Social engineering is the (morally vague) art of tricking someone out of their company’s technical secrets just by talking to them. It often involves deceit and relies on the fact that the weakest link in any computer security system is a human.

At Defcon, one of the Capture the Flag contests run for the attendees involved launching social engineering “attacks,” where contestants were asked to obtain the answers to a bunch of questions that probed into a company’s security defenses. The employees at the 10 big companies should not have answered the questions, but almost all of them did. Hence, people working at big companies such as Google and Apple failed to realize they were being social engineered by con artists. The contest was so alarming to corporations that they enlisted the help of the FBI, which asked the organizers why they were doing the contest.

About 20 Defcon attendees in Las Vegas participated in the contest, which stirred a lot of controversy. The organizers of the contest were three security experts who know how to do social engineering: Chris Hadnagy (pictured top right), operations manager for Offensive Security; Mati Aharoni (pictured middle), trainer at Offensive Security; and Jim O’Gorman (pictured left) of Continuum Worldwide. They created the site www.social-engineer.org for the contest, which took place for the first time this year at Defcon and will be completed at the end of Saturday.

“We wanted to start a social engineering program because we believe in security through education,” Hadnagy said at a press conference at Defcon.

The participants were instructed to engage in passive information gathering to find out some sensitive information, such as where a company’s dumpsters are located. (Dumpster diving is a common practice among hackers who want to find documents with company secrets on them.) By looking things up on the web, the participants tried to track down company details, such as what kind of web browser the employees used and what version of Adobe’s PDF software they were using. (The answers to these questions can be used to launch cyber attacks against the companies.)

Tipped off by the announcement of the contest, the FBI met with the organizers ahead of time, and the organizers enlisted the help of the Electronic Frontier Foundation to represent them. In that meeting the Justice Department voiced its concerns about whether any laws would be broken in the contest. The EFF offered legal advice about how to structure the contest; for instance, participants were not allowed to impersonate law enforcement officers during phone calls, as that is a crime.

In almost every case, company representatives gave up secrets they should not have. The companies targeted included Microsoft, Cisco, Apple, BP, Shell, Google, Procter & Gamble, Pepsi, Coca-Cola, and Ford. The contestants were given “flag points” as rewards for each answer they pulled out of the companies. The organizers wanted the contestants to get answers such as who handles the backup system for the company. The contestants cold-called the companies to get the data.

In three cases, company employees did not give any details over the phone. But the contestants, posing as journalists or customers, still got data from every company. One contestant managed to get an answer out of his target company in just 22 minutes. The contestant used tricks, such as preying upon emotions, by saying that they had to finish the project and get answers that day.

Because of publicity around the contest, a number of contestants dropped out. Some said their bosses would fire them if they participated in the Defcon event.
