How to steal corporate secrets in 20 minutes: Ask

IDG News Service - A few companies in the Fortune 500 need to upgrade their Web browsers. And while they're at it, a little in-house training on social engineering wouldn't be a bad idea, either.

Social engineering hackers -- people who trick employees into doing and saying things that they shouldn't -- took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.

The first two contestants made it look easy.

Wayne, a security consultant from Australia who wouldn't give his last name, was first up Friday morning. His mission: Get data from a major U.S. company. (IDG News Service has chosen not to report which companies fell for which attacks because of possible security risks.)

Sitting behind a sound-proof booth before an audience, he connected with an IT call center and got an employee talking. Pretending to be a KPMG consultant doing an audit under deadline pressure, Wayne got him to spill details, big time.

Wayne ignored a request for an employee number and launched immediately into a story about how his boss was on his back, and how he really needed to get this audit finished. He worked his Aussie charm on the worker, who'd only been with his new employer for a month. Within minutes, it seemed he was willing to give Wayne pretty much any information he wanted -- at one point he even visited a fake KMPG Web page that Wayne had set up.

He ended the call promising to buy the employee a beer.

He ended the call promising to buy Ledoi a beer.

"What beer do you like?"

"Right now I'm on a Blue Moon kick."

In an interview after the call, Wayne couldn't believe his luck. "I was thinking they're a pretty big company and I know they did a lot of in-house security audits."

Later, contest organizers said his effort was the best of the day. But everyone who was targeted gave up information. Chris Hadnagy, one of the founders of the contest, believes the victims would have given away sensitive information such as passwords had they been asked. "They would have given pictures of their family if they'd asked for it," he said.