Social Engineering – Fact versus Fiction

When Social-Engineer.Org conceived this year's CTF, we did not anticipate how much fear it would generate among people and organizations.  From the beginning we have published our goals, rules and ideas to allay the fears of those who believe our intent is malicious.

While it is true that social engineering involves some deception, as well as obtaining information about the target companies, the information the contestants are trying to obtain is innocuous, NON-FINANCIAL and NON-PERSONAL.  At no time will we allow a contestant to make a call that would compromise a company's or a person's financial or banking information or identity.

Despite all our efforts to inform the public that we are not out for malicious gain, the message does not seem to be getting through to many in the security industry.  For example, we have come across an email that a large security firm sent to all of its customers nationwide warning them about the CTF.

This email is posted below:

——

Subject: Warning Regarding DEF CON 18 Social Engineering Contest

As you may know, DEF CON is the world’s longest running and largest underground hacking conference, with the 2010 event scheduled in Las Vegas from July 30 – August 1. The 2010 conference may include a nationwide Social Engineering contest sponsored by a group called social-engineer.org.  This contest could possibly affect your organization at any time between now and the end of the conference, although due to recent publicity and subsequent security concerns directed to the contest sponsor, it is unclear whether or not the contest will actually occur. The official rules are posted at http://www.social-engineer.org/blog/defcon-social-engineering-contest/

The contest targets an unknown list of “victim” organizations submitted by contest participants and while there are associated “rules” posted for this contest, we can assume some participants may not heed the direction.  Therefore, we suggest DDI clients plan for any attack possible.

With that in mind, DDI suggests you consider the following:

  • All personnel associated with your organization should be aware of anyone attempting to solicit ANY personal information at all.  This could include user IDs, passwords, account information, name, address, Social Security number, information on your organizational IT systems or networks, or anything that is not freely available on the Internet.  For example, many organizations provide executive names on the external web site.  So an attacker could say, “Mr. CEO_Name is expecting my call; he asked me to call and ask for him”.  In another example, the attacker will ask the victim to log off their computer to perform some maintenance, and then ask for the victim’s user ID and password to “test” the fix.
  • Be aware of anyone calling and asking for help with a virus, malware, or a network issue.  This is a great way to develop rapport with the victim (asking someone for help appeals to the innate desire to help others).
  • Beware that the caller will appear confident and friendly. They will provide as little information as possible (“This is Phil from IT Security,” for example). They will smile and laugh on the phone, they may be a bit forceful, but most of the time they will attempt to appeal to the desire to help or ask for help/assistance.
  • They may use veiled phrases such as “we do not want to miss payroll”, “we cannot afford another outage”, “the auditors are waiting for the information”, or something along those lines, which would cause an employee to offer assistance.
  • Callers can imitate anyone they think might solicit information. Examples are an auditor, law enforcement, IT Security, a contractor or vendor, or anyone who might have a valid reason to be associated with your organization.

Please remember that you are dealing with skilled manipulators.  They will be friendly, professional and polished.  We strongly suggest you remind your staff NEVER to give any personal or proprietary information to anyone via the telephone. EVER!

Regards,

Digital Defense

——

We would once again like to reiterate that the CTF will not cross the line into illegality.  We have a professional team of ethical security specialists who are vigilant about maintaining a professional and legal environment during the CTF.  Our goal has been and always will be “Security Through Education.”
