Slashdot Mirror


DefCon Contest Rattles FBI's Nerves

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.

136 comments

  1. Dumbasses @ FBI by blackraven14250 · · Score: 3, Interesting

    What dumbasses at the FBI and in the financial industry:

    "The list of target organizations will not include any financial, government, educational, or health care organizations;"

    1. Re:Dumbasses @ FBI by msauve · · Score: 4, Funny

      Well, that leaves retail.

      "Do you have Prince Albert in a can?"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Dumbasses @ FBI by Anonymous Coward · · Score: 0

      In the financial industry, sure.

      At the bureau, not so much. Unlike financial institutions, their concern doesn't stop at their doorstep -- they're tasked with law enforcement, so if they think someone might be breaking laws, they've got every right to be concerned.

    3. Re:Dumbasses @ FBI by Zerth · · Score: 1

      Seriously. This is supposed to be a contest, a challenge of information security.

      No point in fighting a war of wits with the unarmed.

    4. Re:Dumbasses @ FBI by jd · · Score: 1

      You don't seriously believe that they were worried about being targeted, do you? Half these people outsource to the same overseas/unregulated call centers, so the same social engineering tricks will work and there's nothing that can be done about it without looking stupid. The other half have employees that are almost certain to fall for social engineering tricks but are "well-connected". In academia, you can kick someone upstairs* in situations like that. In a business, there's rarely an upstairs to kick them.

      *Promoting people into positions that pay better but have minimal contact with the outside world and virtually no actual authority. Plenty of sub-committees, though. Lots of those. That way, you can get rid of high-risk people whilst keeping them close at hand. The lofty ivory towers aren't to isolate the scholars from the masses, they're to keep the masses safe from those who have totally lost it.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:Dumbasses @ FBI by Soilworker · · Score: 1

      It's illegal to ask someone their password ??

      I mean, I don't see what I'm doing that's illegal if I call some company and ask what their router password is... They are the ones acting illegally if they give out sensitive data from their company, no?

    6. Re:Dumbasses @ FBI by blair1q · · Score: 2, Interesting

      Well then the contest is hardly impressive, is it?

      Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.

      How hard is it to talk your way into a grocery store's customer list?

    7. Re:Dumbasses @ FBI by clarkkent09 · · Score: 1

      The publicity hardly helps. I wonder if any of the organizations called will know what's going on and use the opportunity to mess with the contestants.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    8. Re:Dumbasses @ FBI by HungryHobo · · Score: 1

      If you make any false claims at all then it would probably come under wire fraud.

      A straightforward "Please tell me your password" probably isn't illegal (IANAL though)

      Keep in mind though that false claims would probably include *implied* things as well, so even if you speak no word which is not the truth you may still be trying to mislead someone, and there are probably laws covering that.

    9. Re:Dumbasses @ FBI by digitalunity · · Score: 1

      The definitions of unauthorized access to a computer system vary quite a lot by state, but rest assured, all 50 states have their own laws against accessing a computer system against the owner's wishes.

      Even if you finagled router logins from a company (*), the courts could find such information does not constitute authorization to use the login to access private data on the network.

      *This of course being wildly unlikely, since even if they're open to clients outside the LAN, the only people who would have the information are likely to know better than to give it out.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    10. Re:Dumbasses @ FBI by dave562 · · Score: 1

      We're talking about a bunch of hackers here. When I went to my first Defcon, I was socially awkward as all get out. It would have been fantastic to observe real life social engineering in progress. Given the insane size of the convention these days, I'm sure that even if a small fraction of the attendees are like I was, that's a few hundred people who would be interested in a social engineering demonstration. Hell, that they can even set up a soundproof booth to do the exhibition in the first place is a testament to how far the con has come. It sure as hell wouldn't have fit in the tiny conference room in the Sands.

    11. Re:Dumbasses @ FBI by mysidia · · Score: 1

      Hm.. so what happens if a social 'hacker' (after they already obtained credentials) uses social engineering techniques to get "permission" from an employee to log in to a router that the employee has no business giving permission for someone to log in to?

      "Hi, I'm the networking consultant. I've received a report that internet speeds in your department at company XXXX are slow, and I'm ready to fix that and speed things up. I just need your permission to..........

    12. Re:Dumbasses @ FBI by thePowerOfGrayskull · · Score: 2, Interesting

      Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.

      I work at one of those places, and I gotta say... those "measures" aren't as stringent as I'd like them to be. That is to say - we get employee training (CBT) once a year to refresh our knowledge of various procedures, and it touches briefly on social engineering (a single slide).

      Now - I'm in the IS department, so it may be that those in lending ops, etc have a different story. For us the "measures" in place rely solely on the common sense of each employee.

      Scary, isn't it?

    13. Re:Dumbasses @ FBI by Anonymous Coward · · Score: 0

      God says... receiveth requirements prisoner tends commander inwardly SMALL resigned wondering blessing amazement solitude must command recognising vindicating fifth languages eligible sharp reacheth Saturn saith sat nowhere funding excepted gaze arrived Catholics ease sad throughout beast few detached see disclosed venerable Descend cogo

      In that case, I think God should lay off the wacky weed...

    14. Re:Dumbasses @ FBI by afabbro · · Score: 1

      We're talking about a bunch of hackers here. When I went to my first Defcon, I was socially awkward as all get out.

      Ah, so you fit right in.

      --
      Advice: on VPS providers
    15. Re:Dumbasses @ FBI by tuomoks · · Score: 2, Insightful

      Unfortunately - yes! Hide the head in the sand, that seems to be the answer nowadays for any- and everything? For a long time, excuse me - starting in the 60's, I was either responsible for or designing systems and infrastructures for safe and secure, often global environments - can't say that they were perfect, nothing ever is. From time to time (often) the hired security testing groups / companies were able to find some problems, even documents in wastebaskets - in IT(?), which should have known better, but the main thing was to find the problems, not to hide them!

      You look at companies / corporations today, they use much, much more money and time to hide the problems, trying to recover from problems, paying the public and/or government the fines, whatever, than preventing the problems? Nothing (much) wrong, business as usual, but sometimes I wonder why the stockholders / owners are willing to throw good money - and sometimes good reputation - away? Just wondering - LOL!

    16. Re:Dumbasses @ FBI by slick7 · · Score: 1

      Seriously. This is supposed to be a contest, a challenge of information security.

      No point in fighting a war of wits with the unarmed.

      After reading Kevin Mitnick's "The Art of Deception", I now firmly believe in P.T. Barnum's adage that there is a sucker born every minute. The fact that the Fools, Boobs and Idiots were possibly out-finessed by some kid/ tween/ teen/ adolescent in information harvesting goes to show you that BAs, MAs and PhDs are probably over-rated. Just like that /. article somewhere else in this compendium states.

      --
      The mind conceives, the body achieves, the spirit manifests.
    17. Re:Dumbasses @ FBI by fbjon · · Score: 1

      You must be confused. Education does not affect one's ability to not get fooled in the first place, so there's no reason to under-rate it as you do.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    18. Re:Dumbasses @ FBI by CharlyFoxtrot · · Score: 1

      More educated people might be more likely to be fooled since they "know" they are too smart to fall for any funny business. Nothing like arrogance to blind someone.

      --
      If all else fails, immortality can always be assured by spectacular error.
    19. Re:Dumbasses @ FBI by HungryHobo · · Score: 1

      Probably depends on whether you really were the networking consultant for their company.

      Getting authorization to enter the bank vault from the janitor is fairly meaningless if the janitor hasn't the right to grant that access.

      Previously I was referring to merely obtaining the info; using the passwords would probably be a different matter.

    20. Re:Dumbasses @ FBI by Registered+Coward+v2 · · Score: 1

      What dumbasses at the FBI and in the financial industry:

      "The list of target organizations will not include any financial, government, educational, or health care organizations;"

      Why? Because the division at the FBI responsible for cyber crimes asks what they plan to do? And then is satisfied by the answer?

      I hope they also send an agent to learn and take back ideas on what works to help companies avoid issues.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    21. Re:Dumbasses @ FBI by Sulphur · · Score: 1

      When in trouble, when in doubt, run in circles, scream and shout.

      --
      Fork (n) A spoon with Wikileaks.

    22. Re:Dumbasses @ FBI by kcwatx · · Score: 2, Interesting

      What you observed about your corporation and its measures is probably the very reason this contest is taking place. I also work at one of those institutions, and our CBT is a little more comprehensive when it comes to social networking, but it's still up to the bottom rung employees to control the information at the telephone outlet. There are maybe 1000 people at my office, half of which work in a contact center for our company and have access to lots and lots of private information, and our company has other locations with comparable employee numbers. Most of the positions in the contact center are seen as entry level, and anyone who wants to go anywhere in the company gets out of that department as soon as possible. So that leaves new hires and people who lack motivation or the ability to get promoted. That means there are a lot of people who may be ignorant of such malicious attacks and be susceptible to them, or just may be complacent about security, irritated by their lack of success within the organization, and willing to say whatever it takes to get this person with whom they are speaking to hang up the phone so they can move on to the next call without stacking up too long of an average talk time.

      --
      -The Royal Jugglist
    23. Re:Dumbasses @ FBI by slick7 · · Score: 1

      You must be confused. Education does not affect one's ability to not get fooled in the first place, so there's no reason to under-rate it as you do.

      True, education does not affect one's ability to be fooled, but experience does.
      I have had the pleasure to work with engineers; the first year it was "I'm the engineer" and I say, "I've been working here for the last ten years". The second or third year there seems to be a mutual agreement that we could learn from each other, except for the fact that I already knew this. The fourth year seems to be the one where the engineer seeks my input prior to starting a project to ensure that it does not conflict with operational demands.
      I really don't like breaking engineers in; it's always sore on the egos, theirs, not mine.
      Besides "beyond my grasp", the point is that experiential education is more effective than book learning. Once you are in the "field", book learning is just a baseline and not how the real world works.

      --
      The mind conceives, the body achieves, the spirit manifests.
    24. Re:Dumbasses @ FBI by Anonymous Coward · · Score: 0

      Well, one of the contestants attacked the infosec department specifically - and *still* got the goods. I mean, come on! If there is a group that should stop that attack it's them. Would hate to be in their dept meeting Monday morning lol.

    25. Re:Dumbasses @ FBI by dave562 · · Score: 1

      Damn straight. I was so lame that I got up and walked out of Mark Ludwig's presentation on virii and polymorphism.

    26. Re:Dumbasses @ FBI by Stormie · · Score: 1

      we get employee training (CBT) once a year to refresh our knowledge of various procedures

      I'm actually surprised how easily security has been compromised, if employees are subjected to cock & ball torture to "refresh" their knowledge of proper procedures. I wouldn't forget in a hurry.

  2. This is refreshing by Majik+Sheff · · Score: 4, Insightful

    It's nice to see the hacker community making a move to acknowledge its roots. Social engineering is the oldest and easily the most challenging/rewarding form of real hacking.

    What's more gratifying, beating the password out of a hash after weeks of brute force or having the mark just tell you in a five-minute phone call?

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
    1. Re:This is refreshing by al0ha · · Score: 2, Funny

      Yeah - social engineering used to be called grifting. But I guess grifting is not as cool a buzzword as anything associated with engineering. Social engineering, puhleez; like it takes a lot of brains to grift a rube.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    2. Re:This is refreshing by Majik+Sheff · · Score: 1

      You forgot to tell me to get off your lawn, old timer. :P

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    3. Re:This is refreshing by Hatta · · Score: 5, Funny

      I prefer to beat the password out of the mark after 5 minutes of brute force.

      --
      Give me Classic Slashdot or give me death!
    4. Re:This is refreshing by Anonymous Coward · · Score: 0

      That's why everyone calls you a script kiddie.

    5. Re:This is refreshing by DigiShaman · · Score: 2, Informative

      Hackers by and large just do it for the challenge. Both creating and solving intellectual puzzles.

      Crackers OTOH usually do it for nefarious reasons. If you're a cracker, it's usually to achieve an objective for a greater plan. You want to be silent, stealthy, and reach the goal long before anyone is any the wiser. Social engineering, for all its effectiveness, increases the risk of exposure.

      --
      Life is not for the lazy.
    6. Re:This is refreshing by Runaway1956 · · Score: 1

      Whoosh.

      GP was referencing an XKCD page, involving a few cheap hardware tools, as opposed to expensive "brute force" password cracking.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:This is refreshing by DigiShaman · · Score: 1
      --
      Life is not for the lazy.
    8. Re:This is refreshing by KlaymenDK · · Score: 2, Informative

      http://xkcd.com/538/

      That is all.

    9. Re:This is refreshing by tophermeyer · · Score: 1

      uhhhh uhhh whoosh xkcd *farts* *sniff sniff*

      Hi! Welcome to Slashdot!

    10. Re:This is refreshing by HungryHobo · · Score: 1

      Wow, the population of grim humourless dicks on slashdot seems to have expanded considerably these last few months.

    11. Re:This is refreshing by Anonymous Coward · · Score: 0

      You must be new here.

    12. Re:This is refreshing by Anonymous Coward · · Score: 0

      That is a change I most enthusiastically welcome if it means I'll see less of the countless knee-jerk attempts at humor every single Slashdot discussion is drowned in. Sadly, this doesn't seem to be the case.

    13. Re:This is refreshing by Majik+Sheff · · Score: 1

      Ah yes, rubber hose decryption. Effective but not for the faint of heart.

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    14. Re:This is refreshing by Anonymous Coward · · Score: 0

      Lol wut? Hacker/cracker is hard/software "engineering" ? Your card plz.

    15. Re:This is refreshing by Anonymous Coward · · Score: 0

      If anything, this is (or should be) a fairly sound experiment in social engineering and present day perceptive security.

      I'd argue that the FBI and financial industries are reacting the opposite of how they should. If properly monitored, this should produce some fairly valuable intel for them, presumably free of charge.

      I have to wonder if reactionary fear of anything 'unfacilitated by the Gov.' is standard procedure? Seems like it's been that way for decades.

    16. Re:This is refreshing by dsoltesz · · Score: 1

      At one time, about five minutes ago, I would have agreed wholeheartedly. But now that I've seen grim humorless clueless trolling dicks in action, I'll take the lame geek humor. That's what comment moderation is all about.

    17. Re:This is refreshing by dsoltesz · · Score: 1

      Sheesh people! Who the hell left the front door unlocked? Next thing you know we'll have Twilight fans wandering in here. Perhaps it's time to add a "Poser" moderation category.

    18. Re:This is refreshing by Anonymous Coward · · Score: 0

      Wow, the population of grim humourless dicks on slashdot seems to have expanded considerably these last few months.

      Runaway1956's "whoosh" would have been humorous ... if it was valid. It was not valid. This raises the question of why Runaway1956 didn't realize that himself. Smugness at having the flimsiest excuse to say "whoosh" to somebody was the explanation offered.

      You know what else describes a humorless dick? Laughing at something that isn't really funny. Like a repetitive Slashdot meme that was funny the first several hundred times but has since lost its luster. Like such a meme that wasn't even used correctly. Like such a meme used in such a way for no reason other than to elevate oneself and show solidarity with a group by putting someone else down falsely. That's the humorless part.

      The dick part is that you call someone names for pointing out that there is something wrong with this. I'll let you in on a little revelation about yourself. You don't defend these sad attempts at wit and wisdom because they are genuinely humorous. No. You defend them because you want desperately to feel like you belong someplace and are part of some group or culture. A big part of that feeling is reinforcing the artifacts of that culture. That's why you defend the Slashdot memes.

      Try being an individual if you manage to find the guts. Until then, be comforted by your membership in another group you've not yet recognized, for the population of cowards like you has remained roughly the same.

    19. Re:This is refreshing by slick7 · · Score: 1

      It's nice to see the hacker community making a move to acknowledge its roots. Social engineering is the oldest and easily the most challenging/rewarding form of real hacking.

      What's more gratifying, beating the password out of a hash after weeks of brute force or having the mark just tell you in a five-minute phone call?

      Wait until the Chinese (or name your ethnic group here) get a load of this. The sophistication of the American haxorz is limited by the human languages they speak.

      --
      The mind conceives, the body achieves, the spirit manifests.
    20. Re:This is refreshing by Anonymous Coward · · Score: 0

      u mad?

    21. Re:This is refreshing by kaizokuace · · Score: 0

      That's what she said!

      --
      Balderdash!
    22. Re:This is refreshing by HungryHobo · · Score: 1

      "Try being an individual if you manage to find the guts. Until then, be comforted by your membership in another group you've not yet recognized, for the population of cowards like you has remained roughly the same."

      says an Anonymous Coward.

    23. Re:This is refreshing by Anonymous Coward · · Score: 0

      "Try being an individual if you manage to find the guts. Until then, be comforted by your membership in another group you've not yet recognized, for the population of cowards like you has remained roughly the same."

      says an Anonymous Coward.

      Yeah, because the courage to be an individual and to see what is wrong with meme followers such as yourself is fully dependent on whether one has logged in. Right.

      Hey, when all else fails and you know you have no rebuttal, just use an ad-hominem. That's much easier than admitting the other guy made a point that hit home, isn't it?

    24. Re:This is refreshing by HungryHobo · · Score: 1

      If you really don't see the irony in that I guess my original assertion was correct.

  3. Okay, be honest. by peacefinder · · Score: 4, Funny

    Who here clicked the link to www.social-engineer.org before thinking about the potential consequences?

    Have you just been had? :-)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    1. Re:Okay, be honest. by fotbr · · Score: 1

      Very close, actually.

    2. Re:Okay, be honest. by Anonymous Coward · · Score: 0

      I clicked it from home. But, the thing is so slashdotted that it doesn't even load anyway. It just times out. Or, is that just what they want me to think? Oh no, now you've got me wondering...

    3. Re:Okay, be honest. by Patch86 · · Score: 1

      You mean "who read TFA"?

      This is slashdot. Presumably there are some things they don't teach at hacking school.

    4. Re:Okay, be honest. by Anonymous Coward · · Score: 0

      1) What consequences?
      2) This is slashdot. No one RTFAs.

  4. Someone call 911! by Anonymous Coward · · Score: 0

    Social-Engineering.org's server is on fire!

  5. Rules and Do-Not-Do list by Zerth · · Score: 5, Informative

    The CTF Rules

    Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

    Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for "cheating".

    The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

    They will be sent their time slot (day/time) to perform their attack vector at Defcon. At Defcon each social engineer will be given 5 minutes to explain to the crowd what they did and what their attack vector is.

    They are then given 20 minutes to perform their attack vector and points are awarded for information gathered as well as goals successfully accomplished during the process.
    A scoreboard will be kept and at the end some excellent prizes will be awarded.

    The Flag

    The "flag" is a custom list of specific bits of information, which you will have to discover during your 20-minute phone call. The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event.

    THE DO NOT LIST:

    The underlying idea of this contest is: No one gets victimized for the duration of this contest. Social Engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

    Items that are not allowed to be targeted at any point of the contest:

    1) No going after very confidential data. (i.e. SS#, Credit Card Numbers, etc). No Illegal Data
    2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
    3) No porn
    4) At no point are any techniques allowed to be used that would make a target feel as if they are "at risk" in any manner. (ie. "We have reason to believe that your account has been compromised.")
    5) No targeting information such as passwords.
    6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
    7) The social engineer must only call the target company, not relatives or family of any employee
    8) Use common sense, if something seems unethical - don't do it. If you have questions, ask a judge
    If at any point in the contest it appears that contestants are targeting anything on the "No" list, they will receive one warning. After the one warning they are disqualified from the contest.

    1. Re:Rules and Do-Not-Do list by Score+Whore · · Score: 2, Insightful

      If they aren't going after confidential data, then what exactly is the point here? What I mean is, why would a company care about non-sensitive data, so what protections/security/whatever are they supposedly penetrating here?

    2. Re:Rules and Do-Not-Do list by rotide · · Score: 5, Insightful

      Not everything needs to be about obtaining damaging information. Imagine talking to a random stranger and trying to solicit information from them. It's not as easy as it sounds.

      Seriously, try this some time, just go up to a stranger and get their middle name. It will be harder than you think in most cases, if not impossible.

      Social Engineering is a skill. You have to be very good to go under the "what the fuck does this guy want" radar. You have to be able to read people without seeing them and be able to think very quickly in a very dynamic situation. Again, all while staying under their radar.

      Getting confidential, personally sensitive, or business critical information isn't the point, nor does it appear to be the goal. Merely being good with your social skills (and we're talking a special breed of nerds here, no offense to them though), no, great with them, is the point. Having a laundry list of weird and/or "not normally given out" information and trying to gain it, that's going to be hard.

    3. Re:Rules and Do-Not-Do list by RyuuzakiTetsuya · · Score: 1

      Because this exercise, conducted WITHOUT ethical stops, would lead to compromised internal data.

      --
      Non impediti ratione cogitationus.
    4. Re:Rules and Do-Not-Do list by lisany · · Score: 1

      "Excuse me sir, what is your middle name?"

    5. Re:Rules and Do-Not-Do list by garompeta · · Score: 4, Interesting

      There were very cool pranks done at HOPE, which were enlightening. Emmanuel Goldstein called BP and ended up convincing an employee to leave the office door open, telling him that because it was too late he wouldn't be showing up with the company van. He didn't get any confidential information regarding the store (surprisingly, some of the employees seemed to be trained and others seemed too stupid to understand the questions), but if he had wanted to he could have gone to the gas station with a free pass to the office, from an unmarked, unbranded van. That is social engineering.

    6. Re:Rules and Do-Not-Do list by Snowmit · · Score: 1

      Wait back up to the part where the organisers can detect wrongdoing before the contest starts because "we will be monitoring this." How?

      --
      I have a lot of opinions about Cyborgs and Architects
    7. Re:Rules and Do-Not-Do list by HungryHobo · · Score: 1

      Doesn't this cover everything?
      I've heard it said many times that you can be sued for anything.

      "Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued"

      The companies could sue for their feelings being hurt, they could sue for damage to their reputation, they could sue for the wasted time of their employee, they could sue the organizer for being ugly, they could sue for the sky being blue.

      Now whether they'd win for some of those things is a different matter.

    8. Re:Rules and Do-Not-Do list by JWSmythe · · Score: 3, Insightful

          [ignores you like a homeless guy asking for a dollar for more booze and walks away]

          Good try.

          "Excuse me sir, I'm with the [state] joint anticrime taskforce." [flashes official looking ID printed up not long before] "We're performing random checks on the citizens in this area. May I see a photo ID?"

          [citizen hands him his driver's license].

          "Thank you Mr " [reads last name from ID] ". We've already had several instances today where criminals have attempted to run when asked for their identification. Have a wonderful day. We appreciate your cooperation."

          His middle name was Henry. He was born October 28, 1955.

          I know, in the game you're not allowed to pretend to be from a government agency. It just made this easier. If you're digging for personal information, you just have to craft "who" you are to be something where they'd want to hand over the information without asking too many questions.

      --
      Serious? Seriousness is well above my pay grade.
    9. Re:Rules and Do-Not-Do list by Oyume · · Score: 1

      They don't have middle names here in Japan! NOW WHAT?!

    10. Re:Rules and Do-Not-Do list by FragHARD · · Score: 1

      Well shoot!!! The first eight rules ruined my plans :-(

      --
      FragHARD or don't frag at all
    11. Re:Rules and Do-Not-Do list by TooMuchToDo · · Score: 1

      No mention of not being able to use LinkedIn. Awesome.

    12. Re:Rules and Do-Not-Do list by Score+Whore · · Score: 1

      I don't think you get my point.

      If I'm sitting on the bus and you sit down near me and say hello, I'll go ahead and say hello back. If you then comment about the weather I'll respond about the weather. We can have a nice conversation about a local sports team, you might ask me if I was at the game yesterday and I'll tell you no, I wasn't. You can go ahead and pat yourself on the back about extracting that information with your mad social engineering skills, but the reality is all you've done is be part of normal conversation. If you don't manage to get something I give a shit about keeping private, if you don't establish some kind of trust above and beyond the ordinary, if you don't get inside my walls, you've not accomplished anything. The fact that I talked to you about inconsequential chit-chat isn't social engineering, it's just being a normally functioning human being.

      This contest is like demonstrating safe cracking skills by going to the bank and taking cigarette butts from the ashtray outside the front doors.

    13. Re:Rules and Do-Not-Do list by Upphew · · Score: 1

      "None of your business, piss off!"

    14. Re:Rules and Do-Not-Do list by houghi · · Score: 1

      flashes official looking id printed up not long before

      I had this happen to me and I asked for the ID to read it a second time. Looked at it very carefully. So I would not fall for that.
      At a company I worked at, police came and were escorted back out when they did not show the correct paperwork.

      Mind you, these were all official police officers.

      The look on the faces of those officers was priceless:
      "But we are here to investigate "
      "Without the official papers you are two people trespassing and breaking in under false pretenses. Leave now, come back with the papers and we will have all the information that you need available. Until then please leave."

      It also is better for them NOT to get the things that way, because if the judge found out how they received it, it would be thrown out as evidence and might even throw out the complete case.

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:Rules and Do-Not-Do list by crow_t_robot · · Score: 1

      3) No porn

      I'm out.

      No, but seriously, it's funny that that has to be a top-of-the-list item. You would think #8 would cover it. I guess Defcon and /b/ just have too much overlap.

    16. Re:Rules and Do-Not-Do list by Anonymous Coward · · Score: 0

      Hi, I am on a scavenger hunt as part of a birthday party. Can I collect your middle name? Thanks!

    17. Re:Rules and Do-Not-Do list by rotide · · Score: 1

      I do understand you and I'm sorry your imagination isn't able to come up with scenarios where there could be information that people normally wouldn't give out that also wouldn't be considered sensitive.

      What version of MS/Open Office are you running?
      Who do you use for offsite backup?
      Who supplies your cat5e/6 cable?

      Try cold calling a business and getting one of those answered let alone all 3. The "wtf are you asking for" alarm will go off insanely fast. So now you have to come up with a scenario where you need to know this information and they need to feel compelled to give it to you. All on the same call.

      Keep in mind that the number you ring will likely get you a secretary and/or help desk that won't really care what your question is and will try to find a person that might know. Now _those_ people will (hopefully) question who you are and why you need to know.

      Sure, it's kind of "chit chatty" but frankly, if you're interrupting my day and asking me about specifics that are out of place for a normal/routine call, I'm going to be extremely curious if not frustrated that you're bothering me with such drivel.

      Ya, it might not be information such as admin passwords or firewall rules, but it's information that businesses simply aren't accustomed to giving out and will be hesitant to do so, even if the information has _zero_ value whatsoever. I mean, what damage could you possibly do knowing who supplies their cabling? But on the other hand, why the hell would you want to know and why should I even tell you in the first place?

    18. Re:Rules and Do-Not-Do list by tomhudson · · Score: 1

      I noticed on the list that they didn't say medical was out of the question. "Hi - we're calling from [insert local hospital name]. There's nothing to be alarmed about - just a minor computer glitch - we have two entries with the same first and last names. Have you ever seen Dr. [insert bogus doctor] in emergency? You're not sure? How about doctor [insert another] in the past two weeks? No. Thank you. To prevent any future problems, I'm going to enter your full name into the computer system - just remember to use your FULL name, including your middle name, in the future. How shall I spell it? Thank you very much. Have a nice day."

    19. Re:Rules and Do-Not-Do list by tomhudson · · Score: 1

      If I'm sitting on the bus and you sit down near me and say hello, I'll go ahead and say hello back. If you then comment about the weather I'll respond about the weather. We can have a nice conversation about a local sports team, you might ask me if I was at the game yesterday and I'll tell you no, I wasn't. You can go ahead and pat yourself on the back about extracting that information with your mad social engineering skills, but the reality is all you've done is be part of normal conversation.

      I sit on the bus next to you. I quietly lean over, and point out someone I don't know, and say - "If he looks a bit familiar, it's because he's been keeping tabs on you. We know what you did. It would be such a shame ... There's a restaurant at the next bus stop. I think it would be worth your while to join me there for a coffee."

      Then I get up and go to the bus exit.

      If you follow, then I know two things:

      1. You're hiding something
      2. You can be blackmailed over it

      Given that, it's only a matter of time to find out *what*. Because almost everyone has a dirty little secret.

      Of course, if you set this up properly, by finding out where your "pigeon" lives first, you can take a few pictures. At your meeting, you say something like "how do you think this will affect her?" as you slide a photo of his kid towards him. "Don't say anything - just think about it for a minute." Keep a few other pictures face down (they can be kittens for all you care). Now offer to let him off the hook - and get a reward - in return for the information you want. "Despite all this, I think we can arrange something of mutual benefit. I know someone who is willing to pay (name bogus price) for certain information on your employer. They want a copy of the company employee address book, 50 envelopes and 100 letterheads, and the contact information for 3 medium-sized customers. This last bit is just to verify that the address book is legit, after which they might have some more work for you."

      So, if he falls for it, you've got legitimate company stationery and 3 mid-sized clients' contact info. THAT can be sold. Letters of recommendation, references, and now they have someone inside the company to call as a contact person to verify the references. The pigeon has to play along. So, how much is a good reference from a competitor worth in today's job market? More than a cup of coffee, for sure.

    20. Re:Rules and Do-Not-Do list by JWSmythe · · Score: 1

          That works on the assumption that he's been to the local hospital. I haven't been to a hospital as a patient in about 10 years. That was for a car accident (that I still hurt from). Even knowing that, and the city I live in, there are about a dozen hospitals that I could have gone to. But the general idea would work, it just needs some tuning. A (fake) common billing provider for the local hospitals may work. It doesn't have to be the real billing provider. Most of us don't know who uses what providers.

          Not to give any extra hints for the contestants though. Hmmm, this whole conversation would seem to be a great place to get new ideas for methods. :)

      --
      Serious? Seriousness is well above my pay grade.
    21. Re:Rules and Do-Not-Do list by mdf356 · · Score: 1

      My driver's license doesn't have my middle name printed on it, just the initial.

      --
      Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
    22. Re:Rules and Do-Not-Do list by tomhudson · · Score: 1

      See ... I already know you were in a car accident 10 years ago, that you have lingering pain, and therefore blah blah blah. Insurance providers like that sort of info, as do employers (so that if you hurt yourself on the job they can say "pre-existing condition").

    23. Re:Rules and Do-Not-Do list by JWSmythe · · Score: 1

          Yup, my pre-existing condition isn't something I try to hide. If I were to ever file a workers comp claim, I know their insurance minions would be all over my history, checking every database in existence. It's not hard. My auto and health insurance both show it. The doctor's records show it. My prescription history at the pharmacy shows it. Regardless of how protected HIPAA data is supposed to be, folks seem to get a hold of it somehow.

          My injuries are well documented, so it's not hard to compare a pre-existing condition to a new one. I can't be denied work because of it, because it's protected under the Americans with Disabilities Act.

          I did hurt myself at work a couple years ago. They had me unbox a 150 pound server by myself to get a serial number off it. I told them "I have back problems, I need a hand lifting it." Since they'd seen me lift plenty of stuff, they just blew it off assuming I didn't want to do it. I knew from the way it was boxed, there was no comfortable way for me to lift it. Being told "do it or else", I did it. I hurt myself. I got myself back to my chair very slowly, and asked someone to go to my car for my drugs (muscle relaxers and pain killers). Pretty much, when I do something I shouldn't, it causes muscle spasms around the areas of existing damage, which can result in me lying on the floor rather quickly. The solution is the drugs. I avoid them at work, even though they don't impair my judgment or work ability. I just don't want questions about "why are you taking drugs at work?", and get sent off for a urinalysis, and then provide a doctor's note saying that they're prescribed for "as needed" use.

          Normally it's not a problem. I know my body, and what it can do. I can toss 1u servers around like they're nothing, as long as I lift properly. We all should, so we don't damage ourselves. When it's a 6u machine loaded with drives and a 75 pound chassis, I ask for help, just like anyone should. I've done big racking projects. Sure, I'm sore afterwards, but anyone would be.

          The next day after the above mentioned incident, one of our VPs saw me attempting to walk through the office. I had one hand on my back, and the other on the wall, and I was moving very slowly. She spoke kindly, but all her words could roughly translate to "please don't file a workers comp claim". I told her, "Let me sit comfortably in my chair and not move, and I'll be fine. There won't be a workers comp claim." For about 3 days, I got to work, sat in my chair, and moved as little as possible. I do SysAdmin work, so I can remain pretty much immobile other than my hands, and get just about everything done.

          I've never filed a workers comp claim. Unless there's some gross negligence by some future employer, I won't either. I've hurt myself at work, and being a normal guy I suck it up. Once my right hand got slashed open badly enough that pressure and a paper towel wouldn't stop the bleeding. The only thing I asked was for the on-site medic to patch it so I could stop bleeding all over the place. They did a horrible job. I had to redo it with my left hand (I'm right handed), and said "that's how you properly clean and dress a wound". It was like I was teaching a child how to do it. {sigh} She was probably paid good money to do that job, and couldn't even clean and dress a wound. My training over the years was good for something. :) And if you're wondering, at that time I was working night shift QA for a Walmart distribution center. I saw a guy on the loading dock break a finger and not report it, so he wouldn't get in trouble. Pretty much, if he reported it they'd suspend him for a few weeks, and then cut his hours substantially for months after. He just used packing tape to secure the finger to the adjoining finger, and kept working. He was in a lot of pain, but it was the only job he had, and he had a family to support. Getting no paycheck was not an acceptable solution for him.

      --
      Serious? Seriousness is well above my pay grade.
    24. Re:Rules and Do-Not-Do list by tomhudson · · Score: 1

      That is awful. You have my sympathies.

    25. Re:Rules and Do-Not-Do list by Score+Whore · · Score: 1

      First, you have an elaborate fantasy life.

      Second:

      If you follow, then I know two things:

            1. You're hiding something
            2. You can be blackmailed over it

      What makes you think you know two things? Maybe you know ten things:

      3. I have nothing to hide, but I think you're cute and am planning on giving you a hard rogering after we've had dinner.
      4. I have nothing to hide, but you've threatened my family and I am planning on stabbing you in the eye socket with a steak knife at the restaurant.
      5. I have nothing to hide, but I'm bored and think it'd be a gas to see what kind of scam you're attempting.
      6. I have nothing to hide, but figure you are up to no good and intend to collect as much evidence as I can before I arrest you.
      7. I have nothing to hide, but am quite hungry and figure if you're stupid enough to try and blackmail a stranger, you're stupid enough to buy the lobster dinner.
      8. I have nothing to hide, but that's the normal place I stop after work and have a drink while chatting up the waitress.
      9. I have nothing to hide, but have concluded you're a bit delusional and may need someone to keep an eye on you so you don't hurt yourself.
      10. I have nothing to hide, but maybe you do and if I pay attention there might be some money in it for me.

      Life isn't as simple as you seem to think.

    26. Re:Rules and Do-Not-Do list by Dashiva+Dan · · Score: 1

      Yes, there are other possibilities, and to be good at what you do you need to be able to adjust on the fly as circumstances change, and take risks.
      3: if they're cute, cool. just use protection.
      4: have good reactions, dodge the knife, use their attempted murder to manipulate them instead, or get the hell out.
      5: adjust, or strike out. it's like telemarketing, there's a lot of attempts to get a bite sometimes.
      6: if you're a good enough player you should be able to detect when you're being played, if not, well, that's that whole risk aspect in play
      7: If they ask for a lobster dinner instead of a cup of coffee, and you fall for it, well, you're in the wrong game.
      8: so, nothing lost, nothing gained, move to next mark
      9: same as 8
      10: same as 7

      Of course there are other possibilities, you just have to roll with them and keep on trucking. There might be a sucker born every minute, but for every sucker there's a dozen who you won't score on.

      --
      "lt;dr" is the correct response to most of my posts.
    27. Re:Rules and Do-Not-Do list by Score+Whore · · Score: 1

      Sorry. No matter how much you want to wiggle around, you don't get to tell me what I consider secret.

      (And if you've never received a call asking those questions, then you obviously don't actually work in IT. Getting a call from a salesman asking about your current sources isn't that uncommon and it's not secret.)

  6. Cached Versions by GordonChil · · Score: 1

    Here, here and here.

  7. If they go to my bank... by Reginald2 · · Score: 1

    They probably won't have to do much. They've sent a letter stating that my personal information has gone missing three times in two years. In the age of data mining, I don't think this will be as much of a challenge.

    1. Re:If they go to my bank... by John+Hasler · · Score: 3, Insightful

      They probably won't have to do much. They've sent a letter stating that my personal information has gone missing three times in two years.

      And yet you continue to do business with them. It's pretty obvious why they don't have to do much.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:If they go to my bank... by JWSmythe · · Score: 3, Interesting

          Sometimes that info comes from places you'd rather it not. I got a letter a couple years ago from the VA (United States Veterans Affairs). I was in the military for about a month, almost 20 years ago. (It was a preexisting disqualifying medical condition, for anyone who really wonders.) They sent it to a friend's house where I frequently got mail. It stated that my personal information may have been compromised due to a breach of the VA computers. I had seen the news story about it about a month before and didn't think it would apply to me. It's so comforting that I was in a system I shouldn't have been in, and they lost my information to unknown parties, who could be doing almost anything with it. Since they knew a valid address for me, nowhere near where I lived when they collected the data, I have to assume they kept addresses updated from another source.

          Ya, I'd rather not do business with the VA, but apparently they know about me.

          Sometimes I wonder about banks that I've done business with in the past. Some have closed and merged so many times, I have no clue who they are now. A friend of mine got a nasty letter from a bank a couple years ago. He had closed his account with them over 20 years before that. Apparently when they merged with other banks, to fluff their "account holders" numbers, they reopened closed accounts. After the mergers, they started assessing fees to the accounts. He was now on the hook for all kinds of fees they assessed the closed account plus interest. When he tried to straighten it out, the bank couldn't find the record, other than the fact that he owed the money. He still gets calls from collections every once in a while asking for the money.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:If they go to my bank... by Reginald2 · · Score: 1

      What isn't obvious is that if banks are too big to fail why are there so many around my house?

      lol

  8. Not-so-sensitive?! by zyxwvutsr · · Score: 4, Funny

    What participants can do is collect data on less sensitive subjects such as, "who does your dumpster removal; who takes care of your paper shredding," Hadnagy said.

    "If you don't tell me, I'll look at the dumpster behind your building and read the name on it!"

    1. Re:Not-so-sensitive?! by tommeke100 · · Score: 1

      yeah exactly!
      And how hard is it to get an operator job in a call-center?
      If someone really wants information low-paid operators have access to, how about getting a job there and having access to whatever you like?

    2. Re:Not-so-sensitive?! by CharlyFoxtrot · · Score: 1

      yeah exactly!

      And how hard is it to get an operator job in a call-center?

      If someone really wants information low-paid operators have access to, how about getting a job there and having access to whatever you like?

      It's more risky if they know who you are and are physically on site, not to mention a lot more time consuming.

      --
      If all else fails, immortality can always be assured by spectacular error.
  9. I feel sorry by blantonl · · Score: 5, Insightful

    I feel sorry for the poor fish in the barrel that gets shot on this one.

    Unwittingly, right now, some guy/gal is sitting in their cubicle and is on the cusp of getting the phone call that thrusts them into the international spotlight when the tape of the winning team's efforts is played. They might even lose their job for doing nothing more than, well, doing their job, or answering a harmless set of questions.

    --
    Lindsay Blanton
    RadioReference.com
    1. Re:I feel sorry by Anonymous Coward · · Score: 0

      Not me, I got laid off two weeks ago.

    2. Re:I feel sorry by craw · · Score: 1

      I also feel sorry for the poor fish in the barrel. What would be interesting to monitor is how far up the management chain the sh*t flies.

      In a more perfect world, those that succumb to social engineering would then have their bosses/supervisors subjected to the same social engineering, and if they fail, their bosses/supervisors would then be subjected to social engineering....

    3. Re:I feel sorry by T+Murphy · · Score: 2, Interesting

      If their boss actually follows what happens at DefCon, that boss might be smart enough to know how to handle the situation without firing anybody.

    4. Re:I feel sorry by drinkypoo · · Score: 1

      They might even lose their job for doing nothing more than, well, doing their job, or answering a harmless set of questions.

      If they lose their job for doing their job, then they can lose their job for doing their job any old time, not just if they are used to win this contest. What is far more likely is that they will lose their job for doing something they thought was their job: giving away information they are not really supposed to. And they should lose their job in this instance. It does not matter if someone is trying to fool them, or if they are just idiots. If they can't do the job, then they need to not have it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:I feel sorry by mldi · · Score: 1

      ... that boss might be smart enough...

      Isn't that a bit of an oxymoron?

      *ducks*

      --
      If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
  10. rattles FBI nerves... by Michael+Kristopeit · · Score: 1

    yeah, the nerves around their funny bone.

    they probably set the whole thing up so they could document the attempts rather than dream them up on their own so they could develop a counter procedure policy.

    1. Re:rattles FBI nerves... by rotide · · Score: 1

      Careful, that creaking sound that comes from your chair isn't actually a creak.. The gubment put a listening device in it and sometimes you hear feedback from their end. In fact, that's how you can tell it's a new version of the bug. They can whisper suggestive things to you as a form of mild brainwashing. I mean, really, your libido isn't that great, they're just failing to get you to go to the kiddie porn sites. Sadly they only keep catching you viewing the granny porn.

      Shhhh!

  11. No, this is good by i_want_you_to_throw_ · · Score: 3, Insightful

    If anything social engineering is THE weakest link in the security chain. Let the geeks handle the hardware security but people really and truly need to keep having it pounded into them that they always need to be vigilant and to recognize these attempts.

    1. Re:No, this is good by Phat_Tony · · Score: 1

      Sometimes "improved" technical security makes the social aspect worse, too. Systems departments frequently have the incentive to make sure there are no *technical* exploits to the systems, but if total security is decreased by social security being decreased when technical security is increased, that's not their problem when something goes wrong. I can quickly list three examples from a previous employer:

      - They decided to "increase security" by forcing people to use stronger passwords and to change their passwords every month. Admittedly, before this change, many people's passwords were names of people in their family or pets, birthdates, cars they drove, or other low security passwords. Still, actually guessing one wasn't particularly probable. But then they made them include capitals and lower case, letters and numbers, be at least 9 characters, and no dictionary words over 2 letters could be present as any subset. And you had to change it every month, and there was some sort of algorithm to determine if you'd changed it "enough," so you couldn't just increment some number in the password every month. The effect? Everyone's password was suddenly on a post-it note on their monitor, or maybe in their top desk-drawer, or under their telephone.

      - They decided to lock down access permissions in the computer, so people could only access the limited subset of systems and data they actually needed for their jobs through their login. Good in theory, but many employees there got pulled into working on all sorts of internal "management consulting" type projects to improve the place, and everyone's ability to access data was extensive and ever-changing. But getting things changed with systems was too much of a headache, and even then people frequently ran up against "absolute" privilege limits, such as that people below a certain level couldn't export data sets. But they needed to frequently. I suspect the company policy was that you had to get someone at the appropriate level to run the database query and save the file for you, but in reality, to get access to the right data and the ability to export data, everyone just shared passwords all the time, people would put lists of passwords with appropriate access inside the covers of project folders. Everyone at my level had their boss's password because of the data export privilege. Way to improve security.

      - They decided that emailing sensitive data was off limits, because email was insecure. Password protecting files wasn't good enough, and implementing encryption was deemed too complex. So the solution was that when we did things like employee reviews that were "sensitive," they all had to be handled as physical copies. So instead of turning on password protection on a Word document and emailing it to my boss, I'd have to print it - on a shared network printer about 100 feet from my desk, a giant laser printer that constantly spewed dozens of documents a minute all day long. By the time I got from my computer to the printer, several other things had printed, and there was constantly a crowd of people standing around picking through documents and sorting stuff out. The review, or a page of it, was likely to end up in someone else's hands just by accident, but if anyone at the printer saw another employee's review go by, they could easily grab it, and then what? I wouldn't know who to blame, or if it was even just a printer error. Then I get the printed copy and go put it either on top of my boss's inbox, a wire basket hanging on the outside of his desk where things sit horizontally in the aisle, or else set it out on top of his desk. Then he makes comments and comes back and puts it on my desk, I make revisions, and we repeat the process. Which is more likely, that a curious gossip is going to read part of it or grab it or go make a copy on the copier when it's sitting around at the printer or out on someone's desk, or that someone there is going to hack the mail system and break the password on a Word file? Yes, they are correct that both Microsoft Exchange and Word password protection are NOT secure. They're just way more secure than the alternative they made us use.

      --
      Can anyone tell me how to set my sig on Slashdot?
  12. I can verify this by Anonymous Coward · · Score: 5, Informative

    Posting as AC for obvious reasons, and I can't offer anything in the way of proof (again, for obvious reasons) but I do work for the US Navy in a division that deals with intelligence. We've been getting floods of emails from up on high warning us about Defcon "threats" and that we shouldn't answer any questions from people who call us that we don't know, etc etc.

    1. Re:I can verify this by Anonymous Coward · · Score: 3, Insightful

      Wait, so what do the higher-ups expect you to do on ordinary days when Defcon isn't running? Be less vigilant and answer any and all questions posed? What silly advice. What's a good precaution in the week of Defcon should be good *all*of*the*time*.

      All they're really trying to avoid is potential embarrassment if something gets in the news.

    2. Re:I can verify this by Anonymous Coward · · Score: 0

      I don't doubt it; we have gotten many over here as well. I forwarded this article to most of the department and everyone is really getting a kick out of it. I doubt anything will make it over here since we don't take many civilian calls anyway. What section are you in anyway? I might even be in the same building!

    3. Re:I can verify this by mdmkolbe · · Score: 1

      Nice try. Next time make your social engineering more subtle.

    4. Re:I can verify this by Dhalka226 · · Score: 4, Insightful

      That doesn't mean it's not worth occasionally reiterating, especially when there's a specific reason to believe there may be an increased chance of something happening.

      It's not like they're spending millions of dollars to defend it or something, just sending a few emails.

    5. Re:I can verify this by nospam007 · · Score: 1

      "we shouldn't answer any questions from people who call us that we don't know, etc etc."

      Yeah, I never get a virus because I open only mails from my friends.

    6. Re:I can verify this by IICV · · Score: 1

      It's funny because if your higher-ups had actually read the rules that Defcon posted (you know, done a bit of research), they would have realized that the military is not being targeted. If anyone gets a call pumping them for personal information, it's not going to be due to this defcon event.

  13. what if that info just comes out? like the other s by Joe+The+Dragon · · Score: 1

    what if that info just comes out? like the other side just starts saying it all, or someone acts like a VP that needs help and someone just gives them way too much info?

  14. The information they want is almost too innocuous. by yakovlev · · Score: 2, Funny

    Given that the information they want is so innocuous (see their examples,) the way I would probably handle it is:

    1.) Get a list of past DefCon attendees from the company.
    2.) Find prior attendees NOT attending the current DefCon.
    3.) Call those prior attendees up and say "DefCon this year is doing a social engineering CTF, can you help me out by providing some silly and innocuous data about your company/building?"

    This could work surprisingly well, so long as you got somebody willing to play along and help you "cheat."

    In fact, this approach (or something similar) would probably be so common and so effective that there might be a rule added against it.

    What would be particularly funny is if you didn't actually check if they were attending this year, and the "victim" was sitting in the audience!

  15. ahem... by Anachragnome · · Score: 2, Insightful

    "The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. "

    I think what REALLY scares these guys (the Feds and the Banks) is that they know damn well that MOST hackers out there do not limit themselves with any silly, self-imposed rules.

    Just imagine what the contestants could do without legality/illegality issues hindering them. Anything learned here will simply be repeated, by someone, with no such hindrances in place.

  16. Can they spoof CallerID? by HockeyPuck · · Score: 3, Interesting

    On my desk phone at work, if someone calls from their desk or a number that is currently listed in the directory, their name and number show up on the display. It's pretty obvious if someone calls up from an outside line. Now if the contestant is allowed to try to spoof my company's phone system into thinking they are from, say, HR, more power to them.

    1. Re:Can they spoof CallerID? by radish · · Score: 2, Informative

      The usual approach is to call someone pretty much at random, and ask to be transferred to the real target. That person then sees an internal number (typically of someone they don't know) calling them and to some degree lets their guard down.

      --
      One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    2. Re:Can they spoof CallerID? by JWSmythe · · Score: 2, Informative

      Usually it's not that tough to get info. I always maintained an East coast US phone number, regardless of where I was working. I was always doing work things from my cell phone, like dealing with datacenter folks.

      Sometimes in the course of normal work, I'd need to acquire access for a coworker to a site. My name was usually listed as a person authorized to make account changes. If it wasn't, I knew the people who would be. A few times, I called as the owner of the company, added myself to the list of people with site access and then scheduled myself to show up and get an access badge. It didn't matter that I was calling from a cell phone from the wrong side of the country. If those should fail, the good old "I just started work here yesterday, I was told to do this..." got it done. A few places wanted emails from authorized individuals to make changes. Oohh, spoofing an email, that's real tough to do.

      From: William Gates
      To: HR
      Subject: JW Smythe

      JW Smythe has been hired to work in the IT department. Provide him all the required credentials so he can begin work on August 2, 2010.

      BG

      It was easier where I knew all the right addresses, and the writing styles of the authorized folks. That, and I wouldn't get in trouble, since they actually did tell me to do it, even though the third party didn't know.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:Can they spoof CallerID? by tibit · · Score: 1

      It's trivial to spoof caller ID in the U.S. Heck, at work our ISDN provider gladly accepts any 10 digit calling party number we feel like providing them. This is the prime reason why you DON'T want to enable pin-less calling from your "home" number, when using calling card services.

      Pin-less calling means that the calling card system uses caller ID to bypass the pin. At one point I made a bet with a friend that I could pick any popular calling card access number, dial 10k random numbers from a 1M+ metro area's area code, and I'd hit at least one number whose owner had enabled pin-less calling. I set it to auto-detect and log based on how quickly after the language got selected the silence detector kicked in -- the announcements differ in length between "please enter pin number" and "you have ... x hours ... y minutes available". I hit three pin-less numbers in 10k tries. And I didn't cheat -- I selected a "nominal" area code that wasn't a big immigrant population center. The test took a couple of days using idle lines.

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re:Can they spoof CallerID? by nblender · · Score: 1

      I once did contract work for a North American telecom manufacturer. The project I was on included a temporary pinhole through the corporate firewall from a specific vendor to an internal database server. I was given contact info for the firewall team at head office (across the border, in another state). The one day I left the office, I had gotten as far as the lobby and realized I hadn't arranged for the pinhole through the firewall, so I walked over to the lobby phone and called the internal extension given to me for the firewall team. I spoke to someone there, referenced the project I was on and gave details for the source addresses and internal address/port for the pinhole. In the source addresses, I included my own personal static IP so I could work from home... I told the guy I could give him my manager's contact info to verify the request but he said "oh that's ok. I can see you're calling from an internal extension." ... Lots of random people were sitting in the lobby at the time... I could have been anyone...

    5. Re:Can they spoof CallerID? by Zero__Kelvin · · Score: 0

      "Oohh, spoofing an email, that's real tough to do."

      Ah, you see, it was harder to do than you thought. Everybody knows Bill Gates signs his one and true right name to all e-mails, to wit: "- The Antichrist". That is a joke of course, but in all seriousness your composed e-mail wasn't nearly pompous or arrogant enough for anyone to actually believe it was composed by Gates.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Can they spoof CallerID? by JWSmythe · · Score: 1

      Ya, I didn't go out looking for any samples of his emails to use. I know even as verbose as I usually am, if I'm just sending a note over to HR saying we've hired someone, that could be a one-liner. I don't know how many people he hand picked back in the day, but if I remember their (MS) structure right now, he doesn't even have a hand in that. I suppose it could happen, but it would probably be more of an email to a department manager saying "I want this guy working here. Interview and hire him."

      --
      Serious? Seriousness is well above my pay grade.
  17. Is this what the cyberczar wants? by Nyder · · Score: 2, Insightful

    Just the other day we had a submission about how we aren't prepared for the "cyberwarz" because we can't get people who know this sort of stuff, or think along these lines.

    Well, damn, seems to me this would be a great exercise for the FBI/HLS, and whoever else, to see about hiring/training peeps for those sorts of jobs.

    Of course, that makes sense and wouldn't be used.

    --
    Be seeing you...
  18. Re:I like these set of rules better by Redlazer · · Score: 1

    Except for the long, deadly strings that are attached, they sum up the rules pretty well.

    --
    Guns don't kill people, "with glowing hearts" kills people.
  19. Entry Form? by Anonymous Coward · · Score: 0

    The sites have been slashdotted. How do I enter myself into the competition?

    - Hacker

  20. Re:The information they want is almost too innocuo by JWSmythe · · Score: 0, Offtopic

    I haven't been to a Defcon yet. Shit always comes up. But, don't they still take cash at the door? Do you have to provide a photo ID? I've been to several conventions where I observed the people ahead of me and when they don't ask for an ID, I just give a fake name and pay cash. I used to have a bunch of ID badges for "JW Smythe" hanging on my office wall (when I had an office) from various places. I don't feel it's necessary for every schmuck in the world to know who I really am.

    --
    Serious? Seriousness is well above my pay grade.
  21. When I worked for ... by Anonymous Coward · · Score: 0

    When I worked for (unnamed company), whenever DefCon was on the timetable, they'd send memos to all staff to be aware of social engineering attempts.

    AKA, we know you've been lax; anyone who gets caught is fired.

  22. Re:I like these set of rules better by Anonymous Coward · · Score: 0

    I like Deuteronomy 21:10-14 better. All US soldiers would have convenient Muslim slave-women, whom they could cast aside by beating them without any need to support them economically, then simply grab another one at the next village they raid.

    And if they're already married, the next 10 verses deal with how the first-born son of the wife he hates cannot be discarded in favor of the son of wife he likes, so I hope all you gals at home got knocked up by your soldier boys before they went out and grabbed some Muslim MILF, because that new Muslim boy kid is going to inherit the house, and the car.

    Daughters? Too bad. Maybe they can be left in villages for the Iraqi men to conquer so they don't get lonely over the next 20 years of this bloodbath.

  23. Re:I like these set of rules better by Jedi+Alec · · Score: 1

    For the record, those jeans do not make your ass look fat.

    Your ass makes your ass look fat.

    --

    People replying to my sig annoy me. That's why I change it all the time.
  24. Social Engineering... by crow_t_robot · · Score: 1

    It's obvious that management types are leaking into the Defcon community heavily. I hate the phrase "Social Engineering" and cringe when I hear it. Just another plastic-like buzzword used by management goons on powerpoint slides. The art (it's an Art, not a Science) has been around for a long damn time and already has a name:

    http://en.wikipedia.org/wiki/Grifting (aka Confidence Trick)

    There's no need to give it a bullshit name make-over.

  25. Wow...social engineering 101 by hesaigo999ca · · Score: 1

    What a concept, I wish I could go, just to see this one in action. Hopefully someone will YouTube it...please, please, please...