For the last five years at Def Con, hackers have competed in the Social Engineer Capture the Flag (SECTF) contest. The contest previously sent the feds into a panic because, in this competition, "the phone call is more dangerous than malware." The smooth, slippery and even sneaky tongues of social engineers easily tricked the staff at 10 major companies into handing over specific pieces of privileged information, that is, into giving up the "flags." The final SECTF report has now been released. It highlights human vulnerabilities, the way attackers exploit people's desire to help someone in need, and the shoddy protection of company information reachable via the Internet. So even after five years of public awareness, social engineering is still a massive threat to corporate America.
This year the 10 targeted companies were Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney. How did they do? "Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year's competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks," explained Chris Hadnagy, aka HumanHacker, and organizer of the SECTF contest.
Ten men and ten women, chosen from 198 applicants, were given two weeks to prepare for the contest by gathering as much intelligence about the targeted corporations as could be obtained through Google, LinkedIn, Flickr, Facebook, Twitter, corporate websites and the other Internet sites listed in the report. This Open Source Information (OSI) phase is limited to collecting information that is already online; interacting with employees at the target companies is against the rules. A real-world attacker operates under no such restriction.
In the real world, be it a penetration test or a bad actor, there are no strict "rules of engagement" like those imposed on social engineering contestants to protect the target companies. Attackers go far beyond pretexting, for instance by offering free "candy."
For instance, journalist Adam Penenberg challenged SpiderLabs to "perform a personal pen-test" on him, and that included trying to break into his life through his wife. Since she runs a Pilates studio, a friend of the hacking team signed up for a class and left behind a flash drive.
This is a tried-and-true trick, like "dropping" flash drives in a company's parking lot so that an employee picks one up, carries it into the building and plugs it in, delivering its malicious payload. The tactic often succeeds, whether the employee is curious or simply wants a free USB drive, and a phishing email can serve as the same kind of free "candy" bait. Multiply that risk by the number of people working for a major corporation and you can see how the threat scales. Yet the "most important rule" of the social engineering contest is that there is "absolutely no victimization of any target companies."