Cybersecurity Story
Scenario 1
A high school senior, Mitt, just finishes watching Network Chuck's episode on how scary easy it is to create a phishing attack. So he takes a half hour, builds the phishing web site designed to steal his "friends" credentials. Knowing that he and his friends have just had an assignment to create a profile page on LinkedIn, Mitt's phishing website "looks" like LinkedIn's login page, gather's the credentials and then redirects to Linkedin.com, Using the Social Engineering Toolkit, Mitt crafts a phishing email that looks like it comes from LinkedIn using their logo and an email address that "looks like" linked1n. The phishing email asks the user to "fix" an error in their profile. Mitt sends the email to his friends AND the teacher from his home computer.
The next day at school, Mitt looks at the credential harvester results and is amazed to find that 50% of the class AND his teacher have "logged in" to LinkedIn. He now has their usernames and passwords for Linkedin. Mitt's first thought is to go to Linkedin using his "friends" credential and alter their LinkedIn profile to either embarrass them or cause them to flunk the assignment. Then the "light bulb" comes on for Mitt that he now has his teacher's password and perhaps they "reuse" their password on different accounts. Mitt immediately tries to log into the school's grading system using his teacher's username and password gathered from the credential harvester and is denied entry. Not being one to give up so easily, he remembers that when he set his password he was required to add a special character such as !@#$^&/ so he changes the passwrord from kittyKat1 to kittyKat1! and gets in. Tempted to change his grade from a B to an A, Mitt thinks that changing only his grade might lead to him being discovered by "the authorities", so Matt gives everyone an A.
Scenario 2
Mac is a college graduate with a degree in Cybersecurity. She works for an Incident Response Consultant for a well established cybersecurity company during the day, but at night she works for social justice by using her cyber-powers to anonymously help victims of the "system".
Mac's current social-justice case involves a young Hispanic women, pseudo-named Maria, who is the daughter of illegal immigrants. Maria is a United States citizen, having been born in the US. A group of students at her high school supported by a teacher have been physically and socially abusing her for months. They tell Maria that if she reports the abuse to anyone they will report her parents to Immigration Control and have her family deported. Maria knows the group is sharing photos and videos of her abuse on social media but doesn't know which site is being used.
Mac becomes aware of Maria's plight when one of Maria's friends confides in Mac about Maria's abuse She tells Mac about the perpetrators and that a social media site is being used to share descriptions, photos and videos of the abuse. With a list of the abusers names, Mac begins an Open Source intelligence (OSINT) campaign to discover as much as she can about the alleged perpetrators. During the course of that investigation, she discovers that the teacher had recently created an account on a site that focuses on "Private Social Network" (PSN) solutions. Mac uses social media techniques such as phishing to get the log-in credentials of the teacher and a significant number of the student abusers. Mac also uses Social Media Harvesting tools to gather as much information as she can about all of the participants including Maria.
Maria's friend is concerned that if the abuse continues it may be too late to save Maria, so Mac moves to action. Verifying that this PSN is where the abusers are sharing graphic information, Mac takes aggressive steps. First she takes a "snap shot" of the PSN content showing the abuse, and collecting information about up loaders of the abuse media. She creates an evidence package including server logs and sends that to law enforcement and school officials. Also, angry that the scumbag teacher is allowed to continue working at the high school, Mac breaks into his school account and plants a robot that automatically downloads child pornography for 5 minutes every time the screen saver starts. After two weeks the robot automatically self destructs and removes all evidence it was ever there. Mac, then uses a student school account to report the abuse to the school administrators and also notifies the local press.
At this point, Mac believes her job is done, but what happens if law enforcement and school administrators are more interested in bringing charges against Mac than in pursuing the abusers? See https://en.wikipedia.org/wiki/Steubenville_High_School_rape_case
Resources
Phishing attacks are Scary Easy to do! https://www.youtube.com/watch?v=u9dBGWVwMMA
Generate Phishing Domains Easily with Dnstwist [Tutorial]: https://www.youtube.com/watch?v=ne8SPEoDe8o
Social Engineering Toolkit: https://www.trustedsec.com/tools/the-social-engineer-toolkit-set/