World Cyber Crisis? Students to the Rescue!

UK Prime Minister David Cameron recently hopped the pond to meet with Barack Obama — one would be hard-pressed to think of a more high-profile meeting. What was on the agenda? Cyber security. Understandably so — their meeting came on the heels of the alleged North Korean hacking of Sony and the hijacking of CENTCOM’s Twitter and YouTube accounts by ISIS supporters.

A White House press statement called cyber attacks one of the most serious “economic and national security challenges” facing the world today, and declared that both government and private sector were under attack. The two world leaders announced plans to strengthen cyber security for critical infrastructure and the financial sector. Looking longer term, they called for increased information sharing, intelligence cooperation and investment in cyber security education.

One of the most exciting pledges was to create the Cambridge vs. Cambridge cyber security contest, pitting the Massachusetts Institute of Technology (MIT) against the UK’s University of Cambridge. MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) hailed the announcement as a “hackathon” that will harness the students’ “collective brainpower.” In the UK, the event was heralded a trans-Atlantic digital war game that will help to prepare the British Isles for future cyber terrorist attacks.

The Ivory Tower and Computer Hacking: Mutually Compatible

How do you get from here to Carnegie Hall? Practice, practice, practice! Fortunately, there is a growing recognition that, if we want to protect cyberspace, the nursery is a better place to find recruits than in a retirement home. That is why NSA Director GEN Keith Alexander decided to keynote Black Hat, and why the newest spin-off from the world’s largest hacker convention, DEF CON, is aimed squarely at kidz.

In the United States, there are a growing number of cyber security competitions at the university level. Under NSA supervision, the military services have held an annual cyber war exercise since 2001 (unlike in football, West Point currently holds the trophy). This has led to the creation of the National Cyber Security Defense Competition among universities and CyberPatriot for high school and even middle school students.

Such programs are designed to give students the opportunity to apply their studies in a hands-on exercise (often based on “capture the flag” scenarios) with the added incentive of fierce competition among peers. These hacker events have been hugely popular, with the winners immediately gaining “1337” status in their discipline and advancing to clashes of network titans in contests such as DEFCON CTF 2015.

Unfortunately, however, these remain tiny sparks of light in what is an otherwise pitch-black cave of cyber security education. Colleges simply cannot keep up in what is now a dynamic and rapidly evolving network security threat landscape. PBS recently reported that there are over 200,000 unfilled cyber security jobs in the U.S. alone!

War Gamez in Social Media – not your typical college class

ZeroFOX recently presented at ShmooCon about a novel cyber security exercise carried out in partnership with Johns Hopkins University. The exercise instructed graduate level students to simulate red team/blue team social media penetration tests on other American universities. Each group was assigned to “attack” a school for part of the experiment before switching to defending a different school.

The “attacking” students, with the help of botnet armies and subversive hyperlinks, infiltrated adversary networks with highly imaginative – and effective – social media attacks. Their goal was simple: to lure the target audience into clicking on a tracking link. In the study, the link redirected to a benign 404 page. However, in a genuine cyber attack, a click would not have simply tracked the clicker’s basic information, but could have compromised the entire network. We recorded the basic demographics of clicks for scoring purposes; including browser and operating system statistics.

During the offensive campaign phase, the attackers used attractive hashtags, bogus business schemes, fake job announcements, insider Facebook group details, sports updates, free ice cream and much more to lure gullible students to click on their link.

The most effective lures, in descending order, were the following:

  • Automated Tinder invitations: 75% click rate
  • Access to closed Facebook groups: 12.5% click rate
  • Fake job announcements: 12.5% click rate
  • Sexually provocative student blogs: ~500 clicks
  • Hashtag hijacks of sporting events: retweets, clicks, favorites

The war game was a short exercise, but the results of our study were extraordinary. In summary, the “attackers” were able to “compromise” plenty of target networks simply by using social media communications. All told, nearly 3,000 users clicked on the tracker links.

The Social Media Threat Vector

Our project validated something we have known for a long time at ZeroFOX: it is shockingly easy to carry out cyber attacks on social media. Unfortunately for today’s corporations, the adversary has known this for a long time as well.

The students at Johns Hopkins University proved that people are far more willing to trust something posted on social media than other platforms. Email, for example, it widely assumed to be vulnerable. According to Norton, 89% of people won’t open an email from an unknown sender. Yet well over a third will accept a friend request from an unknown individual, and 40% of people have fallen victim to social media cyber crime.

More importantly, our experiment proved that not only is cyber crime evolving rapidly, but the key to innovative solutions involves getting students excited and involved sooner than later. It takes more than a textbook on malware analysis to train the next generation of cyber warriors. As such, Obama and David Cameron are spot on in creating the Cambridge vs. Cambridge competition. As we were thoroughly impressed by in our own study, students thrived in the competitive environment and came up with a huge array of innovative strategies to both launch, and defend against, social media cyber attacks. This competition, as we hope will be true of Cambridge vs. Cambridge, put students in the driver’s seat and inspired them to grapple with a daunting new challenge in cyber security.

A new generation of cyber crime is here. But so is the next wave of innovative and cutting-edge solutions.