Just for a bet - Solo per scommessa. Competition "Contraband Pixels & Texts, or... make stories, not phishing"

Written by Roberto Sotgiu

A story selected in the fourth "round" of the competition "Contraband Pixels & Texts, or... make stories, not phishing". Available in English and Italian (original post on the official contest page).


Just for a bet (English language)

After a football match:
"Hey Pietro, how come you haven't played today?"
"Two days ago I went to the emergency room, where they kept me for 24 hours under observation and told me not to practice any sport for at least a week."
"Damn, I had no idea. What happened?"
"Eheh, so curious? Don't you study computer security? You're a hacker, aren't you? Find it out on your own, then! If you find out the actual reason by tomorrow night I'll invite you to dinner on Saturday... but be careful, if you cheat you'll pay for it."
"Deal!"

The day after, I started thinking about how to find the reason why he had been kept at the hospital. I had to rush, so I began learning about the hospital computer system. An hour later I understood that my only chance was to get access to the SDO (the hospital discharge summary), which must be filled out for every admission/discharge of a patient.

Each hospital is connected to the system, and most of the time doctors can run a search simply using name, surname and date of birth.
Problem number two: how to find out in which hospital Pietro had been admitted. I started collecting information about the three hospitals in order to analyze the way they work and maybe discover a distracted or not very careful healthcare worker who would easily leave usernames and passwords unattended on the screen... since nowadays social networks go viral, there was also a chance that someone might have taken a picture with that computer in the background and put it online.

Unluckily I couldn't find anything on social media, but on the other hand I managed to get an idea of the organization behind them, and so I decided to call the hospital pretending to be a physician asking about "my patient" and the reason he had been admitted.
Digging into the internet domains of the three hospitals with a common computer program that can easily be found on the web, I stumbled on an unexpected document: a list of internal phone numbers divided by department. Every social engineer is aware of their importance.

I went to that hospital wearing my best outfit and started walking around until I found the floor with the offices; no one but the chief would stop a middle-aged gentleman dressed to the nines. During my walk I saw the health director's office with the door wide open and the man himself behind his desk. With another little program I made my cellphone call the E.R. as if the call were coming from the chief's office.

"Hello, it's Fabrizio Monticone, who is speaking?"
"Good morning, it's Adriano Deiana. How can I help you?"
"Here in my office I have my son crying, saying that Pietro Riva, a good friend of mine and father of his best friend Simone, was admitted to the hospital two days ago. I tried to call him but he won't answer, and my son would really like to know if he is alright."

"Do me a favor and check on the system why we kept him here 24 hours under observation."
After a few seconds of silence...
"Hello there, can you hear me? Please, I beg you, my son won't leave until he knows that everything is alright with his friend, and I really have a lot of work going on here, you'll understand."
"Alright, please tell me his name, surname and date of birth again."

"Pietro Riva, April 26th, 1970."
"Just give me a second, sir."
"You can assure your son there's nothing to worry about: the patient arrived at the E.R. for a head trauma that occurred during a friendly football match; the tests didn't show anything suspicious, and after the usual 24 hours he was discharged."

"Well, I knew there was nothing to worry about; he would have told me otherwise. Thank you so much, Adriano, and have a pleasant day!"

Five minutes later I gave Pietro a call: "Hey Pietro, how is your head doing after your injury?"
"Ahahah, I knew it!! Don't you dare be busy on Saturday, we're going to eat sushi. See ya, Robi!"
"See you on Saturday, Pie."


Solo per scommessa (Italian version, translated into English)

<<Hey Pietro, how come you didn't play today and only came to watch us?>>
<<Two days ago I had to go to the emergency room: they admitted me for 24 hours in the O.B.I., the short-term intensive observation unit, and told me not to practice any sport and not to strain myself for at least a week.>>
<<Wow, I had no idea. What problem did you have?>>
<<Eheh, so many questions; don't you study computer security? You're a hacker, aren't you? Find out on your own: if you manage to learn the exact reason for the admission by tomorrow night, I'll buy you dinner on Saturday, but if I find out you asked friends and/or relatives, you'll be buying it for me.>>
<<OK, deal.>>
The next day, on waking, I began to think about how I could find out the reason for the admission; there was no time to lose, and I immediately started reading up on hospital information systems. After an hour I understood that I would need access to the SDO (scheda di dimissione ospedaliera, the hospital discharge summary), which must be filled out for every admission/discharge of a patient. The system is connected to all the city's hospitals and, most of the time, doctors' searches are done by name, surname and date of birth. Second problem: how to know which emergency room, and therefore which hospital, Pietro had been admitted to, so that I could start the search. I began gathering information on the city's three hospitals to get some insight and to check whether some careless healthcare worker, perhaps no longer young, one of those who habitually stick a post-it with username and password to the PC screen, had taken a photo near the PCs. By now the older ones seem to compete over who is the most social; between smartphones, Facebook and WhatsApp groups, some have lost all sense of modesty. Soon, once their two Chinese smartphones with an excellent price/quality ratio are released by customs (the dogana), my parents too, alas, will probably go down this road. After much searching on social networks nothing came up, but on the other hand I managed to get an idea of the facilities, and I decided to pass myself off as a doctor, try calling the hospital and have them tell me the reason for the admission directly. Scanning the domains of the three hospitals with a simple little program that can be downloaded free of charge from the internet, I found a document that made me jump out of my chair: the list of internal phone numbers, divided by department. Any social engineer knows the importance of such documents.
I showed up at that hospital wearing the best suit I own (so as to go unnoticed) and began walking around the hospital until I reached the floor where the executives' offices were; nobody would stop a forty-year-old man in designer clothes walking with a determined stride, except the boss. People tend not to confront those who appear to them to be in a position of authority. During my walk I saw the health director's office open and a person at the desk; two minutes on Google and I understood it was indeed him, and he was in the office. With another simple little program found on the internet I set up my phone to act as a switchboard and called the emergency room, making the call appear to come from the health director's office.
<<Hello, this is Fabrizio Monticone, whom do I have the pleasure of speaking with?>>
<<Good morning, director, this is Adriano Deiana, go ahead.>>
<<I have my son here in the office in tears; he tells me that Pietro Riva, a very dear friend of mine and father of his best friend Simone, was admitted to the hospital two days ago. I tried to call him but he doesn't answer, and my son wants to know if he's alright.>>
<<Do me a favor, check in the system what he was kept 24 hours in the O.B.I. for.>>
After a few seconds of hesitation I immediately went on.
<<Hello, can you hear me? I'm asking you as a favor; my son is up here in the office and won't leave until he knows whether he is alright or not, and I have so much work to do, you'll surely understand.>>
<<Yes, of course, alright, repeat the name, surname and date of birth to me.>>
<<Pietro Riva, April 26th, 1970.>>
<<Give me a second, director.>>
<<So, you can safely tell your son not to worry; the patient arrived at the emergency room for a head trauma suffered during a five-a-side football match, the tests raised no suspicion, and after the usual 24 hours he was discharged.>>
<<All the better; I knew there would be nothing to worry about, after all they would have let me know. Thank you very much, Adriano, I owe you one, goodbye.>>
Five minutes later I called Pietro: <<Hi Pietro, how's the head after the head trauma?>>
<<Ahaha, I knew it!!! Don't make plans for Saturday, we're going to eat sushi. Bye Robi.>>
<<Bye Pie, see you on Saturday.>>


"Contraband Pixels & Texts, or... make stories, not phishing" is a literary-graphic competition on social engineering and phishing, organized by CNIT (Consorzio Nazionale Interuniversitario per le Telecomunicazioni), a partner of the DOGANA project.
PARTICIPANTS: writers and cartoonists/illustrators.

REGISTRATION: registration is free and open to people residing in EU countries (Austria, Belgium, Bulgaria, Cyprus, Croatia, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, United Kingdom, Czech Republic, Romania, Slovakia, Slovenia, Spain, Sweden, Hungary), Israel and Switzerland.
RULES: participants (writers and/or illustrators) must submit artworks consistent with the competition theme:

  • Writers must submit a short story (max. 5000 characters including spaces, excluding title) addressing the theme provided by the organization.
  • Illustrators must submit an artwork of up to 1024×768 pixels, representing or summarizing the project theme in a drawing or in a comic strip.

The same author may submit multiple illustrations and short stories.
Artworks can be submitted in Italian, in English, or in both languages (Italian and English).
Artworks presented in two languages will receive an additional bonus.
Artworks must be shared on the Facebook page dedicated to the competition (https://www.facebook.com/pixelettere), starting from February 13th, 2017. The last date to submit artworks is June 10th, 2017. Dates for intermediate selections will be communicated from time to time.
Artworks must also be shared by the authors on their own Facebook profiles when they are shared on the project's Facebook page. Short stories and comics not shared on both will be automatically excluded from the competition.
Authors are also encouraged to advertise their artworks, pushing more Facebook shares within their social network, in order to promote the DOGANA initiative and disseminate the message. Facebook likes and re-shares will be evaluated to assign a specific bonus.
Artworks will be selected periodically from the DOGANA Facebook page and added to the finalists group, then shared by the project staff on the official blog of the DOGANA Project (https://www.dogana-project.eu/index.php/social-engineering-blog) and on the official Twitter channel (https://twitter.com/DOGANAProject).
The jury will select the artworks from the DOGANA Facebook page by evaluating artistic quality (qualitative evaluation) and popularity (i.e. likes and shares). The jury's judgment is final.

THEME OF THE COMPETITION. In computer security, social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. Phishing is a type of fraud over the Internet in which an attacker tries to trick the victim into providing personal information, financial data or access codes, posing as a trustworthy digital communication entity. The author should submit an artwork addressing this theme, without constraints on literary genre (mainstream, fantastic, sci-fi, comedy, drama, etc.).
In each short story, authors must use at least once the word "horizon" and/or "dogana", at their creative discretion.
Every illustration/comic must display the official logo of the DOGANA project, placed and sized at the author's discretion. The DOGANA logo is available in the header of the project website (https://www.dogana-project.eu).

JURY:

  • Pelagio D'Afro (http://www.pelagiodafro.com), a collective author made up of Giuseppe D'Emilio, Arturo Fabra, Roberto Fogliardi and Alessandro Papini, founders of the Italian writing lab Carboneria Letteraria (http://www.carbonerialetteraria.com);
  • Enrico Frumento, social engineering expert, scientific project coordinator;
  • Matteo Mauri, communication and scientific dissemination expert, CNIT/University of Cagliari, internal member of the DOGANA project staff;
  • Alessandro Morbidelli, writer and architect, member of Carboneria Letteraria, s-traveler of http://www.sdiario.com.

PROCEDURE AND EVALUATION CRITERIA: the selection process and evaluation will be carried out by the jury, whose verdict will be final and unchallengeable.
The winners will be chosen from the shortlist of finalists selected on the DOGANA project blog.

  • A score from 0 to 10 will be assigned by each member of the jury based on the quality, relevance and form of the artwork (short story and/or comic strip), for a total of 0 to 30 points.
  • A bonus of 0 to 10 points will be awarded to artworks submitted in both languages (Italian and English), based on the effectiveness of the translation.
  • A bonus of 0 to 10 points will be awarded for exceptional popularity (likes and shares).

The best short stories and comics will be rewarded by the sponsors and may be collected in a publication (digital and/or paper).

AWARDS:

  • 1st (short story or illustration): 400,00 € and invitation to an official workshop / dissemination event organized by DOGANA project.
  • 2nd (short story): 150,00 €.
  • 2nd (illustration): 150,00 €.

Date and site of the award ceremony will be published on the DOGANA Blog and Twitter profile.

INFO: organizing secretary, via the Twitter page (https://twitter.com/DOGANAProject) or by email.
COPYRIGHT: artworks must be unpublished and free of copyright restrictions. Any artwork already published, subject to copyright constraints or unlawfully plagiarized (even partially) will be immediately excluded from the competition and reported to the authorities.
When the artwork is published on the DOGANA Facebook page and submitted to the competition, the DOGANA organization becomes its sole owner and acquires the distribution and reproduction rights. The organization is therefore exclusively authorized to use, reproduce, adapt, publish and distribute the works freely. The winning artworks may be used at any time and by any means to promote activities and events related to the competition theme.

PRIVACY OF PERSONAL DATA: the personal data collected will be processed only for purposes related to the competition. The legal reference is Art. 7 of Italian Legislative Decree (D.lgs) n. 196/2003. The privacy policy under Article 13 of D.lgs n. 196/2003 is available on the DOGANA Facebook page.
ACCEPTANCE OF RULES: participation implies acceptance of all the above rules. Furthermore, the author also agrees:

  • To use their existing social profile: each profile used to increase the shares of artworks must exist at the time of publication of this notice and will be verified by the organization staff; any attempt to use fake shares or ad-hoc profiles to manipulate the popularity evaluation will result in the immediate exclusion of the author.
  • To avoid offensive language, and to be personally answerable for any violation of Italian law. Any violation will result in the immediate exclusion of the author.

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618