Slashdot Mirror


Phone Calls More Dangerous Than Malware To Companies

dinscott writes "During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."

17 of 82 comments

  1. Reduce unemployment today! by bob_super · · Score: 4, Funny

    Good morning citizen, this is the brand-new NSA call center...

  2. complete results? by datapharmer · · Score: 5, Insightful

    If those are the complete results, that was a pretty short and piss-poor competition. If "We got the browser and OS" is social engineering, then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam".

    --
    Get a web developer

    1. Re:complete results? by Anonymous Coward · · Score: 5, Funny

      that's not news.

    2. Re:complete results? by TheGavster · · Score: 4, Insightful

      In addition to its brevity, it also implies that 4 times as many "flags" were taken simply from searches of Google, LinkedIn, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".

    3. Re:complete results? by mythosaz · · Score: 5, Informative

      The article links to the entire PDF report, in which the values are given for all flags.

      http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    4. Re:complete results? by mythosaz · · Score: 4, Informative

      When you look at the list of the flags, there's a great deal of them that would just happen naturally in net-conversation. They could get 5+7 points for finding out if they had a cafeteria and then finding out who does the food service. That's the sort of thing every idiot on Instagram takes a picture of every morning while they're blogging about their breakfast. Feel free to get 5 "free" points from LinkedIn if you get an employee's name. Get a few more points if he shouted "Payday, bitches!" on Facebook one Friday afternoon.

      The threat is relative. The points assigned to each were subjective.

    5. Re:complete results? by gnasher719 · · Score: 4, Funny

      If those are the complete results that was a pretty short and piss poor competition. If "We got the browser and OS" is social engineering then my apache logs are 1337 hax0rz. This article must be a click farm because it sure doesn't have any actual content. The real news here is "slashdot editors drunk at work, approve spam"

      I wonder if they found out what browser and OS are used at Apple and at Microsoft...

    6. Re:complete results? by 8tim8 · · Score: 4, Informative

      You're right, the link is to a lame story. However, at the end of the story are the actual results: http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf. That, on the other hand, is full of information and analysis, although they don't provide the specific information that was harvested from the companies, only analysis of the methods employed and the success rates of those methods.

    7. Re:complete results? by gman003 · · Score: 4, Insightful

      Revised headline: "Slashdot editors still drunk at work, approving spam".

    8. Re:complete results? by cusco · · Score: 4, Interesting

      If you're in the building you have physical access to some of the company resources, unless you're very closely watched. One local software company found a wireless access point had been plugged into a network port in a conference room and taped to the bottom of the table so that the network could be browsed from the parking lot or the coffee shop downstairs. They think it was a job applicant being interviewed who planted it. In another, janitorial staff plugged a netbook into a port in an empty cubicle, where it sniffed the network for a few days until it was removed and handed off.

      Did you know that your network printer has a hard drive that stores print jobs? Depending on the model, that interface can be available via USB, Bluetooth, or even its own WAP. Security on that all-in-one printer tends to be pitiful; many of them run a customized Linux kernel that can run a network sniffer and store the results. So if you don't watch your soda delivery guy, you might be losing data.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  3. Re:Caller ID by Sable Drakon · · Score: 5, Insightful

    You do know that caller ID is spoofable right?

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol

  4. and the contestants spoofed caller ID, as I do by raymorris · · Score: 4, Informative

    The report said the contestants did in fact spoof the caller ID. Though some people know it can be spoofed, most people trust it anyway. We're accustomed to fake links in e-mail, we look for that, but we generally assume caller ID is accurate.

    This can be very useful for encouraging bad guys to reveal information.

  5. Apple Scored Badly by mythosaz · · Score: 4, Informative

    Apple scored badly...

    http://www.social-engineer.org/defcon21/DC21_SECTF_Final.pdf

    ...but a good deal of the flag points were given for gathering OS, service pack, browser, mail and PDF program/version information -- which I'm going to guess was probably a given at Apple.

  6. This just in... by SeaFox · · Score: 4, Insightful

    If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.

  7. Re:Boeing employee here by undefinedreference · · Score: 5, Interesting

    Nothing annoys me more than plain text passwords in emails. Double bonus points if it's a password for something sensitive like my financial information (ex: 401(k), which are among the worst offenders in the bad security department...it's not like they have the largest sum of money in my name, after all).

    The other disconcerting thing (probably the most frightening) is that they sent you your password in plain text. This means that your password is, at most, protected with a reversible cipher and is likely stored with no protection at all. That means if someone broke in (which doesn't even mean a threat from outside is necessary, and there are probably tens, if not hundreds, of people with accounts and/or passwords to get to the database) they could get your password and potentially every one you ever used. Then the real social engineering begins, when they call your bank with all your legitimate information and every likely password for your account in hand... Scary.

  8. The bonus flag by guanxi · · Score: 4, Funny

    Can you socially engineer thousands of technically sophisticated Slashdot users into downloading an infected PDF?

  9. Re:Caller ID by Opportunist · · Score: 5, Insightful

    Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?

    People don't care about security. And why should they, it is not their job!

    My pet peeve with security in most companies is that the CSO is trying to take the easy way out: shifting the burden of security onto his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters 'til I have time to ponder something REALLY "secure"). And no writing down! How are you supposed to remember that gobbledygook? Not my problem!

    That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one headache more, especially one headache that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.

    So it's no wonder IT security is seen as some kind of Gestapo and Stasi rolled into one.

    Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).

    You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could. In a nutshell: when a worker faces the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.

    And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.

    Of course, I'm fairly sure the CISO presented him a fully blown sheet of dos and don'ts when someone from IT calls, verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.

    How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.

    Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.