Author Archives: sophiemariennviso

About sophiemariennviso

Cyber Security enthousiast

One more year, on the way to… where?

A secret location.. A scavenger hunt to find it. Following the tradition, that’s how our teambuilding weekend (offsite) starts. |  

On D-day, at 8h30 we needed to be at the office to start our hunt, and only then we could get our first official clue: a QR code. This allowed us to download an app, which contained a scavenger hunt via which we could find the secret location of the offsite. The first challenge was to find some passwords, lucky for us we already found those passwords in an email which was sent few weeks before with information on the offsite.. 

Someone noticed that the picture in the email contained some interesting strings and this led to the first password. The second one was just some text hidden in not so plain sight and from there on, trouble started.|As always, our colleagues also like to troll each other, and some team members had been planting fake clues the previous weeks. What was a real hint and what just “friendly” trolling?

IMG_20180531_082945imageoffsite

Long story short: after many fake clues, a long driving through Belgium, the Netherlands, Germany (thanks, trolls!) and solving challenges on general culture, schlager music, beer knowledge and digging up information on some colleagues, we ended up in our final location: a huge house in the middle of the Ardennes.

Arrived at the location we found that the table was already set for lunch, the pool open to splash, a sauna not too far away and a bunch of really fun VR sets to play aroundwith.|More challenges, anyone? Of course! Let’s play! Why not a team-wide Gotcha? Just to keep the competitiveness high..

20180601_193600

After everyones bellies were filled, we could hang around and work in teams on Shark Tank ideas.. The Shark Tank is a key part of every NVISO offsite..|It is a space where we work on new ideas, and how we believe we should evolve as a company.. It is a great opportunity for the whole team to have a constructive discussion, and contribute to shape NVISO the way we want it to be.

This year we worked on our core values (We care; We are proud, We break barriers and No Bullshit), and how those should reflect in our relations with employees, clients and society. Some fantastic ideas came out of the Shark Tank, and we will be working on them over coming months.|It is not about which idea “wins”, but what we all “win” as a team from all the good ideas we put together.

Of course, the other big goal of the offsite is bonding with our colleagues.|And we also had plenty of time for that. One month ago we all received a mail asking to subscribe to one topic, under the mysterious titles of #Fast, #High and #Relaxing.. Behind those cryptic names hid a karting morning in Francorchamps (really fun and challenging in the rain!), skydiving and a full luxury pass for Spa Thermes. 

DCIM/100MEDIA/DJI_0083.JPG

Sadly, due to the weather, those of us who chose for #High could not jump.. But no complains! Our No Bullshit value in place. We will just postpone our fun, and we will take our leaps some other weekend this summer. |

But of course, we all know the best bonding happens over a beer (Belgian, as ourselves!). Nothing breaks barriers as a nice party, and that was the perfect final for our event! For everybody’s sake we will keep the pictures of those private. Let’s only say that there were lots of fun, and perfectly wrapped up two great days with the whole NVISO team under the same roof. 

And talking about scavenger hunts, were you able to find 3 passwords in this blog post?   

Stalking a reporter – behind the scenes!

Introduction
Around mid-October we got a call from a reporter working on an article covering online privacy and social media. Rather than writing about others, the reporter wanted to have his own story. So, he asked NVISO to research him on-line, and find out as much as possible about him! Of-course, after agreeing on some “ground rules” with the journalist, we were 100% up for it!

The ground rules that were put in place:

  • We would focus on mining only publicly available information, not make him a target of an attack.
  • We were not allowed to use social engineering tricks on him or his friends and family to get additional information.
  • In other words: we could use any information already available online, without actively asking for more.

The article that was recently published by the journalist can be found online (Dutch only, sorry!): http://www.nieuwsblad.be/cnt/dmf20171107_03174488. For anyone interested in the “behind the scenes” on how we approached this – keep on reading!

Let’s hunt!

The team that stalks together…

We assembled a small group of volunteers and got to the task. We created a repository to collectively track our findings, as all bits of information would help the other researchers to move further on their own search, or validate information pieces gathered from different sources. The starting point was obvious: We had the journalists’ name, the email address he used to propose the experiment and a phone number on his signature. Plenty of information to start from!

The first step was to find his Facebook profile. We quickly found out that the reporter does not use the combination name + last name as the profile name, making it more difficult to track down the profile (assuming that he actually has a Facebook profile 😊). But as it often happens, some friends had mentioned his full name on publicly tagged Facebook pictures. We knew his face now! After that, identifying his own profile was possible by looking at metadata in the pictures, including the tagged friends. From there on we started building our file. The privacy settings for the profile were (unfortunately for us) quite restrictive… luckily for us that was not the case for all his friends!

Screen Shot 2017-11-14 at 14.57.36

Facebook showing profile picture after you’ve entered a wrong password

We found his personal email account by guessing and trying to login with the email account to Facebook. Facebook shows you your profile picture when you say that you forgot your password. That is how we could link his personal email with Facebook. We correctly guessed that he also used this email for other social media and apps, and used the same method to see of he had an account. From there onwards, figuring which other services he was using was easy. From there we could gather additional interests, routines, professional activities, social relations…

Of course, this kind of research leads to many false positives. In our case, someone with the same name happens to live close by to our reporter, and some of our data actually referred to that person. That is where crossing data from different sources comes in handy. It allows to discard some of the bits that don’t really match the puzzle.

During our investigations, we also discovered details on the ex-girlfriend of the journalist – her online activity proved to be an excellent source of information! Prolific Instagrammer, her account gave us a lot of info about travels they did together, pictures, friends… Why do we know she was his ex? They are not friends on Facebook anymore! We got no juicy stuff about the breakup, though.

With the parents name (which we found in a cached document on Google), we could find their house, pets, and social media accounts with additional clues… We could assemble a fairly decent family tree. We were also able to find his home address.

With these results we got back to our reporter. He was quite surprised by the things we found out without directly approaching him or his friends! He found particularly scary what we found out about his family and his ex-girlfriend.  He was surprised, though, not seeing his birthdate on our data list.

One step further … go phishing
After our initial investigations, we mutually agreed to take it one step further. 

So what did we do ? We created a fake Facebook profile to trick him or his friends into sharing additional information, contacting his parent or just some good, old phishing to get his credentials and access his email account. We opted for the last option.

We crafted an email based on his interests (which we already identified during the first part of the research). We sent him a link that sounded very relevant for him, so he would definitely try to check it it. And it worked, even though he knew he was going to be targeted by us in this time window. He clicked, and he was directed to a google authentication page. Google? Well, actually NVISO-owned, Google-looking. That is how we got his password.

Once we gain access to his account, we stopped the game. We called him and showed him we were in by sending a mail via his own private inbox to his work email. The challenge was completed. We left nicely, whiteout reading his emails.

Untitled

Emailing from within the inbox of the reporter to the reporter (yes, this is a dummy screenshot!)

In a meeting afterwards, we explained him how he was phished. Up till then he had no clue how he had given us his credential! But we have to confess: still, we didn’t get his birthdate.

Conclusion
Most people aren’t too surprised anymore about the wealth of information available on each of us online. What is interesting, though, is how often we believe we are fine, just because we have our privacy settings nicely set and reviewed for all our accounts (as was the case with the journalists’ Facebook profile for example). That old account you forgot you had, the friends that tagged you, the university bulletin, a legal document or a nice note in memoriam of a loved one can give most valuable information to anyone who is interested.

Entering the active reconnaissance part, phishing once again proved a very reliable method to get additional details from a target – in our case, it even gave us full access to the journalists’ mailbox.

We are all on-line. Most of our life is these days, and that is not necessarily a bad thing. But it is important to remember that, despite all privacy and security rules we want to enforce, humans are still the weakest link. Understanding how we share information online and the impact it has on us and others is key in an increasingly digitalised world – we are happy to have contributed to the article & hope to have raised some awareness with the readers!