We encourage the students to try social-engineering attacks on us before, and leading up to, the end-of-semester Capture The Flag exercise we run.  We rarely get any serious attempts.  Yesterday evening, however, I received this email:

From: drjohn.wlsn@gmail.com

Subject: Blog

Date: April 16, 2008 6:02:09 PM CDT

To: wesley@mcgrewsecurity.com

Dear Mr McGrew,

As a semi-regular reader of your blog, I noticed that your April 14 blog mentions that you and a colleague are putting on a capture the flag event. I have considered doing a similar event for my students. However considering time constraints, cost, and player level, I was curious about the logistics of the game. How long did it take you to design the game? How does scoring work? What tools do you introduce to the student? Where are flags hidden that keeps the game challenging but still at the student level?   

Dr John Wilson

This isn’t an unusual kind of email for me to receive.  I answer questions about my blog, my projects, lectures, and various other things on a daily basis.  While the email address is strange, it’s not really unusual for me to communicate with people who prefer their web mail accounts (especially Google) to their more “official” addresses.

This particular request, however, is not from a professor trying to spice up his security class.  It turns out to be a good attempt at a targeted attack.  I almost fell for it!  It arrived yesterday evening when I was feeling ill, running a slight fever, and wasn’t even considering the possibility of it being a ruse.  It’s a good thing that I made the decision to put off responding to all of my emails and other communications until this morning, because taking a closer look at it today made me realize that something could be up.

They did well choosing GMail.  Many other web email services attach the IP address of the web client to outbound emails, which would have likely given these students away.  They also did a good job of posing the questions in a way that asked for a lot of information that someone wanting to put on a CTF would want to know before getting to the heart of the matter (where the flags are).  In a way, their choice of a generic name worked well for them, in that it’s hard to Google; however, it may have been a better idea to do some research and use the name of an actual security-class professor at another university.
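As an added example (not part of the original post), here is the kind of header check that would have surfaced the senders if they had used a provider that stamps the client's address: it reads a constructed raw message (hosts, addresses and the Received chain are all made up) for an X-Originating-IP header and walks the Received hops.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample in the shape of the email in the post, as it would look after
# passing through a webmail provider that stamps the browser's address on it.
# Hosts and addresses are made up (documentation ranges), not from the real mail.
STAMPED_MESSAGE = """\
Received: from mail-out.example-webmail.test (mail-out.example-webmail.test [203.0.113.10])
\tby mx.mcgrewsecurity.com with ESMTP; Wed, 16 Apr 2008 18:02:09 -0500
Received: from webmail.example-webmail.test (webmail.example-webmail.test [192.0.2.5])
\tby mail-out.example-webmail.test; Wed, 16 Apr 2008 18:02:01 -0500
X-Originating-IP: [198.51.100.77]
From: drjohn.wlsn@gmail.com
Subject: Blog
To: wesley@mcgrewsecurity.com

Dear Mr McGrew,
"""

# The same message relayed by a provider that records only its own servers.
UNSTAMPED_MESSAGE = """\
Received: from smtp-out.example-mailer.test (smtp-out.example-mailer.test [203.0.113.20])
\tby mx.mcgrewsecurity.com with ESMTP; Wed, 16 Apr 2008 18:02:09 -0500
From: drjohn.wlsn@gmail.com
Subject: Blog
"""

def received_hops(raw):
    """IP of the handing-over host from each Received: header, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received: line, so the topmost one is the last hop.
    for value in reversed(msg.get_all("Received", [])):
        from_clause = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        match = IPV4.search(from_clause)
        if match:
            hops.append(match.group(1))
    return hops

def sender_client_ip(raw):
    """The submitting client's IP if the provider stamped X-Originating-IP, else None."""
    # Without that stamp only the provider's own servers appear in the Received chain,
    # so the sender's network stays hidden: the giveaway the post says GMail avoids.
    stamped = message_from_string(raw).get("X-Originating-IP")
    match = IPV4.search(stamped) if stamped else None
    return match.group(1) if match else None
```

On the stamped sample the client address comes straight from the header; on the unstamped one the only hop is the provider's outbound server, which is all the chain reveals.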

It could have gone either way, honestly!  In my response to the email, I asked that, if it was a student team, they identify themselves (they will be rewarded!).  “Dr. Wilson” could have been legitimate, though, so I did provide some basic information about the game (that the students would already know) with the promise of following up after the game on Monday.

Kudos to “Team 3”!

© 2012 McGrew Security Suffusion theme by Sayontan Sinha