For the last five years at Def Con, hackers have competed in the Social Engineer Capture the Flag (SECTF) contest. The contest previously sent the feds into a panic because, in this competition, “the phone call is more dangerous than malware.” The smooth, slippery and even sneaky tongues of social engineers easily tricked the staff at 10 major companies into handing over specific pieces of privileged information, aka capturing the “flags.” The final SECTF report has been released, highlighting human vulnerabilities, such as the urge to help someone in need, as well as shoddy security of company information accessible via the Internet. So even after five years of public awareness, social engineering is still a massive threat to corporate America.
This year the 10 targeted companies were Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney. How did they do? “Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” explained Chris Hadnagy, aka HumanHacker, and organizer of the SECTF contest.
Ten men and 10 women, chosen from 198 applicants, were given two weeks to prepare for the contest by gathering as much intelligence about the targeted corporations as could be obtained through Google, LinkedIn, Flickr, Facebook, Twitter, corporate websites and other internet sites listed in the report. The Open Source Information (OSI) phase is only about collecting info found online; interacting with employees at the target companies is against the rules. This would not be the case in a real-world attacker scenario.
In the real world, be it a penetration test or bad actors, there are no strict “rules of engagement” such as those imposed on social engineering contestants in order to protect target companies. Attackers go far beyond pre-texting to offering free “candy.”
For instance, journalist Adam Penenberg challenged SpiderLabs to “perform a personal pen-test” on him, and that included trying to break into his life through his wife. Since she runs a Pilates studio, a friend of the hacking team signed up for a class and left behind a flash drive.
This is a tried-and-true trick, such as “dropping” flash drives in a company’s parking lot so an employee will pick one up, take it into the building, and plug it in to deliver its malicious payload. This tactic is often successful, whether an employee is curious or wants a free USB drive, but phishing emails could also be the free “candy” bait. Multiply that risk by the number of people working for major corporations and you can see how the threat is multiplied. Yet the “most important rule” for the social engineering contest is that there is “absolutely no victimization of any target companies.”
Humans, divulging details over the phone to social engineers, were not necessarily the weakest link; “information gathered on the internet allowed contestants to capture more than two times the amount of points gathered in the live call portion of the contest.” The findings illustrate that:
While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided log in credentials for the target company’s employee-only online portal. It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.
According to the report [pdf], the top flags gathered in the 2013 SECTF competition were:
- Specific Internet browser
- Operating system information
- Information on corporate wireless access
- Confirmation of a corporate Virtual Private Network (VPN)
- Presence of an onsite cafeteria
“The two most commonly obtained flags were the browser and OS of the target companies,” the report explains. “With these two pieces of information, the simplest way for an attacker to breach network security would be through a targeted phishing email containing files that would either release malware or lead the target into clicking to a malicious website targeting vulnerabilities specific to their browser or OS.”
If you are curious why something like a company having a cafeteria is important, it is because a malicious attacker would use any helpful tidbit to penetrate a company; learning about a cafeteria opens the possibility for an attacker to physically enter the building by impersonating a canteen employee or delivery person and collecting “information that may be improperly secured.”
Any “privileged” info helps an attacker develop elaborate lies, or pretexts, that could trick company employees into giving out more info. It also opens the way for an attacker with “insider” knowledge to wield the power of it during a call, the “tribe mentality,” such as pretending to be an IT person at the company with the right to ask software and network-related questions. In fact, “targets surrendered every one of the predefined flags at least once during the competition.”
Hadnagy pointed out, “Even though social engineering has received major press, as well as been the topic for discussions amongst the security community and corporate America, it still proves to be a major threat and the easiest way in to most companies.”
And these were the good guys simply competing in a contest. In the real world, an attacker will attempt any dirty trick to achieve his or her “treat.”