Social-Engineer.org today announced the release of the Social Engineer Capture the Flag Report, collecting data from the fifth Social Engineer Capture the Flag (SECTF) contest, held at DEF CON 21. During one of the most prominent and popular annual events at DEF CON, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric.
The SECTF is conducted to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the malicious attacker.
In the SECTF, contestants attempt to capture “flags” – specific piece of information that could be used to successfully penetrate their target companies. In the first segment of the competition, contestants were given two weeks to gather as much intelligence about their target using information obtained only through Google, LinkedIn, Flickr, Facebook, Twitter, the corporate websites and other internet sites. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible, but could not contact the company or its employees.
Contestants then performed a live call portion of the event during DEF CON 21. In this segment of the competition, social engineers used pretexts established in the information-gathering phase to telephone employees of the company to further elicit information.
SECTF Findings
“Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc. “While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided log in credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.”
The flags captured during the Open Source Information (OSI) phase were obtained through information found online without any interaction with individuals at the target companies. Information gathered on the internet allowed contestants to capture more than two times the amount of points gathered in the live call portion of the contest, even though OSI flags were valued at half the points of their live call counterparts.
To download a copy of the 2013 DEF CON SECTF report, please visit: https://www.social-engineer.org/defcon-21-sectf-report-download
Top flags gathered in the 2013 SECTF competition
1. Specific Internet browser
2. Operating system information
3. Information on corporate wireless access
4. Confirmation of a corporate Virtual Private Network (VPN)
5. Presence of an onsite cafeteria
The two most commonly obtained flags were the browser and OS of the target companies. With these two pieces of information, the simplest way for an attacker to breach network security would be through a targeted phishing email containing files that would either release malware or lead the target into clicking to a malicious website targeting vulnerabilities specific to their browser or OS.
In addition, the flag captured during the an information gathering phase would be highly useful to a malicious attacker for developing strong pretexts – such as posing as a member of the janitorial staff – in order to gain entry into an office to collect information that may be improperly secured. Also of significance is that targets surrendered every one of the predefined flags at least once during the competition.
Top Flags Gathered by Industry
Heavy Manufacturing
1. What browser and what version
2. What operating system is in use?
3. How long have they worked for the company?
4. Is there a company VPN?
5. Is IT Support handled in house or outsourced?
Technology
1. Do you block websites? (Facebook, Ebay, etc)
2. What operating system is in use?
3. What browser do they use?
4. Is there a company VPN?
5. What make and model of computer do they use?
Consumer Goods and Retail
1. What operating system is in use?
2. Is wireless in use on site?
3. What browser do they use?
4. What make and model of computer do they use?
5. What sort of phone system is used?
Energy, Oil and Gas
1. What browser do they use?
2. Who does the food service?
3. Is there a company VPN?
4. Do you have a cafeteria?
5. Is wireless in use on site?
Each of these collections of flags, when adjusted for industry, presents a unique opportunity for an attacker to create a plausible pretext allowing them unfettered access to a corporation’s most sensitive information.
Conclusions
“Based on all of the data and our observations, we can conclude that social engineering continues to be an immense security risk to organizations,” continued Hadnagy. “This is our fifth consecutive year hosting this event, and despite numerous high-profile security breaches in the commercial sector, we have not seen consistent improvements that directly address the human factor of security. Our goal always has been, and continues to be, ‘Security through Education.’”
Join Social-Engineer.org for a webcast on the report Tuesday, Nov. 5, 2013 1:00 p.m. ET. To register for the webcast, visit https://attendee.gotowebinar.com/register/6320784838786225410.
To download a copy of the 2013 DEF CON SECTF report, please visit: https://www.social-engineer.org/defcon-21-sectf-report-download/
About Social-Engineer, Inc. – Security through Education
Social-Engineer, Inc. is the leading authority in the art and science of social engineering. Social-Engineer, Inc. is comprised of two segments. Social-Engineer.Org is an educational organization notable for developing the world’s first social engineering framework and offering the latest social engineering news through our blog and monthly podcast. While maintaining this educational portion of our organization, we offer professional training and services supporting customers in government and private industry through Social-Engineer.Com.
Like us on Facebook at https://www.facebook.com/seorg.org.
Follow Social-Engineer, Inc. (@SocEngineerInc) on Twitter at https://twitter.com/SocEngineerInc.