacker identity Gmails. I was sitting next to him, watching him type his email password, and laughing at him, because he forgot his password (I forgot my password, too). He tried to type in the password 5-7 times. Then I reminded him about capitalizing the letters, and finally, he could log into his Gmail. By watching all the time, I got his password, too.
In a real-life situation, it's hard to know who is watching you while you are typing your password on your computer or your phone in crowded places like libraries and train stations. Someone would distract you by talking to you while you are typing your password, and then they could get your password without your knowledge.
Pay attention to your surroundings while typing important passwords, even around your friends and classmates. A way I think would be morally right is that a person who is watching you could remind you to cover the keyboard, or remind you to pay attention to your surroundings. On the other side, with the user name and password that they could steal from you, they can use them to guess your other user names and passwords for multiple purposes, such as online banking, social media sites, etc.

Social Engineering Task #1

My task was to have someone from class hand over their phone unlocked. After class ended I had a conversation with a student and the whole time I was thinking how can I accomplish this? I thought of tons of excuses but the simplest ended up being to exchange contacts for class.

The student walked away for a few min and I literally could have had access to anything on their phone for that time. If they had any private emails I could have read them. If their bank account information was on there I could have taken a picture with my own phone.

I could have had access to troll his social media accounts. I also could have even been malicious enough to have locked the student out of their phone. There is so much evil and headaches that I could have caused towards that student. But obviously I did not.

My afterthoughts were that we do not realize ourselves sometimes how much information is actually stored on our phones. We rely on them religiously now and we should always have a password on our phones. We can never leave them lying around unlocked because someone may even have access to your bank information if you have that app open.

Overall my task ended up being easier than I thought when I simplified my scheme and did not overthink it.

Monday, January 30, 2017

Social Engineering Task #1

My task was to get someone to swap their card with mine (they still had to do the task on their original card). I accomplished this task but I forgot to take their card with me and the other player threw both cards away. Hindsight 20/20. I would have used a picture of the card as proof if it wasn't for the aforementioned circumstance. I do know that their task was to get someone to reveal their card.

My approach to this step was to find someone who wasn't content with their "hard challenge" so that they would trade up with mine. I quickly realized I may have had the harder challenge. Not only were half the players done by the end of the class, but some were convinced that my task was "sketchy" or it would "give them more work" if they switched cards with me. The premise of me wanting to swap was a suspicious indicator to my fellow players that my challenge was "hard" in the first place! Fair enough, I understand the sentiment. *grumbles* Even though it made my task way harder than it should've been. The completion of the task fell solely on luck because the player I came across had to get me to reveal my card and they could do so by switching with me. So it was a means for both of us to complete our tasks.

I can see this applying to real life in the sense that a way to get someone to be more compliant with your requests is to find a way that it would also benefit them, or at least appear to. Whereas in a room full of vigilant social engineering task players this may be harder to do, in the real world it would be much easier. For example, exchange a USB and tell them it contains a game or something of interest to them so they could perform your requested action (to swap) whilst it may contain something malicious that could act as a key logger or something that exfiltrates their data.

One ethical issue this raises is that being compliant with some requests may have some consequences. Just as my fellow players were vigilant about taking my card because it could very well have given them "more work", in the real world an exchange can be more detrimental, where one party may give too much information that could be used against them later. These "swaps" or exchanges may not be equal and one party may be looking to take advantage in some way. Some people may use these techniques for good, such as being cautious in divulging information or assets they wouldn't want exchanged, or protecting company assets or trade secrets. On the other side of the spectrum, it could be someone "borrowing" a USB but giving it back with malware or a virus.






Social Engineering Task #1


My task was to take a picture of a stranger without their knowledge. Below is a picture of the person behind me at the grocery store. I approached the task by taking my phone out while waiting in line and texting a friend. I then turned sideways, leaned against my grocery cart and, under the pretense that I was still texting, took this picture. While I was in the store I observed many people talking, texting, or in some way using their phone. It would have been easy at any time for someone to take a picture of someone else without their knowledge. When someone is using their phone the immediate assumption is they are texting or on social media or looking up information. I don’t think the first thought is that they are using the camera because the primary function of a phone is communication. Because we have this assumption, people are less concerned with what they are doing around those with phones as opposed to a camera. By simply looking absorbed in the phone, which is not out of the ordinary these days, it is easy to take pictures of people without them knowing. This can then be used to gain information about their habits, preferences, and daily activities. In this case, I can see what this person eats. If I had lingered in the store I could have watched to see how he paid for his groceries. I also could have followed him to his car. I might have learned more about him from bumper stickers or his license plate. I could have even followed him home then looked up his address to get his name and phone number. I could then call him pretending to be a representative of the supermarket and claim something was wrong with one of the items he bought and that I needed his credit card to reimburse him.

Photography is an art form and candid photos of people doing everyday things could be an example of the subject matter. To make this activity morally right, one would then need to disclose the photo to the person after taking it and request permission to use it. I think taking a picture of someone for personal gain or shaming is unethical, as was the case with the woman who took the photo of the other woman in the gym locker room. If I was disrobing in a locker room and someone had a camera pointing at me I would stop and confront them. But if someone was using their phone, and people always are, I wouldn’t give it a second thought… that is, until now.

Tuesday, January 24, 2017

Social Engineering Posts

Each week, you should make a blog post describing your approach to your social engineering task. You should post whether or not you succeeded. This post should include all four of the following parts:

Execution: What was your task? Did you accomplish it? Show some evidence, if possible!
 
Narrative/method: How did you approach your task? Step by step, what did you do to try to accomplish your task?
 
Application: How could a person apply the techniques you used to try to accomplish your task in a real-life situation? What could someone do with the information you gained about your target or with the behavior you convinced your target to do?
 
Ethical reflection: What are the ethical issues raised by your task? How could a person do the same actions in the "real world" in a way that you think would be morally right? How could a person do the same actions in a way that you think would be morally wrong?