No patch for human stupidity: hackers

Hackers at DefCon have long understood that there is no patch for human stupidity. Last week, security researchers uncovered yet another strain of malicious software aimed at smartphones that run Google's popular Android operating system. The application not only logs details about incoming and outgoing phone calls, it also records those calls.

A "Schmooze Strikes Back" contest challenged hackers to test their "social engineering" skills on companies such as Apple, Oracle, Symantec, and Walmart. The contest debuted at the annual DefCon gathering in Las Vegas last year.

"The results are worse than they were last year," said Chris Hadnagy, a social engineering specialist running the contest.

"From what we found, we would own everyone on of these companies."

Hackers were able to talk workers at various companies into disclosing anything from the versions of software used in networks to who provided cafeteria food service.

Knowing specifics about software in company computers lets hackers figure out weaknesses to exploit, and sharing operational information could enable someone intent on corporate espionage to sneak into facilities.

The most effective ruses involved calling companies and posing as a potential customer out to be reassured about the safety of doing business together, according to Hadnagy.

Pretending to be calling from another department in a company, or a remote technical support team, proved to be another effective tactic for hackers.

Retail operations were consistently harder targets, possibly because they are more accustomed to interacting with customers, according to Hadnagy.

"Women seemed to be more security conscious," he said of the contest findings, which will be published in a report later this year.

"We call back and get a guy on the phone and we get everything we want," continued Hadnagy, who runs the social-engineer.org website.

(c) 2011 AFP