Defcon’s social engineering contest – there is no patch for stupid
A weekend contest at the world’s largest hacking convention in Las Vegas showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.
Amid a spate of high-profile cyber assaults on targets ranging from Sony Corp to the International Monetary Fund, one would think that many companies would be paying special attention to security these days.
But hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies to reveal information that can be used in planning cyber attacks against them.
The contestants also managed to get employees to use their corporate computers to browse websites the hackers suggested. Had these been criminal hackers, the websites would have likely loaded malicious software onto the PCs.
In one case, a contestant pretended to work for a company’s IT department and persuaded an employee to give him information on the configuration of her PC, data that could help a hacker decide what type of malware would work best in an attack.
“For me it was a scary call because she was so willing to comply,” said Chris Hadnagy, one of the organizers of the contest at the Defcon conference in Las Vegas…
The company whose employees handed over the most data was Oracle Corp, according to Hadnagy. One of the world’s largest software makers, Oracle got its start more than 30 years ago by selling secure databases to the Central Intelligence Agency.
“Oracle was wiped,” said Hadnagy…”
It was the second year that Defcon held a contest in “social engineering,” or the practice where hackers con people into handing over information or taking actions such as downloading malicious software.
Social engineering is frequently used in attacks where the hackers send a “spear phishing” e-mail in which they impersonate a friend of the recipient and ask him or her to open a tainted file or visit a malicious website…
Piece of cake – and, not so incidentally, a technique that predates computers and hacking. A great deal of investigation stretching back into the 19th Century used the same social engineering techniques.
A half-century ago, before I sat down on behalf of a civil rights organization to negotiate some of the first hires of non-white employees in my home state for what has become one of the biggest delivery systems in the United States and the world – one of our activists had a friendly lunch with their HR director while pretending to be a columnist from the biggest news journal in the region. Over the course of that meal he acquired the breakdown of drivers, dispatchers, managers, staff. It was easy to remember. They all were white. We did promise an excellent article on “proper” human resources management.
When we sat down I could not only relate that fact; but, I was able to drop the number of employees in each category in the lap of the regional manager. He rolled over. And I never did tell him how we came by the numbers.