Problem Brainstorming - Big Thread

[seamustuohy]

Shortened Links Challenge Items

• See the redirect location of a shortened link without going there (i.e. either add a plus sign at the end of a bit.ly, buff.ly , or goo.gl OR just use curl -I)
• Identify if a malicious shortened link is likely a spear phishing attack or a broad range phishing attack. (i.e does it have hundreds of clicks from all over the place?)
• See if a link of unknown pedigree is part of a phishing campaign.
  • Are the referrers almost entirely "Direct." That means it has only been sent via email/sms. If there are other referrers go search on those referer sites to see how they are used. i.e. site:twitter.com "bit.ly/HRWInfoSecTech"

[seamustuohy]

Archiving Content

• Archive a, possibly soon to be taken down, video
• Archive a malicious website for evidence or forensic purposes
• Set up a changes tracker on a website that posts updates to a policy that you are worried about (Can we also do non-protective problems that also use technology?

[seamustuohy]

Fake Video/Photos

• Identify if a photo that is being shared around on social media is likely authentic or not. (looking for previous uses of the photo, exif data showing preexisting lat/lon, etc.)
• Use one of the photo forensics tools to identify possibly doctored photos (http://fotoforensics.com/tutorial.php)

[seamustuohy]

Censorship Measurement

• Creating a custom OONI link to send to a person in-country
• Having them download blockpages
• Use isitdown or other sites to see if censorship is local
• explore the OONI explorer or use OONI explorer API to see if there are cases of possible censorship of important sites
• BONUS POINTS: Submit a possibly at-risk site to the OONI/citizen-lab lists

[seamustuohy]

• Proper handling and collection of data on a persons device. (We could have devices prepared for them to get the evidence from in a "lab" type setting?)
• Memory dumps? (Getting quite a bit advanced at that point...)
• Disk images

via https://rarenet.github.io/DFAK/en/Malware/

[seamustuohy]

• Identifying how a gmail account may have been compromised (We can add an "approved app" with lots of permissions to the account, or have a device log in from another country that the "client" says they have never been to.)
• Recovering a compromised account (Can we get company reps to help us do this?)

via https://rarenet.github.io/DFAK/en/AccountHijacking/

[seamustuohy]

• Cleaning a device for travel. (Likely too difficult to make this into an activity. We would need multiple devices and a way to score what they delete and didn't. Also, the compromises between a purged device and productivity are hard to score for.)

[seamustuohy]

Everything from Etienne's work here => https://github.com/Te-k/how-to-quick-forensic/blob/master/Windows.md

[seamustuohy]

What can we build off of from the Champions Curricula? (https://github.com/securityfirst/championscurriculum) It targets a population with a similar skill level as the ones we are looking to target.

[roseregina]

Compromised Wordpress (suggested by @Te-K over email)

[roseregina]

Copying @rorymbyrne from #19:

Hey guys,

How about having users do a basic vulnerability assessment as a a topic? Maybe something like show users how to do a Nessus/OpenVAS report and output it?

[seamustuohy]

Puzzles which are guiding users through configuring security, privacy, or incident checking on their accounts so the players learn how to do it themselves as well.

<Quick addition here since I'm away from my personal computer with my local code>

[rorymbyrne]

What can we build off of from the Champions Curricula? (https://github.com/securityfirst/championscurriculum) It targets a population with a similar skill level as the ones we are looking to target.

Sure thing. It needs to be updated a bit as the project got put on hold a bit but there should definitely be a few useful things in there.

[rorymbyrne]

How about some very very basic forensic tools?

-Cybertriage is great and pretty straight forward and has a ton of functionality - including if I remember how to take a an easy memory image -Process explorer is pretty simple to use, take a snapshot and compare -TCP view, Autoruns are both pretty simple

https://Any.Run and https://www.joesandbox.com are also useful tools that offer both more visual and more information than VirusTotal.

[becklm]

• Cleaning a device for travel. (Likely too difficult to make this into an activity. We would need multiple devices and a way to score what they delete and didn't. Also, the compromises between a purged device and productivity are hard to score for.)

Not quite the same, but device recovery after suspected compromise (thinking of scenarios where someone may have traveled and suspect there is malware etc. because of unusual performance, and want to restore their device with minimal data loss)

[Te-k]

How about some very very basic forensic tools?

-Cybertriage is great and pretty straight forward and has a ton of functionality - including if I remember how to take a an easy memory image -Process explorer is pretty simple to use, take a snapshot and compare -TCP view, Autoruns are both pretty simple

I like this, it should be pretty easy to generate a few compromised machines and have people search for malware (only question is VM size and Windows licenses). I have written a guide that can be helpful for that https://github.com/Te-k/how-to-quick-forensic/blob/master/Windows.md