Slashdot Mirror


DefCon Contest Rattles FBI's Nerves

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.

32 of 136 comments

  1. Dumbasses @ FBI by blackraven14250 · · Score: 3, Interesting

    What dumbasses at the FBI and in the financial industry:

    "The list of target organizations will not include any financial, government, educational, or health care organizations;"

    1. Re:Dumbasses @ FBI by msauve · · Score: 4, Funny

      Well, that leaves retail.

      "Do you have Prince Albert in a can?"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Dumbasses @ FBI by blair1q · · Score: 2, Interesting

      Well then the contest is hardly impressive, is it?

      Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.

      How hard is it to talk your way into a grocery store's customer list?

    3. Re:Dumbasses @ FBI by thePowerOfGrayskull · · Score: 2, Interesting

      Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.

      I work at one of those places, and I gotta say... those "measures" aren't as stringent as I'd like them to be. That is to say - we get employee training (CBT) once a year to refresh our knowledge of various procedures, and it touches briefly on social engineering (a single slide).

      Now - I'm in the IS department, so it may be that those in lending ops, etc have a different story. For us the "measures" in place rely solely on the common sense of each employee.

      Scary, isn't it?

    4. Re:Dumbasses @ FBI by tuomoks · · Score: 2, Insightful

      Unfortunately - yes! Hide the head in the sand, that seems to be the answer nowadays for any- and everything? For a long time - excuse me, starting in the 60's - I was either responsible for or designing systems and infrastructures for safe and secure, often global environments - can't say that they were perfect, nothing ever is. From time to time (often) the hired security testing groups / companies were able to find some problems, even documents in wastebaskets - in IT(?), which should have known better - but the main thing was to find the problems, not to hide them!

      You look at companies / corporations today: they spend much, much more money and time hiding the problems, trying to recover from problems, paying the public and/or government the fines, whatever, than preventing the problems? Nothing (much) wrong, business as usual, but sometimes I wonder why the stockholders / owners are willing to throw good money - and sometimes good reputation - away? Just wondering - LOL!

    5. Re:Dumbasses @ FBI by kcwatx · · Score: 2, Interesting

      What you observed about your corporation and its measures is probably the very reason this contest is taking place. I also work at one of those institutions, and our CBT is a little more comprehensive when it comes to social networking, but it's still up to the bottom rung employees to control the information at the telephone outlet. There are maybe 1000 people at my office, half of which work in a contact center for our company and have access to lots and lots of private information, and our company has other locations with comparable employee numbers. Most of the positions in the contact center are seen as entry level, and anyone who wants to go anywhere in the company gets out of that department as soon as possible. So that leaves new hires and people who lack motivation or the ability to get promoted. That means there are a lot of people who may be ignorant of such malicious attacks and be susceptible to them, or may just be complacent about security, irritated by their lack of success within the organization, and willing to say whatever it takes to get the person with whom they are speaking to hang up the phone so they can move on to the next call without stacking up too long an average talk time.

      --
      -The Royal Jugglist
  2. This is refreshing by Majik+Sheff · · Score: 4, Insightful

    It's nice to see the hacker community making a move to acknowledge its roots. Social engineering is the oldest and easily the most challenging/rewarding form of real hacking.

    What's more gratifying, beating the password out of a hash after weeks of brute force or having the mark just tell you in a five-minute phone call?

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
    1. Re:This is refreshing by al0ha · · Score: 2, Funny

      Yeah - social engineering used to be called grifting. But I guess grifting is not as cool a buzzword as anything associated with engineering. Social engineering, puhleez; like it takes a lot of brains to grift a rube.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    2. Re:This is refreshing by Hatta · · Score: 5, Funny

      I prefer to beat the password out of the mark after 5 minutes of brute force.

      --
      Give me Classic Slashdot or give me death!
    3. Re:This is refreshing by DigiShaman · · Score: 2, Informative

      Hackers by and large just do it for the challenge. Both creating and solving intellectual puzzles.

      Crackers OTOH usually do it for nefarious reasons. If you're a cracker, it's usually to achieve an objective for a greater plan. You want to be silent, stealthy, and render the goal long before anyone becomes the wiser. Social engineering for all its effectiveness increases the risk of exposure.

      --
      Life is not for the lazy.
    4. Re:This is refreshing by KlaymenDK · · Score: 2, Informative

      http://xkcd.com/538/

      That is all.

  3. Okay, be honest. by peacefinder · · Score: 4, Funny

    Who here clicked the link to www.social-engineer.org before thinking about the potential consequences?

    Have you just been had? :-)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  4. Rules and Do-Not-Do list by Zerth · · Score: 5, Informative

    The CTF Rules

    Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

    Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for "cheating".

    The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

    They will be sent their time slot (day/time) to perform their attack vector at Defcon. At Defcon each social engineer will be given 5 minutes to explain to the crowd what they did and what their attack vector is.

    They are then given 20 minutes to perform their attack vector and points are awarded for information gathered as well as goals successfully accomplished during the process.

    A scoreboard will be kept and at the end some excellent prizes will be awarded.

    The Flag

    The "flag" is a custom list of specific bits of information, which you will have to discover during your 20-minute phone call. The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event.

    THE DO NOT LIST:

    The underlying idea of this contest is: no one gets victimized in the duration of this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

    Items that are not allowed to be targeted at any point of the contest:

    1) No going after very confidential data. (i.e. SS#, Credit Card Numbers, etc). No Illegal Data
    2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
    3) No porn
    4) At no point are any techniques allowed to be used that would make a target feel as if they are "at risk" in any manner. (ie. "We have reason to believe that your account has been compromised.")
    5) No targeting information such as passwords.
    6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
    7) The social engineer must only call the target company, not relatives or family of any employee
    8) Use common sense, if something seems unethical - don't do it. If you have questions, ask a judge

    If at any point in the contest it appears that contestants are targeting anything on the "No" list, they will receive one warning. After the one warning they are disqualified from the contest.

    1. Re:Rules and Do-Not-Do list by Score+Whore · · Score: 2, Insightful

      If they aren't going after confidential data, then what exactly is the point here? What I mean is, why would a company care about non-sensitive data, so what protections/security/whatever are they supposedly penetrating here?

    2. Re:Rules and Do-Not-Do list by rotide · · Score: 5, Insightful

      Not everything needs to be about obtaining damaging information. Imagine talking to a random stranger and trying to solicit information from them. It's not as easy as it sounds.

      Seriously, try this some time, just go up to a stranger and get their middle name. It will be harder than you think in most cases, if not impossible.

      Social Engineering is a skill. You have to be very good to go under the "what the fuck does this guy want" radar. You have to be able to read people without seeing them and be able to think very quickly in a very dynamic situation. Again, all while staying under their radar.

      Getting confidential, personally sensitive, or business critical information isn't the point, nor does it appear to be the goal. Merely being good with your social skills (and we're talking a special breed of nerds here, no offense to them though), no, being great with them, is the point. Having a laundry list of weird and/or "not normally given out" information and trying to gain it, that's going to be hard.

    3. Re:Rules and Do-Not-Do list by garompeta · · Score: 4, Interesting

      There were very cool pranks done at HOPE, which were enlightening. Emmanuel Goldstein called BP and ended up convincing an employee to leave the office door open, telling him that because it was too late he wouldn't be showing up with the company van. He didn't get any confidential information regarding the store (surprisingly, some of the employees seemed to be trained and others seemed too stupid to understand the questions), but if he had wanted he could have gone to the gas station with a free pass to the office, from an unmarked, unbranded van. That is social engineering.

    4. Re:Rules and Do-Not-Do list by JWSmythe · · Score: 3, Insightful

      [ignores you like a homeless guy asking for a dollar for more booze and walks away]

      Good try.

      "Excuse me sir, I'm with the [state] joint anticrime taskforce." [flashes official looking ID printed up not long before] "We're performing random checks on the citizens in this area. May I see a photo ID?"

      [citizen hands him his driver's license]

      "Thank you Mr " [reads last name from ID] ". We've already had several instances today where criminals have attempted to run when asked for their identification. Have a wonderful day. We appreciate your cooperation."

      His middle name was Henry. He was born October 28, 1955.

      I know, in the game you're not allowed to pretend to be from a government agency. It just made this easier. If you're digging for personal information, you just have to craft "who" you are to be something where they'd want to hand over the information without asking too many questions.

      --
      Serious? Seriousness is well above my pay grade.
  5. Not-so-sensitive?! by zyxwvutsr · · Score: 4, Funny

    What participants can do is collect data on less sensitive subjects such as, "who does your dumpster removal; who takes care of your paper shredding," Hadnagy said.

    "If you don't tell me, I'll look at the dumpster behind your building and read the name on it!"

  6. I feel sorry by blantonl · · Score: 5, Insightful

    I feel sorry for the poor fish in the barrel that gets shot on this one.

    Unwittingly, right now, some guy/gal is sitting in their cubicle and is on the cusp of getting the phone call that thrusts them into the international spotlight when the tape of the winning team's efforts is played. They might even lose their job for doing nothing more than, well, doing their job, or answering a harmless set of questions.

    --
    Lindsay Blanton
    RadioReference.com
    1. Re:I feel sorry by T+Murphy · · Score: 2, Interesting

      If their boss actually follows what happens at DefCon, that boss might be smart enough to know how to handle the situation without firing anybody.

  7. Re:If they go to my bank... by John+Hasler · · Score: 3, Insightful

    They probably won't have to do much. They've sent a letter stating that my personal information has gone missing three times in two years.

    And yet you continue to do business with them. It's pretty obvious why they don't have to do much.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. No, this is good by i_want_you_to_throw_ · · Score: 3, Insightful

    If anything social engineering is THE weakest link in the security chain. Let the geeks handle the hardware security but people really and truly need to keep having it pounded into them that they always need to be vigilant and to recognize these attempts.

  9. I can verify this by Anonymous Coward · · Score: 5, Informative

    Posting as AC for obvious reasons, and I can't offer anything in the way of proof (again, for obvious reasons) but I do work for the US Navy in a division that deals with intelligence. We've been getting floods of emails from up on high warning us about Defcon "threats" and that we shouldn't answer any questions from people who call us that we don't know, etc etc.

    1. Re:I can verify this by Anonymous Coward · · Score: 3, Insightful

      Wait, so what do the higher-ups expect you to do on ordinary days when Defcon isn't running? Be less vigilant and answer any and all questions posed? What silly advice. What's a good precaution in the week of Defcon should be good *all*of*the*time*.

      All they're really trying to avoid is potential embarrassment if something gets in the news.

    2. Re:I can verify this by Dhalka226 · · Score: 4, Insightful

      That doesn't mean it's not worth occasionally reiterating, especially when there's a specific reason to believe there may be an increased chance of something happening.

      It's not like they're spending millions of dollars to defend it or something, just sending a few emails.

  10. The information they want is almost too innocuous. by yakovlev · · Score: 2, Funny

    Given that the information they want is so innocuous (see their examples), the way I would probably handle it is:

    1.) Get a list of past DefCon attendees from the company.
    2.) Find prior attendees NOT attending the current DefCon.
    3.) Call those prior attendees up and say "DefCon this year is doing a social engineering CTF, can you help me out by providing some silly and innocuous data about your company/building?"

    This could work surprisingly well, so long as you got somebody willing to play along and help you "cheat."

    In fact, this approach (or something similar) would probably be so common and so effective that there might be a rule added against it.

    What would be particularly funny is if you didn't actually check if they were attending this year, and the "victim" was sitting in the audience!

  11. ahem... by Anachragnome · · Score: 2, Insightful

    "The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. "

    I think what REALLY scares these guys (the Feds and the Banks) is that they know damn well that MOST hackers out there do not limit themselves with any silly, self-imposed rules.

    Just imagine what the contestants could do without legality/illegality issues hindering them. Anything learned here will simply be repeated, by someone, with no such hindrances in place.

  12. Can they spoof CallerID? by HockeyPuck · · Score: 3, Interesting

    On my desk phone at work, if someone calls from their desk or a number that is currently listed in the directory, their name and number shows up on the display. It's pretty obvious if someone calls up from an outside line. Now if the contestant is allowed to try to spoof my company's phone system into thinking they are from, say, HR, more power to them.

    1. Re:Can they spoof CallerID? by radish · · Score: 2, Informative

      The usual approach is to call someone pretty much at random, and ask to be transferred to the real target. That person then sees an internal number (typically of someone they don't know) calling them and to some degree lets their guard down.

      --
      One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    2. Re:Can they spoof CallerID? by JWSmythe · · Score: 2, Informative

      Usually it's not that tough to get info. I always maintained an East coast US phone number, regardless of where I was working. I was always doing work things from my cell phone, like dealing with datacenter folks.

      Sometimes in the course of normal work, I'd need to acquire access for a coworker to a site. My name was usually listed as a person authorized to make account changes. If it wasn't, I knew the people who would be. A few times, I called as the owner of the company, added myself to the list of people with site access and then scheduled myself to show up and get an access badge. It didn't matter that I was calling from a cell phone from the wrong side of the country. If those should fail, the good old "I just started work here yesterday, I was told to do this..." got it done. A few places wanted emails from authorized individuals to make changes. Oohh, spoofing an email, that's real tough to do.

          From: William Gates
          To: HR
          Subject: JW Smythe

          JW Smythe has been hired to work in the IT department. Provide him all the required credentials so he can begin work on August 2, 2010.

          BG

      It was easier where I knew all the right addresses, and the writing styles of the authorized folks. That, and I wouldn't get in trouble, since they actually did tell me to do it, even though the third party didn't know.

      --
      Serious? Seriousness is well above my pay grade.
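JWSmythe's "spoofing an email, that's real tough to do" is exactly the gap a receiving gateway check exists to close. As an added example, not code from the post, from Slashdot or from any mail product, the Python below builds the kind of forged message the post sketches and runs the consistency check a mail gateway or an analyst can apply to it: does the domain in the header From: line up with the envelope sender the MTA recorded as Return-Path, and did our own gateway (assumed authserv-id mx.example.com) record a passing SPF or DKIM result aligned with that domain? Every address, domain and Authentication-Results value here is constructed for illustration.

```python
"""Forged From: header beside the consistency check a receiving gateway can apply.

Added example for this thread; not code from the post or from any mail
product. All addresses, domains and header values below are constructed
(example.com, attacker.example, mx.example.com are assumptions).
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def forged_message() -> bytes:
    """The trick the post describes: the header From: names the company
    owner, while the SMTP envelope sender (recorded by the receiving MTA as
    Return-Path) is whoever actually handed the mail over."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "William Gates <william.gates@example.com>"  # forged header From
    msg["To"] = "HR <hr@example.com>"
    msg["Subject"] = "JW Smythe"
    msg["Return-Path"] = "<outsider@attacker.example>"         # real envelope sender
    msg.set_content(
        "JW Smythe has been hired to work in the IT department. "
        "Provide him all the required credentials.\n\nBG\n"
    )
    return bytes(msg)


# Constructed message that really did come from example.com: the envelope
# sender aligns with From, and the gateway (authserv-id mx.example.com)
# recorded passing SPF and DKIM results for that domain.
LEGIT_MESSAGE = b"""Return-Path: <william.gates@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: William Gates <william.gates@example.com>
To: HR <hr@example.com>
Subject: JW Smythe

Please onboard JW Smythe on Monday.

BG
"""


def _domain(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _aligned(from_dom: str, other: str) -> bool:
    """DMARC-style relaxed alignment: same domain, or From is a subdomain of it."""
    return bool(other) and (from_dom == other or from_dom.endswith("." + other))


def check_header_from(raw: bytes, authserv_id: str = "mx.example.com") -> dict:
    """Flag a header From: that nothing in the message vouches for.

    Only Authentication-Results headers stamped with our own authserv-id are
    trusted: an outside sender can inject a header of that name with any text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    auth = " ".join(
        str(v) for v in msg.get_all("Authentication-Results", [])
        if str(v).strip().startswith(authserv_id)
    )
    # SPF passes count only if the envelope domain aligns with the From domain.
    spf_ok = bool(re.search(r"\bspf=pass\b", auth, re.I)) and _aligned(from_dom, envelope_dom)
    # DKIM passes count only if the signing domain (header.d=) aligns with From.
    dkim_ok = any(
        _aligned(from_dom, m.group(1).lower())
        for m in re.finditer(r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)", auth, re.I)
    )
    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "alignment_mismatch": from_dom != envelope_dom,
        "authenticated": spf_ok or dkim_ok,
        "suspicious": from_dom != envelope_dom or not (spf_ok or dkim_ok),
    }


if __name__ == "__main__":
    print(check_header_from(forged_message()))  # alignment_mismatch and suspicious are True
    print(check_header_from(LEGIT_MESSAGE))     # suspicious is False
```

Run stand-alone it flags the forged message (From domain example.com, envelope domain attacker.example, no trusted authentication) and passes the constructed legitimate one. Two caveats a practitioner wants: the check trusts only Authentication-Results headers that carry your own gateway's authserv-id, because anyone outside can add one with whatever text they like; and a sender who mails from a domain they genuinely control with the display name "William Gates" passes this alignment check unchanged, so the look-alike display name, like the "I just started work here yesterday" pretext, stays a people problem rather than a header problem.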
  13. Is this what the cyberczar wants? by Nyder · · Score: 2, Insightful

    Just the other day we had a submission about how we aren't prepared for the "cyberwarz" because we can't get people who know this sort of stuff, or think along these lines.

    Well, damn, seems to me this would be a great exercise for the FBI/HLS, and whoever else, to see about hiring/training peeps for those sort of jobs.

    Of course, that makes sense and wouldn't be used.

    --
    Be seeing you...
  14. Re:If they go to my bank... by JWSmythe · · Score: 3, Interesting

    Sometimes that info comes from places you'd rather it not. I got a letter a couple years ago from the VA (United States Veterans Affairs). I was in the military for about a month, almost 20 years ago. (It was a preexisting disqualifying medical condition, for anyone who really wonders.) They sent it to a friend's house where I frequently got mail. It stated that my personal information may have been compromised due to a breach of the VA computers. I had seen the news story about it about a month before and didn't think it would apply to me. It's so comforting that I was in a system I shouldn't have been in, and they lost my information to unknown parties, who could be doing almost anything with it. Since they knew a valid address for me, nowhere near where I lived when they collected the data, I have to assume they kept addresses updated from another source.

    Ya, I'd rather not do business with the VA, but apparently they know about me.

    Sometimes I wonder about banks that I've done business with in the past. Some have closed and merged so many times, I have no clue who they are now. A friend of mine got a nasty letter from a bank a couple years ago. He had closed his account with them over 20 years before that. Apparently when they merged with other banks, to fluff their "account holders" numbers, they reopened closed accounts. After the mergers, they started assessing fees to the accounts. He was now on the hook for all kinds of fees they assessed the closed account plus interest. When he tried to straighten it out, the bank couldn't find the record, other than the fact that he owed the money. He still gets calls from collections every once in a while asking for the money.

    --
    Serious? Seriousness is well above my pay grade.