Social Engineers Pwn The ‘Human Network’ In Major Firms

Editor’s Note: The DEF CON Social Engineer Capture The Flag Report is attached here.

From: Dark Reading

Apple, General Motors, Home Depot, Johnson & Johnson, Chevron, Boeing, and other major corporations easily fall to social engineers in recent contest, new report shows

Kelly Jackson Higgins

To provide some perspective on just how poorly corporate America is able to combat social engineering attacks today, consider this: Famously secretive Apple fared the worst in a recent social engineering contest.

Organizers of the annual Social Engineering Capture The Flag (SETF) contest at DEF CON have released the final report on the competition, held in August in Las Vegas, and the findings don’t bode well for enterprises: Social engineering exploits are as easy as ever to pull off successfully, with contestants able to glean valuable company information online and from employees answering phones at Apple, General Motors, Home Depot, Johnson & Johnson, Chevron, Boeing, Walt Disney, Exxon, General Dynamics, and General Electric.

The fifth annual SETF, which is held to raise awareness about social engineering threats, included 10 men and 10 women contestants who each initially conducted online research (no hacking or direct contact allowed) on their assigned target company for the contest. They then placed live telephone calls to their target in a soundproof booth at DEF CON in front of an audience of attendees and contest organizers. Each was scored based on the “flags,” or specific checklist items, they were able to obtain from their targets, such as the caller’s browser, operating system, or getting them to visit a rigged URL.

“The bottom line is [the target corporations] did really poorly,” says Michele Fincher, chief influencing agent for Social-Engineer, Inc., the firm that runs the event each year at DEF CON. “The companies who happened to do well did so accidentally or out of ignorance, in that they either couldn’t answer the question or didn’t know how, so the call shut down. Very few [employees] said, ‘I am not allowed to give out this information.’”

One male contestant in the online-research portion of the contest prior to the live event was able to access a document on his assigned target company’s public website that provided him the credentials to log into the company’s intranet. “He didn’t do any hacking on the corporate website, [which is against the rules]. But he found a document to help new employees log in that literally showed a real badge with login information that actually worked. Using that credential, he got into the employee intranet,” Fincher says.

Fincher, who wouldn’t name the targeted firm, says that finding highlighted just how easy it is to gather valuable information on a targeted organization via the Internet using open-source intelligence, a.k.a. OSINT, or information gathered from publicly available sources such as websites, social media, and other online resources. “There has not been a lot of activity on the part of corporations to improve this sort of exposure and data leakage,” she says.

Read Complete Article

