Blog article
See all stories »

Hackers Play Social Engineering Capture The Flag At Defcon

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to identify and resist the more common attempts to trick them into letting down their guard. Criminal hackers use social engineering as a very effective tool and as part of their strategy when gathering information to piece together the parts of their scams. They often target company executives via phone and email. Once they have extracted some data from the top, accessing networks or whatever end game they had in mind is much easier.

Social engineering has always been a “person to person” confidence crime. Once the con man gains the mark’s trust, the victim begins to provide all kinds of information, or to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I suppose we would need to be able to trust one another in order to survive as an interdependent communal species, otherwise fear would prevent us from relying on others to nurture us until we are tossed out of the nest.

Defcon is a conference for hackers of all breeds. There are good guys, bad guys, and those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology decend on Las Vegas to learn, explore, and hack. InfoWorld reports, “This year’s Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies — over the telephone instead of the Internet.”

Defcon is known for its antics but it’s also an event where hackers of all flavors improve their skills. The game they are playing this year is a social engineering fun-o-rama called Social Engineering CTF, referencing the game “Capture the Flag.” “This contest will borrow elements from the convention’s traditional computer-based CTF tournaments, but with a few variations. Prior to the conference, participants will receive an email with the name and URL of a target company. Participants will be permitted to gather preliminary information about the company using Google searches and other passive techniques. Contestants are banned from contacting their target directly via email or phone, and they get points for information gathered. Competitors then use that data during the actual tournament to fuel their social engineering attack. They have twenty minutes to call unsuspecting employees at their target companies and obtain specific bits of (nonsensitive) information about the business for additional points. Participants aren’t allowed to make the target company feel at risk by pretending to represent a law enforcement agency.”

Recognize that online predators use these tactics to get what they want. They consider you, the innocent computer user, their natural prey.

So always question authority, or the appearance of authority. Don’t automatically trust or give the benefit of the doubt. When you are contacted via phone or email, or approached in person, proceed with caution. Always be suspect of external or internal communications, and consider that you could be the target of a phishing scam. Never click on links in the body of an email, and if an email prompts you to divulge a username and password, pick up the phone to verify the legitimacy of the request. The best defense is effective policies coupled with ongoing awareness training.

 

4792

Comments: (3)

Uri Rivner
Uri Rivner - BioCatch - Tel Aviv 27 July, 2010, 09:05Be the first to give this comment the thumbs up 0 likes

Good report, Robert.

Defcon tests Social engineering in its pure form: leveraging people’s natural tendency to trust others, tricking them to give you valuable inside information, and use that to gain an unfair advantage when attacking your target. Kevin Mitnik is arguably the most notorious social engineer in the last couple of decades: see https://www.finextra.com/blogs/fullblog.aspx?blogid=3805

If you move to a broader interpretation, such as the one in the Wiki article on social engineering (http://en.wikipedia.org/wiki/Social_engineering_(security)) you’ll find social engineering in many other shapes. The original Trojan horse was an amazing piece of social engineering: faking a retreat and leaving behind a huge wooden horse, the Greeks gained entry to the city of Troy. They counted on the citizens of Troy to celebrate their victory and capture the horse which the ‘defeated’ Greeks left behind.

The bible is also full of social engineering stories: as my colleague Idan Aharoni wrote in this blog (http://www.rsa.com/blog/blog_entry.aspx?id=1588), Jacob used social engineering elements to trick his near sighted father Isaac to bestow upon him a blessing.

Phishing is still a mainstream form of attack because fraudsters find new, creative ways to do social engineering. The latest I saw is using the brand of a big fast food company to run a fake survey. Complete the survey, which asks no sensitive details at all, and you’re entitled to an $80 credit to buy meals. Oh, and they need your card details and ATM PIN code to send you the money.

And social networks are the new breeding ground of both social engineering attacks directed at the members, and collecting data from member pages to attack financial institutions and corporations.

Another good example of social engineering is the latest Microsoft trick of setting up a completely fake bank in New York, and tricking people to give them a huge amount of sensitive data (https://www.finextra.com/news/fullstory.aspx?newsitemid=21598)

Robert Siciliano
Robert Siciliano - Safr.me - Boston 28 July, 2010, 01:40Be the first to give this comment the thumbs up 0 likes

Great stuff Uri, glad to hear from you. 

Uri Rivner
Uri Rivner - BioCatch - Tel Aviv 28 July, 2010, 08:33Be the first to give this comment the thumbs up 0 likes

My sister who works in Paypal sent me the following link, which is a big laugh and somewhat related.

http://www.notla.com/archives/2010/07/nigerian-scammer-gets-a-laptop-from-me/