Sin City was filled with plenty of people last week, and thousands of them were hackers. That's understandable, considering that Las Vegas hosted the Black Hat security conference, the B-Sides security conference, and DEF CON 21. Most of the week focused on talks, new products, and creative uses of code (for defense and offense), but there was another side as well: people, and the information they possess.
Last week may have been the largest gathering of novice and professional social engineers in North America. As chance (and a pre-planned schedule) would have it, CSO got the chance to watch them in action. Our observations were made while wandering around DEF CON, as well as within the Social Engineering village, home to the Social Engineering Capture the Flag (SECTF) contest run by Chris Hadnagy of Social-Engineer Inc.
CSO joined dozens of others in the room hosting the SECTF contest just as a young woman named Christina was entering a soundproof booth, ready to make her first call. Christina, who asked that her last name not be used, is a perfect example of why social engineering shouldn't be taken lightly: she isn't a professional. In fact, her profession isn't even in the IT sector. Her work schedule kept her from doing any in-depth research, but in two days she compiled a report for the contest on her assigned target.
As part of the rules for the SECTF event, contestants are given the name of the target company, as well as a list containing the types of information, or flags, that need to be gathered. Each flag has a point value, and the contestant with the most points wins. Christina's target was a company in the Fortune 500; CSO is withholding the company's name, as it isn't important -- the point of the contest is that the target could be any company, anywhere in the world.
Fortunately for the company selected for the call CSO witnessed, and all of the others that were part of the contest last weekend, there are strict rules as to the type of flags obtained, and how they can be earned.
Contestants are prohibited from seeking out passwords and other sensitive data (such as SSN or credit card details). The contestants are also not allowed to pretend to be law enforcement or government officials, and at no time can the contestants present their calls or questions in a way that will make the person on the other end of the phone feel at risk.
"No one gets victimized during this contest. Social Engineering skills can be demonstrated without engaging in unethical activities," the contest rules state.
During the day that CSO watched the SECTF contestants in action, participants confirmed things such as names, OS versions, browser usage and preference, and what types of third-party software were being used. The people on the other end of the line freely offered other information as well, including personal histories and insider data on development plans and pending projects. Break schedules were also discussed, offering a map of when the employee would be at their desk or away from the office.
On their own, none of the flags obtained during the calls were all that valuable, but when combined, they're a wealth of information to an attacker. Knowing that a company runs Windows XP, and that its employees are either required or prefer to use Internet Explorer, creates a clear attack surface to target. Follow that with the knowledge that the company uses Adobe 9.x for opening PDF files, and things start to look grim.
Posing as a corporate compliance officer, Christina spoke to a person working for a subsidiary of her target company; that was the only option, because the company is so large that all of its business runs through satellite firms. She obtained all of the aforementioned flags, in addition to getting the person on the other end of the phone to visit a website of her choosing. Had her call been a real attack, the game would have ended the moment the person on the phone loaded the webpage. The flags were obtained, and the website loaded, in less than twenty minutes.
There's light at the end of the tunnel though, because some of the targets in the SECTF event refused to share information. At one point the person on the other end of the phone told the contestant that they couldn't share a phone number because company policy prohibited it -- alluding to the fact that some type of awareness program was in place.
The problem is that while a contestant would give up (and did give up), a real attacker would press forward. Eventually there will be a crack in the company's armor: someone will ignore policy and help the person calling, and that's exactly what a social engineer is looking for.
The point of all of this, and why the SECTF event is so controversial to some, is that it highlights a fundamental weakness in the security chain forged from policies, products and services: people. Humans are helpful and thrive on communication; skilled attackers know this, and they exploit it constantly.