Professor Rubin gave his students an interesting assignment: conduct red-blue, social-media-based penetration tests on American universities. Students were tasked with constructing an attack plan, a defense plan and a "cover-your-tracks" plan. Hashtags, fake coffee shops, racy direct messages and yoga pants were just some of the strategies used to lead victims on social media to an emulated attack landing page. Afterwards, students defended their university’s social media presence from other teams carrying out their plans. Lastly, they employed concealment techniques to remove attack evidence.
The teams switched attack and defense phases after a four-week period. They catalogued their actions with a standardized syslog for analysis, and we calculated the number of clicks each team generated based on the university IP range. The talk focuses on the results of this project and outlines some of our favorite write-ups, names, strategies and novel project constructions. An unexpected event also occurred: the students had a moral objection to some of the strategies attackers use on social media and refused to perform these attacks unless we gave them an alternative. We review the ethics of these exercises and generate a set of lessons learned based on our discussions with the class.