They say knowledge is power, and the final report from DEF CON 21's Social Engineer Capture the Flag contest shows that in the wrong hands, the amount of information organizations leave exposed online can empower attackers across the globe.
Over the summer, CSO covered the events of the Social Engineering Capture the Flag (SECTF) contest at DEF CON 21, and the events from just one of the contest's phone calls.
A new report from Social-Engineer Inc. outlines the entire contest, as well as key observations from this year's calls. A contestant pool of 10 men and 10 women used Open Source Intelligence (OSI) to research their target company and collect as much information as possible (flags). Points are awarded based on the flags collected. This information is then used during the contest itself, when the contestants call the targets directly and use what they have already gathered to collect additional flags.
According to the report, the contestants used the metadata collection tool Maltego, as well as the usual avenues of information gathering such as Google (Images, Maps, YouTube), LinkedIn, Bing, Facebook, Monster, Twitter, Netcraft, BlogSpot, and more, to gather details on people and processes within their assigned target. This year's targets included Apple, Boeing, Chevron, Exxon, General Dynamics, GE, GM, Home Depot, Johnson & Johnson, and Walt Disney.
Watching the SECTF contest live is an experience in human interaction. As mentioned, the contestants call their targets and attempt to collect various flags, using a variety of pretexts. Despite the fact that many of the contestants were completely new to the world of social engineering, they made it look easy. Based on the report, on seeing the contest live, and on the number of flags collected, social engineering remains a viable threat to an organization's security.
"Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year's competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks," commented Social-Engineer, Inc.'s Chris Hadnagy, the SECTF organizer.
"While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company's employee-only online portal."
As revealed in the report, contestants were able to discover information on company VPNs; antivirus coverage; operating system usage; how IT is handled (outsourced or internal); browser type and version; hardware-based data on phone systems and computers, including make and model; and details about wireless networks. Flags like these, the report adds, when examined by industry, represent a unique opportunity for an attacker to create a plausible story (pretext) that would allow them access to a company's most sensitive information.
The report also disclosed that the second place top scorer (at DEF CON, first and second place were announced as female) was actually a male. Overall the women did better this year, but the original second place finisher was disqualified. There are strict rules for the SECTF contest, the main one being that the person the contestant is speaking to should never feel as if they are in jeopardy.
"The contestant in question threatened the employee with termination as well as being responsible for the loss of a major negotiation if she did not comply in order to manipulate her into providing the flags. The judging panels made a unanimous decision that this was unethical conduct, eliminating this contestant from consideration," the report explained.
In terms of the number of flags collected, both through OSI and on the phone, as well as the value of the flags collected, Apple was the top company, followed by GM, Home Depot, Johnson & Johnson, Chevron, and Boeing. It should be noted that the rankings do not speak to the actual state of security at the organization, just the value and number of flags collected.
Among the flags collected most often, the type of browser used took the top spot, followed by operating system, wireless access information, and VPN-based information. A full copy of the report is available here.