Social engineering is the (morally vague) art of tricking someone out of their company’s technical secrets just by talking to them. It often involves deceit and relies on the fact that the weakest link in any computer security system is a human.
At the annual Defcon event, held in Las Vegas this week, attendees, mostly professionals in the computer-security business, engage in several contests. A new one this year involves launching social engineering “attacks,” where contestants must obtain the answers to questions about a company’s security defenses. People working at big companies such as Google and Apple failed to realize they were being social engineered by con artists.
This year, about 20 Defcon attendees in Las Vegas participated in the contest, which stirred a lot of controversy. The organizers of the conference were three security experts who know how to do social engineering: Chris Hadnagy (pictured top right), operations manager for Offensive Security; Mati Aharoni (pictured middle), trainer of Offensive Security; and Jim O’Gorman (pictured left) of Continuum Worldwide. They created the site www.social-engineer.org for the contest, which occurred for the first time this year at Defcon and runs through Saturday.
The contest has proved so alarming to the targeted corporations that some called on the help of the FBI, which quizzed the organizers on why they were doing the contest.
“We wanted to start a social engineering program because we believe in security through education,” Hadnagy said at a press conference at Defcon.
The participants were instructed to engage in passive information gathering to find out some sensitive information about a company, such as where its dumpsters are located. (Dumpster diving is a common practice by hackers who want to find documents with company secrets on them.) By looking things up on the Web, the participants tried to track down company details, such as what kind of Web browser the employees used and what version of Adobe PDFs they were using. (The answers to these questions can be used to launch cyberattacks against the companies.)
Tipped off by the announcement of the contest, the FBI met with the organizers ahead of time, and the organizers enlisted the help of the Electronic Frontier Foundation, a nonprofit civil-liberties advocacy group, to represent them. In that meeting the Justice Department voiced its concerns about whether any laws would be broken in the contest. The EFF offered legal advice about how to structure the contest; for instance, participants were not allowed to impersonate law enforcement officers during phone calls, as that is a crime.
In almost every case, company representatives gave up secrets they should not have. The companies targeted included Microsoft, Cisco, Apple, BP, Shell, Google, Procter & Gamble, Pepsi, Coca-Cola, and Ford. The contestants were given “flag points” as rewards for each answer they pulled from employees.
Contestants cold-called employees to get the information. In three cases, company employees did not give any details over the phone. But the contestants, posing as journalists or customers, still got data from every company. One contestant managed to get an answer out of his target company in just 22 minutes. The contestant used tricks, such as preying upon emotions, by saying that they had to finish the project and get answers that day.
Because of publicity around the case, a number of contestants dropped out. Some said their bosses would fire them if they participated in the Defcon event.