Act II: What Harm Can Come Of A Little Classroom Activity...

Act II by ZN

A couple of years ago, I was tasked with bringing redteaming to the classroom*. A fun activity (all legal) to help students understand how theory is put into practice, from which, in turn, we develop new theories to put into practice. In the course we had done extensive reading on topics like media concentration, privacy & phonetic urges, and a personal favorite, geodemography (Wikipedia is a good starting point and David Lyon if you want to get complicated).

I had first tasked the students to organize themselves by skill sets, derived from their understanding and favorite RT rules. They came up with cute names like TeamAmerica, TeamGotcha, Teammyopsarebetterthanyourops, and TeamChair (they happen to love Rule 62) and even took to occasionally carrying one they decorated around campus (not subtle, but cute). For the most part, students were in full team mode and weren’t sharing anything with anyone or me unless they had successfully completed tasks. Assuming this might happen, I had implanted into these groups several course members who had also served in the military, so teams thought these individuals were their ringers, when in fact they were moles who regularly sent me updates via coordinated dead drops (campus by this point thought we were setting up GeoCaches, so particular types of objects hidden in bushes didn’t seem that odd), provided backdoors to their teams’ FB groups, or acted as double agents to prevent groups from completing tasks in a timely manner.

All groups were then tasked with completing four (4) objectives that had to be completed in order. Each task took 1 day; completing all tasks took a full academic week, or 4 days:

  1. Scope out the AO with official college logo (22 possibilities), get picture taken with at least 2 group members with the logo without being seen by other teams. Any photos with your team and the symbol turned in by other teams negate your submission.
  2. Go to local food establishment and get following info about 3 employees: Name, Favorite Menu Item, and Physical Description. Bonus points if you can social engineer your way to a meal.
  3. Learn about the institution’s security protocols. Who worked where, if there was an observable daily patrol, and specific jobs they have.
  4. Without B&E, using social engineering, get someone to let you into a designated space and remove an item proving violation of space.

Now, tasks 1 and 2 were pretty straightforward with very little issue or institutional risk, but with tasks 3 and 4, the manner in which these mildly organized groups of students accomplished them and interpreted the rules, frankly and unintentionally (had they been actual bad people, it could’ve been worse), showed the overarching complacency in a post-Virginia Tech (2007), NIU (2008), UofT, Austin (2010) world. Collectively, they threw the institution into a security panic and caused turnover of security protocols, ALL in less than 48 hrs, by students just acting like students. I was a very proud, but scared teacher that day!

You might be wondering what could cause such chaos? In task 3, all groups just watched and were able to turn in walking-pattern maps of how institution security walked the campus, down to the minute. There were a couple of normal health issues that required the police and fire department to be called, and they even noticed a pattern in how security then moved around the campus; they included that in their reports also. There was no sharing amongst the groups and their approaches to the task differed. That was cool, but here is where it gets interesting. One group privately brought me the CONFIDENTIAL emergency protocol handbook for when things go south for real. I’m not allowed to say how she procured it, but I can share that those protocols have now been changed and require a different kind of access to even read them now.

Now the fun of task 4: one group decided to engage custodial services. The institution told them officially that they couldn’t let them into the designated space directly; they convinced the janitor of that area to let them climb into the rolling trashcan and get wheeled into the space while the janitor was emptying out the trash in that AO. The janitor made it clear that he could not know if someone was in the can or not, so the students spent the next 2 days weighing down the trash can so that the janitor wouldn’t know the difference if a person & item was in the can or not. Personally, I think it was nice of the janitor to play along and, being former military, he expressed joy in seeing the students being creative and trying to sneak around. The group had completed the task successfully by removing a 2ft tall statue, and their sheer creativity won them the event (voted on by their classmates).

All in all, it was a good semester, the students learned valuable lessons, the dean’s asked me to lay down stricter ground rules (I don’t, it is the real world), and I now consult for the institution in an official/unofficial capacity.

So in conclusion, Rule 33, 79, and 89, until Act III…

*Name of institution and locations have been omitted per request
