They say knowledge is power, and the final report from DEF CON 21's Social Engineer Capture the Flag contest shows that in the wrong hands, the amount of information organizations leave exposed online can empower attackers across the globe.
Over the summer, CSO covered the events of the Social Engineering Capture the Flag (SECTF) contest at DEF CON 21, and the events from just one of the contest's phone calls.
A new report from Social-Engineer Inc. outlines the entire contest, as well as key observations from this year's calls. A contestant pool of 10 men and 10 women used Open Source Intelligence (OSI) to research their target company and collect as much information as possible (flags). Points are awarded based on the flags collected. This information is then used in the live phone calls, when the targets are called directly and the contestants attempt to collect additional flags building on what they have already gathered.
According to the report, the contestants used the metadata collection tool Maltego, as well as the usual avenues of information gathering such as Google (Images, Maps, YouTube), LinkedIn, Bing, Facebook, Monster, Twitter, Netcraft, BlogSpot, and more, to gather details on people and processes within their assigned target. This year's targets included Apple, Boeing, Chevron, Exxon, General Dynamics, GE, GM, Home Depot, Johnson & Johnson, and Walt Disney.
Watching the SECTF contest live is an experience in human interaction. As mentioned, the contestants call their targets and attempt to collect various flags, using a variety of pretexts. Despite the fact that many of the contestants were completely new to the world of social engineering, they made it look easy. Based on the report and seeing the contest live, as well as the number of flags collected, social engineering remains a viable threat to an organization's security.
"Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year's competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks," commented Social-Engineer, Inc.'s Chris Hadnagy, the SECTF organizer.
"While there continue to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company's employee-only online portal."
As revealed in the report, contestants were able to discover information on company VPNs; anti-virus coverage; operating system usage; how IT is handled (outsourced or internal); browser type and version; hardware-based data on phone systems and computers, including make and model; and details about wireless networks. Flags like these, the report adds, when examined by industry, represent a unique opportunity for an attacker to create a plausible story (pretext) that would allow them access to a company's most sensitive information.