As of the spring 2019 semester, the Women in Cybersecurity (WiCyS) Student Chapter is an official student organization on campus. Our first official event was having a certified ethical hacker, Mishaal Khan, demonstrate real-life hacking techniques. Khan works with a company called Mindsight, which is an information technology (IT) consulting firm based in Downers Grove, IL. WiCyS was also fortunate to have Mindsight’s marketing director, Jane Vitro, and senior recruiter, Adrianne Aeschliman, attend the presentation.
Khan started the presentation off by sending us all a live phishing email, which looked like it was an email from LinkedIn. He showed what an attacker can find out if you click on the email link or worse, actually type your credentials in when you reach the fake LinkedIn login page. It was refreshing to see what happens when you click on a phishing email because most of us are trained not to do so, and I liked being able to see why.
He also gave a live demonstration of a WannaCry ransomware attack, so we could see what happens to your files when you’re a victim of an attack like this. He balanced the demonstrations by explaining what you need to do to protect yourself from attacks like these. Regarding ransomware, he told us that we need to have at least two physical backups of our data and one backup in the cloud. That way, if your machine is compromised, you can recover your data from the cloud.
The next part of the presentation focused on password cracking, specifically dictionary attacks. Dictionary attacks are exactly as they sound: the hacker tests a large number of words from a huge dictionary in an attempt to guess your password. To demonstrate this, Khan had one of the attendees go in and set a password (without Khan looking). He then ran a script to crack that password. In less than a second, Khan asked, “Was your password puppies?” This brought some laughs because that was the password, but at the same time, the harsh reality is that many people do still set passwords that are as weak as "puppies" (although it is an adorable password).
What are we to do if we have so many passwords to remember and the simple ones are cracked easily? Khan’s answer was to use a password manager. He sets every password of his to the maximum number of characters allowed and even showed us one to prove it. His Twitter password is 40 random characters that no one could possibly guess. I personally was iffy about using a password manager myself, but after his presentation, I’m looking into one that will suit my needs.
The presentation ended with a demonstration of several social engineering attacks. Khan explained the concept of Open Source Intelligence (OSINT), which is a fancy term for knowing what to Google. Based on someone’s phone number, he was able to get their full name, date of birth, and address. This was from a website that’s open to the public so that anyone can use it, which was a scary rude awakening for many of the students that attended. He also demonstrated how you can spoof a phone call by calling one of the attendees. The program he used was not difficult to use at all, which also makes you realize how easy it is to attempt one of these attacks.
I thought it was a fantastic presentation, but you may think I’m biased because I’m the WiCyS Student Chapter president. I could also tell you that the attendees enjoyed it, but I thought it would be better to ask some of them for a quote instead, as you can see below.
“Cybersecurity: the only field where live demos belong. You see just how vulnerable you really are.” – Antoine Foggs
“I think the event definitely reminded a lot of students how vulnerable everyone is in this age of the internet, and it showed how important cybersecurity is for everyone.” – Przemyslaw Warias
"Mishaal demonstrated a variety of attacks and explained them in an accessible way. The attacks are less frightening because he explained how they work and what we can do to protect ourselves and our data." – Vinesh Kannan
"It was a breath of fresh air to see actual phishing and hacking techniques that I had only read in textbooks be demonstrated." – Prashanth Murugan
"'Cybersecurity is a shared responsibility where the more systems we secure, the more secure we all become': This quote from Jeh Johnson was the base of this presentation. I appreciate the efforts put in explaining to us how to make our cyber world safer. This presentation was the first presentation that I had attended at IIT and it was the perfect start. The content was interesting to me and I liked that the presenter added demonstrations to his presentation. This made the explanation more effective and easier to understand." – Divyanshu Kalola
WiCyS plans on having Khan come back in the future, so if you’re interested in seeing his next presentation, please make sure to join WiCyS on HawkLink and email me ([email protected]) so I can invite you to our Basecamp. We use this portal to list our events and post announcements that are relevant to the chapter members. Our schedule is on there as well, and you can export it to whatever mobile calendar app you use.