back to article Social-engineering contest reveals secret BP info

A hacker competition that challenges contestants to trick employees of large companies into divulging potentially sensitive information aims to show how human gullibility is the biggest security vulnerability of all. During its first day at the Defcon hacker conference in Las Vegas, it had clearly achieved its goal. With just …

COMMENTS

This topic is closed for new posts.
  1. Wokstation

    So who didn't?

    Which companies refused to co-operate?

    1. frymaster

      doesn't matter

      I'm fairly confident that it would come down to the individual person answering the phone, regardless of company policy

      1. Alan Firminger

        Not

        Not if the company is vigorous with policy, encouragement and training. Why don't companies do the same thing ?

  2. LaeMing
    Terminator

    Humans are the weakest link!

    We must eliminate them as soon as possible for our own protection (and sanity).

    1. Jonathan Richards 1

      Nine years too late

      See plot description for '2001 - a Space Odyssey', passim.

  3. Dunstan Vavasour

    Hang on...

    Have I just been socially engineered to visit social-engineering.com? Is this article itself a competition entry?

    1. Anonymous Coward
      Anonymous Coward

      title

      I wondered the same thing. Therefore, I did not click the link.

  4. Pete 2 Silver badge

    give up your password for a choccy bar?

    Sure, why not. Here's my password - it's "chocolate" now where's my Mars bar?

    While this may *look* like social engineering, one question needs to be answered. Who, exactly was manipulated? Was it the sap who divulged confidential information for a few empty calories, or was it the researchers who gave away some sweeties for a piece of unverifiable and otherwise useless information (that was almost certainly a lie, anyway).

    A few high profile places I have worked in have had internal processes in place for what to do when employees were contacted by the press. It sounds like it is a very easy thing to set up something similar for IT workers to give "set" answers when cold-called by people they don't know.

    1. Anonymous Coward
      Anonymous Coward

      get real

      You have obviously not worked in any sort of real office or company or environment, or at least not on this planet, if you think that BP can have all its phone answering staff trained like that.

      Social engineering works, is easy, and will be around forever.

    2. Anonymous Coward
      Anonymous Coward

      Title

      "It sounds like it is a very easy thing to set up something similar for IT workers to give "set" answers when cold-called by people they don't know."

      Note: This has nothing to do with IT workers specifically. This is the call center monkeys, the sales team, marketing, beancounters, you, your boss. Anyone with a computer within the company you work for.

      I work for a large corporation. They've been rolling out Windows 7 for some time now. When they started doing the refresh, the computers with Windows 7 got full access to their own hard drives and some network drives that were previously locked down (we assume they will be locking them down again at some point). If some random person in sales right now got a call asking to go to some web site and look up a product description and compare it to items we sell, I'm sure they would do it. All kinds of information and statistics would be leaked that the competition would love to have.

      They could direct the person to a site with zeroday exploit virus on it (or just ask what kind of antivirus they are running) and compromise their system. With many people having full access to their own C drives, that could get out of control quickly.

      As for the rest of your post, they weren't allowed to ask for passwords. People know that passwords are not to be shared, and know enough to lie about it. How many people know not to tell the truth about what antivirus they are running? They weren't allowed to say their system had been compromised, but consider this scenario.

      You work for Company X, I call you at work. I say "Hey I work over in IT in Company X, and we're doing a quick check on our internet security. Double click on the Symantec icon in the bottom right corner of the screen and read off the version number for me real quick." You, not knowing any better read off the version number. "Hmm. Interesting. What browser are you using?" You again relay the information, not knowing it is important to keep that private. "Well, your antivirus is out of date, please go to w w w dot update anti virus dot com and click to download the file there, then run it. Have your co-workers do the same."

      Poof. Have a set of compromised computers. It sounds believable enough to fool most sales/marketing/accounting types, if they are not tech oriented. For whatever reason, at work we are willing to trust a voice on the phone when we ignore the same requests in spam emails.

      1. Kevin 6
        Unhappy

        Actually

        I've called people up I've never met, and asked their passwords at the one place I worked. The person never met me or heard from me before and gave them to me with no hesitation. All I had to do was say I was the new network admin and I was making changes to their account and wanted to test them out, but if I changed the password they would have to go through steps to change it back. Once they heard that they would have to do something to change it back they gave it with no resistance.

        I repeated that with 6 more people none gave any resistance turns out that the average password was <their login name>12345... We had some serious security issues...

  5. Chris Miller
    Thumb Down

    The problem with social engineering

    is it's (for a typical commercial organization - may not apply to GCHQ or the NSA) almost always successful and remedial action is close to impossible. If my pen testing shows that I can access internal resources that shouldn't be exposed on the Internet, then I can also suggest possible solutions (e.g. improved firewall rules, ...) - but the fact that I can persuade the helpdesk to divulge the antivirus product in use?

    Using a helpdesk is already a bad enough experience (for both the users and the operators), without trying to introduce an initial seven-step process to establish identity* or answering questions about the AV system with: "I'm sorry, I'm not at liberty to divulge that information".

    * Which isn't to say that easy and obvious solutions such as the use of CLI is a bad idea.

    1. Anonymous Coward
      Stop

      CLI

      You really trust CLI? It's pretty easy to present whatever you want as the CLI...

      1. A J Stiles

        Depends

        That depends upon the telco. BT for one most definitely check that you're actually entitled to use the number you're trying to present as.

        1. Anonymous Coward
          WTF?

          No they don't...

          ..They asked you to sign a form to comply with the rules and so long as it's e.164, they don't give a toss.

          We spoof our CLI's (send out the Non-Geo, not the Geo) all the time, as do most other large businesses.

          I can change it in about...Ohh 3 seconds!#

          BTW, not with BT anymore, but with two other carriers and we can send CLI down either of those as well.

      2. Anonymous Coward
        FAIL

        No...

        ..he said the use of CLI is a bad idea.

    2. Chris Miller

      For the avoidance of doubt

      I was suggesting* that CLI is a useful basic filter (but not a perfect solution) for the problem of identifying who might be calling (say) the helpdesk. What won't work (in most circumstances) is Security insisting on some lengthy identification process.

      I remain of the view that most typical organizations that tried to be completely resistant to social engineering (even assuming such a thing were possible) would be unable to function efficiently and would soon be out of business. All security involves trade-offs, and for most organizations the loss of efficiency involved in becoming completely immune to social engineering attacks would greatly outweigh the benefits.

      In certain, limited circumstances resistance to social engineering is vital. This is why, when you call your insurer/bank/... you're presented with a series of questions to check your identity. I imagine most people would be reluctant to deal with such an institution that didn't go through this type of process.

      * Note to self: try to avoid the use of double negatives

      1. Alex C

        Re For the avoidance of doubt

        I don't wish to pass any negative comment on Chris Miller - nothing wrong with what he's saying.

        Just thought I'd lodge my two pennies worth as someone who's a part of a small telco.

        CLI is easy to spoof - we regularly do it as a convenience to our customers who want to present their main customer service number rather than one of their hundreds of agents' individual number. For that matter, withholding CLI means nothing except asking the delivering telco not to present it to the callee. They may choose to withhold or not though virtually all do. If you were, for the sake of argument, intending to hide crime by withholding CLI you'd do better to assume that it won't work.

        The most common call centre defence to the con artists who were showcasing their talents here, is to give the peons a limited range of subjects and make them refer anything not on their script to their managers. Its bureaucratic and shows otherwise relatively intelligent people as idiots but it's fairly effective if degrading.

        To test new functionality for clients I often have to "socially engineer" their call centre staff (it's the quickest way to get a lot of tests done and is often the only way), but if I was doing it in any way that undermined my customers they'd quickly be made to resort to the armadillo shell of the script, and the agents would cease being helpful and friendly.

        I imagine that the net result of this competition is that BP have clamped down, that hundreds of call centre workers have been degraded to the safety of the script and that anyone who just wanted a helpful agent to use a modicum of intelligence (i.e. most people) will now get a crappy service instead. Of course a couple of fraudsters have had their egos stroked.

        They might be very clever - but it doesn't stop them being dicks.

    3. Chris Miller
      Thumb Up

      CLI

      I didn't mean this to turn into a CLI discussion - my main point was that social engineering (as part of pen testing), is a bit of a waste of time since it will nearly always work and is difficult to defend against in a practical fashion. But it's generated some helpful comments, so that's all good.

      I accept that it's easy, if not altogether trivial, to spoof CLI. But it does add a cheap extra layer of security. First, you can't easily spoof a call to make it appear to come from an internal number, which is in itself a defence. Second, for effective social engineering, you'd want to present yourself as a genuine (preferably senior) employee. Such names can often be gleaned from the company web site. But if the helpdesk know the home and mobile numbers, then you'd have to gain knowledge of one of those to make a CLI spoof successful and that may well be more difficult.

      As I said, not a perfect defence (nothing ever is), but simple and good enough for many purposes.

      1. Ian Sneyd
        Grenade

        errrm

        actually, the cli you present can be almost anything, present say 4 digits (4628) and how many people would assume it was an internal number even if it rang like an external call...

        I (used to) regularly got international cold calls (via a crap VoIP link, incidentally even easier to spoof cli using SIP) showing only 5 digits for some reason, maybe they's just set up their VoIP server incorrectly!

  6. Anonymous Coward
    Boffin

    And how crap did they get?

    Anyone calling me and asking for this sort of data would probably get a whole load of lies.

    Laptop? Dell

    O/S Linux - Fedora 13

    AV? none

    VPN ? Whats that

    etc

    etc

    Then I'd fire off an email to our security people about the incident.

    Yeah, I know I'm a smartass.

    1. max allan
      FAIL

      You're not that smart, ass.

      I don't think you phone up and ask someone what AV version they're using, you use some sort of trickery :

      Me : Hello, I'm having trouble with my AV program

      Them : Ok, right click on the icon, settings, version and tell me what it says

      Me : Err, McAfee.

      Them : It should say Symantec

      Me : Really, hold on, oh yes, symantec and a 7

      Them : "And a 7" do you mean 9.7 ?

      Me : Oh yes, thank you, I'm such a doofus with computers. Every time I start reading an Abode document it goes wrong.

      Them : Do you mean Adobe?

      Me : Maybe... It's from a website

      etc..... Before you know it, you've got the official Adobe plugin version and probably the browser and if you tell the helpdesker where your document is (socialengineer.com) you can probably get them to go there too.

      Just phoning a random helpdesk and saying "what version and type of AV software do you run" would hopefully get an answer like "beeeeeeeeeeeep click"

  7. Filippo Silver badge
    Joke

    password for chocolate

    I'd just give out a fake password. Yum!

  8. Puff65537
    Grenade

    Social engineering for Hardware hacking

    you know you want to click: http://www.puff65537.com/Home/4758-tear-down

  9. Will Godfrey Silver badge
    Happy

    @Filippo

    For a moment I saw that as a Flake password :)

  10. David McMahon
    Alert

    At work a few years ago...

    Someone had hacked into and run a cmd.exe window (W2K) he was typing rubbish like del command.com!!!!

    I knew the PC was locked down so just watched in amusement! I then used the cmd window to communicate like an IM client!

    Said hello, can we have the PC back to work etc etc quite funny :)

    1. Andrew the Invertebrate

      At work a lot of years ago

      Whilst working at a small engineering firm, we had 1 internet capable PC with it's 56k modem, it was there to allow the sales reps who only came into the office once every 3 months to remote in to drop off documents.

      Wandering past the PC one day when the screen flickers into life as someone remotes in, and quickly called the boss over so we could both watch the bozo on the other end of the line trying to connect to a search engine to look for porn, and not the good kind. They hadn't realised you could either remote into the PC or use the PC to vist the interwebs, but not both at the same time.

      Shortly afterwards one of the remote sales reps decided to persue an oppertunity at a different company, after working for the same firm for 10+ years.

  11. Anonymous Coward
    Anonymous Coward

    No great secrets

    I know all that info about BP and more because I work for one of their suppliers (hence the AC). More interesting and useful to a hacker would have been to ask them how regularly they apply Windows updates and other security patches. Now that is scary.

    1. Anonymous Coward
      Anonymous Coward

      And oddly enough..

      I have a very distant connection to a company that supplies some things to my company, and also supplies some things to BP. I recently stumbled across exactly that information from BP freely accessible in the 3rd party's tool which they'd supplied to us, plus a LOT more, including individuals names - Yet we took on the tool with assurances that all data in it was secure. Aye - very good. Ok, they've fixed it now - but where there's one hole...

  12. Anonymous Coward
    Black Helicopters

    Yep

    "A hacker competition that challenges contestants to trick employees of large companies into divulging potentially sensitive information aims to show how human gullibility is the biggest security vulnerability of all. During its first day at the Defcon hacker contest in Las Vegas, it had clearly achieved its goal." .... no SH* bro.

    Now if only Congress would get a blessed clue about as much, and start to support real reform in education - the kind that teaches us to think for ourselves, for instance.

    Anon 'cos stupid people with big sticks are even scarier than smart people with big sticks.

    1. J 3
      Boffin

      @Yep

      The problem is that, paradoxically enough, the most educated people are actually an easier target of skillful charlatans -- it's what I call the Randi effect, although I don't remember if it was him who first said it or not.

      Why? Intellectual hubris.

      Well educated people have higher opinions of themselves and of their skills than less educated folks. So, when confronted with a scam, trick, whatever, they sure are more likely to spot what is wrong (or that at least something must be) than the "simpletons" -- but is the trickery is actually better than they can spot, they are more likely to believe that everything is real and fine. After all, they are so smart and no one could be tricking them, right? Whereas the "simpletons" are more likely to accept that they are not able to see the trick.

      That's why one has to be weary when hearing that some psychic event, for instance, was witnessed by scientists. Without knowing the exact circumstances of the "experiment" (was it controlled? happened at a neutral setting? was it independently and consistently verified? etc.), that means nothing.

      And that's why James Randi hasn't have to get rid of that $1 million yet.

      1. max allan
        Headmaster

        Intellectual?

        "That's why one has to be weary "

        I'm often weary of hearing about psychics and their magical readings.

        I'm also wary of their "proof".

        (Sorry)

        As for the last sentence, I haven't has to no idea.

        1. J 3
          Alien

          @Intellectual?

          Yeah, as in "be wear"!

          Damn this language that has more homophones than words... :-)

      2. Ross 7

        James Randi

        I looked at that guys website as the name wasn't familiar. Best FAQ I've ever read -

        "It's important to realize that if at this point you still doubt that the money exists, your doubt is in the entire American bond system in general and Goldman Sachs specifically"

        The guy should consider entering an app himself!

    2. Anonymous Coward
      Joke

      Are you mad?

      > support real reform in education - the kind that teaches us to think for ourselves, for instance.

      They'd never get reelected. No way in hell that would ever happen. But we can always dream. Pass the bong...

  13. Anonymous Coward
    Pint

    Corporate Security...

    is only as good as your most moronic employee.

  14. a.4
    Flame

    Dial-A-Prison-Experiment

    http://en.wikipedia.org/wiki/Strip_search_prank_call_scam

    Could have been worse.

  15. PerfectBlue

    Fuss over nothing

    "The information included what model laptops BP used and the specific operating system, browser, anti-virus and virtual private network software the company used."

    Oh come on, that's barely anything. A good hacker could find that out in minutes through electronic means, and a bad one wouldn't be able to use it anyway. Not if the company configured it properly.

    In my experience that kind of information is not considered important. It's given out to suppliers and potential suppliers on a daily basis, and it saves thousands of pounds a year by getting you a better price form companies that want you to switch to their products, or which are doing deals on certain products, and if you tell a software supplier then you might as well tell the world.

    As I said, if the hacker is skilled knowing this information in advance will save them about 5 minutes, and if they are not skilled then they won't be able to do much with it. What matters is whether the company has properly set up the software at their end. If they've left holes in the system a hacker can exploit them without any real difficulty.

    1. Anonymous Coward
      Anonymous Coward

      You keep telling yourself that..

      and while you're about it, why not stick your fingers in your ears, close your eyes and sing "la la la la la"?

      Nice attitude. Dribble much?

    2. Anonymous Coward
      Anonymous Coward

      Totally agree

      This was exactly my view on reading the article. If you have to rely on security by obscurity then you are already f**ked.

      I personally use XP SP3 and Ubuntu, McAfee and Avira, TrueCrypt and BeCrypt, Comodo and a hardware Cisco firewall, My VPN is Cisco, and I use Tor.

      OK, now tell me how much time that has saved you as a hacker - as a vulnerability manager and pen tester I can tell you the answer is next to bugger all - you will still do a full automated scan anyway. "Oh but I now know what vulnerabilities to test for" - Yes but you would test for them anyway.

      It's like not telling somebody what encryption a file is using in case it helps them decrypt it - pointless.

  16. yomchi86
    Thumb Up

    jinx.com

    does T-shirts saying on the front "Social Engineering Specialist" and on the back "Because there is no patch for human stupidity"

    A must for your 2010 wardrobe!!!

  17. MinionZero
    Headmaster

    @"human gullibility is the biggest security vulnerability of all"

    Sadly its a major never ending struggle to try to patch it. :( ... But I still live in hope it can be patched one day.

    It reminds me of the Albert Einstein quote: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

  18. Kevin 43
    Grenade

    Trust geeks

    To invent the phrase "Social Engineering" when the original phrases such as "Lying" and "Confidence Trick"

    Or is the choice of words doublespeak intended to make the scammer feel less guilty about breaking the law

    1. Anonymous Coward
      Anonymous Coward

      social engineering

      Social engineering is a useful phrase because it groups together a set of activities into a two word jargon, that everyone who talks about it knows broadly speaking what is being discussed. Sure, it essentially consists of con tricks, but "con trick" is such a broad term that it is of no use in this discussion. You would need to qualify it, e.g. "con trick to gain access to a computer network", so you might as well use the phrase "social engineering".

      If I was advertising for someone to gain access to a competitor's secrets, advertising for a "con artist" would be no good - someone with the skills to dupe tourists into buying fake tickets, for example, might not have the skills to do this sort of thing. Similarly, advertising for a hacker might not be useful, since they might not have the skills to do this sort of thing either. But the term "social engineering" means that everyone involved is clear about what they want.

      It's not to cloud the issue about the legality of the situation, but it's to simply use more precise language.

      1. Alan Douglas

        But "social engineering" sounds like a good thing

        Although "social engineering" is a useful phrase, and it's now well understood, I don't think it was well chosen. I would prefer Engineering to be seen as professional and useful activity, contributing to the well-being of society as a whole. Perhaps a more emotionally charged term such as "social dicking-about", "social cracking" or "con-cracking" would better express the activity. IMHO.

    2. Kevin 43

      My point is

      That some of these activities are essentially breaking the law and by giving it a technical/academic sounding name does not vindicate it, and encouraging people to do it as some sort of competition is reckless.

      Or am I to be told there is such a thing as "Victimless or White Hat Social Engineering"

  19. Robert Carnegie Silver badge

    Does your outgoing e-mail say at the bottom,

    "This message has been scanned for viruses by Dickware.

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager, Mr. Ian Credible, Open House, 123 Easy Street, tel. 1-555-OMGOMGOMG."

    Ours admittedly doesn't, but at least the antivirus ID used to be present, maybe the version. Probably until someone realised that viruses can tell you that they were passed by Dickware, too, although they weren't.

    So now they just put it in the e-mail header lines. "X-Virus-Scanned: by Pointless Exercise Exciser 0.00 (www.we-dare-you.com)"

    Social engineering? Just send a bland e-mail to postmatser@bp.com . Unseen by human hand.

  20. Etrien Dautre

    Multipussy/DickChain Msg Co

    Sure if you know email and have a kind of a keylogger aboard, reading the object's absolutely not a question. Write there, read here, secdesc=havoc, and you're in. Especially if someone's using a nitty stuff like Hijack logs and asks for a forum's help to define what's the cause of a leakage (-; And oh, there are always files people so un pro fessionally don't delete from the _second_ disk you never format when reinstalling "the latest, tuned" copy of Windows after the intrusion of the best hacker on the Planet -- the User itself.

    Add some primitive "social engineering" to it - and you've done your bet. Well, I feel I may seem to be telling the grass to the soil here.

    And this is just the way people who don't have a Clue in the core principles of the net functions and functioning think. But how encouraging this is sometimes.... so much that your browser sniffer puts a definite ip~ into Favo(u)rite pos just because one says in the open that anyone can/can't handle the net and you know this is said by a professional. Understand, people need further revealing of the story of a newsteller, not as much as any other news which will be just the same and will remain rotating around the shapes, every side of which has already been umpteen times portrayed in all wavelenghts possible and carefully stored for the purposes.

    And, it sometimes probably seems to be kind of octopussy/multipussy chained with so many its tentacles behind so many wheels that you can't deprive any of its DN servers from refreshing, properly renumerate the pool in favor of any other globally trusted devices or effortlessly include some special terms/rules into AS roles. Am I a keeper of a State secret? I think you may shoot yourself in the leg if this is so. And how really much for that triviousity do peasants pay in the circus?

    Burning/drowning out the masters/readers is a way out, though, leaving some so comfortably out of questions which may appear, @ prime, from forums and journalists... but to succeed, one has to buid a real countermagic ring then. Pool... Hmmm...

    Can't find such a miserable me in the Google @ some spaces again, and it hurts my feelings. Sergei, you're the only Russian I... and like that. The situation reminds me of two coloured cats in a dark room.

    And, did someone ever say there's only one ISP on the planet/one rope in the room?

    Relax bro, not @ your gates. Err, what was I talking about... Ah, having the shifting keys during the first hours after the blackout will be a Real Mark Twain in the new Waters.

    .

    Please _do not_ bother to press rating buttons here.

    .

    With the help of the Magic Preview,

    73

This topic is closed for new posts.