It was another year, another “F” for top U.S. firms targeted in the annual Social Engineering Capture the Flag (CTF) Contest at the DEFCON hacking conference, according to a report released on Monday. Some of the U.S.’s top firms, including Apple Computer, IBM, AT&T, McDonald’s and retail giant Wal-Mart, proved easy marks for clever hackers using online reconnaissance and persuasion to extract valuable information. None of the 14 firms targeted was able to prevent clever attackers from using phone calls, e-mail and other soft approaches to wheedle sensitive information out of unwitting employees or leaky servers and IT infrastructure.
The report, from the firm Social-Engineer.org (free but only after registration), compiled the results of the second annual Social Engineering CTF, and found little evidence of improvement over the previous year’s report. Indeed, all 14 firms targeted by the contestants yielded information, with fewer than one in three companies offering any resistance to the appeals and entreaties of the attackers.
Of the firms tested, telecommunications giant AT&T received the highest overall score, while Oracle Corp. received the lowest. However, all the companies would have received a failing mark in a real social engineering penetration test, the report concluded.
“The scary part was that there wasn’t a single company that had a level of security that would make us feel confident that they were secure, no matter how many times we called,” said Chris Hadnagy of Social-Engineer.org.
In the case of AT&T, which received the best overall scores of the 14 firms tested, a contestant hit a brick wall when trying to extract information from an employee at one AT&T retail outlet, but found it easy to simply call another retail outlet and get the information from a different employee, Hadnagy said.
The contest, in its second year, is modeled after a long-standing DEFCON CTF event that tests raw hacking skills. In the Social Engineering CTF, contestants are assigned target companies and then allowed to conduct online reconnaissance on their target using tools like the Google search engine and social networking sites like LinkedIn and Facebook, as well as specialized tools like Maltego. Contestants are not permitted to call or e-mail their targets prior to an allotted 25-minute phone call, which is conducted live at the DEFCON Conference in Las Vegas.
Contestants are graded on a number of “flags” they obtain through their online research and direct social engineering attacks. Flags are pieces of information based on non-sensitive data pertaining to the inner workings of the target company, Social-Engineer.org said. In this year’s contest, organizers made an effort to have two or more companies from each of the vertical industries represented.
Many firms were doomed before the contest formally began. Loosely configured IT systems, such as open FTP servers and verbose internal and external Web pages, yielded a treasure trove of information. Many contestants were able to claim “flags” merely through online research, while others were able to obtain enough information about the company’s operations and structure that crafting convincing social engineering scripts was trivial.
Once the actual social engineering attacks began, none of the 14 companies targeted was able to put up a solid front against the social engineers, and only three employees out of all of those contacted by the contestants offered any resistance at all to the attempts to get them to divulge information.
The firms, most of which have IT security budgets ranging from millions to hundreds of millions of dollars annually, did a poor job of readying their employees to spot and rebuff attempts to get them to divulge information or take other actions – such as clicking on a hyperlink supplied by the attacker – that could open their firm up to malware infection.
To the contrary, employees contacted by phone were inclined to bend over backward to facilitate the social engineer, especially when that person posed as a customer of the company.
Employers need to spend more time, and money, educating employees and talking about the danger that even innocuous information can pose to the company. They also need to more closely audit their Web and application infrastructure to make sure they are not leaking confidential information or too much information about company employees and internal policies or projects, the report concluded.
The conclusions are nearly identical to those of last year’s report, which also warned of the dangers of inadequate or inconsistent training of employees and the ability of motivated attackers to use Google and other tools to discover a wealth of data about the operations of potential targets.