People remain the greatest security risk

DEFCON Las Vegas

Some of America's biggest companies should be concerned about the outcome of this year's hacker conference DEF CON. A group of participants provided proof of their talent in social engineering. In information security, the term "refers to psychological manipulation of people into performing actions or divulging confidential information," as Wikipedia explains. In the past, social engineering meant a friendly uncle asking kids when they were going on vacation with their parents, just to break into their homes while they were gone.

In today's digitalized world it means criminals calling a company's employees, pretending to be members of the IT crew and asking for log-in data and other sensitive information. The end result can be identity theft, the loss of customer data, the loss of intellectual property, or the loss of military or government secrets.

This year's participants in the Social Engineering Capture the Flag contest targeted Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney Corp. Two teams searched for information such as:

Which company is used to deliver packages?

Who does the food service?

Is there a company VPN?

What mail client is used?

What time of the month do the employees get paid?

The complete list of questions can be downloaded at social-engineer.org.

The competitors obtained this information only by using web-based tools or by phone calls. Two weeks prior to the conference, they started collecting data. During DEF CON, they used it in a live call session. The report on the contest states: "We continue to see improvements in the quality and preparation of the contestants. One thing we do not see, however, are any significant improvements on the part of companies to educate and prepare themselves against social engineering attacks."

Chris Hadnagy, founder of social-engineer.org and organizer of the contest, spoke to the blog threatpost.com: “One contestant found an Internet log-in page with a link to a help document that did not require credentials. In that document, they gave you an example of a log-in with a picture of a corporate ID that worked and we were able to log in. Things like that are shocking in 2013 to see,” Hadnagy said.

The contest showed that the majority of companies still use Internet Explorer 7, which Hadnagy criticizes as a very vulnerable browser. “It opens them up to a plethora of phishing, phone and onsite impersonation.”

One just needs to know information like this to call a company's IT crew and claim technical problems with the systems. It's easy to obtain log-in information and codes once the internal support staff believes you are a member of the company. How easy it is to convince someone that you're a co-worker from another office was shown by Shane MacDougall at last year's contest, when he tricked a Walmart employee into disclosing sensitive data.

The scoring provided by social-engineer.org shows that Apple fared the worst, followed by General Motors, Home Depot, Johnson & Johnson and Chevron. Details on specific vulnerable areas are available to the target companies upon request. So if you are interested - just pretend to be an Apple employee ;-)