Tuesday Nov 1st 2011
DefCon attendees participated in a social engineering penetration test against 14 major companies, which handed over information with minimal to no resistance.
Some of the biggest companies, including Apple, IBM and AT&T, were easily tricked into giving up potentially sensitive information during a contest that featured a variety of social engineering attacks.
The "Social Engineering Capture the Flag" contest targeted 14 companies in five industries (retail, airlines, food service, technology and mobile services) during the DefCon conference in Las Vegas in August.
Contestants tried to ferret information out of employees at Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonald's, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon and Walmart using social engineering techniques, according to a postmortem report released by Social-Engineer.org Oct. 31.
Contestants had to obtain certain types of information, or "flags," from various companies during a 25-minute time period. There were more than 60 flags. They represented nonsensitive data, but still information about the companies' inner workings, such as the names of the food service providers in the company cafeteria, the antivirus programs deployed and the browser version in use.
None of the 14 companies succeeded in keeping the information away from the attackers, according to the report. Only three employees offered any type of resistance, the report found.
"companies have the mentality of, 'It won't happen to us,' or 'Our people won't fall for that.' The sad truth is, those are the very people that will and do fall victim to these attacks, as demonstrated by the contest," said Chris Hadnagy of Social-Engineer.org, who organized the contest.
Of the firms tested, AT&T received the highest overall score and Oracle received the lowest. However, in a real-world situation, both companies would have failed the social engineering penetration test for giving up any information in the first place, the report said.
Contestants had two weeks to gather information and research their assigned target using passive information-gathering methods, such as Google searches and looking at social networks and Websites. The contestants compiled their data in a dossier, turned in prior to the conference, which was used to calculate part of the overall score for each contest participant. At DefCon, the contestants sat in a soundproof booth and were allowed to directly contact the company; they were given 25 minutes to collect as much information as possible.
Employees at the targeted companies were persuaded to visit a URL the callers requested, according to the report. Considering the number of times attackers compromise a company by infecting one machine with malware downloaded from a dodgy Website, the fact that the employees were easily persuaded to go to the link is worrying, according to the report.
One contestant who called an AT&T retail outlet had difficulty getting the employee to provide any information, which was a positive sign, since it meant the employee was thinking about what was appropriate to divulge. However, in the end the contestant was able to get the desired information by simply calling a different AT&T employee at that same location.
Some of the firms gave up the information online, allowing contestants to collect their flags even before the phone call. Open FTP servers and internal and external Web pages yielded a lot of information, making it much easier for the contestants to create convincing phone scripts.
It's one thing to teach employees policies, but it's better to teach them what to do when they are asked to violate policy, Jim Stickley, CTO of TraceSecurity, told eWEEK in an earlier interview.
Stickley uses social engineering tactics when auditing security measures at banks and credit unions around the country. Instead of teaching, "Don't give out private information over the phone," employees need to be told to say they can't do that, and to offer to transfer the call to a senior manager, Stickley said.
This year's report drew nearly identical conclusions to last year's report, which also found that companies were not adequately training their employees and that motivated attackers could use publicly available tools to dig up a wealth of data in a reconnaissance mission. The barrier to entry for social engineering attacks "is very low," the report concluded.
Despite investing millions of dollars in security annually, the companies involved are doing a poor job of training employees to spot and rebuff attempts to get them to disclose information or to perform certain tasks, the report concluded. Employees contacted by phone were inclined to be helpful, especially if the caller claimed to be a customer, and that helpfulness facilitated the social engineering attack, according to the report.