SE VILLAGE - Social Engineering Course Projects for Undergraduate Students

Video in TIB AV-Portal: SE VILLAGE - Social Engineering Course Projects for Undergraduate Students

Formal Metadata

SE VILLAGE - Social Engineering Course Projects for Undergraduate Students
Alternative Title
Social Engineering Course Projects for Undergrads
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The hard science disciplines (computer science, electrical and computer engineering) have already started investing heavily in cybersecurity education. Security experts, however, note that cybersecurity is a wider discipline than simply the [technical] fields, and professionals with backgrounds [in] the social sciences … will be needed in the cyber workforce of the future. The relevance of incorporating social sciences into the cybersecurity domain has been acknowledged by the National Academies of Sciences, Engineering, and Medicine and the Department of Homeland Security. Social science disciplines, such as sociology, criminology/criminal justice, anthropology, political science, and psychology are particularly adept at unpacking the complex facets of human behavior and should therefore be leveraged for their contributions to the area of cybersecurity. Yet, the social science arena remains weak in cybersecurity training and education of the future cyber workforce. This talk shares an educator’s efforts to engage undergraduate students in a hands-on social engineering project across Fall 2017 and Spring 2018 semesters. It uses the experiential learning framework that promotes “learning by doing”. Specifically, this talk focuses on three sub-projects: (i) shoulder surfing where student teams competed against each other, (ii) laptop distraction, where student teams attempted to convince Temple University Computer Services employees to leave their laptops (designed for the class exercise) so that the students could remove a bogus ‘intellectual property’ file and place a fake ‘malware’ program on the employees’ machines, and (iii) convince individuals on Temple University campus to take a selfie with team members and a funny prop. The talk also offers a comparative analysis of these projects over the two semesters, sharing the experiences and challenges of both the students and this educator. 
It also details the issues about designing projects that follow university ethics standards, training students in human subjects research ethics, generating relevant rubrics, and how to evaluate student engagement and learning. To conclude, the educator shares these cases discussed to initiate dialog in the area of hands-on learning for social science students. Audience feedback is welcomed as this educator is still exploring the experiential learning approach, especially in the area of social engineering.
Well, everyone, if you could take your seats please, we have our final speaker on to rate uncial right breaking that's why okay I'm sorry console ringing. Thank you. She's a criminology professor at Temple University, and she's passionate about educating the next generation workforce about social engineering for social and hard sciences and the relevance of the human factor in cybersecurity. Let's give her attention. [Music]
Can everyone hear me okay? So, all right, let's get started. I'm very excited because this is the first talk that I'm giving after I was awarded tenure a month ago, so now I don't have to care about anything, right? It's great. Yeah, so a little bit about me. Okay, so I've been at Temple for about six years now, and part of this is a little bit of a story about my own journey as an educator, right? How many students in the audience? Right, okay. So this is something, you know, if you're considering further education, you know, if you go into your master's or PhD or things like that, right, the focus is always on your research. Nobody ever tells you how to teach, right? And so all of a sudden we're thrown into a professor position, and the expectations are: yeah, you do your research, publish, you get grants, but you must also teach, and nobody ever trains you properly for that. So this is something that I'm trying to figure out; I almost have to learn how to be an educator. So what I'm trying to do today is share some of my own experiences doing experiential learning, or hands-on learning, in the area of cybersecurity. And this started off as a project for non-technical students, because I'm housed in liberal arts, and so my concern was: how am I going to get liberal arts folks to be able to think about cybersecurity even as a career option? So this is very much a work in progress. I didn't have a foundation to build on, I didn't have any former assignments I could look at, I had to design the rubrics from scratch, okay? So this is very much an experiment, and what I'm trying to share with you are some of those challenges and struggles that I faced, as well as what my students thought about some of the projects that they had to deal with. So I gotta start
off with my thank-yous. The National Science Foundation: the way the NSF works, if you're not familiar, is they fund you for research, but they're also interested in what you do for education, so what I'm sharing with you today is the education side of that grant. I want to thank the Temple University Office of the VP for Research; this is where the ethics board is housed. And for all the social engineers here, or the folks that are considering social engineering as a career path: when you're trying to do something in a university setting, the rules are very, very different, okay? So the ethics board was really instrumental in working with me and making these projects happen. I want to thank the university's IT services, because they actually engaged with my students during one of the flags, which is really cool. And of course I want to thank Human Hacker. I think he's still out there having conversations with people, but he was really instrumental in this as well; he helped me design one of the flags for my classes. And, you know, I think if I didn't get that sort of voice of reason and support and enthusiasm, perhaps these projects wouldn't have taken flight. So what's on the agenda? I want to tell you
quickly a little bit about me and what my concerns are as an educator, and where I got this idea of trying to do social engineering projects in class. Then I'm going to talk about the three flags that we tried to do in class: shoulder surfing, a group selfie, and laptop distraction. So I'll get into each one of those in a little bit. I'm going to talk about the summaries based on, again, student feedback, and end with some of my own reflections and closing thoughts, right: why does this matter, what would I like to do next, and all of that good stuff. So let's get started.
So yes, I'm a criminologist at Temple University. For those of you who don't know where that is, it is in Philadelphia, and I've been there for six years. My main area of research, my funded projects, look at proactive cybersecurity with an emphasis on adversarial behavior. But I'm not here to talk about research, I'm here to talk about education. And so in the six years that I have been at Temple, I've been teaching an upper-level liberal arts class called Computer Crime, and for the first three years that I was teaching this class, I followed the same approaches that I had been subjected to as an undergraduate student, right: go research a topic, write a paper about it, and then do a presentation at the end of the semester. Okay, great, and everything was going fine, right? Every semester I would ask my students, "So how many of you want a career in cybersecurity?" And they said, "Well, we can't do that." I said, "Why not?" "Because we don't know how to code, we don't know how to hack." And I'm saying, yeah, that's important, but you also need to understand that who's doing the hacking is a person, and what we do in liberal arts is understand human behavior. That's what we're trained to do, right? Be it psychology, sociology, criminology, anthropology, all this stuff, okay, that's what we're trained to do. So, you know what, we do have something to contribute. But it set off alarms, right, for me as an educator: I'm doing something wrong if I'm not able to tell my students, "You know what, you can pursue a career in cybersecurity, and here's why." So how do you start changing that mindset? So I started looking at my hard science colleagues, because they do work extensively with computer science and electrical and computer engineers, and they were way, way, way ahead of me, right? Their students already have class offerings in the area of pen testing or digital forensics or things like that, so they're actually training students to go out there and pursue careers in cybersecurity. Here's a real stickler: what does that look like in the liberal arts, right? How do you get hands-on experiential learning for the non-technical students? And so this had been brewing in my mind for about three years. I got my
first grant, right, yay, step toward tenure. And again, like I said, this was looking at proactive cybersecurity, so one of the things I look at is a cyber intrusion chain. For those of you who don't know what that is, it's literally a step-by-step process of how an attack unfolds. And I spoke with a lot of ethical hackers, pen testers, and I asked them, you know, which of these stages is the most relevant, what do you think? They said, right, recon. Okay, so we have recon, weaponize, delivery, exploit, install, C2, actions on objectives. Okay, so one of the quotes from one of the pen testers I interviewed really captures it nicely, right: 50 to 75 percent of the legwork is to learn about the environment ahead of time, be it through social engineering, calling these people up, trying to understand what systems they operate (which is what we saw in the CTF), researching the vendors, right, all of that is essential. Okay, so if this is so important, why are we not educating students about this, right? What can these exercises look like? So now I have an idea, but I don't know how to implement it. And then last summer I got invited to go and speak
at Estonia's cyber security summer school. So they have this summer school every year, and last year's theme was social engineering, so they said, "Hey, can you come in and give a talk on your research on online dating scams?" I said sure, right? So I go there, and what they're doing is, this is the first pure social engineering CTF that I've seen at an international level, okay, where you have students from different parts of the world coming in, competing in these flags, and they're doing all these cool things that are listed on here, right: OSINT, creating fake profiles, generating phishing emails and actually disseminating them, shoulder surfing, laptop distraction, phishing. And I was like, ah, why did I not think about this? All right, so I'm so inspired, I'm excited, now I got some ideas, I would come back to Temple. What happens? Can I implement this? How about an ethics board? Okay, when you are dealing with a student population in a university setting and there's deception involved, the ethics board just said, "Nope, can't do that, can't do that, can't do that, can't do that." And so it took three months to work with the ethics board and come up with flags that were acceptable, okay? So the two that I could port over were shoulder surfing and laptop distraction, and that's when I said, okay, well, this is great, but I need one more flag. And so last August I reached
out to Human Hacker and I said, "I'm doing this social engineering project, can you help me out?" Great, so we started talking and we went back and forth: "Can you try this?" "No, that won't be acceptable." And we ended up with the group selfie flag, okay? And so he said, "You might give your students a prop of a squeaking rubber chicken and send them out on campus, and what they have to do is convince someone to take a selfie with that rubber chicken and them." All right, I said, all right. I ran it by the ethics board; they said that's fine, it's safe, it's fun, logistically possible. And so I said, all right, I have my flags, and I have to now try this out. Again, I had to design the instructions from scratch, the rubrics from scratch, but I had my first
project ready, right? And so I decided I'm gonna try this out on my fall 2017 Computer Crime class. So this was my guinea pig class, and just to give you a feel for it: 34 students, 28 in liberal arts, and I had six computer science students. The projects went fine. There were a couple of glitches, which I'm going to talk about, but they gave good feedback and I learned a lot, and so I tweaked the assignments a little bit and
did round 2 in the spring 2018 semester with 29 students: 20 liberal arts, 9 computer science. So what happened? The
first flag is shoulder surfing, okay? And basically students were broken up in teams and they had to compete against each other, the goal being you have to be able to get a clear shoulder surfing shot of someone from a rival team. Okay, so you cannot target anyone outside of the class, because everybody in the class had signed disclaimers, like, "We agreed to this activity," right, and they had done their ethics training, so we kept it just to the class. And they also were limited to on campus only, so no, you couldn't follow your classmates home, okay, that was off-limits. So I needed to make sure, though, that they weren't cheating. So how do I know that it's you who took that picture? So they had to provide what's called an action shot.
Here's a picture of a successful shoulder surfing shot, okay? So they were able to get something from a rival team, got a picture of the image, this was in a computer lab, and here's the action shot.
Okay, so this is proof that it was the student who had taken the picture. So students had two weeks to do this, and after the two weeks they had to give a debriefing, if you will, a five-minute presentation on, you know, how did they go about doing this, what were their strategies, and so on. So some of the
strategies, and I put these into categories, right. So in class: they started remembering who was sitting where, what devices they were using, arriving to class early, trying to take a bathroom break during class to see if they could find anybody on their devices at that time. The fall 2017 class engaged in something called a honeypot, and I'm gonna talk about that in a little bit. And outside of class (so this was during class time), outside of class they engaged in what was called light stalking, so they actually followed their classmates after class. They kept, you know, a safe distance between them and their targets, tried to remain in stealth mode. Some of them even cross-referenced to see if they had other classes with folks from the rival teams, so they could target them in other classes. Overall they said, you know, be patient, persistence pays off, and when the opportunity presents itself, act quickly. So I'm gonna talk about these two, the light stalking and the honeypot. So
here's a picture of someone from the team who is following his target, and he followed this person for about 20 minutes. If you're wondering where he is, that's his shadow, okay? So he's a good 15, 20 feet behind, followed him for about 20 minutes on campus until the target stops at a food truck, and that's when he was
able to get his successful shot. Now that was one approach. The other approach
was honeypots. So what would happen here, and I only saw this in the fall semester (it's almost like each semester brought its own unique strategies, right, I did not influence any of this; students could try things out, they'd run the strategies by me, but, you know, they were allowed to be as creative as they wanted to be). So here we have someone from Team A comes to class, sits in the front, opens up her laptop. Someone from Team B comes in and says, "Oh, this
is awesome, I got her," pulls up the phone and gets the picture. Okay, so I
said, "Why did you do that? Like, you guys got your own picture taken." And they're like, "Yeah, yeah, we know, but, yeah, so we let them get a picture of us, but we got the picture." I was like, okay. Interestingly, this ended up turning out to be in Team B's favor, because Team A basically provided the action shot, right? So there was another instance of the honeypot, okay, again, where you have the bait. And I'm kind of setting this up because it might be harder for you to read; it's a quick animation that one of the students took, right? So he has someone sitting down, someone from a rival team comes to show that he's got somebody else, right, so he's bragging, and that's when they get him.
Okay, so there were a lot of honeypots that were utilized, and I did not, again, see this in the next semester. So some of the defense-based strategies:
okay, everyone was on high alert. So yes, you had to target someone while also being targeted, so there was a sort of spy-versus-spy atmosphere for those two weeks. Nobody used their devices in class, every professor's dream come true, right? So it was great. You saw changes in human behavior, okay? So they changed seating location, they
sat at the back of the class, okay, by
the walls, okay, they positioned themselves sideways, and they try and they try do you think to have a touch. I couldn't find a proper term for this, so it's called sabotage, and this was unique to the spring 2018 class. So I'm gonna give you the example of what I mean by that. So here's the action shot
in progress, okay? The guy with a laptop pooping in the blue shirt is a target. Can you see the sabotage going on? Now do you see the sabotage going on? There's a
zoomed-in version. All right, so they get the picture, and then I get an email that night saying, "Professor, are we allowed to use this?" And I was like, sure, right, why not, it's fair game. So during the debriefing they actually shared this picture with the class, which was quite entertaining. So some of the
challenges that the students faced: because this was the first flag that we did, students couldn't remember their classmates, right, because new faces, new names. Sometimes they followed the wrong people, which didn't go over well. Okay, they didn't like the fact that they were limited to on campus, but I said sorry, those are the rules. Trying to get a clear picture: like I said, they had to act quickly, there were a lot of blurry images, they weren't always successful. Like I said, targeting someone while yourself potentially being a target was also problematic. They felt uncomfortable and creepy engaging in this activity. Like I said, they could only target each other, but when they were doing this outside of class, people would look at them really funny, right? And so the students were like, "Can we get some special T-shirt or a letter from you that says that this is for a class project?" I said no, right? So there was that feeling of being weird. The last circle, and that was really interesting, is coordinating action shots, right? So outside of class, people in your team aren't going to have the same schedule as you, so how do you get someone to prove that you took the picture? And the spring 2018 class came up with the solution: they said, "We're just gonna do selfies," and so that's what they did. Okay, so that was a workaround
on the action shot requirement: they got the shoulder surfing picture and they proved that they were there. So this was their first activity; it was a good sort of warm-up flag in both the semesters. And then we decided to go with the next
one, which is the group selfie with a Temple citizen and an awkward prop. So this was a flag that had been
recommended by Human Hacker, and for this, again, this was team based. So each team had to give me their script ahead of time, which is what they planned to use to approach someone and convince them as to why that person should take a selfie with the team and the rubber chicken. So the scripts were sent to me two weeks in advance. I had to make sure, first of all, that the script was okay, and also that no two teams had the same script. And to ensure that there would be no conflict in scheduling, I gave them dedicated class time, because that's when everyone's supposed to be there anyways. So they got about two days of classes once they prepared, and they couldn't say that this was for the class project till after they had gotten the selfie, and again, this was on campus. And, yeah, they were given two classes, another week, to get their debriefing done, which basically meant they had to create a short video about their experience, right? So I'm gonna share some of the videos that my students made, okay, and I thought they did a pretty good job. So hopefully the audio works.
So for our first thing we did frat boy pledging. Justin's gonna be the pledge, and his pledge is that he has to get selfies with people holding the rubber chicken. We decided to meet outside of the Bell building, and then of course we run immediately into someone we can't ask, because it's Leon; so, being here in our class, we were not allowed to ask him to participate.
Justin got out the rubber chicken and we sent him off to attack students and other people who were passing by, and pretty much just told him to go get someone. So he did. He walked off to the nearest strangers and approached them. Some of them didn't give him the time of day. I guess that's not surprising, given that it's the city. "Sorry, I'm on my spare change" is a pretty doable reaction when someone approaches you randomly in the city. I really blame that guy.
So Justin just kept walking to the next person. Gotta give it the old college try, because if at first you don't succeed, you keep walking down the street and you keep asking everybody you see, and then eventually, if you're lucky and persistent, you reach two nice people who say yes. So Justin brought those people back to us, just in front of the Bell Center, and we explained that he was pledging and that we needed to get a selfie with the rubber chicken. And here we go, we got our selfie. Mission accomplished. And
this is one by another team.
Don't they have chicken ah. With college students in mind as our targets, we wanted to come up with a strategy that would engage them without being obvious about our intentions. Ever since we got a Chick-fil-A on campus, they've been noticeably popular, so lines for it are super long. So we used the popularity of Chick-fil-A to our advantage. It made more sense as a chicken-related strategy in order to get people to take a picture with us and our rubber chicken. So our story was that we are prankster YouTubers who wanted people to do the chicken dance for our channel. However, we didn't want to be obvious about that, so we came up with three chicken challenges, and we'd reward the target with chicken nuggets from Chick-fil-A. So to prepare, we looked up some chicken facts for what was originally supposed to be a quiz, and we went to the Student Activity Center and bought Chick-fil-A nuggets for our reward.
This was during lunchtime outside of the Student Activity Center, so it was fairly opportunistic to find some hungry college students. I made one announcement stating that if you completed our chicken challenges you could win some free Chick-fil-A chicken nuggets. One target came up immediately, asking what he had to do for free food. I told him that all he had to do was pass the chicken challenges. I asked him if we could take a video for our YouTube channel, to which he said yes.
The first chicken challenge was to answer a chicken question, which was, "What is the male chicken called?" That is a rooster. (Just remember the scene, I'm gonna come back to it.) The second was to demonstrate what sound a chicken makes by doing the well-known chicken dance. The third was to take a picture with our rubber chicken. He completed all the challenges successfully, and we joined in the frame for a selfie. After the selfie we told him about the class project, and he walked away happily with his free chicken.
As far as lessons we learned: we learned that we couldn't be around too many of the other groups with chickens. We all went about the same time, during the dedicated class time, so it was a little conspicuous and noticeable that something could be going on. Another lesson that we learned was that if you incentivize an activity, it'll bring more eager targets, which seems obvious, but, well, if you know your audience as well, like college students, they're gonna be more willing to participate and will likely do anything for food, especially if it's, like, around mealtime. And the third lesson that we learned was that people don't really care if they're on social media with strangers and how easily their information is obtained. Like, we didn't do a waiver or anything like that, so he unknowingly just gave his for our YouTube channel without, you know, knowing it could be abused or anything like that.
So, a couple of glitches, okay:
Each team was given the same prop, and they were out with the same prop at the same time. This caused problems because, like I said, the guy, remember, I totally remember the scene where they zoomed in, he was actually someone from a different team. Okay, the problem was that they were approaching targets with the same prop in different stories at the same time, right? It's, the potential targets are gonna be like, what's going on? So that was, that was a problem. And what is the feedback, obviously, that I got from the students was: hey, can you please, you know, use different props for the next semester? So sure enough I did. I kept, of course, the rubber chicken, and then I got a giant stuffed Minnie Mouse, sock monkey, a Hello Kitty pillow, flamingo, llama, and a unicorn. Okay, this was the most assorted mix I could find in a short amount of time. And so again I'm going to show with you real quick the unicorn video, and this is now for the spring 2018 semester.
skirt three is a personal favorite. We went on with the intention of having a staring contest with the unicorn. Little did we know that we turn into one of the most rewarding experiences we have. We use the unicorn as bait to get our target to have a staring contest with wrong. Initially the goal is to have a staring contest with the unicorn, but in all fairness to our contestant we went with Rama clock we get the put a time let's see how that feeling we get up like the inside to stop our snow I'd like this [Music] yep you see yes you ain't you boy so you got the winning unicorn what would you mind if I took a picture with you be there you've got a fan [Music]

Okay, so some of the strategies, based on
student debriefings and reports. Okay, so how did the students go about doing this? They first decided to be cognizant of what potential targets were doing: what are they working on, are they doing a homework, are they surfing, are they eating, are they chatting with their friends? They had to stick to their script, but they also had to be able to adapt based on that script. So for instance, the group that got the stuffed llama, they came up with the script of Save the Llama Foundation. Okay, so a lot of students were interested in that, and they asked them a lot of tough questions. So they had a good story but a parent, okay, they were able to adapt. Some of the strategies: like, pretexting, obviously; quid pro quo, right, we saw that, that's offering food for the target's time or, you know, to get the selfie; playing on the emotional card, right, we want to save the flamingos, we want to save the llamas, so there's that desire of wanting to please.

Some of the challenges: like I said, getting out of the comfort zone, right, so going out and actually approaching people was interesting. The spring 2018 class was scheduled for 9:00 in the morning, so it was hard to find people on campus at 9:00 a.m. And even though, you know, the props have changed, the teams were still bumping into each other, even though now with different props, but it's still kind of, why's everyone walking around campus with different props, right? So that's something now that we have to figure out.

The last activity, the last flag, was a laptop distraction flag. So again, this was team-based, and what happened here was folks from the Information Technology Services came in with a laptop, and the team had to distract the representative from the laptop. Okay, that was the objective, using a story and whatever you wanted to do to adapt. So they had to come up with a script, which again had to be sent to me in advance to ensure that no two teams would have the same scripts, and we did this in class. All right, so the IT representatives came in class. We dedicated the entire class time to this, so about two or three classes, and they were given two minutes of prep time and five minutes to actually execute the activity, and then they had a two-minute debriefing with the IT services representatives. So just a note, Erica: they were not graded on whether or not they were successful in getting the person away from the laptop. Great. What they were graded on is what strategy did they use, how convincing were they, were they able to adapt in those five minutes.

So again, there's a whole bunch of different videos, but I'm not going to be able to share them with you. So the one that I am sharing with you is from the fall 2017 semester. This was a two-student team, and I like this clip a lot because their execution was very, very smooth. They stayed calm and remained in character even when things weren't going their way, and they adapted the best, in the best possible way that they could. All right, so it's a two-student team, and the folks that they're targeting are against the back wall. Okay, so when you see this video you'll know what's going on. It may be a little hard to hear because they were moving around all over the place, so I've tried to insert cues where possible to help guide you.
let's go mr. Dennis price oh right because it we have this very good set up in back door so we do program 45 just so to many new website this year students looking at schools are investors ever since or about babies [Music] if he lives up there I'm not from the
University on the ghost run as far as I could get and so what I do not play and
I'm straight to the University so I won't get friendliness but that's right I was too small for it
[Music] okay so just describe a typical work week here Computer Services attempted it's it's great it starts Monday morning typically would do briefing prepping that head usually depending on the number of issues we see that we dent we're looking for what partner is going
to go with the other two interns I know it's a little bit of a good question and applause yeah I know nice going exhibit I would say it's it's becoming better
how could you say how's it working I know

Okay, so I'm going to pause it right there. And basically, if you were to put this out on the playbook format, okay, it's very interesting, right? So they have a good context to come with, a good back story: Temple is making a new website, they've hired Isis ghosts as ghostwriters to get a feel, that's why we're talking to you. When there was sort of a credibility check, when, what do you mean ghostwriters, right, so they actually clarified the term, they'd done their research, they were able to defend that. When the laptop, when the first target gets up with a laptop, they said: sorry, you don't need it, you don't want it to get damaged. So that doesn't work. We have everything set up, you don't need to bring it. That didn't work. It violates policy. Okay, so they tried hitting the target with three different types of adaptation right there. When you have the first pass of the laptop, okay, they ask for a dual and Ruby. When you had the second pass of the laptop, they split up, okay, and so on and on go. So again, the team ultimately ran out of time and they were not successful, but they still ended up scoring, getting a perfect score, basically because they kept at it and they stayed calm and they tried to make it work.

This was the only team that used sort of a calm approach. All the other teams had emergency scenarios. So we had four teams with law enforcement scenarios, okay, where they came in and they accused the people from ITS of some type of wrongdoing. So we had four teams doing that. Two teams came up with disastrous scenarios, so they had chemical spills. So teams came in with fog machines, other teams came in with hazmat suits. Okay, so they did a couple of, somebody even came in and did a fake pregnancy, like giving birth. So it was, it was madness, but all of them came up with emergency scenarios, right? So some of the
students' thoughts, okay: props and costumes. Interestingly, the fall 2017 teams were better prepared than the spring 2018 teams. They had stronger stories, better prepared, better put. Their biggest thing was unanticipated tag-teaming, right? And so the IT services did a couple of other mean things, like, you know, they got access to the laptop, but that's when they were, they schedule system updates, so they couldn't, you know, actually get to the device or anything like that. They took the battery out so they can't start the laptop. All right, so all those types of things. And but one of these things, I think it became really easy for the teams that were using emergency scripts, so in the spring 2018 semester actually said you can't do, you can't do emergency scenarios, and that made it really, really difficult. So some teams came up with some interesting things. One was a birthday celebration surprise, okay, so they came in and took the person away to play some party games. Because there were IT service representatives that came in seeking tech support at home, and there were a few other creative ones in there, and I don't have the time to get into that.

But what I do want to talk about is the, sorry, now that I've done this across two semesters, I found that the shoulder surfing activity the students really liked as having that as a first one, because they felt that it was a great warm-up exercise: then we don't know what social engineering is, we don't know what we're gonna do, so here's a, here's a good, safe, fun one to start with. The downside, of course, is: well, we don't know our classmates yet. Okay, the laptop distraction activity, that was the most dynamic. Students had way too much fun with that, right, because it was in real time, but the downside was they said it was one of the toughest ones, because you only had five minutes and you had to do this. The group selfie, they enjoyed that a lot. They said they got to be creative with it, but they needed more time. Okay, so overall the structure of the flags were, and the instructions were, clear, easy to follow. They were happy with the amount of time that they were given, and the only change they said was: can you make the laptop distraction activity as the last flag? Okay, because that was the toughest one, so the first two would give us enough to sort of prep time and let us warm up and hopefully engage with the IT services folks a little bit better.

So in closing, what's this mean for, for
me as an educator? Implementing social engineering projects are not easy, okay, in terms of logistics, duration, structure. Coming up with the entire setting, it was quite challenging for me. One of the main challenges was getting approval from the university ethics committee. And ethics was a big point of discussion yesterday; you know, a lot of speakers brought that into their talks. It's, I think it's even tougher and trickier when you're dealing in a university setting. So yes, there are a lot more restrictions, the flags that design the implementations, but they still worked with me and we made it work. Okay, so was it the best flag, you know, is it something like perhaps what you all do professionally? No, but it's a starting point.

Designing rubrics: how do you grade a project like this, right? What are your categories, what are your weights going to be, how much do you get, how many points do you give for these different things? So how do you do that? One of my biggest challenges was catering to the computer and information science students. Okay, so as I mentioned, that six students in the fall semester from computer science and about nine in the spring semester, their biggest thing was: do we have to talk to people? And I said yes, welcome to the liberal arts, right? You would do, of course you have to talk to people, right? Because you're just like, well, can we write a script that would like execute? I'm like, no you can't, you can't, no, great, you are not hacking a computer system, you are hacking the human. So they actually found this very challenging.

Some other things that I'm sort of now going to my mind is: how do I develop ethically acceptable variations, right? So one of the things that the students really wanted was: hey, if we're doing a group selfie project with a prop, can we target professors? I don't know how my colleagues would feel about that, right? The, I'm tenured now, yes, but I still like my job, right? Like, you know, I do at some point again want to be promoted. So it's, how do I come up with good props? Okay, so there were a lot of, you know, sort of, students really, yeah, we need, yeah, I think almost like giving someone a llama and a flamingo actually was, the props were cute, right, so it actually worked in their favor. So what might be some tougher props, and that the students would have to really come up with unique storylines? Shoulder surfing, they said: yeah, we'll do this, but if we get you, do we get bonus points, right? So for the first year I, I didn't really do any of that, because this was, like I said, an experiment, I'm trying to figure out what the heck I'm doing, but in the next year when I introduced this, that might be a possibility.

So then close rate, this is not the first experiential learning project that I've done. This is actually the second one; social engineering is the second one that have tried out. Okay, I've worked with electrical and computer engineers, Idaho National Labs, right, we did something where we simulated Peregrine's cyberattacks, and then my students ended up playing adversary. They designed the attacks, okay, that were launched against the electrical and computer engineering students. So we actually did that; that actually is a talk that I had presented earlier at ShmooCon this year.

So what am I trying to do this? Okay, I think it's really important to emphasize, and that's why I love this village so much, right, that cybersecurity is not just technical, is that there is a lot of human aspects to it. So how can disciplines in the sort of social science, in the liberal arts, make their students realize that what they're doing is important and they can contribute, that they do have a voice? And initially yet started this as something I wanted to do for the liberal arts students, but I think hard science students can also benefit from this, right? So, so it's kind of moved beyond just for the liberal arts right now. It was a heck of a lot of fun, okay, students had a great time, IT services, I had a great time, they were excited that somebody asked them to engage with their students.

The biggest thing for me, and this is I think the last point that I have here, is I was able to create at least a small slice of it, right, but create something effective, safe, and fun, okay, for students. And I think what's really important is that we need to educate the educators. Okay, it is risky to think outside the box, but I think it pays off because you take your education, your pedagogical culture, in a whole new direction, and I think that's really cool. So I do have new flags for the spring 2019 semester in the works, but, you know, if you have any suggestions or feedback, you know, I'm happy to take anything really, because I do need a lot of help with this. It's not easy. And so with that I just want to say thank you for your time and attention.
[Applause]

Yes, liberal arts. He was in media and communications. So, yeah, yeah, yeah, yep. Right, so, so if you notice in both the videos, right, they had a guy walking in the back, and in the voiceover they said, we couldn't ask him because he's in her class. And the second one, was zoom in, was also because that was someone from another team. The problem was they were all crossing paths, because they were all out there on campus doing this at the exact same time, and that caused problems, right, because they were, they all had different stories. So it's going to cause conflict if they approach a, the same target at time T, and then, you know, five minutes later a different team comes with the same problems as a, we're doing it for this reason. That kind of messes things up. So, so the zoom-in was basically to show that there's intersections going on.

Yeah. Yes. Yeah, you know, one of the biggest criticisms, and I think it's a valid criticism, that I got from my students is: well, it's not fair, because the IT services folks know what's gonna happen, right, so they're gonna make our lives difficult. And yes, that was true, but they didn't know what the script was going to be. Okay, so I literally had to form a barrier between the tech representatives between, so I even, when I had the spring 2018 class, I didn't tell them the strategies that the IT services had to use the fall semester, which was passing off the laptops. So it's, it's, it's so new but it is a possible

[Applause]