Forgot your password?
typodupeerror
Security Businesses

Phone Calls More Dangerous Than Malware To Companies 82

Posted by samzenpus
from the watch-what-you-say dept.
dinscott writes "During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
This discussion has been archived. No new comments can be posted.

Phone Calls More Dangerous Than Malware To Companies

Comments Filter:
  • by bob_super (3391281) on Wednesday October 30, 2013 @07:56PM (#45286999)

    Good morning citizen, this is the brand-new NSA call center...

  • complete results? (Score:5, Insightful)

    by datapharmer (1099455) on Wednesday October 30, 2013 @08:00PM (#45287035) Homepage
    If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"
    • by Anonymous Coward on Wednesday October 30, 2013 @08:04PM (#45287049)

      that's not news.

    • The article itself has only one link, so it's not a click farm. But it is depressingly low on facts.

      • by fatphil (181876)
        But you've got to award DEFCON troll points for the bit of the scoring system that says:
        "Format, structure, grammer, layout, general quality of the report ... 0-50 points"

        50 points for "grammer"! Trolling indeed is a art.
    • by TheGavster (774657) on Wednesday October 30, 2013 @08:10PM (#45287103) Homepage

      In addition to its brevity, it also implies the 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

      • by SmlFreshwaterBuffalo (608664) on Wednesday October 30, 2013 @08:22PM (#45287175)

        In addition to its brevity, it also implies the 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

        Since the article doesn't bother listing what the flags were, one cannot assign a weight to each of them. If all the flags were of equal importance than I would agree with you. But if some are more critical than others, e.g. if flag 1 is "What is the CEO's name?", and flag 2 is "What is the CEO's login and password?", then comparing raw counts as the article is doing is both pointless and misleading.

      • Re:complete results? (Score:5, Informative)

        by mythosaz (572040) on Wednesday October 30, 2013 @08:41PM (#45287277)

        When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from Linkedin if you get an employee's name. Get a few more points he shouted "Payday, bitches!" on Facebook one Friday afternoon.

        The threat is relative. The points assigned to each were subjective.

    • by gnasher719 (869701) on Wednesday October 30, 2013 @08:51PM (#45287339)

      If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

      I wonder if they found out what browser and OS are used at Apple and at Microsoft...

      • Re: (Score:3, Funny)

        by BitZtream (692029)

        They both use Chrome.

      • by dgatwood (11270)

        I wonder if they found out what browser and OS are used at Apple and at Microsoft...

        Exactly. When the answers to half of your questions are blindingly obvious without even asking them, you're really wasting your time. Start asking questions that are an actual threat to corporate secrets, though, and at most companies, the employees will clam up faster than a politician caught with a hooker behind a cheap Vegas strip club.

        Take Apple for example. Let's see:

        • Do you have a cafeteria? Uh, yeah. It's listed
    • Re:complete results? (Score:5, Informative)

      by 8tim8 (623968) on Wednesday October 30, 2013 @09:08PM (#45287455) Journal

      You're right, the link is to a lame story. However, at the end of the story is the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]. That, on the other hand, is full of information and analysis, although they don't provide specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.

      • by rtb61 (674572)

        What they don't show is why. In any autocratic system failure to show proper obeisance and provide what ever service is required when demanded by a person deemed to be in authority brings the threat of immediate dismissal. The more autocratic, the greater the threat of dismissal and the greater the compliance to any request by authority. So control breaks down security through threat of failure to comply. Where you have less control and greater individual responsibility you strengthen the resolve of those

        • Employee-Employer Loyalty (and vice versa) DIED the same day that "Personnel" became "Human Resources".

          Go ahead, you can quote me...

          • by rtb61 (674572)

            Which is exactly where the security went and why social 'engineering' is so effective. Basically in that environment security is for sale.

    • by Anonymous Coward

      If those are the complete results that was a pretty short and piss poor competition.

      If you look at the bottom of TFA you'll see a link to the complete results [social-engineer.org].

    • The list of possible flags is also filled with useless information. The *only* flag that means anything is "getting user to go to a fake URL". The rest of them are questions like "who handles your trash collection?" and "who stocks the vending machines?". That information is entirely useless and most of it is even publicly available. Concealing this information provides obscurity at best and a false sense of security at worst.

      These aren't even attack vectors. Any idiot can walk into a company and say "
      • getting into the building is a long way to being able to walk around anywhere even better is ducking into the rest room and changing.

        Or even the vending guy can say something about needing a network link to install say a CC reader system / remote control system / ect now you do want to save $X /mo by not useing the 3g/4g link?

      • Re:complete results? (Score:5, Interesting)

        by cusco (717999) <brian.bixby@NoSPam.gmail.com> on Thursday October 31, 2013 @01:01AM (#45288393)

        If you're in the building you have physical access to some of the company resources, unless you're very closely watched. One local software company found a wireless access point had been plugged into a network port in a conference room and taped to the bottom of the table so that the network could be browsed from the parking lot or the coffee shop downstairs. They think it was a job applicant being interviewed who planted it. In another janitorial staff plugged a netbook into a port in an empty cubicle, where it sniffed the network for a few days until it was removed and handed off.

        Did you know that your network printer has a hard drive that stores print jobs? Depending on the model that interface can be available via USB, Bluetooth, or even its own WAP. Security on that all-in-one printer tends to be pitiful, many of them run a customized Linux kernel that can run a network sniffer and store the results. So if you don't watch your soda delivery guy you might be losing data.

        • by Rich0 (548339)

          If you're in the building you have physical access to some of the company resources, unless you're very closely watched.

          Sure, but first you have to get into the building. This was not demonstrated at all. Merely having the name of the trash company doesn't get you inside.

          At my employer if you don't have an ID card that opens a turnstile you need to walk up to the security desk and be registered. If your photo isn't on file they require a government-issued photo ID. So, you'd need to know the name of the trash collector, and not just the name of their employer.

          Granted, stealing an ID probably would be possible. Unless th

    • The real news here is "slashdot editors drunk at work, approve spam"

      Obligatory: You must be new here.

    • by icebike (68054)

      This article must be a click farm because it sure doesn't have any actual content.

      Of course not, this is slashdot, never link to the target when you can hype some blog instead.

      Actual content at http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]

      Upshot: Be suspicious of calls from men, just hang up on women.

    • by fatphil (181876)
      I'm even more of a leet haxor, breaking teh lawz - I just printed out a copy of the PDF and gave it to my girlfriend, thus violating the copyright notice on it! Their so-called "copyright protection" is teh w34kest ev4r!
  • Whether the goal is criminal mischief or good old-fashioned corporate espionage, I think we can agree that malware is a lot more scalable than a call center. Of course, there was the beautiful fusion of techniques from various groups based in south-east asia using Ammyy Admin and similar to effect a social insertion of rapidly propagating malware behind the firewalls. Really, all electronic malice should use a variety of best practices.
  • social engineering. How do you spell your name lemonjello hey that spells lemon jello. The password is !!~^!!`^ bang bang tilda high five bang bang tilda high five. Thank alot have a good day.
  • Apple Scored Badly (Score:5, Informative)

    by mythosaz (572040) on Wednesday October 30, 2013 @08:35PM (#45287239)

    Apple scored badly...

    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]

    ...but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was a probably a given at Apple.

    • FTFA:

      The two most commonly obtained flags were the browser and OS of the target companies.

      Gosh...Safari on OS X Mavericks?

      • by mythosaz (572040)

        That information there (OS+ver, Browser+ver) = 50 points.

        "Do you have a cafeteria?" come in 3rd.

    • ..but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was a probably a given at Apple.

      ... and at GE nobody knew what OS, service pack, browser, mail and PDF program they were using... That's why the score is so low!

    • by cusco (717999)

      Not necessarily. A lot of people at Microsoft use Firefox and Chrome.

  • by Anonymous Coward

    I was really offended when I got had to reset my HR password, and instead of a normal password reset routine, they *mailed my plain-text password to me*. Ugh. Its not like the 401Ks, health care, payroll, and other personal info behind that system are important.

    • by undefinedreference (2677063) on Wednesday October 30, 2013 @10:21PM (#45287785)

      Nothing annoys me more than plain text passwords in emails. Double bonus points if it's a password for something sensitive like my financial information (ex: 401(k), which are among the worst offenders in the bad security department...it's not like they have the largest sum of money in my name, after all).

      The other disconcerting thing (probably the most frightening) is that they sent you your password in plain text. This means that your password is, at most, protected with a reversible cipher and is likely stored with no protection at all. That means if someone broke in (which doesn't even mean a threat from outside is necessary, and there are probably tens, if not hundreds, of people with accounts and/or passwords to get to the database) they could get your password and potentially every one you ever used. Then the real social engineering begins, when they call your bank with all your legitimate information and every likely password for your account in hand... Scary.

      • by rsborg (111459)

        udr, If you haven't already , pretty please get these companies putting your password on a "sharing" plan identifed then slotted, pronto at http://plaintextoffenders.com/ [plaintextoffenders.com] - we need to shame these idiots who abuse our security and apparently feel no downside to doing so.

  • by Anonymous Coward

    They also break out by flags captured by industry in the press release - http://www.prweb.com/releases/2013/SECTF/prweb11277564.htm

    Top Flags Gathered by Industry
    Heavy Manufacturing
    1. What browser and what version
    2. What operating system is in use?
    3. How long have they worked for the company?
    4. Is there a company VPN?
    5. Is IT Support handled in house or outsourced?

    Technology
    1. Do you block websites? (Facebook, Ebay, etc)
    2. What operating system is in use?
    3. What browser do they use?
    4.

  • I can definitely see where we are primed to be vulnerable to a socially engineered phone call. Piss off a customer, he calls up the chain of command and we have to answer for having poor social skills. Gotta please everyone or we lose our job.

    All someone has to do is mimic someone important, and he gets anything he wants. I think all of have had the experience of "doing the right thing", or following your instincts of common sense, then paying dearly for doing so.

    There is another kind of phone cal
  • The actual report of what informatoin was recieved and summary is on the site of the organizers: http://www.social-engineer.org/defcon-21-sectf-report-download/ [social-engineer.org]
  • This just in... (Score:5, Insightful)

    by SeaFox (739806) on Wednesday October 30, 2013 @09:44PM (#45287617)

    If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.

  • by guanxi (216397) on Thursday October 31, 2013 @03:37AM (#45288725)

    Can you socially engineer thousands of technically sophisticated Slashdot users into downloading an infected PDF?

  • Once an american network admin in an african country suggested me in very ambiguous terms, she was making a request from the FBI. And then people wonder why we think american people is dense. It ever anyone says that to you, tell them to sod off and send a written request.
  • The full report (pdf linked at the end of the article) repeatedly insists on the importance of the quality of the pretext:
    • "a major difference this year was in the quality of the pretexts employed by our contestants."
    • As in the previous years, part of our contestants' success appeared to have been related to the choice of pretext
    • Our winner this year [...] developed an excellent pretext, and was fully prepared prior to the contest

    On the other hand, the report gives close to no information about what makes a

  • Did anyone else notice the graph showing the women in the contest outperformed their male counterparts? Women were substantially better at the live call portion of the exercise, but also better during the pre-call information gathering phase.

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...