Phone Calls More Dangerous Than Malware To Companies
dinscott writes "During the Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
and the contestants spoofed caller ID, as I do (Score:5, Informative)
The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.
This can be very useful for encouraging bad guys to reveal information.
Re:complete results? (Score:5, Informative)
The article links to the entire PDF report, in which the values are given for all flags.
http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]
Apple Scored Badly (Score:5, Informative)
Apple scored badly...
http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]
Re:complete results? (Score:5, Informative)
When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from LinkedIn if you get an employee's name. Get a few more points if he shouted "Payday, bitches!" on Facebook one Friday afternoon.
The threat is relative. The points assigned to each were subjective.
Re:complete results? (Score:5, Informative)
You're right, the link is to a lame story. However, at the end of the story are the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]. That, on the other hand, is full of information and analysis, although they don't provide specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.