Sending news
Penetration testing of virtual classes
This text was written only for inform people and the article is not
manual how can get access to secured page. The author is not responsible
for any demage caused by using this article.
Security in virtual space
In Czech Republic is portal: www.spoluzaci.cz - the virtual space for schools, classmates and teachers. For input to one virtual class you need a password. The password are usualy selected by admin of class. Passwords used on this website are very bad and weak. There is everywhere sentence for help you with password. Let's use social engineering, google and our skill for get input to classroom space. Just security test.
We tested about 130 sites, statistic are here:
| Type | Number | Percent | Security | Attack |
| Firstname of teacher | 54 | 42% | weak | Downloaded list of firstnames from czech goverment, order by incidencet |
| Name of headmaster | 10 | 8% | weak | Offical site of school, public information |
| Name of class-teacher | 20 | 15% | weak | Offical site of school - Trying all teachers names |
| Last place of a shool trip | 3 | 2% | weak | Wordbook, social engineering on ICQ |
| Favourite color of our teacher | 2 | 1,6% | weak | Just trying |
| Second name of one pupil | 10 | 8% | very weak | Just read the name. List of pupils is published |
| Some easy question | 6 | 4,4% | very weak | Possible find on internet or guess |
| Number of pupils in class | 1 | 0,7% | very weak | Just trying (In Czech republic can class from 5 to 35 pupils) |
| Nickname of one pupil | 9 | 12,3% | not good | Nickname is not good password. Wordbook attack (maybe), Guessing (Nickname is usualy created from name), Social Engineering in real - very easy get to know somone nickname |
| undefined,???,empty | 8 | 6% | ??? - awesome | Depend on password, help question is right. Possible attack: Wordbook and Advance social engineering. |
Results
As you can see a lot of passwords are weak and you can get premissions for input in a few minutes. Normal input to virutal class is login used email from Seznam.cz (Seznam is owner of www.spoluzaci.cz). In avarge class is about 20 pupils - get one password of this pupils is way to open gate again. And belive me, that wordbook attack of twenty different emails will be succesfull.
This can be very dangerous - email is bind with virtual class and in security area you can find another contacts (telephone number etc.) and usually a lot of photos. Site www.spoluzaci.cz is not commerecial website but site showing how big security holes are on internet. Only less then 8% of virtual class are safety.
Copyright © 2006-2007 Social - engineering.eu| All Rights Reserved
Design by Gerhard Erbes
Design by Gerhard Erbes