The good folks at www.social-engineer.org have recently released a report detailing the results of the social engineering “Capture the Flag” contest held this past summer at the Defcon 19 security conference. This report is a must read for security professionals. (You have to register to download the report, but this is one of the rare times that it is worth giving up some personal info to gain access to a PDF.)
The CTF contestants were given the task of collecting as many pieces of information (“flags”) as they could from one of 14 targeted companies, across multiple industry sectors. In phase one of the contest, contestants were given 2 weeks to conduct open source research on their quarry using the web, social media, Google and the like. Phase two of the contest took place at Defcon, where contestants made phone calls to their targets and tried to “social engineer” (bamboozle) unsuspecting employees into revealing information which could help an attacker plot her nefarious strategy.
If you are responsible for security at your organization, you really need to read the full report; it is chock full of great information which you can use to enhance the critical human element of your security programs.
Here are a few tidbits which stood out for me:
In all cases where the attacker asked an employee to visit a URL, the employee ended up doing so, even if they were resistant at first. The attacker could use this behavior in a number of ways. First, they would be able to query the system to determine what versions of software are installed to inform later attacks. They could direct the employee to a “drive-by download” site which attempts to exploit vulnerabilities to install malware on the system. They could get an idea of what type of web filtering was in place – if the company did not block access to social media sites, these might be used to leverage later attacks. And if the attacker was smart and persuasive, she could get the employee to download and run software on their system.
Much of the information sought by the attackers could be gathered without contacting the target company. Information which was freely available on the web, or mistakenly made available through defects in policy or system configuration was a treasure trove for contestants. Here are some of the prizes found during the open source research phase:
- Employee personal blogs with corporate information posted to them
- Employee resumes which listed technical or organizational information of use to an attacker
- Photographs which depicted employee badge designs, names of vendors, access control and CCTV systems in use, other technology in use, or layouts of facilities, amongst others.
- Some organizations even had employee lists, with titles, email addresses and phone numbers available on the web – these are pure gold for the Social Engineer.
None of the organizations seemed to have provided employees with a script for dealing with callers asking strange questions. In the absence of instructions, many employees fell back on their customer service training and innate desire to “help” and played into the hands of the attacker. A simple “let me get my manager on the line” script could have stopped many of these attacks.
There is a lot more great information in this report… Read it and share it with your external-facing employees today.
Are you still reading my blathering? Get reading!