Recently, NBC News invited me to take part in an experiment in Russia with NBC's Chief Foreign Correspondent, Richard Engel. For this experiment a honeypot environment was created that emulated a user in Russia performing basic tasks, such as browsing the Internet, checking email, and instant messaging. The primary purpose was to gauge how quickly each device would be compromised if its user carried on normal activity while in Russia for the Sochi Olympics. In this post I outline the experiment and how I set it up. In my next post I'll describe the experiment itself and what I learned.
The devices used in this experiment were all brand new, ensuring a known starting point for comparison. Three devices were used: an Apple MacBook Air, chosen because of the relative sense of security that Apple products promote; an Android phone, to give insight into the mobile environment as well as visibility into locally distributed threats that never appear in Google Play; and a Lenovo laptop running Windows 7, because of its widespread use worldwide. None of the devices had security software of any kind installed. They carried only standard productivity and runtime software such as Java, Flash, Adobe Reader, Microsoft Office 2007, and a few additional productivity programs.
In planning this experiment, a few basics had to be considered. The first was mimicking Richard Engel's user behavior. Since these machines would hold fake data, it was important to imitate his normal activity accurately, which meant investigating his user habits: what he actually did on a daily basis, which sites he commonly visited, and where he posted. Did he post on forums? Did he post on foreign-language sites?
One tool commonly used for this type of research is Maltego. Maltego lets the user run open-source intelligence queries that pull information about an individual from a diverse set of data sources. I was easily able to find his email address, the sites he commonly posts on, and other details that helped me set up the fake machines and the website accounts intended to portray Richard Engel.
After creating a "profile" of Richard, I performed the laborious task of generating what appeared to be his user presence on each of the devices. This was done by creating fake contacts (including name, phone number, email address, and title) and placing them in the fake email account I had created for him. If an attacker compromised the machine, they would believe it was really Richard's, which allows us to study their behavior in closer detail.
In addition to creating fake contacts, I also browsed the Internet, emulating Richard's habits. I visited Olympic-themed websites as well as the traditional news sites he checks often, such as nbcnews.com.
Beyond browsing the Internet and creating fake accounts, I also used a SIM card registered to Richard Engel and seeded fake data onto the phone. We browsed the Internet on the phone as well and downloaded Olympic-themed applications.
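The seeding steps above (fake contacts on each device, then browsing and app installs) are described only in prose. The following is an added example, not code from the original post or from the experiment's own tooling, of how a practitioner might generate the fake contacts as an importable vCard file. It goes one step beyond what the post describes: each contact's email address carries a short per-device token in its subaddress, so that if a contact list is later harvested and the addresses turn up in spam or phishing, the address can be traced back to the device it was seeded on. All names, titles, the `example.com` domain, the `Example Broadcasting` organization and the device tags are constructed for the example.

```python
import hashlib
import random
import re

# Constructed sample pools for synthetic contacts (not from the original post).
FIRST_NAMES = ["Anna", "Boris", "Claire", "Dmitri", "Elena", "Frank", "Greta", "Hugo"]
LAST_NAMES = ["Adler", "Bennett", "Carver", "Dorsey", "Ekberg", "Foley", "Garner", "Hale"]
TITLES = ["Producer", "Field Editor", "Camera Operator", "Bureau Chief", "Fixer", "Translator"]
ORG = "Example Broadcasting"  # hypothetical employer shown on every fake contact


def vcard_escape(value):
    """Escape a vCard 3.0 text value: backslash, newline, comma and semicolon."""
    return (value.replace("\\", "\\\\").replace("\n", "\\n")
                 .replace(",", "\\,").replace(";", "\\;"))


def contact_token(device_tag, index, secret):
    """Short hash tying one contact to the device it was seeded on.

    'secret' is kept by the operator so an attacker who reads the
    address book cannot tell which devices exist or forge tokens."""
    return hashlib.sha256(f"{secret}:{device_tag}:{index}".encode()).hexdigest()[:8]


def make_contacts(count, device_tag, secret, domain="example.com"):
    """Build a deterministic list of fake contacts for one honeypot device."""
    rng = random.Random(f"{secret}:{device_tag}")  # same seed -> same contacts
    contacts = []
    for i in range(count):
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        token = contact_token(device_tag, i, secret)
        contacts.append({
            "first": first,
            "last": last,
            "title": rng.choice(TITLES),
            # '+token' subaddressing: mail still routes to the honeypot mailbox
            # but the token survives in the envelope recipient.
            "email": f"{first.lower()}.{last.lower()}+{token}@{domain}",
            # 555-01xx numbers are reserved for fictional use in North America.
            "phone": "+1-202-555-%04d" % rng.randint(100, 199),
            "token": token,
        })
    return contacts


def to_vcf(contacts):
    """Serialize contacts as vCard 3.0 text, importable into mail/phone clients."""
    lines = []
    for c in contacts:
        lines += [
            "BEGIN:VCARD",
            "VERSION:3.0",
            f"N:{vcard_escape(c['last'])};{vcard_escape(c['first'])};;;",
            f"FN:{vcard_escape(c['first'] + ' ' + c['last'])}",
            f"ORG:{vcard_escape(ORG)}",
            f"TITLE:{vcard_escape(c['title'])}",
            f"EMAIL;TYPE=INTERNET:{c['email']}",
            f"TEL;TYPE=CELL:{c['phone']}",
            "END:VCARD",
        ]
    return "\r\n".join(lines) + "\r\n"


TOKEN_RE = re.compile(r"\+([0-9a-f]{8})@")


def trace_address(address, device_tags, count, secret):
    """Map an address seen later (spam, phishing, a dump) back to (device_tag, index).

    Returns None when the address carries no token or the token matches
    no contact seeded on any of the given devices."""
    m = TOKEN_RE.search(address.lower())
    if not m:
        return None
    token = m.group(1)
    for tag in device_tags:
        for i in range(count):
            if contact_token(tag, i, secret) == token:
                return tag, i
    return None


if __name__ == "__main__":
    devices = ["macbook-air", "android", "win7-lenovo"]
    for tag in devices:
        with open(f"contacts-{tag}.vcf", "w", newline="") as fh:
            fh.write(to_vcf(make_contacts(25, tag, "operator-secret")))
```

Import the generated `.vcf` into the fake account on each device. If a harvester strips the `+token` subaddress before reusing the address, `trace_address` returns None; in that case fall back to matching the `first.last` local part against each device's generated list, which is why the generation is deterministic.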