The annual Social Engineering Capture the Flag contest held during DEF CON may seem on the surface to be just an opportunity for pen-testers and hackers to flex their pretexting muscles. But if you’re one of the 10 major technology, manufacturing and critical infrastructure organizations targeted by this year’s contestants, you might want to re-evaluate how well-equipped your staff is to ward off sneaky people.
Social engineering is the linchpin and launching pad for just about every targeted attack that’s been made public. Hackers comb social media sites, online forums, company directories and any other source of intelligence available looking for an edge that will help them get through the front door, or at least through the network perimeter.
The end result ranges from identity theft, to the loss of customer data, to the loss of intellectual property or military/government secrets.
This year, a team of 10 men competed against 10 women, turning their skills against the likes of Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney Corp., targeting “flags” such as which Internet browser(s) are in use at a company, operating system information, wireless access information, whether remote employees use a virtual private network and whether there is an onsite cafeteria.
Competitors had two weeks to gather open source intelligence prior to DEF CON, excluding onsite visits or phishing attempts; they were allowed to use only Web-based tools to prepare a report on their targets. Then, during DEF CON itself, the competitors used that data in a live-call session held at the annual hacker conference in Las Vegas.
“What was notable was the huge amount of information gathered during the OSI portion,” said Chris Hadnagy, founder of Social-Engineer.com, and organizer of the SECTF. “Previously, we’d see a handful of reports with monster amounts of information. This year, there was an unbelievable amount of information. One contestant found an Internet log-in page with a link to a help document that did not require credentials. In that document, they gave you an example of a log-in with a picture of a corporate ID that worked and we were able to log in. Things like that are shocking in 2013 to see.”
Perhaps as shocking is the volume and quality of information given up by the target organizations. Regardless of industry category—be it manufacturing, technology, retail, or energy, oil and gas—the contestants were able to walk off with details on the browser in use at the company, including its version number; that was the top flag obtained throughout the competition. Operating system information was also coveted and snared by the competitors, as was whether a VPN was in use.
“Companies are still using browsers like IE 7, the majority are on IE 7. That’s a major blunder in my opinion,” Hadnagy said. “They’re still using a vulnerable browser and people were willing to give that information out to strangers on the phone. It opens them up to a plethora of phishing, phone and onsite impersonation.”
Knowing details such as the browser, OS or even VPN in use can lend an attacker a measure of credibility on a call to internal support when asking for system access.
The competitors also were able to gain details that could enable physical access such as the food service used by the organization and whether there is an onsite cafeteria; these two details were among the top five sought after and given up by critical infrastructure such as oil and gas utilities.
“How hard is it to obtain a t-shirt, ballcap or clipboard for the company that does food service? How many times are you going to get stopped carrying food into a building? No one stops you,” Hadnagy said. “You don’t need a corporate badge to be invisible. This opens you up to impersonation attacks.”
According to the scoring provided by the contest, Apple fared the worst, followed by General Motors, Home Depot, Johnson & Johnson and Chevron. Details on specific vulnerable areas were not made public, but are available to the target companies upon request, Hadnagy said.
“This is my opinion, but most awareness training is not worth its weight,” Hadnagy said. “The proof is in how easy attacks are carried out against companies with regular security awareness training.”
Still, companies that do conduct training aren’t doing it regularly, according to the results gathered. Some refresh less than annually, while others went so far as to admit to the pretexters that they’d had it during new-employee orientation and never again in the years since.
“The purpose for us holding this competition is to raise awareness of social engineering as a threat,” Hadnagy said, adding that corporations should consider social engineering as part of regular penetration tests. “We’re seeing an increase of social engineering in pen-testing, but we’re not seeing it accepted by many major corporations.”