Social Engineers demonstrate the damage that could be caused by information

They say knowledge is power, and the final report from DEF CON 21's Social Engineer Capture the Flag contest shows that in the wrong hands, the amount of information organizations leave exposed online can empower attackers across the globe.

[Social engineering: How oversharing information can lead to disaster online]

Over the summer, CSO covered the events of the Social Engineering Capture the Flag (SECTF) contest at DEF CON 21, and the events from just one of the contest's phone calls.

A new report from Social-Engineer Inc. outlines the entire contest, as well as key observations from this year's calls. A contestant pool of 10 men and 10 women used Open Source Intelligence (OSI) to research their target company and collect as much information as possible (flags). Points are awarded based on the flags collected. This information is then used during the contest when the targets are called directly, so that the contestants can collect additional flags that build on what they have already gathered.

According to the report, the contestants used the metadata collection tool Maltego, as well as the usual avenues of information gathering such as Google (Images, Maps, YouTube), LinkedIn, Bing, Facebook, Monster, Twitter, Netcraft, BlogSpot, and more, to gather details on people and processes within their assigned target. This year's targets included Apple, Boeing, Chevron, Exxon, General Dynamics, GE, GM, Home Depot, Johnson & Johnson, and Walt Disney.

Watching the SECTF contest live is an experience in human interaction. As mentioned, the contestants call their targets and attempt to collect various flags, using a variety of pretexts. Despite the fact that many of the contestants were completely new to the world of social engineering, they made it look easy. Based on the report, on seeing the contest live, and on the number of flags collected, social engineering remains a viable threat to an organization's security.

"Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year's competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks," commented Social-Engineer, Inc.'s Chris Hadnagy, the SECTF organizer.

[10 security tips for customer support and service]

"While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company's employee-only online portal."

As revealed in the report, contestants were able to discover information on company VPNs; anti-virus coverage; operating system usage; how IT is handled (outsourced or internal); browser type and version; hardware-based data on phone systems and computers, including make and model; and details about wireless networks. Flags like these, the report adds, when examined by industry, represent a unique opportunity for an attacker to create a plausible story (pretext) that would allow them access to a company's most sensitive information.

The report also disclosed the fact that the second-place top scorer (at DEF CON, first and second place were announced as female) was actually a male. Overall the women did better this year, but the original second-place contestant was disqualified. There are strict rules for the SECTF contest, the main one being that the person the contestant is speaking to should never feel as if they are in jeopardy.

[3 steps to identify a potential phishing email]

"The contestant in question threatened the employee with termination as well as being responsible for the loss of a major negotiation if she did not comply in order to manipulate her into providing the flags. The judging panels made a unanimous decision that this was unethical conduct, eliminating this contestant from consideration," the report explained.

In terms of the number of flags collected, both with OSI and on the phone, as well as the value of the flags collected, Apple was the top company. They're followed by GM, Home Depot, Johnson & Johnson, Chevron, and Boeing. It should be noted that the rankings do not speak to the actual state of security at the organization, just the value and number of flags collected.

Of the flags collected the most, the type of browser used took the top spot, followed by operating system, wireless access information, and VPN-based information. A full copy of the report is available here.
