DEF CON attendees demonstrate social engineering prowess in CTF contest

Sin City was filled with plenty of people last week, and thousands of them were hackers. That's understandable, considering that Las Vegas hosted the Black Hat security conference, the B-Sides security conference, and DEF CON 21. Most of the week focused on talks, new products, and creative uses of code (for defence and offence), but there was another side as well: people, and the information they possess.

Last week may have been the largest gathering of novice and professional social engineers in North America. As chance (and a pre-planned schedule) would have it, CSO got the chance to watch them in action. Our observations were made while wandering around DEF CON, as well as within the Social Engineering village, home to the Social Engineering Capture the Flag (SECTF) contest, run by Chris Hadnagy of Social-Engineer Inc.

CSO joined dozens of others in the room hosting the SECTF contest just as a young woman named Christina was entering a soundproof booth, ready to make her first call. Christina, who asked that her last name not be used, is a perfect example of why social engineering shouldn't be taken lightly: she isn't a professional. In fact, she doesn't even work in the IT sector. Her work schedule kept her from doing any in-depth research, yet in two days she compiled a report for the contest on her assigned target.

As part of the rules for the SECTF event, contestants are given the name of the target company, as well as a list containing the types of information, or flags, that need to be gathered. Each flag has a point value, and the contestant with the most points wins. Christina's target was a company in the Fortune 500; CSO is withholding the company's name, as it isn't important -- the point of the contest is that the target could be any company, anywhere in the world.


Fortunately for the company selected for the call CSO witnessed, and all of the others that were part of the contest last weekend, there are strict rules as to the type of flags obtained, and how they can be earned.

Contestants are prohibited from seeking out passwords and other sensitive data (such as SSN or credit card details). The contestants are also not allowed to pretend to be law enforcement or government officials, and at no time can the contestants present their calls or questions in a way that will make the person on the other end of the phone feel at risk.

"No one gets victimized during this contest. Social Engineering skills can be demonstrated without engaging in unethical activities," the contest rules state.

During the day that CSO watched the SECTF contestants in action, participants confirmed details such as names, OS versions, browser usage and preference, and what types of third-party software were in use. The people on the other end of the line freely offered other information as well, including personal histories and insider details on development plans and pending projects. Break schedules were also discussed, offering a map of when the employee would be at their desk or away from the office.

On their own, none of the flags obtained during the calls were all that valuable, but combined they're a wealth of information to an attacker. Knowing that a company runs Windows XP, and that its employees are either required or prefer to use Internet Explorer, gives an attacker a clearly defined attack surface. Add the knowledge that the company opens PDF files with version 9.x of Adobe's reader software, and things start to look grim.

Posing as a corporate compliance officer, Christina spoke to an employee of a subsidiary of her target company; that was the only option, because the company is so large that all of its business runs through its satellite firms. She obtained all of the flags mentioned above, and also got the person on the other end of the phone to visit a website of her choosing. Had her call been a real attack, the game would have been over the moment that webpage loaded. The flags were obtained, and the website loaded, in less than twenty minutes.
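Even before any payload is delivered, a single page load hands the attacker two of the flags the callers had to coax out by phone: the OS version and the browser, which the browser volunteers in its User-Agent header on the very first request. As an added example (not part of the CSO article or of the SECTF), the Python script below parses web-server access-log lines in combined log format and recovers those two flags per visitor. The log lines, IP addresses and request path are constructed for illustration, not data from the contest.

```python
"""Added example (not from the CSO article): what one page load reveals.

Parses constructed access-log lines and recovers the OS and browser each
visitor's User-Agent header claims, i.e. two of the SECTF flags without
a phone call. The Windows NT-to-marketing-name table is the well-known
mapping; everything else here is illustrative.
"""
import re

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.15 - - [05/Aug/2013:14:02:11 -0700] "GET /compliance-update HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.22 - - [05/Aug/2013:14:05:47 -0700] "GET /compliance-update HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"
10.0.0.15 - - [05/Aug/2013:14:02:12 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

# Windows NT kernel version (as reported in User-Agent) -> product name.
WINDOWS_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
}

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_user_agent(ua):
    """Return (os_name, browser) as claimed by a User-Agent string.

    Unknown or non-browser agents (curl, scanners) come back as "unknown",
    so a caller can tell "no information" from a recognised platform.
    """
    os_name = "unknown"
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))

    browser = "unknown"
    m = re.search(r"MSIE (\d+)\.\d+", ua)          # legacy IE token
    if m:
        browser = "Internet Explorer " + m.group(1)
    else:
        m = re.search(r"Chrome/(\d+)\.", ua)
        if m:
            browser = "Chrome " + m.group(1)
    return os_name, browser


def fingerprint_log(log_text):
    """Map each visiting IP to the (os, browser) exposed by its first request."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip anything that is not a well-formed log line
        ip = m.group("ip")
        if ip not in seen:           # one profile per visitor; later hits add nothing new
            seen[ip] = parse_user_agent(m.group("ua"))
    return seen


if __name__ == "__main__":
    for ip, (os_name, browser) in fingerprint_log(SAMPLE_LOG).items():
        print(f"{ip}: {os_name}, {browser}")
```

Run stand-alone it prints one line per visitor; the first visitor in the constructed log shows up as Windows XP with Internet Explorer 8, which is exactly the platform the text above describes. The PDF-reader flag is not in the User-Agent header and would need client-side plugin enumeration, which this example deliberately does not do.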

There's light at the end of the tunnel, though: some of the targets in the SECTF event refused to share information, and at one point the person at the other end of the phone told the contestant they couldn't share a phone number because company policy prohibited it, a sign that some type of awareness program was in place.


The problem is that while a contestant would give up (and did give up), a real attacker would press forward. Eventually there will be a crack in the company's armor: someone will ignore policy and help the caller, and that's exactly what a social engineer is looking for.

The point of all of this, and the reason the SECTF event is controversial to some, is that it highlights a fundamental weakness in a security chain forged from policies, products and services: people. Humans are helpful and thrive on communication; skilled attackers know this and exploit it constantly.

By Steve Ragan