September 15th, 2010

DEFCON 18 Social-Engineer CTF Contest Findings Report Summary
Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.
This real-world threat was clearly evidenced by a CTF contest recently held at Defcon 18 in Las Vegas. Defcon is one of the world’s largest and longest-running annual hacker conventions, focused entirely on the sharing of practical insights into defensive and offensive security. Companies targeted in this year’s CTF contest included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola, Symantec, Philip Morris, Walmart, McAfee and Ford. A report on the findings of this contest, to be published September 15th, 2010, revealed some interesting (even alarming) information.
One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street View. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.
Sensitive information (e.g., financial, strategic, etc.) was off limits for the CTF, but fair-game ‘flags’ included employee schedules, browser versions, and anti-virus software used. Contestants were also encouraged to fool targets into opening a fake URL as a way of demonstrating a very common attack technique. Based on findings from this contest, the average entry-level and call center employee did not appear to have adequate security training. As a result, they typically did not sense any danger in being as helpful as possible in sharing information that they perceived to be trivial. With the right information, social engineers can pretend to be an insider, essentially gaining the trust of key gatekeepers within any organization, which ultimately leads to the compromise of sensitive information.
The threat that social engineering poses to Corporate America must be taken seriously. The big challenge for any organization looking to defend itself from this threat will be to find a balance between its customer-centered training and its anti-social-engineering security training. Companies want to help their customers, but they don’t want to sink their own ship by sharing seemingly trivial information. Savvy organizations have found that the best prevention naturally falls into place when they identify any security training gaps, include all employees in their security training program, and distribute anti-social-engineering tips on a regular basis.
We would like to take this opportunity to also thank Offensive Security, Continuum Worldwide and the EFF for their continual support.