A hacker competition that challenges contestants to trick employees of large companies into divulging potentially sensitive information aims to show how human gullibility is the biggest security vulnerability of all. During its first day at the Defcon hacker conference in Las Vegas, it had clearly achieved its goal. With just …
So who didn't?
Which companies refused to co-operate?
I'm fairly confident that it would come down to the individual person answering the phone, regardless of company policy
Not if the company is vigorous with policy, encouragement and training. Why don't companies do the same thing ?
They are bullies.
This isn't social engineering, that's what regimes do this is bullying. Bullying for fun and results would be a more appropriate name but perhaps less palatable to those who do but don't give them credit because they want to feel nice about bullying. They might want to call themselves social engineers those who don't should call them bullies.
@Boethius: What are you going on about?
They find faults in internal company training and response policies which allows the parties concerned to be better prepared for such "attacks" in the future.
What's this bollocks about bullies? They weren't even allowed to "bully" people by implying they were compromised.
...schools are on holiday.
Oh well 4 / 5 weeks to go of this type of crap.
Humans are the weakest link!
We must eliminate them as soon as possible for our own protection (and sanity).
Nine years too late
See plot description for '2001 - a Space Odyssey', passim.
Have I just been socially engineered to visit social-engineering.com? Is this article itself a competition entry?
I wondered the same thing. Therefore, I did not click the link.
give up your password for a choccy bar?
Sure, why not. Here's my password - it's "chocolate" now where's my Mars bar?
While this may *look* like social engineering, one question needs to be answered. Who, exactly was manipulated? Was it the sap who divulged confidential information for a few empty calories, or was it the researchers who gave away some sweeties for a piece of unverifiable and otherwise useless information (that was almost certainly a lie, anyway).
A few high profile places I have worked in have had internal processes in place for what to do when employees were contacted by the press. It sounds like it is a very easy thing to set up something similar for IT workers to give "set" answers when cold-called by people they don't know.
You have obviously not worked in any sort of real office or company or environment, or at least not on this planet, if you think that BP can have all its phone answering staff trained like that.
Social engineering works, is easy, and will be around forever.
"It sounds like it is a very easy thing to set up something similar for IT workers to give "set" answers when cold-called by people they don't know."
Note: This has nothing to do with IT workers specifically. This is the call center monkeys, the sales team, marketing, beancounters, you, your boss. Anyone with a computer within the company you work for.
I work for a large corporation. They've been rolling out Windows 7 for some time now. When they started doing the refresh, the computers with Windows 7 got full access to their own hard drives and some network drives that were previously locked down (we assume they will be locking them down again at some point). If some random person in sales right now got a call asking to go to some web site and look up a product description and compare it to items we sell, I'm sure they would do it. All kinds of information and statistics would be leaked that the competition would love to have.
They could direct the person to a site with zeroday exploit virus on it (or just ask what kind of antivirus they are running) and compromise their system. With many people having full access to their own C drives, that could get out of control quickly.
As for the rest of your post, they weren't allowed to ask for passwords. People know that passwords are not to be shared, and know enough to lie about it. How many people know not to tell the truth about what antivirus they are running? They weren't allowed to say their system had been compromised, but consider this scenario.
You work for Company X, I call you at work. I say "Hey I work over in IT in Company X, and we're doing a quick check on our internet security. Double click on the Symantec icon in the bottom right corner of the screen and read off the version number for me real quick." You, not knowing any better read off the version number. "Hmm. Interesting. What browser are you using?" You again relay the information, not knowing it is important to keep that private. "Well, your antivirus is out of date, please go to w w w dot update anti virus dot com and click to download the file there, then run it. Have your co-workers do the same."
Poof. Have a set of compromised computers. It sounds believable enough to fool most sales/marketing/accounting types, if they are not tech oriented. For whatever reason, at work we are willing to trust a voice on the phone when we ignore the same requests in spam emails.
I've called people up I've never met, and asked their passwords at the one place I worked. The person never met me or heard from me before and gave them to me with no hesitation. All I had to do was say I was the new network admin and I was making changes to their account and wanted to test them out, but if I changed the password they would have to go through steps to change it back. Once they heard that they would have to do something to change it back they gave it with no resistance.
I repeated that with 6 more people none gave any resistance turns out that the average password was <their login name>12345... We had some serious security issues...
The problem with social engineering
is it's (for a typical commercial organization - may not apply to GCHQ or the NSA) almost always successful and remedial action is close to impossible. If my pen testing shows that I can access internal resources that shouldn't be exposed on the Internet, then I can also suggest possible solutions (e.g. improved firewall rules, ...) - but the fact that I can persuade the helpdesk to divulge the antivirus product in use?
Using a helpdesk is already a bad enough experience (for both the users and the operators), without trying to introduce an initial seven-step process to establish identity* or answering questions about the AV system with: "I'm sorry, I'm not at liberty to divulge that information".
* Which isn't to say that easy and obvious solutions such as the use of CLI is a bad idea.
You really trust CLI? It's pretty easy to present whatever you want as the CLI...
That depends upon the telco. BT for one most definitely check that you're actually entitled to use the number you're trying to present as.
..he said the use of CLI is a bad idea.
For the avoidance of doubt
I was suggesting* that CLI is a useful basic filter (but not a perfect solution) for the problem of identifying who might be calling (say) the helpdesk. What won't work (in most circumstances) is Security insisting on some lengthy identification process.
I remain of the view that most typical organizations that tried to be completely resistant to social engineering (even assuming such a thing were possible) would be unable to function efficiently and would soon be out of business. All security involves trade-offs, and for most organizations the loss of efficiency involved in becoming completely immune to social engineering attacks would greatly outweigh the benefits.
In certain, limited circumstances resistance to social engineering is vital. This is why, when you call your insurer/bank/... you're presented with a series of questions to check your identity. I imagine most people would be reluctant to deal with such an institution that didn't go through this type of process.
* Note to self: try to avoid the use of double negatives
No they don't...
..They asked you to sign a form to comply with the rules and so long as it's e.164, they don't give a toss.
We spoof our CLI's (send out the Non-Geo, not the Geo) all the time, as do most other large businesses.
I can change it in about...Ohh 3 seconds!#
BTW, not with BT anymore, but with two other carriers and we can send CLI down either of those as well.
Re For the avoidance of doubt
I don't wish to pass any negative comment on Chris Miller - nothing wrong with what he's saying.
Just thought I'd lodge my two pennies worth as someone who's a part of a small telco.
CLI is easy to spoof - we regularly do it as a convenience to our customers who want to present their main customer service number rather than one of their hundreds of agents' individual number. For that matter, withholding CLI means nothing except asking the delivering telco not to present it to the callee. They may choose to withhold or not though virtually all do. If you were, for the sake of argument, intending to hide crime by withholding CLI you'd do better to assume that it won't work.
The most common call centre defence to the con artists who were showcasing their talents here, is to give the peons a limited range of subjects and make them refer anything not on their script to their managers. Its bureaucratic and shows otherwise relatively intelligent people as idiots but it's fairly effective if degrading.
To test new functionality for clients I often have to "socially engineer" their call centre staff (it's the quickest way to get a lot of tests done and is often the only way), but if I was doing it in any way that undermined my customers they'd quickly be made to resort to the armadillo shell of the script, and the agents would cease being helpful and friendly.
I imagine that the net result of this competition is that BP have clamped down, that hundreds of call centre workers have been degraded to the safety of the script and that anyone who just wanted a helpful agent to use a modicum of intelligence (i.e. most people) will now get a crappy service instead. Of course a couple of fraudsters have had their egos stroked.
They might be very clever - but it doesn't stop them being dicks.
I didn't mean this to turn into a CLI discussion - my main point was that social engineering (as part of pen testing), is a bit of a waste of time since it will nearly always work and is difficult to defend against in a practical fashion. But it's generated some helpful comments, so that's all good.
I accept that it's easy, if not altogether trivial, to spoof CLI. But it does add a cheap extra layer of security. First, you can't easily spoof a call to make it appear to come from an internal number, which is in itself a defence. Second, for effective social engineering, you'd want to present yourself as a genuine (preferably senior) employee. Such names can often be gleaned from the company web site. But if the helpdesk know the home and mobile numbers, then you'd have to gain knowledge of one of those to make a CLI spoof successful and that may well be more difficult.
As I said, not a perfect defence (nothing ever is), but simple and good enough for many purposes.
actually, the cli you present can be almost anything, present say 4 digits (4628) and how many people would assume it was an internal number even if it rang like an external call...
I (used to) regularly got international cold calls (via a crap VoIP link, incidentally even easier to spoof cli using SIP) showing only 5 digits for some reason, maybe they's just set up their VoIP server incorrectly!
And how crap did they get?
Anyone calling me and asking for this sort of data would probably get a whole load of lies.
O/S Linux - Fedora 13
VPN ? Whats that
Then I'd fire off an email to our security people about the incident.
Yeah, I know I'm a smartass.
You're not that smart, ass.
I don't think you phone up and ask someone what AV version they're using, you use some sort of trickery :
Me : Hello, I'm having trouble with my AV program
Them : Ok, right click on the icon, settings, version and tell me what it says
Me : Err, McAfee.
Them : It should say Symantec
Me : Really, hold on, oh yes, symantec and a 7
Them : "And a 7" do you mean 9.7 ?
Me : Oh yes, thank you, I'm such a doofus with computers. Every time I start reading an Abode document it goes wrong.
Them : Do you mean Adobe?
Me : Maybe... It's from a website
etc..... Before you know it, you've got the official Adobe plugin version and probably the browser and if you tell the helpdesker where your document is (socialengineer.com) you can probably get them to go there too.
Just phoning a random helpdesk and saying "what version and type of AV software do you run" would hopefully get an answer like "beeeeeeeeeeeep click"
password for chocolate
I'd just give out a fake password. Yum!
Social engineering for Hardware hacking
you know you want to click: http://www.puff65537.com/Home/4758-tear-down
At work a few years ago...
Someone had hacked into and run a cmd.exe window (W2K) he was typing rubbish like del command.com!!!!
I knew the PC was locked down so just watched in amusement! I then used the cmd window to communicate like an IM client!
Said hello, can we have the PC back to work etc etc quite funny :)
At work a lot of years ago
Whilst working at a small engineering firm, we had 1 internet capable PC with it's 56k modem, it was there to allow the sales reps who only came into the office once every 3 months to remote in to drop off documents.
Wandering past the PC one day when the screen flickers into life as someone remotes in, and quickly called the boss over so we could both watch the bozo on the other end of the line trying to connect to a search engine to look for porn, and not the good kind. They hadn't realised you could either remote into the PC or use the PC to vist the interwebs, but not both at the same time.
Shortly afterwards one of the remote sales reps decided to persue an oppertunity at a different company, after working for the same firm for 10+ years.
For a moment I saw that as a Flake password :)
"A hacker competition that challenges contestants to trick employees of large companies into divulging potentially sensitive information aims to show how human gullibility is the biggest security vulnerability of all. During its first day at the Defcon hacker contest in Las Vegas, it had clearly achieved its goal." .... no SH* bro.
Now if only Congress would get a blessed clue about as much, and start to support real reform in education - the kind that teaches us to think for ourselves, for instance.
Anon 'cos stupid people with big sticks are even scarier than smart people with big sticks.
The problem is that, paradoxically enough, the most educated people are actually an easier target of skillful charlatans -- it's what I call the Randi effect, although I don't remember if it was him who first said it or not.
Why? Intellectual hubris.
Well educated people have higher opinions of themselves and of their skills than less educated folks. So, when confronted with a scam, trick, whatever, they sure are more likely to spot what is wrong (or that at least something must be) than the "simpletons" -- but is the trickery is actually better than they can spot, they are more likely to believe that everything is real and fine. After all, they are so smart and no one could be tricking them, right? Whereas the "simpletons" are more likely to accept that they are not able to see the trick.
That's why one has to be weary when hearing that some psychic event, for instance, was witnessed by scientists. Without knowing the exact circumstances of the "experiment" (was it controlled? happened at a neutral setting? was it independently and consistently verified? etc.), that means nothing.
And that's why James Randi hasn't have to get rid of that $1 million yet.
Are you mad?
> support real reform in education - the kind that teaches us to think for ourselves, for instance.
They'd never get reelected. No way in hell that would ever happen. But we can always dream. Pass the bong...
"That's why one has to be weary "
I'm often weary of hearing about psychics and their magical readings.
I'm also wary of their "proof".
As for the last sentence, I haven't has to no idea.
I looked at that guys website as the name wasn't familiar. Best FAQ I've ever read -
"It's important to realize that if at this point you still doubt that the money exists, your doubt is in the entire American bond system in general and Goldman Sachs specifically"
The guy should consider entering an app himself!
Yeah, as in "be wear"!
Damn this language that has more homophones than words... :-)
No great secrets
I know all that info about BP and more because I work for one of their suppliers (hence the AC). More interesting and useful to a hacker would have been to ask them how regularly they apply Windows updates and other security patches. Now that is scary.
And oddly enough..
I have a very distant connection to a company that supplies some things to my company, and also supplies some things to BP. I recently stumbled across exactly that information from BP freely accessible in the 3rd party's tool which they'd supplied to us, plus a LOT more, including individuals names - Yet we took on the tool with assurances that all data in it was secure. Aye - very good. Ok, they've fixed it now - but where there's one hole...
is only as good as your most moronic employee.
Could have been worse.
Fuss over nothing
"The information included what model laptops BP used and the specific operating system, browser, anti-virus and virtual private network software the company used."
Oh come on, that's barely anything. A good hacker could find that out in minutes through electronic means, and a bad one wouldn't be able to use it anyway. Not if the company configured it properly.
In my experience that kind of information is not considered important. It's given out to suppliers and potential suppliers on a daily basis, and it saves thousands of pounds a year by getting you a better price form companies that want you to switch to their products, or which are doing deals on certain products, and if you tell a software supplier then you might as well tell the world.
As I said, if the hacker is skilled knowing this information in advance will save them about 5 minutes, and if they are not skilled then they won't be able to do much with it. What matters is whether the company has properly set up the software at their end. If they've left holes in the system a hacker can exploit them without any real difficulty.
You keep telling yourself that..
and while you're about it, why not stick your fingers in your ears, close your eyes and sing "la la la la la"?
Nice attitude. Dribble much?
This was exactly my view on reading the article. If you have to rely on security by obscurity then you are already f**ked.
I personally use XP SP3 and Ubuntu, McAfee and Avira, TrueCrypt and BeCrypt, Comodo and a hardware Cisco firewall, My VPN is Cisco, and I use Tor.
OK, now tell me how much time that has saved you as a hacker - as a vulnerability manager and pen tester I can tell you the answer is next to bugger all - you will still do a full automated scan anyway. "Oh but I now know what vulnerabilities to test for" - Yes but you would test for them anyway.
It's like not telling somebody what encryption a file is using in case it helps them decrypt it - pointless.
does T-shirts saying on the front "Social Engineering Specialist" and on the back "Because there is no patch for human stupidity"
A must for your 2010 wardrobe!!!
@"human gullibility is the biggest security vulnerability of all"
Sadly its a major never ending struggle to try to patch it. :( ... But I still live in hope it can be patched one day.
It reminds me of the Albert Einstein quote: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
To invent the phrase "Social Engineering" when the original phrases such as "Lying" and "Confidence Trick"
Or is the choice of words doublespeak intended to make the scammer feel less guilty about breaking the law
Social engineering is a useful phrase because it groups together a set of activities into a two word jargon, that everyone who talks about it knows broadly speaking what is being discussed. Sure, it essentially consists of con tricks, but "con trick" is such a broad term that it is of no use in this discussion. You would need to qualify it, e.g. "con trick to gain access to a computer network", so you might as well use the phrase "social engineering".
If I was advertising for someone to gain access to a competitor's secrets, advertising for a "con artist" would be no good - someone with the skills to dupe tourists into buying fake tickets, for example, might not have the skills to do this sort of thing. Similarly, advertising for a hacker might not be useful, since they might not have the skills to do this sort of thing either. But the term "social engineering" means that everyone involved is clear about what they want.
It's not to cloud the issue about the legality of the situation, but it's to simply use more precise language.
But "social engineering" sounds like a good thing
Although "social engineering" is a useful phrase, and it's now well understood, I don't think it was well chosen. I would prefer Engineering to be seen as professional and useful activity, contributing to the well-being of society as a whole. Perhaps a more emotionally charged term such as "social dicking-about", "social cracking" or "con-cracking" would better express the activity. IMHO.
My point is
That some of these activities are essentially breaking the law and by giving it a technical/academic sounding name does not vindicate it, and encouraging people to do it as some sort of competition is reckless.
Or am I to be told there is such a thing as "Victimless or White Hat Social Engineering"
Does your outgoing e-mail say at the bottom,
"This message has been scanned for viruses by Dickware.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager, Mr. Ian Credible, Open House, 123 Easy Street, tel. 1-555-OMGOMGOMG."
Ours admittedly doesn't, but at least the antivirus ID used to be present, maybe the version. Probably until someone realised that viruses can tell you that they were passed by Dickware, too, although they weren't.
So now they just put it in the e-mail header lines. "X-Virus-Scanned: by Pointless Exercise Exciser 0.00 (www.we-dare-you.com)"
Social engineering? Just send a bland e-mail to firstname.lastname@example.org . Unseen by human hand.