SE

Search for:


Archive for September, 2010

DEFCON 18 Social-Engineer CTF Contest Findings Report Summary

Wednesday, September 15th, 2010

The Full Report Is available for download from Social-Engineer.Org Here

Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.

This real-world threat has been clearly evidenced by a CTF contest recently held at Defcon 18 in Las Vegas. Defcon is one of the world’s largest and longest running annual hacker conventions, focused entirely on the sharing of practical insights into defensive and offensive security. Companies targeted in this year’s CTF contest included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Proctor and Gamble, Pepsi, Coca-Cola, Symantec, Phillip Morris, Walmart, Mcafee and Ford. A report on the findings of this contest, to be published September 15th, 2010, revealed some interesting (even alarming) information.

One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.

Sensitive information (e.g., financial, strategic, etc.) was off limits for the CTF, but fair game ‘flags’ included employee schedules, browser versions, and anti-virus software used. Contestants were also encouraged to fool targets into opening a fake url as a way of demonstrating a very common attack technique. Based on findings from this contest, the average entry-level and call center employee did not appear to have adequate security training. Due to this fact, they typically did not sense any danger in being as helpful as possible in sharing information that they perceived to be trivial. With the right information, social engineers can pretend to be an insider, essentially gaining the trust of key gatekeepers within any organization, which ultimately leads to the compromise of sensitive information.
(more…)

Posted in General Social Engineer Blog | 12 Comments »

Social-Engineer Tool Kit 0.7 – Swagger Wagon Edition

Monday, September 13th, 2010

Obviously when one thinks of social engineering the tools of the trade involve lock picks, black clothes and various costumes for pretexting.  Software tools like Maltego or Email Scrapping scripts have been the extent of software tools that many social engineers could use.  Then along came SET or the Social-Engineer Tool Kit.  Dave created a program that quickly became the standard in software tools for social engineers.  Automating email attacks, web attacks, malicious file attacks and so much more SET allows the auditor to focus on keep their companies and clients tested and secure.

Each edition continues to grow with the feedback from the users. Social-Engineer tool kit has quickly become a tool used by many professional penetration testers all over the world. With over 1 million downloads we are always receiving some excellent feedback and ideas for improvements and additions.

Version 0.7 will be chock full of new features:

  • Two brand new web attack vectors
  • A Slew of bug fixes
  • Two new Teensy attack based payloads
  • A new web attack vector incorporates a technique that SET dubs web jacking
  • The multi-attack vector, this attack will allow you to combine all web attack vectors into one webpage
  • There is a lot more!

In addition, Dave has written an MASSIVE update to the Social Engineer Framework SET Tutorial page. The tutorial spans over 54 pages and has a detailed coverage on every attack vector in SET and includes step by step walk-through.

We are excited about this new release as SET is really becoming a standard in helping security professionals run audits and help companies stay secure.  Thanks to Dave Kennedy for the millions of hours of work in producing a world class tool!

Keep checking in for more information on SET and social engineering in general.  Our podcast is now over 1 year old as well as our newsletter, which are always full of social engineering tips and advice.

Posted in How-Tos | No Comments »




SE Polls

SE CTF

Brad Smith