DefCon Contest Rattles FBI's Nerves
snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees."
The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.
What dumbasses at the FBI and in the financial industry:
"The list of target organizations will not include any financial, government, educational, or health care organizations;"
There were very cool pranks done at HOPE, which were enlightening. Emmanuel Goldstein called BP and ended up convincing an employee to leave the office door open, telling him that because it was too late he wouldn't be appearing with the company van. He didn't get any confidential information regarding the store (surprisingly, some of the employees seemed to be trained and others seemed too stupid to understand the questions), but if he had wanted, he could have gone to the gas station with a free pass to the office, from an unmarked, unbranded van. That is social engineering.
On my desk phone at work, if someone calls from their desk or a number that is currently listed in the directory, their name and number show up on the display. It's pretty obvious if someone calls up from an outside line. Now if the contestant is allowed to try to spoof my company's phone system into thinking they are from, say, HR, more power to them.
Sometimes that info comes from places you'd rather it not. I got a letter a couple years ago from the VA (United States Veterans Affairs). I was in the military for about a month, almost 20 years ago. (It was a preexisting disqualifying medical condition, for anyone who really wonders.) They sent it to a friend's house where I frequently got mail. It stated that my personal information may have been compromised due to a breach of the VA computers. I had seen the news story about it about a month before and didn't think it would apply to me. It's so comforting that I was in a system I shouldn't have been in, and they lost my information to unknown parties, who could be doing almost anything with it. Since they knew a valid address for me, nowhere near where I lived when they collected the data, I have to assume they kept addresses updated from another source.
Ya, I'd rather not do business with the VA, but apparently they know about me.
Sometimes I wonder about banks that I've done business with in the past. Some have closed and merged so many times, I have no clue who they are now. A friend of mine got a nasty letter from a bank a couple years ago. He had closed his account with them over 20 years before that. Apparently when they merged with other banks, to fluff their "account holders" numbers, they reopened closed accounts. After the mergers, they started assessing fees to the accounts. He was now on the hook for all kinds of fees they assessed the closed account plus interest. When he tried to straighten it out, the bank couldn't find the record, other than the fact that he owed the money. He still gets calls from collections every once in a while asking for the money.
Serious? Seriousness is well above my pay grade.
If their boss actually follows what happens at DefCon, that boss might be smart enough to know how to handle the situation without firing anybody.