

4/7/2014
04:10 PM

Social Engineering Grows Up

Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat.

The wildly popular DEF CON Social Engineering contest this year in Las Vegas will feature a new twist: Each contestant will be assigned a teammate to whom they must hand off during the live event, where they cold-call targeted corporations.

"We needed to create an event like the real world," says Christopher Hadnagy, chief human hacker at Social-Engineer.org and organizer of the contest, now in its fifth year. "In the 30 minutes [of the live call], you have to tap out at least twice" so that each teammate will have a role in the live call. The contest aims to wring as much potentially revealing information about the company as possible from the unsuspecting call recipient. Contestants squeeze as many predetermined "flags" as they can out of employees at major US corporations, everything from the type of browser they are using to the name of their cleaning/janitorial service.

The pretense could be that the caller needs to hand the call to his manager or another colleague, for example, to provide more legitimacy for the call -- something Hadnagy and his team at Social-Engineer.org say is becoming more and more common in social engineering exploits. "These are realistic vectors," he says of the two-person call approach. Phony Microsoft tech support scams do this often, says Hadnagy.

As end users get more savvy about phishing emails, the bad guys have upped their game: "Now they are starting to employ a combination of phishing, followed by voicemail or vice versa, so it adds a level of truthfulness to their message," says Michele Fincher, chief influencing agent at Social-Engineer.org, and a former psychology professor at the US Air Force Academy.

Fincher points to a recent phishing campaign that spoofed Verizon's technical support phone number, calling potential victims and sending them to a malicious website. "They [attackers] are using multiple channels -- calling, emailing, and legitimate-looking websites," making it harder for targets to dismiss them as phish, she says.

Social-Engineer.org is opening up the SE Capture the Flag contest today, in conjunction with a newly redesigned website launch for the organization that's better aimed at providing resources and research for businesses, students, and other visitors.

"We've gotten much more serious about the mission. It used to be it was a fun thing and a hobby I did because I enjoyed it, and it's all still true. But we started to see how social engineering is being used in the world and how companies are getting completely hacked with SE, and how little resources there are out there now on it," Hadnagy says.

The new site comes with a friendlier appearance to make it more inviting to visitors. "We made it less dark and 'hackerish'" looking and more appealing for research and search, he says. "We had customers saying my boss was a little afraid" of their visiting the site because he wasn't sure whether it was a good or bad hacker site, for example, he says.

Among the trends Hadnagy has seen with social engineering awareness is that it's not just penetration testers wanting to learn more about it. He's had more law enforcement officers, senior managers, and professors, for example, take his social engineering training classes.

Also new with this year's SE CTF: Prospective contestants must submit 60- to 90-second videos showing their talents for social engineering. "We hope this will give us the best contestants and help us choose people who are committed to be part of this," Hadnagy says. More than 170 people signed up for last year's contest, he says, so interest is growing. "The first year, we were begging for contestants."

The 20 finalists will each be assigned a teammate via an email introduction, and will have about a month to strategize their game plans for the live-call part of the contest. The contest includes a reconnaissance phase prior to DEF CON, where the contestants research their assigned target corporation using open-source information; they are not permitted to contact the company in advance. "This is all done without any hacking at all," says Hadnagy.

Hadnagy and Fincher will handle the judging this year, using a Web-based judging application that makes the process more objective. They have not yet selected the Fortune 500 US corporations for the contest, but previous contests have targeted AT&T, Cisco, HP, Target, Mobil, and Walmart, among others.

Famed former hacker Kevin Mitnick attends the contest each year, and he will give a talk at the Social Engineering Village. Hadnagy says he's working on some other celebrity speakers to participate as well, but he can't reveal who just yet. Keith Alexander, NSA director and chief of the US Cyber Command, shocked Hadnagy and other attendees in 2012 by unexpectedly dropping into the SE CTF room during the contest.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/7/2014 | 5:10:45 PM
Broadening appeal
So interesting that the social engineering mission is becoming more mainstream. I wouldn't be surprised if this exercise is at some point adopted as a corporate security awareness exercise. In the meantime, will the public be able to see the finalist videos?
Kelly Jackson Higgins, User Rank: Strategist
4/7/2014 | 5:12:29 PM
Re: Broadening appeal
I don't believe the videos will go public, but the real live competition is open to the public at DEF CON. The contestants sit in a soundproof booth, and attendees can sit in the same room and watch and listen. It's really interesting.
Lorna Garey, User Rank: Ninja
4/8/2014 | 2:13:18 PM
Re: Broadening appeal
KJH, can you imagine the uproar if these calls or videos went public? It would be epic.
Thomas Claburn, User Rank: Ninja
4/8/2014 | 4:15:45 PM
Re: Broadening appeal
I think we've found the next popular reality show.
GonzSTL, User Rank: Ninja
4/8/2014 | 9:25:46 AM
Re: Broadening appeal
Social engineering is a critical part of security awareness training. Bad guys can defeat millions of dollars worth of security infrastructure within minutes through the clever use of social engineering because that exploits the weakest link in any organization - people. Security assessments should have a social engineering component.
Kelly Jackson Higgins, User Rank: Strategist
4/8/2014 | 2:19:31 PM
Re: Broadening appeal
Agreed, @GonzSTL. That's what makes the SE CTF so important--it really raises awareness of how easy social engineering is to perform, and how human nature, psychology, etc., all come into play. @LornaGarey, it's "entertaining" to watch these live exploits during the CTF, but it's also disconcerting because people naturally want to be helpful, and that's what the bad guys are counting on.
jaingverda, User Rank: Moderator
4/8/2014 | 3:53:23 PM
Re: Broadening appeal
It is very interesting to watch. How much of a detriment do you think there is to SE hackers when a company enforces two-factor authentication, though? You know, the first half, say a manager's name or something, but you don't have the correct (YubiKey) or something to authenticate yourself the rest of the way?
Kelly Jackson Higgins, User Rank: Strategist
4/8/2014 | 4:19:08 PM
Re: Broadening appeal
I'm not sure what you mean here, @jaingverda. The SE CTF uses open-source research recon, then the cold calls to random employees at specific target corporations. The callers/contestants pose as customers, contractors, students, etc.
jaingverda, User Rank: Moderator
4/8/2014 | 4:24:12 PM
Re: Broadening appeal
@Kelly Jackson Higgins

I understand what the CTF is about; I'm talking about applying two-factor authentication to the call center industry. Much like how you can set up two-factor auth for your Google login or resetting of your password. And how would that affect the ability of the SE needing that second vital piece of intelligence? Could they get around the need for the second token somehow, or would it stop the SE cold in its tracks? I'm thinking basically industry-wide, not just in relation to the competition at Def Con: how can we improve security without increasing financial overhead dramatically when it comes to SE attacks?
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
CVE-2019-2874
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
CVE-2019-2875
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
CVE-2019-2876
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
CVE-2019-2877
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...