Smooth-talking hackers test hi-tech titans' skills

July 31, 2010 by Glenn Chapman
Hackers at the infamous DefCon gathering held in Las Vegas are proving that old-fashioned telephone smooth talk is an effective rival to slick software skills when it comes to pulling off attacks on computer networks.

Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans , Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive operations manager Christopher Hadnagy, part of the team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadgagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the websit.

Explore further: Internet warriors hone skills at Black Hat - DefCon

Related Stories

Cyber warriors gather as online battles rage

February 28, 2010

US national security leaders and top cyber warriors from around the world are gathering here to plot defenses against criminals and spies that increasingly plague the Internet.

Intel faced hacker attack same time as Google

February 23, 2010

(AP) -- Intel Corp. has revealed that it was targeted by a "sophisticated" hacker attack this year at about the same time as a spying probe that hit Google Inc.

Recommended for you

Researchers engineer a tougher fiber

February 22, 2019

North Carolina State University researchers have developed a fiber that combines the elasticity of rubber with the strength of a metal, resulting in a tougher material that could be incorporated into soft robotics, packaging ...

A quantum magnet with a topological twist

February 22, 2019

Taking their name from an intricate Japanese basket pattern, kagome magnets are thought to have electronic properties that could be valuable for future quantum devices and applications. Theories predict that some electrons ...


Adjust slider to filter visible comments by rank

Display comments: newest first

4.5 / 5 (15) Jul 31, 2010
What a small minded thing to say, Raver. Without folks like these, showing where there are security issues, the world would be a scarier place. Many of the companies "attacked" actually pay for it to happen to see where they can improve their networks and make them safer.
Climb on down off your high horse, partner...
3 / 5 (4) Jul 31, 2010
Whoops, meant give you five, InsaniD. I dont understand why people go to a information clearing house like physorg and complain about sharing info.
1.8 / 5 (5) Jul 31, 2010
ha ha ha thumbs up to ins. and anc.....Ravenrant? you sir are a joke of ,\most obviously enjoy, or at least use the internet...yet those who maintain it to die,,,you sir are a retard, i sir wish death upon you. report this as abuse...sysadmin will take care of it...go choke on a dick. dbag
3.3 / 5 (3) Jul 31, 2010
Subtle trolling is an art form, one Ravenrant has yet to master.
2.3 / 5 (3) Jul 31, 2010
Ravenrant, if you are trolling, you suck at it. If you are not, you are so ignorant its baffling you even found this page.
2.3 / 5 (3) Aug 01, 2010
Ravenrant the first step to fixing a problem is knowing you have one.
2 / 5 (1) Aug 01, 2010
The damage hackers do (and that includes identity thieves, scammers and frauders) is tremendous compared to the little good they do which wouldn't be required if there weren't other hackers taking advantage of security flaws these guys uncover. Typical low brow comments, if it didn't happen to me everything's fine with the world. Get your identity stolen by a hacker and then tell me what you think of them. Trolling? Try to understand the meaning of a word before you use it.
1 / 5 (1) Aug 01, 2010
Ravenrant, you seem to be having a little trouble with logic. Hackers cause damage therefore all hackers should be bombed? Does it follow that hackers are humans therefore all humans should be bombed? Simply because someone is skilled in acquiring information and hacking systems it does not necessarily follow that they use their skills for evil. Many use their skills to help prevent the very things of which you complain. If I had my identity stolen by a hacker then I would be thankful that there were hackers in the world learning the weaknesses of systems so that the guilty hacker did not take me for much more at a much earlier date.
1 / 5 (1) Aug 05, 2010
Try reading this article here.


I stand by my opinions. Hackers are a group of people who cause massive damage with little or no redeeming value. Take off the rosy glassses, hackers are criminals, they harm people. You can thank them for the anti-virus fee millions are paying out every year, nothing short of extortion.
not rated yet Aug 08, 2010
Nature itself hates secrets, they are pretty much a human invention. The only way to truly keep something a secret is to never share it or remember it again, otherwise it will always leak out.

It's better to try not to rely on secrets.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.