The Cities That (Never?) Sleep: Shanghai

July 14, 2019

The University of Pennsylvania Glee Club Tour 2019: “The Cities That Never Sleep”

Destinations (according to the PRC overlords):

  • China, China, China

Destinations (otherwise):

  • Shanghai, China (The People’s Republic of China)
  • Hong Kong (SAR)
  • Macau (SAR)
  • Taipei, Taiwan (The Republic of China)
  • Tokyo, Japan

First leg: Air Canada Economy PHL–>YYZ–>PVG. Lovely break at the Maple Leaf Lounge in YYZ, but otherwise nothing notable.

I landed in Shanghai at around 6PM, hours earlier than the rest of the Glee Club. I therefore took the opportunity to get acquainted with my surroundings, walking in the vicinity of People’s Square.

I loved the mix of small stalls and skyscrapers that permeated my path. I bought a few bananas from a street vendor and wandered over to where a large crowd was gathering for paired dancing:

A few steps onward was line dancing:

and a little further, karaoke:

Our hostel was located along a river, with lovely views in the evening, and was a great starting-out point for adventures.

Two days of adventures in Shanghai included visiting some of the famous markets, gardens, and of course performances.

Our major performance in the city was a collaborative concert with the women of the Shanghai Conservatorium of Music. (Photos Courtesy of the Penn Glee Club Tour Blog https://penngleetour.tumblr.com)

Our China leg also included a day trip to Suzhou, known by many as the “Venice of the East”. It’s a beautiful ‘small town’ of ten million people and many canals.

The biggest tourist attraction in Suzhou is the heavily trafficked Humble Administrator’s Garden. Where once it may have been a peaceful spot to relax, not so much anymore.

I also spent half a day in Shanghai sightseeing with Christian, a freshman Bass in the Glee Club. While known for his misadventures, he’s a charming and incredibly personable individual who could make conversation with a stone wall.

One notable feature of all the cities we visited was the incredible number of luxury goods shops. I saw enough Louis Vuitton and Rolex to last a lifetime.

One such encounter was an evening dinner treat when the Glee Club was taken to a fancy Peking Duck restaurant by the family of one of our members. While I couldn’t partake of the meal, it took place inside one of many vaulted malls, filled top-full of high end and expensive fashion.

Soon our time in Shanghai was over, and it was off to Hong Kong.

The Attack

April 29, 2013

I’m a college student studying abroad at the University of Pennsylvania, studying a mixture of CS, Physics and Music. This semester I decided to take a course, CIS551: Network and Computer Security, eager to learn about the field. This is the story of how, as part of the course, I compromised the security of one of my fellow students through social engineering techniques.

For our final project, the class was divided into two sets of teams, attack and defense. Halfway through the project, defense and attack switched. The role of the defense teams was to construct a secure network chat client. In plain English, they had to write a piece of software that would allow two people to communicate over the internet without fear of wiretapping. The aim of the attack side was to disrupt or compromise their system.

For me the excitement came from the attack side. We had learned in class about ‘social engineering attacks’ as a powerful offensive security tool. The basic premise, according to Wikipedia, is “the art of manipulating people into performing actions or divulging confidential information”. A trick of a con-man. This was a perfect opportunity for me to actually try putting such a technique into practice whilst still remaining well within the bounds of morality and legality. I asked for permission and was soon granted it. The eagle was a’ go.

Phase 1: Information Gathering

First we cross-referenced the list of emails on the defense team against the Penn Directory Database. Once we had full names and schools, we cross-referenced these against publicly available data using a combination of data-mining tools and lookups on social networks such as Facebook and LinkedIn. These were used to build profiles, including photos, of potential targets. In our attack proposal we also listed social engineering, to warn them of it.

Phase 2: Gaining Rapport/Trust

The next phase of the social engineering attack involved multiple steps. The plan was to place a mole outside the classroom in the engineering building posing as a recruiter from a prestigious company, offering summer internships! First up was obtaining a domain name and email address for use in the attack. We picked X (name redacted) to be the company we would replicate, as they are known for being secretive and security-focused. We thus registered Xrecruting.com and had the address forward to X.com for an authentic look, while using emails registered to that domain for our purposes.

Next I waited around the engineering buildings looking for a junior administrative assistant or janitor and, upon finding one, convinced them that I needed a Penn lanyard urgently for my senior design presentation, as I had forgotten mine. I was soon granted a lanyard, and next the team photoshopped a X badge with the face of our ‘recruiter’ (another Penn student) in order to simulate authenticity. We also printed advertising posters to place outside the classroom for further realism. We then placed our mole outside the 551 classroom dressed up in a X t-shirt (purchased online) with the fake badge, the posters, and a laptop set up with a survey. Our representative advertised summer internships in security. A number of students from the class fell for it and entered their information in the survey.

Next we gained further rapport by reaching out to the targets via email. First we initiated contact, asking for basic details, a resume, etc.:

“This is Joseph from X, we met earlier today. The team and I are very eager to find a candidate that fits our openings here… “

It wasn’t long before our target replied, eager to seize the opportunity:

“…please find attached herewith my resume for your kind perusal…I have fair bit of knowledge in Networks and Network Security.”


The game was on; he was falling for it! However, it was one thing to have his trust, but for us to actually use it in some way we needed to push this further.

Phase 3: Exploitation

To exploit our position of power we had many options, some of which would have pushed the assignment over the edge. With this level of trust it would have been feasible to gain access to information protecting online accounts, a very scary thought. However, we decided to go down a different route and instead convinced them of the need to review their source code for recruitment purposes. This allowed us to analyze their code for potential exploits.

“My team operates mainly on a Java codebase. Do you have any experience in the area?

We’ll also get you to submit a few simple coding exercises and perhaps the code from a previous project to see if you’re a good fit.”


We exchanged a few more emails back and forth, but it wasn’t really getting anywhere. I decided to press a little harder, being relatively sure of his trust:

“…In looking into specifically which project you would be working on, it would also be good to know if you had any experience in crypto protocols and defensive infrastructure. In regards to this I have two questions. Firstly, is there a professor I could contact in regards to the syllabus and, secondly is there anything that matches this description that you have engaged in as far as you know…

Could you possibly let me know feasible times in the next week for an interview?

Also, are there any current projects in Java you are working for which a codebase is available for our engineers to review? Even a work in progress is fine. We’re really interested in seeing material and your personal projects from this course given the nature of the internship….”


Finally we struck gold! A few hours later the following appeared in my inbox:

“Please find attached herewith 2 java source code files. (server.java and client.java)

These are for a basic chat system application. Further, me and my group would be adding some encryption techniques in it (I ll send you those once we start working on it and progress to some level)”


and later:

“Hi Joseph


Please find attached herewith 2 java code files for a chat system with AES encryption.


Thanks.

Regards.”

In the final copy they submitted, they had hard-coded their AES key; this would be easier than I thought! However, this wasn’t quite good enough. It would still be difficult to intercept their communication, much less read their messages.
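The hard-coded key above is the classic defect a code review catches, shown here as an added Go example (not the team’s Java code, and not part of the original post): Seal and Open stand in for the chat client’s message encryption, HardcodedKey is a constructed value, and SessionKey is the corrected form, where the key exists only at runtime so reading the source reveals nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// The defect the review found: a constant key in source, readable by anyone with the code (value constructed).
var HardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// SessionKey is the fix: a random runtime key never in source (peer exchange, e.g. over TLS, is out of scope).
func SessionKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error as of Go 1.24
	return k
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts msg with AES-GCM under key, prefixing the random nonce.
func Seal(key, msg []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, msg, nil)
}

// Open reverses Seal; it fails on a wrong key or a tampered ciphertext.
func Open(key, ct []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	ct := Seal(HardcodedKey, []byte("meet at 4pm"))
	pt, _ := Open(HardcodedKey, ct) // anyone who read the source can do this
	fmt.Printf("%s\n", pt)          // meet at 4pm
}
```

With a session key the same captured ciphertext is useless to someone holding only the source, which is why the attack below still needed a second channel (the camera) to get at plaintext.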

Next I simulated a discussion between the professor and X granting access to the ‘recruiter’ to come visit the demo.

“I have some exciting news and a question for you. I have been informed by Professor Smith that the class has upcoming demos on attack/defense and focusing on network vulnerabilities. I have his permission and now I need yours, to come and watch you demo live….”


“——– Original Message ——–
Subject: Re: CIS551 Security Recruitment
From: X <[email protected]>
Date: Sun, April 21, 2013 11:41 am
To: “[email protected]” <[email protected]>

Hi Joseph

I’d be happy to let you and your team come visit my students on Monday during Network Security demos they are undertaking using chat systems they have coded.”

The target replied in the affirmative, very eagerly inviting our recruiter in.

“Yes absolutely. You are most welcome. It’s this Monday at 4pm in Engineering Building.


Hope to see you there.”


“My contact no. is REDACTED if you need any help with location or anything.”


Today being demo day, the stage was all set, and our fake recruiter was again in place. I had given her my new Wi-Fi-enabled camera to stream a screen capture of the enemy’s messages directly from their screen as they typed, to where my team was sitting a few meters away.

Throughout the demo my team acted as all the other attack teams had, using DDoS, ARP poisoning and other standard network attacks to try to compromise their server. However, we really had a trump card: both their encryption key and, better yet, the plaintext of their messages.

After launching our usual slew of attacks on their code (most of which worked anyway), we closed the demo and went to meet the other team. When asked if we had any more attacks, I motioned to the recruiter to pass me the camera and, as she handed it over, our opponents’ faces took on stunned looks. It took a good few minutes to convince them of the depth of our attack. Successfully executing this was such an amazing feeling.

I’ve not yet received my grade for the course, but I feel that more than anything this was a fantastic learning experience before I head out soon to look for a position in industry or for higher study.

I’ve linked below the email log with names and emails redacted for the perusal of my readers with permission of the opposing team. It’s quite the read. Enjoy.

http://localhost/blog/full-email-log/


Friday – Day 249 #TheNextBigThing

April 11, 2013

Firstly in case you noticed the odd title of this post, I will be hashtagging a number of my posts as such for the next few weeks. This is because I’m part of a promotion at the University of Pennsylvania to promote the Samsung Galaxy S 4 and have been given the opportunity to own one myself if I pass a sufficient threshold of views. Selling out it may be, but I trust you to forgive me for the period of two weeks or so. Also, if you feel like being particularly generous, like my posts, as that counts extra!

Friday was intensely busy with grading CIS 121 midterms for a good majority of the day. It was relatively uneventful with the exception of a difficult coding question at the end. The gist of the question was as follows:

Assessing student responses was difficult, even more so given that many of the TAs found the question to be challenging as well.

In the afternoon I caught a bus to New York City, where I would be staying for the weekend as part of the Glee Club NYC Performance Tour. Upon arrival I was taken by my fellow clubbers Dan ‘Po’ Carsello and Kirk ‘Mortton’ Arner to a home in the West Village. The place where I was to be staying for the weekend belonged to one Daniel Pincus, Glee Alum and renaissance man.

Dan was a consultant for The Quantic Group, a pharma-focused consulting group. Balanced with that is his position on the board of The Muslim Jewish Conference, an international not-for-profit that focuses on discussing topics of shared concern between the two faith communities. That was paired with additional activism efforts he engages in across the Middle East, working to free women from repression and on the establishment of civil liberties. Oh, and did I mention he founded his own popular dance troupe?

Not only is he professionally accomplished, but he is something of an artist, with a work of his own on display and varied books on artwork and photography.

Sitting on Dan’s coffee table was a Canon EOS 5D Mark III, a top of the range, full frame, digital camera. He was gracious enough to let me take a few photos on it, but the feature set was overwhelming and combined with my very amateur skills, didn’t result in any fantastic images.

Opposite the coffee table, I fell in love. As I entered the room for the first time, my eyes were immediately drawn to a piano mysteriously labelled with a white number 15. The piano was a Steinway upright, already a good sign, and as I tinkled at the keys, rich, full, dulcet tones rose from the heart of the beast.

Piano #15

My first impression of Dan when he walked through the door was already pretty favourable. His stride evoked a sense of confidence, but the smile on his face and his demeanour as he walked two guests into the house betrayed a side that carried more spontaneity. Bolstering my impression of him were the two fine ladies that entered with him, a gorgeous Pakistani in a flowing yellow evening gown and a researcher from the Antarctic circle, casually in conversation.

From his position, it would’ve been easy to set the three awkward Glee Clubbers in his house aside and make haste away to his next destination of the evening, but he generously offered to let us join him on his next adventure.

His next animus was to convene with an artist friend of his, who, residing above a dumpster owned by an Italian Mafia family, had been commissioned by Dan to build a ‘Gamelatron’ – a fully automated Indonesian gong music ensemble. He showed great passion towards this pet project of his, and enthused all of us as to its transformative powers. Unfortunately, I wasn’t able to embark on the trip (Dan and Kirk filled the car anyway), but a few hours later they returned with stories of wonder. It seems the two of them were as impressed by Dan as I was.


Dan then explained to me the story of Piano #15 and my breath was almost taken away. He took a photo of the signatures under the lid and explained to me that the piano I had played on was in fact purchased from Carnegie Hall and had been played on by artists such as the great Lang Lang.

Lang Lang’s Signature

Following their return, I closed up my Physics books, unpacked on the couch in his most spacious apartment and soon fell fast asleep.

© 2012-2024 Shaanan Cohney