Slashdot Mirror


DefCon Contest Rattles FBI's Nerves

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.


  1. Re:Dumbasses @ FBI by msauve · Score: 4, Funny

    Well, that leaves retail.

    "Do you have Prince Albert in a can?"

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Okay, be honest. by peacefinder · Score: 4, Funny

    Who here clicked the link to www.social-engineer.org before thinking about the potential consequences?

    Have you just been had? :-)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  3. Re:This is refreshing by al0ha · Score: 2, Funny

    Yeah - social engineering used to be called grifting. But I guess grifting is not as cool a buzzword as anything associated with engineering. Social engineering, puhleez; like it takes a lot of brains to grift a rube.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  4. Not-so-sensitive?! by zyxwvutsr · Score: 4, Funny

    What participants can do is collect data on less sensitive subjects such as, "who does your dumpster removal; who takes care of your paper shredding," Hadnagy said.

    "If you don't tell me, I'll look at the dumpster behind your building and read the name on it!"

  5. Re:This is refreshing by Hatta · Score: 5, Funny

    I prefer to beat the password out of the mark after 5 minutes of brute force.

    --
    Give me Classic Slashdot or give me death!
  6. The information they want is almost too innocuous. by yakovlev · Score: 2, Funny

    Given that the information they want is so innocuous (see their examples), the way I would probably handle it is:

    1.) Get a list of past DefCon attendees from the company.
    2.) Find prior attendees NOT attending the current DefCon.
    3.) Call those prior attendees up and say "DefCon this year is doing a social engineering CTF, can you help me out by providing some silly and innocuous data about your company/building?"

    This could work surprisingly well, so long as you got somebody willing to play along and help you "cheat."

    In fact, this approach (or something similar) would probably be so common and so effective that there might be a rule added against it.

    What would be particularly funny is if you didn't actually check if they were attending this year, and the "victim" was sitting in the audience!