Smooth-talking hackers test hi-tech titans' skills

Jul 31, 2010 by Glenn Chapman
Hackers at the infamous DefCon gathering held in Las Vegas are proving that old-fashioned telephone smooth talk is an effective rival to slick software skills when it comes to pulling off attacks on computer networks.


A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies, including technology titans Apple, Cisco, and Microsoft, and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding the types of software being used, details that would let an attacker tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened networks remain vulnerable if the people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadnagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org website.


User comments: 10

InsaniD
4.5 / 5 (15) Jul 31, 2010
What a small minded thing to say, Raver. Without folks like these, showing where there are security issues, the world would be a scarier place. Many of the companies "attacked" actually pay for it to happen to see where they can improve their networks and make them safer.
Climb on down off your high horse, partner...
ancible
3 / 5 (4) Jul 31, 2010
Whoops, meant to give you five, InsaniD. I don't understand why people go to an information clearing house like physorg and complain about sharing info.
zslewis91
1.8 / 5 (5) Jul 31, 2010
ha ha ha, thumbs up to ins. and anc..... Ravenrant? You sir are a joke of sorts. You most obviously enjoy, or at least use, the internet... yet those who maintain it to die... you sir are a retard, I sir wish death upon you. Report this as abuse... sysadmin will take care of it... go choke on a dick. dbag
DickWilhelm
3.3 / 5 (3) Jul 31, 2010
Subtle trolling is an art form, one Ravenrant has yet to master.
Inco
2.3 / 5 (3) Jul 31, 2010
Ravenrant, if you are trolling, you suck at it. If you are not, you are so ignorant it's baffling you even found this page.
ksimpson
2.3 / 5 (3) Aug 01, 2010
Ravenrant, the first step to fixing a problem is knowing you have one.
Ravenrant
2 / 5 (1) Aug 01, 2010
The damage hackers do (and that includes identity thieves, scammers and fraudsters) is tremendous compared to the little good they do, which wouldn't be required if there weren't other hackers taking advantage of the security flaws these guys uncover. Typical low-brow comments: if it didn't happen to me, everything's fine with the world. Get your identity stolen by a hacker and then tell me what you think of them. Trolling? Try to understand the meaning of a word before you use it.
Hatmon
1 / 5 (1) Aug 01, 2010
Ravenrant, you seem to be having a little trouble with logic. Hackers cause damage therefore all hackers should be bombed? Does it follow that hackers are humans therefore all humans should be bombed? Simply because someone is skilled in acquiring information and hacking systems it does not necessarily follow that they use their skills for evil. Many use their skills to help prevent the very things of which you complain. If I had my identity stolen by a hacker then I would be thankful that there were hackers in the world learning the weaknesses of systems so that the guilty hacker did not take me for much more at a much earlier date.
Ravenrant
1 / 5 (1) Aug 05, 2010
Try reading this article here.

http://www.physor...007.html

I stand by my opinions. Hackers are a group of people who cause massive damage with little or no redeeming value. Take off the rosy glasses; hackers are criminals, they harm people. You can thank them for the anti-virus fee millions are paying out every year, nothing short of extortion.
bottomlesssoul
not rated yet Aug 08, 2010
Nature itself hates secrets; they are pretty much a human invention. The only way to truly keep something a secret is to never share it or remember it again; otherwise it will always leak out.

It's better to try not to rely on secrets.
