Attacks/Breaches
8/5/2010
04:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Social Engineers Successfully Gather Info

The Defcon18 contest worked well -- too well -- its organizers say

The one glimmer of hope during last week's social-engineering contest at Defcon18 was when two different employees at a major retailer separately shut down a contestant trying to smooth-talk his way into gathering sensitive information on their company.

"One of them said the questions [asked of her] sounded 'fishy'" and that she couldn't answer the questions for security reasons, says Chris Hadnagy, founder of social-engineer.org, which sponsored the Social Engineering Capture The Flag contest in Las Vegas last week. "We all clapped -- we thought that [reaction] was great. Unfortunately, the contestant [then] got a different lady at a different location of the company and was successful."

Success was the overwhelmingly disturbing trend in the contest, where around 17 people had 25 minutes to social-engineer by phone information out of a specific company they were assigned to. Each contestant had been assigned a "target" company in advance of the contest, and were allowed to gather as much information as they could passively (no phone calls, email, or direct contact) before the big showdown in Vegas.

They scored points based on the predesignated "flags" they were able to capture -- everything from finding out who supplies the company's in-house caf food to the type of browser and version they use, their antivirus program, and who handles the trash dumpsters. The flag that brought home the highest number of points was getting the employee to visit a URL, and each of the target company's employees that were given the URL visited it.

All of the contestants were able to social-engineer information out of their targeted companies, some posing as journalists, IT survey-takers, and businessmen, for instance. The list of companies targeted in the contest included Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart. The contest organizers won't reveal which company's employees gave up what information, but the bottom line is that it worked better than the organizers had anticipated.

"I didn't expect it to go as well as it did. In this day and age, I thought more companies would be a lot more security-conscious and not give out such detailed information," says Hagnagy, who is also operations manager for Offensive-Security.com. "From a security professional's standpoint, it was discouraging that this is a massive subset of corporate America -- oil, retail, manufacturing, phone, and security companies. It's a little scary."

Hagnagy says in all cases but one, where the contestant was unable to get a person on the phone at all, the social engineering exploits worked. The contestants each came up with their own pretext for the call, using their own styles and personas. "Every company where we were able to contact a human, they were successful at social-engineering them," he says.

He says the fact that some of the employees visited a URL at the urging of the social engineering caller raises a red flag. "The fact that we can make them go to a URL after we asked them what type of browser they had" is worrisome, according to Hagnagy. The outcome would have been severe if an attacker were able to the same with a malicious page, according to Hagnagy.

Meanwhile, the contestants were limited to what they could gather from the target firm: They weren't allowed to do anything illegal, including get credit card or social security numbers, passwords, or to make the target feel "at risk" in any way, and they weren't allowed to pose as any government agency, law enforcement, or legal entity as a ruse to get information.

The winner of the contest, "Scott," used the pretext of a businessman. "Believing he was who he said he was" was a winning recipe, Hagnagy says. Another pretext that worked for contestants was asking for help. "The magic words, 'Can you please help me?' triggers a sort of automatic response in the human psyche," he says.

Dave Marcus, research and communications director for McAfee Labs, says the contest should serve as teaching moment for companies. But it's not all about training employees, he says. "This is exceptionally difficult. You can social-engineer anybody provided that you know enough about them and are persistent enough," he says. "I think rather than having some generic walk-through course on this, you should put employees into scenario-based training ... have them sit through getting socially engineered and have them go through what it's like to get phished on the phone versus some slide deck saying, 'This is social engineering.'"

Marcus, who spoke at Defcon about a social engineering project of his own using social networks, says it's not difficult to build a profile of a person based on their Tweets, blogs, and other online activity in order to social-engineer them.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?