Slashdot Mirror


Phone Calls More Dangerous Than Malware To Companies

dinscott writes "During the Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."

82 comments

  1. Caller ID by Anonymous Coward · · Score: 0

    Like a firewall for your phone.

    1. Re:Caller ID by Sable+Drakon · · Score: 5, Insightful

      You do know that caller ID is spoofable right?

      --
      The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
    2. Re:Caller ID by Opportunist · · Score: 5, Insightful

      Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?

      People don't care about security. And why should they, it is not their job!

      My pet peeve with security in most companies is that the CSO's trying to take the easy way out: Shifting the burden of security onto his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters 'til I have time to ponder something REALLY "secure"). And no writing down! How you should remember that gobbledygook? Not my problem!

      That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one headache more, especially one headache that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.

      So it's no wonder IT security is seen like some kind of Gestapo and Stasi rolled into one.

      Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).

      You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could. In a nutshell: When a worker faces the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.

      And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.

      Of course, I'm fairly sure the CISO presented him a fully blown sheet of dos and don'ts when someone from IT calls, verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.

      How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.

      Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Caller ID by Anonymous Coward · · Score: 0

      tl;dr

    4. Re:Caller ID by AJH16 · · Score: 3, Insightful

      You danced around the edge of it but missed the real issue. The real issue is the fact that the worker is seen as a slacker if they take the time to do things securely. If security isn't a mandate from the CEO and pushed down and invested in hard by the entire management organization, then it won't work. Period. Security has to be everyone's job to work well. That said, it also doesn't have to be (and can't be) overly burdensome, so much of what you said is still accurate.

      The real key is that users must have the support of management to take the time it takes to be secure and processes must make sense so that users see the benefit and the fact that their managers support the process. If you don't have that, they are going to do what it takes to please their manager, not the IT Department, because that is their job.

      --
      AJ Henderson
    5. Re:Caller ID by gl4ss · · Score: 1

      I'm confused, was this a competition about who does fraud best over the telephone?

      --
      world was created 5 seconds before this post as it is.
    6. Re:Caller ID by jriding · · Score: 1

      Stated like a true developer.

      --
      love the taste, hate the texture
    7. Re:Caller ID by SeaFox · · Score: 1

      Which is why it would be better to use the ANI number for Caller-ID instead of a special "Caller-ID" string. You better believe it will be more accurate. The phone wouldn't let people fuck around with the info they use for billing.

    8. Re:Caller ID by Opportunist · · Score: 1

      Well, I "evolved" out of development. And, frankly, I have to say that I'm probably a better manager than someone who comes from a "pure" management background who tries to lead people who do something he doesn't understand. Likewise, the best CFOs come from bookkeeping and not from some BA background.

      There's a reason the CFO is maybe the only person in our management meetings that I truly respect and whose opinion I value at least as much as my own. It's based in experience instead of some management bullshit seminars that have nothing to do with reality.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Reduce unemployment today! by bob_super · · Score: 4, Funny

    Good morning citizen, this is the brand-new NSA call center...

  3. complete results? by datapharmer · · Score: 5, Insightful

    If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

    --
    Get a web developer
    1. Re:complete results? by Anonymous Coward · · Score: 5, Funny

      that's not news.

    2. Re:complete results? by MurukeshM · · Score: 2

      The article itself has only one link, so it's not a click farm. But it is depressingly low on facts.

    3. Re:complete results? by TheGavster · · Score: 4, Insightful

      In addition to its brevity, it also implies that 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
    4. Re:complete results? by SmlFreshwaterBuffalo · · Score: 3, Insightful

      In addition to its brevity, it also implies that 4 times as many "flags" were taken simply from searches of Google, Linkedin, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

      Since the article doesn't bother listing what the flags were, one cannot assign a weight to each of them. If all the flags were of equal importance then I would agree with you. But if some are more critical than others, e.g. if flag 1 is "What is the CEO's name?", and flag 2 is "What is the CEO's login and password?", then comparing raw counts as the article is doing is both pointless and misleading.

    5. Re:complete results? by mythosaz · · Score: 5, Informative

      The article links to the entire PDF report, in which the values are given for all flags.

      http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    6. Re:complete results? by mythosaz · · Score: 4, Informative

      When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from Linkedin if you get an employee's name. Get a few more points if he shouted "Payday, bitches!" on Facebook one Friday afternoon.

      The threat is relative. The points assigned to each were subjective.

    7. Re:complete results? by gnasher719 · · Score: 4, Funny

      If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

      I wonder if they found out what browser and OS are used at Apple and at Microsoft...

    8. Re:complete results? by Anonymous Coward · · Score: 0

      You sure are being silly thinking the little article is the extent of it. Check out:

      Dark Reading http://www.darkreading.com/vulnerability/social-engineers-pwn-the-human-network-i/240163379

      Or read the whole report, rather than what the one article incorporates... http://www.social-engineer.org/defcon-21-sectf-report-download-mix/

    9. Re:complete results? by Anonymous Coward · · Score: 0

      Silly boy, Slashdot doesn't actually have editors anymore. It's just a shell script that hands out the names.

    10. Re:complete results? by 8tim8 · · Score: 4, Informative

      You're right, the link is to a lame story. However, at the end of the story is the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf. That, on the other hand, is full of information and analysis, although they don't provide specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.

    11. Re:complete results? by Anonymous Coward · · Score: 1

      If those are the complete results that was a pretty short and piss poor competition.

      If you look at the bottom of TFA you'll see a link to the complete results.

    12. Re: complete results? by Anonymous Coward · · Score: 0

      that helps greatly, but that last paragraph and link wasn't there when it first appeared on slashdot.

    13. Re:complete results? by Mr.+Freeman · · Score: 1

      The list of possible flags is also filled with useless information. The *only* flag that means anything is "getting user to go to a fake URL". The rest of them are questions like "who handles your trash collection?" and "who stocks the vending machines?". That information is entirely useless and most of it is even publicly available. Concealing this information provides obscurity at best and a false sense of security at worst.

      These aren't even attack vectors. Any idiot can walk into a company and say "hi there, I'm from your trash collection company, let me into your server room please!" What matters is how the company actually handles these situations which, of course, wasn't actually tested.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    14. Re:complete results? by StormReaver · · Score: 1

      The real news here is "slashdot editors drunk at work, approve spam"

      Obligatory: You must be new here.

    15. Re:complete results? by Joe_Dragon · · Score: 1

      Getting into the building is a long way to being able to walk around anywhere; even better is ducking into the rest room and changing.

      Or even the vending guy can say something about needing a network link to install say a CC reader system / remote control system / etc. Now you do want to save $X /mo by not using the 3g/4g link?

    16. Re:complete results? by gman003 · · Score: 4, Insightful

      Revised headline: "Slashdot editors still drunk at work, approving spam".

    17. Re:complete results? by icebike · · Score: 1

      This article must be a click farm because it sure doesn't have any actual content.

      Of course not, this is slashdot, never link to the target when you can hype some blog instead.

      Actual content at http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

      Upshot: Be suspicious of calls from men, just hang up on women.

      --
      Sig Battery depleted. Reverting to safe mode.
    18. Re:complete results? by BitZtream · · Score: 3, Funny

      They both use Chrome.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    19. Re:complete results? by cusco · · Score: 4, Interesting

      If you're in the building you have physical access to some of the company resources, unless you're very closely watched. One local software company found a wireless access point had been plugged into a network port in a conference room and taped to the bottom of the table so that the network could be browsed from the parking lot or the coffee shop downstairs. They think it was a job applicant being interviewed who planted it. In another janitorial staff plugged a netbook into a port in an empty cubicle, where it sniffed the network for a few days until it was removed and handed off.

      Did you know that your network printer has a hard drive that stores print jobs? Depending on the model that interface can be available via USB, Bluetooth, or even its own WAP. Security on that all-in-one printer tends to be pitiful, many of them run a customized Linux kernel that can run a network sniffer and store the results. So if you don't watch your soda delivery guy you might be losing data.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    20. Re:complete results? by rtb61 · · Score: 1

      What they don't show is why. In any autocratic system failure to show proper obeisance and provide whatever service is required when demanded by a person deemed to be in authority brings the threat of immediate dismissal. The more autocratic, the greater the threat of dismissal and the greater the compliance to any request by authority. So control breaks down security through threat of failure to comply. Where you have less control and greater individual responsibility you strengthen the resolve of those protecting what they perceive as their area of control and power. Next up of course comes loyalty, a two-way street. Companies that show little loyalty to their employees get very little in return, hence "meh, who cares" when it comes to company security. Want secure loyal employees? Then companies had better start being loyal to their employees.

      --
      Chaos - everything, everywhere, everywhen
    21. Re:complete results? by Anonymous Coward · · Score: 1

      Well that STILL isn't news.

    22. Re:complete results? by Anonymous Coward · · Score: 0

      Silly boy, Slashdot hasn't had editors in a very long time. It's just a shell script that hands out the names.

      FTFY

    23. Re:complete results? by Rich0 · · Score: 1

      If you're in the building you have physical access to some of the company resources, unless you're very closely watched.

      Sure, but first you have to get into the building. This was not demonstrated at all. Merely having the name of the trash company doesn't get you inside.

      At my employer if you don't have an ID card that opens a turnstile you need to walk up to the security desk and be registered. If your photo isn't on file they require a government-issued photo ID. So, you'd need to know the name of the trash collector, and not just the name of their employer.

      Granted, stealing an ID probably would be possible. Unless they're closely watching the cameras it would probably be difficult to detect in advance. Of course, when something bad happens they would be reviewing the logs. You're not going to have airtight security unless you have guards inspect every person or use a mantrap/etc.

    24. Re:complete results? by Mister+Transistor · · Score: 1

      Employee-Employer Loyalty (and vice versa) DIED the same day that "Personnel" became "Human Resources".

      Go ahead, you can quote me...

      --
      -- You are in a maze of little, twisty passages, all different... --
    25. Re:complete results? by fatphil · · Score: 1

      I'm even more of a leet haxor, breaking teh lawz - I just printed out a copy of the PDF and gave it to my girlfriend, thus violating the copyright notice on it! Their so-called "copyright protection" is teh w34kest ev4r!

      --
      Also FatPhil on SoylentNews, id 863
    26. Re:complete results? by fatphil · · Score: 1

      But you've got to award DEFCON troll points for the bit of the scoring system that says:
      "Format, structure, grammer, layout, general quality of the report ... 0-50 points"

      50 points for "grammer"! Trolling indeed is a art.

      --
      Also FatPhil on SoylentNews, id 863
    27. Re: complete results? by Anonymous Coward · · Score: 0

      The complete results are here and 25+ pages http://www.social-engineer.org/defcon-21-sectf-report-download/

    28. Re:complete results? by Anonymous Coward · · Score: 0

      Yes, but apparently spelling doesn't have any impact.

    29. Re:complete results? by Anonymous Coward · · Score: 0

      White commercial van, coveralls, nametag, clipboard, tool belt.
      Wear a worn looking hardhat and walk around like you belong there.

      Nobody will even acknowledge your presence, or blink an eye as you walk right in to the datacenter.

    30. Re:complete results? by Anonymous Coward · · Score: 0

      The article links to the entire PDF report, in which the values are given for all flags.

      http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

      You seriously want me to click a link to a pdf document in an article about social engineering?
      LOL

      So, how many slashdot readers' computers have you managed to root so far this morning?

    31. Re:complete results? by motorhead · · Score: 0

      The threat is relative. The points assigned to each were subjective.

      Kind of like "Whose Line is it Anyway?"

      --
      Employee Of the Month - Cyberdyne Systems Corporation - September 1997
    32. Re:complete results? by Rich0 · · Score: 1

      At least at my employer the entire facility is surrounded by a fence, with the only openings being turnstiles that run floor to ceiling, or a manned gatehouse where there is a more traditional turnstile. The only way through that is to either jump it, or have the guard unlock it. Vehicle passage is blocked by a gate - no obstacle if you want to just drive through it, but that would hardly be inconspicuous.

    33. Re:complete results? by dgatwood · · Score: 1

      I wonder if they found out what browser and OS are used at Apple and at Microsoft...

      Exactly. When the answers to half of your questions are blindingly obvious without even asking them, you're really wasting your time. Start asking questions that are an actual threat to corporate secrets, though, and at most companies, the employees will clam up faster than a politician caught with a hooker behind a cheap Vegas strip club.

      Take Apple for example. Let's see:

      • Do you have a cafeteria? Uh, yeah. It's listed on Yelp.
      • What operating system do you use? Three guesses and the first two don't count.
      • What service pack are you running? What the **** is a service pack?
      • What browser do you use? Three guesses and the first two don't count.
      • What mail client do you use? Three guesses and the first two don't count.
      • What antivirus system do you use? Um... dude, it's a Mac....
      • What's your ESSID? Hmm. I wonder if it could be AppleWiFi?

      And so on. These sorts of questions are so innocuous and the information is so easy to obtain by literally anyone in the general public that even the most paranoid person wouldn't try to keep them secret. They don't represent a real-world way to get any further information in anything but the most bizarre scenarios. The interesting question is whether they can then use that information to get something of value. Short of that, this is like screaming that the sky is falling when really a bird just dropped something on your shoulder.

      The fundamental failing here is that these folks naïvely assume everything has to be secret, and that obtaining information at a very low level of trust allows you to take advantage of a slippery slope to obtain information that requires a high level of trust. The reality is quite the opposite when it comes to almost everything on this list. Companies want potential job seekers to know that they have one of the best corporate cafeterias in the area. They want visitors to their campus to be able to use the Wi-Fi network to check their email. They want people to apply on their public jobs website for positions in the cafeteria. And so on. Those needs are fundamentally incompatible with keeping that information secret, period.

      Further, for information that does have to be public knowledge, competent companies take steps to mitigate the damage that the information can do. For example, most companies require you to use a badge to access the corporate cafeteria, vet their new hires carefully, put the Wi-Fi on a public network with no access to internal systems, require you to use a VPN for access to any internal systems, require that confidential information be disposed of in locked metal bins, etc. The fact that those mitigations exist is not a secret (yet the existence of a VPN was one of the "flags"); if your security depends on keeping the mechanism of that security a secret, then it is broken by design.

      In short, if the company is doing security right, then basically nothing on that list of flags is actually of value to an attacker, making this a really silly study.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    34. Re:complete results? by rtb61 · · Score: 1

      Which is exactly where the security went and why social 'engineering' is so effective. Basically in that environment security is for sale.

      --
      Chaos - everything, everywhere, everywhen
  4. Scalability by aaronb1138 · · Score: 1

    Whether the goal is criminal mischief or good old-fashioned corporate espionage, I think we can agree that malware is a lot more scalable than a call center. Of course, there was the beautiful fusion of techniques from various groups based in South-East Asia using Ammyy Admin and similar to effect a social insertion of rapidly propagating malware behind the firewalls. Really, all electronic malice should use a variety of best practices.

    1. Re:Scalability by Anonymous Coward · · Score: 0

      Malware scales well to compromise a large number of nearly indiscriminate low-value targets (criminal mischief). The call center seems more effective in the category of good old-fashioned corporate espionage to my mind. The attacker can change their tactics on the fly.

  5. and the contestants spoofed caller ID, as I do by raymorris · · Score: 4, Informative

    The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.

    This can be very useful for encouraging bad guys to reveal information.

  6. Uh, so what was accomplished? by Anonymous Coward · · Score: 0, Insightful

    It's like handing out a map to rave that is nothing but a warehouse full of from-a-Mexican-hospital body parts. Or was that the exercise? A new low, /.. A new low.

    1. Re:Uh, so what was accomplished? by Joining+Yet+Again · · Score: 1

      Tell me more about these raves.

  7. News at 11 you can get passwords with by ralphaostrander · · Score: 2

    social engineering. How do you spell your name lemonjello hey that spells lemon jello. The password is !!~^!!`^ bang bang tilda high five bang bang tilda high five. Thank alot have a good day.

  8. Apple Scored Badly by mythosaz · · Score: 4, Informative

    Apple scored badly...

    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    ...but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was probably a given at Apple.

    1. Re:Apple Scored Badly by R3d+M3rcury · · Score: 1

      FTFA:

      The two most commonly obtained flags were the browser and OS of the target companies.

      Gosh...Safari on OS X Mavericks?

    2. Re:Apple Scored Badly by mythosaz · · Score: 2

      That information there (OS+ver, Browser+ver) = 50 points.

      "Do you have a cafeteria?" come in 3rd.

    3. Re:Apple Scored Badly by gnasher719 · · Score: 2

      ..but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was probably a given at Apple.

      ... and at GE nobody knew what OS, service pack, browser, mail and PDF program they were using... That's why the score is so low!

    4. Re:Apple Scored Badly by cusco · · Score: 1

      Not necessarily. A lot of people at Microsoft use Firefox and Chrome.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    5. Re:Apple Scored Badly by cusco · · Score: 1

      And I should add they also have Android phones and iPads.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  9. Anyone who had to call Apple by Anonymous Coward · · Score: 0

    to determine what browser and OS they were using needs to get a clue. Any guesses what browser is installed on Google's machines? Did someone contact Mozilla so they could be told they were not using IE 4.0?

  10. Boeing employee here by Anonymous Coward · · Score: 1

    I was really offended when I had to reset my HR password, and instead of a normal password reset routine, they *mailed my plain-text password to me*. Ugh. It's not like the 401Ks, health care, payroll, and other personal info behind that system are important.

    1. Re:Boeing employee here by undefinedreference · · Score: 5, Interesting

      Nothing annoys me more than plain text passwords in emails. Double bonus points if it's a password for something sensitive like my financial information (ex: 401(k), which are among the worst offenders in the bad security department...it's not like they have the largest sum of money in my name, after all).

      The other disconcerting thing (probably the most frightening) is that they sent you your password in plain text. This means that your password is, at most, protected with a reversible cipher and is likely stored with no protection at all. That means if someone broke in (which doesn't even mean a threat from outside is necessary, and there are probably tens, if not hundreds, of people with accounts and/or passwords to get to the database) they could get your password and potentially every one you ever used. Then the real social engineering begins, when they call your bank with all your legitimate information and every likely password for your account in hand... Scary.

    2. Re:Boeing employee here by Anonymous Coward · · Score: 0

      *shrug* it depends on the users. Ours mostly pick crappy passwords and mailing them strong plain text passwords is IMO better, the ones who are smart will change it and/or delete the email. The ones who are dumb will have a strong password and are less likely to have a post it note with the password on their desk.

    3. Re:Boeing employee here by rsborg · · Score: 2

      udr, If you haven't already, pretty please get these companies putting your password on a "sharing" plan identified then slotted, pronto at http://plaintextoffenders.com/ - we need to shame these idiots who abuse our security and apparently feel no downside to doing so.

      --
      Make sure everyone's vote counts: Verified Voting
    4. Re:Boeing employee here by undefinedreference · · Score: 1

      There's a difference between them being generated and sent in an email (which is not exceptionally dangerous because it should be temporal (that is, you force a change when they log in and only allow it to be used within a brief window of time)) and sending you an email with a stored password on request. Don't mistake the two. Again, the implication that they're storing your password with no more than a basic reversible cipher is very troubling.
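As an added example (not code from the poster, Boeing, or any HR system mentioned), here is a minimal Python credential store that keeps only a per-user salt and a one-way PBKDF2 hash, so a stored password can never be mailed back, and that implements the reset flow the comment above describes: a random temporary credential that only works within a short window and only until the user sets a new password. The class name `PasswordStore`, the `TEMP_PASSWORD_TTL` of 15 minutes and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise as hardware allows
SALT_BYTES = 16
TEMP_PASSWORD_TTL = 15 * 60   # assumed: a reset credential is usable for 15 minutes


@dataclass
class Account:
    """What the server keeps: a per-user salt and a one-way hash, never the password."""
    salt: bytes
    pw_hash: bytes
    must_change: bool = False            # set while a temporary reset credential is active
    temp_expires_at: Optional[float] = None


def _derive(password: str, salt: bytes) -> bytes:
    # One-way derivation: the stored value cannot be turned back into the password,
    # so nothing held here could ever be sent back to the user "on request".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._accounts[user] = Account(salt=salt, pw_hash=_derive(password, salt))

    def reset(self, user: str, now: Optional[float] = None) -> str:
        """Issue a random, short-lived temporary password and return it for delivery
        (for example by e-mail). The old hash is discarded; only the temp hash is kept."""
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(SALT_BYTES)
        self._accounts[user] = Account(
            salt=salt,
            pw_hash=_derive(temp, salt),
            must_change=True,
            temp_expires_at=now + TEMP_PASSWORD_TTL,
        )
        return temp

    def _verify(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'must_change', 'expired' or 'denied'."""
        acct = self._accounts.get(user)
        if acct is None:
            _derive(password, bytes(SALT_BYTES))   # same cost for unknown users
            return "denied"
        if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            return "denied"
        if acct.temp_expires_at is not None and now > acct.temp_expires_at:
            return "expired"
        if acct.must_change:
            return "must_change"
        return "ok"

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """'ok' grants a session; 'must_change' should only reach the change-password page."""
        return self._verify(user, password, time.time() if now is None else now)

    def change_password(self, user: str, current: str, new: str,
                        now: Optional[float] = None) -> bool:
        """Replace the credential; accepts a live temporary password or the real one."""
        now = time.time() if now is None else now
        if self._verify(user, current, now) not in ("ok", "must_change"):
            return False
        salt = os.urandom(SALT_BYTES)
        self._accounts[user] = Account(salt=salt, pw_hash=_derive(new, salt))
        return True

    def stored_record(self, user: str) -> Optional[Account]:
        """Exposed so the reader can confirm only salt and hash are ever stored."""
        return self._accounts.get(user)


if __name__ == "__main__":
    store = PasswordStore()
    store.create("alice", "correct horse battery staple")   # constructed sample account
    temp = store.reset("alice")
    print("temp credential (deliver once, expires):", temp)
    print("login with temp:", store.login("alice", temp))            # must_change
    print("changed:", store.change_password("alice", temp, "new passphrase"))
    print("stored record:", store.stored_record("alice"))             # salt + hash only
```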

  11. More details in news release by Anonymous Coward · · Score: 1

    They also break out by flags captured by industry in the press release - http://www.prweb.com/releases/2013/SECTF/prweb11277564.htm

    Top Flags Gathered by Industry
    Heavy Manufacturing
    1. What browser and what version
    2. What operating system is in use?
    3. How long have they worked for the company?
    4. Is there a company VPN?
    5. Is IT Support handled in house or outsourced?

    Technology
    1. Do you block websites? (Facebook, Ebay, etc)
    2. What operating system is in use?
    3. What browser do they use?
    4. Is there a company VPN?
    5. What make and model of computer do they use?

    Consumer Goods and Retail
    1. What operating system is in use?
    2. Is wireless in use on site?
    3. What browser do they use?
    4. What make and model of computer do they use?
    5. What sort of phone system is used?

    Energy, Oil and Gas
    1. What browser do they use?
    2. Who does the food service?
    3. Is there a company VPN?
    4. Do you have a cafeteria?
    5. Is wireless in use on site?

    "Each of these collections of flags, when adjusted for industry, presents a unique opportunity for an attacker to create a plausible pretext allowing them unfettered access to a corporation’s most sensitive information."

    Oof, gotta hurt.

  12. I have observed this for years. Family calls. by anubi · · Score: 1

    I can definitely see where we are primed to be vulnerable to a socially engineered phone call. Piss off a customer, he calls up the chain of command and we have to answer for having poor social skills. Gotta please everyone or we lose our job.

    All someone has to do is mimic someone important, and he gets anything he wants. I think all of us have had the experience of "doing the right thing", or following your instincts of common sense, then paying dearly for doing so.

    There is another kind of phone call that I find extremely frustrating... yet I know no way to deal with it - as any attempt to stop them will result in me losing my job.

    It's social calls.

    Everything is humming along, then my cohort's phone rings.

    "Hello, honey... uh-huh... uh-huh... uh-huh... be right there."

    I gotta go.

    The rest of the day is shot. I can't say a word. It's the phone. That was an important call.

    They are all important calls - and they arrive several times a day.

    Annoys the hell out of me - but then I am single and do not have that kind of responsibility. Matter of fact I do not have a cellphone and rarely answer the land line I have because it is so abused by telemarketers.

    A machine takes the call and I check it occasionally to see if anything actually meaningful came in, which is quite rare.

    Take this with a grain of salt, as I am also one of those INTP perfectionist types.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  13. Ha! It's true ... by TrollstonButterbeans · · Score: 1

    And a very reputable company with the really trusted name of --- TELETURD.COM -- provides such a service including a free trial.

    What a lovely name!

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory

  14. The actual report... by teklarae · · Score: 1

    The actual report of what information was received and summary is on the site of the organizers: http://www.social-engineer.org/defcon-21-sectf-report-download/

  15. This just in... by SeaFox · · Score: 4, Insightful

    If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.

    1. Re:This just in... by Anonymous Coward · · Score: 0

      Since you hired them and hired the person that wrote the procedures and training manuals they follow, you probably deserve a bonus for saving money.

  16. practice? Re:complete results? by Fubari · · Score: 3, Interesting

    Pop quiz: what are the chances that somebody practicing social engineering and penetration testing would place the tantalizing results of this amazing DEFCON exercise just one click away inside of the super-secure never been exploited format known as PDF?
    *shrug* A bit of paranoia seems like cheap insurance.

    1. Re:practice? Re:complete results? by serialband · · Score: 1

      Don't use adobe reader to open the pdf. There's plenty of other readers that don't execute the code.

      Foxit, sumatrapdf, etc...

  17. Mandarin by flyingfsck · · Score: 0

    No problem, I cannot speak Mandarin.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!

  18. Clearly there's no bias by Anonymous Coward · · Score: 0

    "(...) said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc. "

  19. Read the friendly article bozo by Anonymous Coward · · Score: 0

    If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

    At the end of the article is a link to this PDF
    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    Page 8 lists the flags and their point value.

    I find it hilarious that you accuse the editors of being drunk while not properly reading the article, which is a typical slashdot user transgression. The editors could have also linked the PDF though, so I agree they weren't on the ball with this.

  20. Phone calls? by Anonymous Coward · · Score: 0

    I've noticed over the past 5 years (in Finland) that phone calls are going away as a communication medium in the workplace. We use email, Skype chat and other IM, ticketing and version control to communicate. When someone hasn't been reachable for hours or days, a phone call is considered as a medium of last resort. Even then, it is thought of as extremely intrusive.

  21. The bonus flag by guanxi · · Score: 4, Funny

    Can you socially engineer thousands of technically sophisticated Slashdot users into downloading an infected PDF?

    1. Re:The bonus flag by Anonymous Coward · · Score: 0

      You can socially engineer thousands of literally unsophisticated Slashdot users into downloading an infected PDF.

      As long as it's not in TFA and disguised as an obligatory xkcd.

  22. It is not only hackers doing social engineer by ruir · · Score: 1

    Once an American network admin in an African country suggested to me, in very ambiguous terms, that she was making a request from the FBI. And then people wonder why we think American people are dense. If ever anyone says that to you, tell them to sod off and send a written request.

  23. It's stupid to start your comment by Anonymous Coward · · Score: 1

    in subject.

  24. So what exactly makes a truly good pretext? by HaggiStan · · Score: 2
    The full report (pdf linked at the end of the article) repeatedly insists on the importance of the quality of the pretext:
    • "a major difference this year was in the quality of the pretexts employed by our contestants."
    • As in the previous years, part of our contestants' success appeared to have been related to the choice of pretext
    • Our winner this year [...] developed an excellent pretext, and was fully prepared prior to the contest

    On the other hand, the report gives close to no information about what makes a good pretext, aside from mentioning that the best pretext scenarios were usually based on posing as an employee, whereas posing as a student or conducting a survey seems to be less promising for collecting relevant information. What would _really_ have been interesting is some details about how the winning pretexts were constructed.

  25. Women outperform men at social engineering by Grantbridge · · Score: 1

    Did anyone else notice the graph showing the women in the contest outperformed their male counterparts? Women were substantially better at the live call portion of the exercise, but also better during the pre-call information gathering phase.