Phone Calls More Dangerous Than Malware To Companies
dinscott writes "During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
Good morning citizen, this is the brand-new NSA call center...
If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"
Get a web developer
You do know that caller ID is spoofable right?
Whether the goal is criminal mischief or good old-fashioned corporate espionage, I think we can agree that malware is a lot more scalable than a call center. Of course, there was the beautiful fusion of techniques from various groups based in south-east asia using Ammyy Admin and similar to effect a social insertion of rapidly propagating malware behind the firewalls. Really, all electronic malice should use a variety of best practices.
The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.
This can be very useful for encouraging bad guys to reveal information.
Social engineering. How do you spell your name? Lemonjello... hey, that spells lemon jello. The password is !!~^!!`^: bang bang tilde high five bang bang tilde high five. Thanks a lot, have a good day.
Apple scored badly...
http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf
I was really offended when I had to reset my HR password, and instead of a normal password reset routine, they *mailed my plain-text password to me*. Ugh. It's not like the 401Ks, health care, payroll, and other personal info behind that system are important.
They also break out by flags captured by industry in the press release - http://www.prweb.com/releases/2013/SECTF/prweb11277564.htm
Top Flags Gathered by Industry
Heavy Manufacturing
1. What browser and what version
2. What operating system is in use?
3. How long have they worked for the company?
4. Is there a company VPN?
5. Is IT Support handled in house or outsourced?
Technology
1. Do you block websites? (Facebook, Ebay, etc)
2. What operating system is in use?
3. What browser do they use?
4. Is there a company VPN?
5. What make and model of computer do they use?
Consumer Goods and Retail
1. What operating system is in use?
2. Is wireless in use on site?
3. What browser do they use?
4. What make and model of computer do they use?
5. What sort of phone system is used?
Energy, Oil and Gas
1. What browser do they use?
2. Who does the food service?
3. Is there a company VPN?
4. Do you have a cafeteria?
5. Is wireless in use on site?
"Each of these collections of flags, when adjusted for industry, presents a unique opportunity for an attacker to create a plausible pretext allowing them unfettered access to a corporation’s most sensitive information."
I can definitely see where we are primed to be vulnerable to a socially engineered phone call. Piss off a customer, he calls up the chain of command and we have to answer for having poor social skills. Gotta please everyone or we lose our job.
All someone has to do is mimic someone important, and he gets anything he wants. I think all of have had the experience of "doing the right thing", or following your instincts of common sense, then paying dearly for doing so.
There is another kind of phone call that I find extremely frustrating... yet I know no way to deal with it - as any attempt to stop them will result in me losing my job.
It's social calls.
Everything is humming along, then my cohort's phone rings.
"Hello, honey... uh-huh... uh-huh... uh-huh... be right there."
I gotta go.
The rest of the day is shot. I can't say a word. It's the phone. That was an important call.
They are all important calls - and they arrive several times a day.
Annoys the hell out of me - but then I am single and do not have that kind of responsibility. Matter of fact I do not have a cellphone and rarely answer the land line I have because it is so abused by telemarketers.
A machine takes the call and I check it occasionally to see if anything actually meaningful came in, which is quite rare.
Take this with a grain of salt, as I am also one of those INTP perfectionist types.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
And a very reputable company with the really trusted name of --- TELETURD.COM -- provides such a service including a free trial.
What a lovely name!
Tell me more about these raves.
The actual report of what information was received, and a summary, is on the site of the organizers: http://www.social-engineer.org/defcon-21-sectf-report-download/
If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.
Pop quiz: what are the chances that somebody practicing social engineering and penetration testing would place the tantalizing results of this amazing DEFCON exercise just one click away inside of the super-secure never been exploited format known as PDF?
*shrug* A bit of paranoia seems like cheap insurance.
Can you socially engineer thousands of technically sophisticated Slashdot users into downloading an infected PDF?
Once an American network admin in an African country suggested to me, in very ambiguous terms, that she was making a request from the FBI. And then people wonder why we think American people are dense. If ever anyone says that to you, tell them to sod off and send a written request.
Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?
People don't care about security. And why should they, it is not their job!
My pet peeve with security in most companies is that the CSO is trying to take the easy way out: shifting the burden of security onto his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters 'til I have time to ponder something REALLY "secure"). And no writing down! How should you remember that gobbledygook? Not my problem!
That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one headache more, especially one headache that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.
So it's no wonder IT security is seen like some kind of Gestapo and Stasi rolled into one.
Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).
You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could. In a nutshell: When a worker faced the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.
And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.
Of course, I'm fairly sure the CISO presented him a fully blown sheet of dos and don'ts when someone from IT calls, verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.
How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.
Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
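The post above argues that the help desk should never have to hand out sensitive answers over an inbound call, and that a presented caller ID (which the report says the contestants spoofed) must not be the basis for trust. The following is an added illustration, not code from the thread or from the SECTF organizers, of a small screening policy: identity is established only by calling back the number on file, and the kinds of questions in the flag lists above are never answered by phone. The directory entries and topic list are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample directory: hypothetical users and their numbers on file.
DIRECTORY = {
    "bob.smith": {"dept": "IT Support", "phone": "+1-555-0101"},
    "alice.jones": {"dept": "HR", "phone": "+1-555-0102"},
}

# Topics taken from the SECTF flag categories; a help desk answers these
# only through a ticket handled by trained IT staff, never on an inbound call.
RESTRICTED_TOPICS = {
    "browser", "operating system", "vpn", "wireless",
    "phone system", "computer model", "it outsourced",
}


@dataclass
class Decision:
    action: str                     # "deny" or "callback"
    callback_number: Optional[str]  # number on file, never the presented one
    signals: List[str] = field(default_factory=list)


def screen_request(claimed_user: str, presented_cid: str, topic: str) -> Decision:
    """Decide how an inbound request is handled.

    The presented caller ID is treated as untrusted input: it is logged as a
    signal when it disagrees with the directory, but it never grants access.
    Identity is only confirmed by calling back the number on file.
    """
    signals: List[str] = []
    entry = DIRECTORY.get(claimed_user)
    if entry is None:
        # Nobody to call back; the request cannot be verified at all.
        signals.append("unknown identity")
        return Decision("deny", None, signals)
    if presented_cid != entry["phone"]:
        # Could be a spoofed CID or just a personal mobile; record it, do not trust it.
        signals.append("caller id mismatch")
    if topic.lower() in RESTRICTED_TOPICS:
        signals.append("restricted topic")
        return Decision("deny", None, signals)
    # Even when the presented CID matches, trust comes from the callback.
    return Decision("callback", entry["phone"], signals)
```

Everything that ends in "deny" or carries a mismatch signal is worth feeding to the CISO, for the reason the post gives: the point is to find out why the call was needed, not to punish the caller.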
On the other hand, the report gives close to no information about what makes a good pretext, aside from mentioning that the best pretext scenarios were usually based on posing as an employee, whereas posing as a student or conducting a survey seems to be less promising for collecting relevant information. What would _really_ have been interesting is some details about how the winning pretexts were constructed.
You danced around the edge of it but missed the real issue. The real issue is the fact that the worker is seen as a slacker if they take the time to do things securely. If security isn't a mandate from the CEO and pushed down and invested in hard by the entire management organization, then it won't work. Period. Security has to be everyone's job to work well. That said, it also doesn't have to be (and can't be) overly burdensome, so much of what you said is still accurate.
The real key is that users must have the support of management to take the time it takes to be secure, and processes must make sense so that users see the benefit and the fact that their managers support the process. If you don't have that, they are going to do what it takes to please their manager, not the IT Department, because that is their job.
AJ Henderson
I'm confused, was this a competition about who does fraud best over telephone?
Did anyone else notice the graph showing the women in the contest outperformed their male counterparts? Women were substantially better at the live call portion of the exercise, but also better during the pre-call information gathering phase.
Stated like a true developer.
Which is why it would be better to use the ANI number for Caller-ID instead of a special "Caller-ID" string. You better believe it will be more accurate. The phone wouldn't let people fuck around with the info they use for billing.
Well, I "evolved" out of development. And, frankly, I have to say that I'm probably a better manager than someone who comes from a "pure" management background who tries to lead people who do something he doesn't understand. Likewise, the best CFOs come from bookkeeping and not from some BA background.
There's a reason the CFO is maybe the only person in our management meetings that I truly respect and whose opinion I value at least as much as my own. It's based in experience instead of some management bullshit seminars that have nothing to do with reality.