Smooth-talking hackers test hi-tech titans' skills

Jul 31, 2010 by Glenn Chapman
Hackers at the infamous DefCon gathering held in Las Vegas are proving that old-fashioned telephone smooth talk is an effective rival to slick software skills when it comes to pulling off attacks on computer networks.

Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans , Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadgagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org websit.

Explore further: Twitpic to stay alive with new owner

add to favorites email to friend print save as pdf

Related Stories

Internet warriors hone skills at Black Hat - DefCon

Jul 26, 2010

Internet warriors are gathering this week to explore chinks in the armors of computers, bank teller machines, mobile phones, power grids, and other "smart" devices intrinsic to modern life.

Cyber warriors gather as online battles rage

Feb 28, 2010

US national security leaders and top cyber warriors from around the world are gathering here to plot defenses against criminals and spies that increasingly plague the Internet.

Recommended for you

Facebook dressed down over 'real names' policy

Sep 17, 2014

Facebook says it temporarily restored hundreds of deleted profiles of self-described drag queens and others, but declined to change a policy requiring account holders to use their real names rather than drag names such as ...

Yelp to pay US fine for child privacy violation

Sep 17, 2014

Online ratings operator Yelp agreed to pay $450,000 to settle US charges that it illegally collected data on children, in violation of privacy laws, officials said Wednesday.

User comments : 10

Adjust slider to filter visible comments by rank

Display comments: newest first

InsaniD
4.5 / 5 (15) Jul 31, 2010
What a small minded thing to say, Raver. Without folks like these, showing where there are security issues, the world would be a scarier place. Many of the companies "attacked" actually pay for it to happen to see where they can improve their networks and make them safer.
Climb on down off your high horse, partner...
ancible
3 / 5 (4) Jul 31, 2010
Whoops, meant give you five, InsaniD. I dont understand why people go to a information clearing house like physorg and complain about sharing info.
zslewis91
1.8 / 5 (5) Jul 31, 2010
ha ha ha thumbs up to ins. and anc.....Ravenrant? you sir are a joke of sorts..you ,\most obviously enjoy, or at least use the internet...yet those who maintain it to die,,,you sir are a retard, i sir wish death upon you. report this as abuse...sysadmin will take care of it...go choke on a dick. dbag
DickWilhelm
3.3 / 5 (3) Jul 31, 2010
Subtle trolling is an art form, one Ravenrant has yet to master.
Inco
2.3 / 5 (3) Jul 31, 2010
Ravenrant, if you are trolling, you suck at it. If you are not, you are so ignorant its baffling you even found this page.
ksimpson
2.3 / 5 (3) Aug 01, 2010
Ravenrant the first step to fixing a problem is knowing you have one.
Ravenrant
2 / 5 (1) Aug 01, 2010
The damage hackers do (and that includes identity thieves, scammers and frauders) is tremendous compared to the little good they do which wouldn't be required if there weren't other hackers taking advantage of security flaws these guys uncover. Typical low brow comments, if it didn't happen to me everything's fine with the world. Get your identity stolen by a hacker and then tell me what you think of them. Trolling? Try to understand the meaning of a word before you use it.
Hatmon
1 / 5 (1) Aug 01, 2010
Ravenrant, you seem to be having a little trouble with logic. Hackers cause damage therefore all hackers should be bombed? Does it follow that hackers are humans therefore all humans should be bombed? Simply because someone is skilled in acquiring information and hacking systems it does not necessarily follow that they use their skills for evil. Many use their skills to help prevent the very things of which you complain. If I had my identity stolen by a hacker then I would be thankful that there were hackers in the world learning the weaknesses of systems so that the guilty hacker did not take me for much more at a much earlier date.
Ravenrant
1 / 5 (1) Aug 05, 2010
Try reading this article here.

http://www.physor...007.html

I stand by my opinions. Hackers are a group of people who cause massive damage with little or no redeeming value. Take off the rosy glassses, hackers are criminals, they harm people. You can thank them for the anti-virus fee millions are paying out every year, nothing short of extortion.
bottomlesssoul
not rated yet Aug 08, 2010
Nature itself hates secrets, they are pretty much a human invention. The only way to truly keep something a secret is to never share it or remember it again, otherwise it will always leak out.

It's better to try not to rely on secrets.