Slashdot Mirror


Phone Calls More Dangerous Than Malware To Companies

dinscott writes "During the Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."

5 of 82 comments

  1. and the contestants spoofed caller ID, as I do by raymorris · Score: 4, Informative

    The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.

    This can be very useful for encouraging bad guys to reveal information.

  2. Re:complete results? by mythosaz · Score: 5, Informative

    The article links to the entire PDF report, in which the values are given for all flags.

    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

  3. Apple Scored Badly by mythosaz · Score: 4, Informative

    Apple scored badly...

    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    ...but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was probably a given at Apple.

  4. Re:complete results? by mythosaz · Score: 4, Informative

    When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from LinkedIn if you get an employee's name. Get a few more points if he shouted "Payday, bitches!" on Facebook one Friday afternoon.

    The threat is relative. The points assigned to each were subjective.

  5. Re:complete results? by 8tim8 · Score: 4, Informative

    You're right, the link is to a lame story. However, at the end of the story are the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf. That, on the other hand, is full of information and analysis, although they don't provide specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.