Phone Calls More Dangerous Than Malware To Companies

dinscott writes "During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."

Re:Caller ID

[Sable Drakon]

You do know that caller ID is spoofable right?

and the contestants spoofed caller ID, as I do

[raymorris]

The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.

This can be very useful for encouraging bad guys to reveal information.

Ha! It's true ...

[TrollstonButterbeans]

And a very reputable company with the really trusted name of --- TELETURD.COM -- provides such a service including a free trial.

What a lovely name!

Re:

[SeaFox]

Which is why it would be better to use the ANI number for Caller-ID instead of a special "Caller-ID" string. You better believe it will be more accurate. The phone wouldn't let people fuck around with the info they use for billing.

Mandarin

[flyingfsck]

No problem, I cannot speak Mandarin.

Re:Caller ID

[Opportunist]

Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?

People don't care about security. And why should they, it is not their job!

My pet peeve with security in most companies is that the CSO's trying to take the easy way out: Shifting the burden of security on his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters 'til I have time to ponder something REALLY "secure"). And no writing down! How you should remember that gobbelygoo? Not my problem!

That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one headache more, especially one headache that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.

So it's no wonder IT security is seen like some kind of Gestapo and Stasi rolled into one.

Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).

You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could [schneier.com]. In a nutshell: When a worker faced the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.

And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.

Of course, I'm fairly sure the CISO presented him a fully blown sheet of dos and don'ts when someone from IT calls, verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.

How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.

Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most

Re:Caller ID

[AJH16]

You danced around the edge of it but missed the real issue. The real issue is the fact that the worker is seen as a slacker if they take the time to do things securely. If security isn't a mandate from the CEO and pushed down and invested in hard by the entire management organization, then it won't work. Period. Security has to be everyone's job to work well. That said, it also doesn't have to be (and can't be) overly burdonsome, so much of what you said is still accurate.

The real key is that users must have the support of management to take the time it takes to be secure and processes must make sense so that users see the benefit and the fact that their managers support the process. If you don't have that, they are going to do what it takes to please there manager, not the IT Department, because that is their job.

Re:

[gl4ss]

I'm confused, was this a competition about who does fraud best over telephone?

Re:

[jriding]

Stated like a true developer.

Re:

[Opportunist]

Well, I "evolved" out of development. And, frankly, I have to say that I'm probably a better manager than someone who comes from a "pure" management background who tries to lead people who do something he doesn't understand. Likewise, the best CFOs come from bookkeeping and not from some BA background.

There's a reason the CFO is maybe the only person in our management meetings that I truly respect and whose opinion I value at least as much as my own. It's based in experience instead of some management bulls

Reduce unemployment today!

[bob_super]

Good morning citizen, this is the brand-new NSA call center...

complete results?

[datapharmer]

If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

Re:complete results?

[Anonymous Coward]

that's not news.

Re:complete results?

[gman003]

Revised headline: "Slashdot editors still drunk at work, approving spam".

Re:

[Anonymous Coward]

Well that STILL isn't news.

Re:

[MurukeshM]

The article itself has only one link, so it's not a click farm. But it is depressingly low on facts.

Re:

[fatphil]

But you've got to award DEFCON troll points for the bit of the scoring system that says:
"Format, structure, grammer, layout, general quality of the report ... 0-50 points"

50 points for "grammer"! Trolling indeed is a art.

Re:complete results?

[TheGavster]

In addition to its brevity, it also implies the 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

Re:complete results?

[SmlFreshwaterBuffalo]

In addition to its brevity, it also implies the 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

Since the article doesn't bother listing what the flags were, one cannot assign a weight to each of them. If all the flags were of equal importance than I would agree with you. But if some are more critical than others, e.g. if flag 1 is "What is the CEO's name?", and flag 2 is "What is the CEO's login and password?", then comparing raw counts as the article is doing is both pointless and misleading.

Re:complete results?

[mythosaz]

The article links to the entire PDF report, in which the values are given for all flags.

http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]

practice? Re:complete results?

[Fubari]

Pop quiz: what are the chances that somebody practicing social engineering and penetration testing would place the tantalizing results of this amazing DEFCON exercise just one click away inside of the super-secure never been exploited format known as PDF?
*shrug* A bit of paranoia seems like cheap insurance.

Re:

[serialband]

Don't use adobe reader to open the pdf. There's plenty of other readers that don't execute the code.

Foxit, sumatrapdf, etc...

Re:complete results?

[mythosaz]

When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from Linkedin if you get an employee's name. Get a few more points he shouted "Payday, bitches!" on Facebook one Friday afternoon.

The threat is relative. The points assigned to each were subjective.

Re:complete results?

[gnasher719]

If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

I wonder if they found out what browser and OS are used at Apple and at Microsoft...

Re:

[BitZtream]

They both use Chrome.

Re:

[dgatwood]

I wonder if they found out what browser and OS are used at Apple and at Microsoft...

Exactly. When the answers to half of your questions are blindingly obvious without even asking them, you're really wasting your time. Start asking questions that are an actual threat to corporate secrets, though, and at most companies, the employees will clam up faster than a politician caught with a hooker behind a cheap Vegas strip club.

Take Apple for example. Let's see:

• Do you have a cafeteria? Uh, yeah. It's listed

Re:complete results?

[8tim8]

You're right, the link is to a lame story. However, at the end of the story is the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]. That, on the other hand, is full of information and analysis, although they don't provide specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.

Re:

[rtb61]

What they don't show is why. In any autocratic system failure to show proper obeisance and provide what ever service is required when demanded by a person deemed to be in authority brings the threat of immediate dismissal. The more autocratic, the greater the threat of dismissal and the greater the compliance to any request by authority. So control breaks down security through threat of failure to comply. Where you have less control and greater individual responsibility you strengthen the resolve of those

Re:

[Mister Transistor]

Employee-Employer Loyalty (and vice versa) DIED the same day that "Personnel" became "Human Resources".

Go ahead, you can quote me...

Re:

[rtb61]

Which is exactly where the security went and why social 'engineering' is so effective. Basically in that environment security is for sale.

Re:

[Anonymous Coward]

If those are the complete results that was a pretty short and piss poor competition.

If you look at the bottom of TFA you'll see a link to the complete results [social-engineer.org].

Re:

[Mr. Freeman]

The list of possible flags is also filled with useless information. The *only* flag that means anything is "getting user to go to a fake URL". The rest of them are questions like "who handles your trash collection?" and "who stocks the vending machines?". That information is entirely useless and most of it is even publicly available. Concealing this information provides obscurity at best and a false sense of security at worst.

These aren't even attack vectors. Any idiot can walk into a company and say "

Re:

[Joe_Dragon]

getting into the building is a long way to being able to walk around anywhere even better is ducking into the rest room and changing.

Or even the vending guy can say something about needing a network link to install say a CC reader system / remote control system / ect now you do want to save $X /mo by not useing the 3g/4g link?

Re:complete results?

[cusco]

If you're in the building you have physical access to some of the company resources, unless you're very closely watched. One local software company found a wireless access point had been plugged into a network port in a conference room and taped to the bottom of the table so that the network could be browsed from the parking lot or the coffee shop downstairs. They think it was a job applicant being interviewed who planted it. In another janitorial staff plugged a netbook into a port in an empty cubicle, where it sniffed the network for a few days until it was removed and handed off.

Did you know that your network printer has a hard drive that stores print jobs? Depending on the model that interface can be available via USB, Bluetooth, or even its own WAP. Security on that all-in-one printer tends to be pitiful, many of them run a customized Linux kernel that can run a network sniffer and store the results. So if you don't watch your soda delivery guy you might be losing data.

Re:

[Rich0]

If you're in the building you have physical access to some of the company resources, unless you're very closely watched.

Sure, but first you have to get into the building. This was not demonstrated at all. Merely having the name of the trash company doesn't get you inside.

At my employer if you don't have an ID card that opens a turnstile you need to walk up to the security desk and be registered. If your photo isn't on file they require a government-issued photo ID. So, you'd need to know the name of the trash collector, and not just the name of their employer.

Granted, stealing an ID probably would be possible. Unless th

Re:

[Rich0]

At least at my employer the entire facility is surrounded by a fence, with the only openings being turnstiles that run floor to ceiling, or a manned gatehouse where there is a more traditional turnstile. The only way through that is to either jump it, or have the guard unlock it. Vehicle passage is blocked by a gate - no obstacle if you want to just drive through it, but that would hardly be inconspicuous.

Re:

[StormReaver]

The real news here is "slashdot editors drunk at work, approve spam"

Obligatory: You must be new here.

Re:

[icebike]

This article must be a click farm because it sure doesn't have any actual content.

Of course not, this is slashdot, never link to the target when you can hype some blog instead.

Actual content at http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]

Upshot: Be suspicious of calls from men, just hang up on women.

Re:

[fatphil]

I'm even more of a leet haxor, breaking teh lawz - I just printed out a copy of the PDF and gave it to my girlfriend, thus violating the copyright notice on it! Their so-called "copyright protection" is teh w34kest ev4r!

Scalability

[aaronb1138]

Whether the goal is criminal mischief or good old-fashioned corporate espionage, I think we can agree that malware is a lot more scalable than a call center. Of course, there was the beautiful fusion of techniques from various groups based in south-east asia using Ammyy Admin and similar to effect a social insertion of rapidly propagating malware behind the firewalls. Really, all electronic malice should use a variety of best practices.

Re:

[Joining Yet Again]

Tell me more about these raves.

News at 11 you can get passwords with

[Ralph Ostrander]

social engineering. How do you spell your name lemonjello hey that spells lemon jello. The password is !!~^!!`^ bang bang tilda high five bang bang tilda high five. Thank alot have a good day.

It's stupid to start your comment

[Anonymous Coward]

in subject.

Apple Scored Badly

[mythosaz]

Apple scored badly...

http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf [social-engineer.org]

...but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was a probably a given at Apple.

Re:

[R3d M3rcury]

FTFA:

The two most commonly obtained flags were the browser and OS of the target companies.

Gosh...Safari on OS X Mavericks?

Re:

[mythosaz]

That information there (OS+ver, Browser+ver) = 50 points.

"Do you have a cafeteria?" come in 3rd.

Re:

[gnasher719]

..but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was a probably a given at Apple.

... and at GE nobody knew what OS, service pack, browser, mail and PDF program they were using... That's why the score is so low!

Re:

[cusco]

Not necessarily. A lot of people at Microsoft use Firefox and Chrome.

Re:

[cusco]

And I should add they also have Android phones and iPads.

Boeing employee here

[Anonymous Coward]

I was really offended when I got had to reset my HR password, and instead of a normal password reset routine, they *mailed my plain-text password to me*. Ugh. Its not like the 401Ks, health care, payroll, and other personal info behind that system are important.

Re:Boeing employee here

[undefinedreference]

Nothing annoys me more than plain text passwords in emails. Double bonus points if it's a password for something sensitive like my financial information (ex: 401(k), which are among the worst offenders in the bad security department...it's not like they have the largest sum of money in my name, after all).

The other disconcerting thing (probably the most frightening) is that they sent you your password in plain text. This means that your password is, at most, protected with a reversible cipher and is likely stored with no protection at all. That means if someone broke in (which doesn't even mean a threat from outside is necessary, and there are probably tens, if not hundreds, of people with accounts and/or passwords to get to the database) they could get your password and potentially every one you ever used. Then the real social engineering begins, when they call your bank with all your legitimate information and every likely password for your account in hand... Scary.

Re:

[undefinedreference]

There's a difference between them being generated and sent in an email (which is not exceptionally dangerous because it should be temporal (that is, you force a change when they log in and only allow it to be used within a brief window of time) and sending you an email with a stored password on request. Don't mistake the two. Again, the implication that they're storing your password with no more than a basic reversible cipher is very troubling.

Re:

[rsborg]

udr, If you haven't already , pretty please get these companies putting your password on a "sharing" plan identifed then slotted, pronto at http://plaintextoffenders.com/ [plaintextoffenders.com] - we need to shame these idiots who abuse our security and apparently feel no downside to doing so.

More details in news release

[Anonymous Coward]

They also break out by flags captured by industry in the press release - http://www.prweb.com/releases/2013/SECTF/prweb11277564.htm

Top Flags Gathered by Industry
Heavy Manufacturing
1. What browser and what version
2. What operating system is in use?
3. How long have they worked for the company?
4. Is there a company VPN?
5. Is IT Support handled in house or outsourced?

Technology
1. Do you block websites? (Facebook, Ebay, etc)
2. What operating system is in use?
3. What browser do they use?
4.

I have observed this for years. Family calls.

[anubi]

I can definitely see where we are primed to be vulnerable to a socially engineered phone call. Piss off a customer, he calls up the chain of command and we have to answer for having poor social skills. Gotta please everyone or we lose our job.

All someone has to do is mimic someone important, and he gets anything he wants. I think all of have had the experience of "doing the right thing", or following your instincts of common sense, then paying dearly for doing so.

There is another kind of phone cal

The actual report...

[Tekla Francis]

The actual report of what informatoin was recieved and summary is on the site of the organizers: http://www.social-engineer.org/defcon-21-sectf-report-download/ [social-engineer.org]

This just in...

[SeaFox]

If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.

The bonus flag

[guanxi]

Can you socially engineer thousands of technically sophisticated Slashdot users into downloading an infected PDF?

It is not only hackers doing social engineer

[ruir]

Once an american network admin in an african country suggested me in very ambiguous terms, she was making a request from the FBI. And then people wonder why we think american people is dense. It ever anyone says that to you, tell them to sod off and send a written request.

So what exactly makes a truly good pretext?

[HaggiStan]

The full report (pdf linked at the end of the article) repeatedly insists on the importance of the quality of the pretext:

• "a major difference this year was in the quality of the pretexts employed by our contestants."
• As in the previous years, part of our contestants' success appeared to have been related to the choice of pretext
• Our winner this year [...] developed an excellent pretext, and was fully prepared prior to the contest

On the other hand, the report gives close to no information about what makes a

Women outperform met at social engineering

[Grantbridge]

Did anyone else notice the graph showing the women in the contest outperformed their male counterparts? Women were substantially better at the live call portion of the exercise, but also better during the pre-call information gathering phase.