Earlier this month, more than 10,000 hackers and security experts descended upon the Rio Hotel in Las Vegas for the 19th annual DefCon conference. Each year, this group of infosec aficionados gather together to trade information on hacking, connect with companies looking to hire talented hackers and share stories meant to reinforce reputations of hacker icons. Like any conference DefCon includes presentations and casual conversation, but insight into the power of hacking is also provided by contests that are held each year as part of the conference.
Capture the Flag
One of more entertaining contests at this year’s DefCon conference was a social engineering version of Capture the Flag. Each social engineering participant is sent a dossier with the name and URL of their target company chosen from the pool of submitted names (These names are submitted by the company who as indicated that that are willing to be a target in this game).
The goal is to gather points for information obtained and plan a realistic attack. A list of flags (goals) will be provided, and points will be awarded for discovered items. The winner selection is based on the number of points scored.
Targets asked to participate were all high profile, prominent companies and the flags were a mixture of physical, HR, and IT related information with varying point values. (It is important to note that one of the rules of the game prohibits the disclosure of any information obtained during the game.)
Phat32, last year’s winner, provided summary of his wining efforts. This turned out to be a wonderful case study in social engineering at its best (or worst, depending on your view).
What We Can Learn
Phat32 chose to focus on the IT flags in this “Capture the Flag” game. His reasoning for this choice was:
“… concentrating on a single type of flag allowed for a more smoothly flowing conversation rather than trying to jump back and forth from physical to HR to IT questions. Part of what makes a pretext convincing to other people is how much you believe it yourself. In becoming this person you’re portraying, you add the emotional filler that’s often missing when someone is just faking it. By focusing on the IT flags, I was able to leverage my own IT experience (good and bad) and present a convincing pretext during my call.”
Note phat32’s ability to convince himself as well as his target that his requests for information were legitimate was essential.
Phat32 also did a great deal of research on his target. His thoughts on this included:
“The more inside information you can provide, the more plausible that you are who you say you are.”
“Social media was helpful when I found postings from former employees describing their experiences working for the target (good and bad). This type of information is valuable for understanding the corporate culture and how current employees may feel about the company and their work environment. For example, if you see a common theme about harsh working conditions, you can leverage this in your pretext by expressing a similar dissatisfaction with your own employer. Sharing this with an employee of the target presents a common point of emotional experience and commiseration.”
“Searching the target company’s job postings was another valuable source of information. By reviewing the job postings, I gained a sense of what skill sets they were looking for and subsequently, what type of technology was in use (OS, hardware platforms, etc). For example, a posting for System Administrator with strong skills in Red Hat tells you something about the platform of Linux they work with. This works for learning about applications and even the physical and logical structure of their networks (data center technicians, global sites, stringent uptime requirements, Senior skills needed due to complex routing or specialized equipment, etc.).”
Phat32’s summary of his attack methods included the following advice:
First, know the target and do as much research as possible so as to understand the target company.
Second, know your own capabilities—you need to be proficient in the field in which you are looking to gather data so that you can appear to be the person the target expects you to be.
Finally, prepare yourself for the target company contact. Your story needs to support your pretext and head towards your data collection objectives.
Though Phat32 and other DefCon hackers participating in this contest might make social engineering look easy, it is important to remember that like any other discipline, social engineering requires skill, experience and work in order to be successful. A BS artist who is depending only on his skill at conversation will sound like a BS artist—knowing what to look for will help you know when to call BS should your company become a less-willing target in someone’s unsolicited social engineering game.
When it comes to the security of your business, social engineering isn’t the only threat. Want to learn more about how you can protect your customer and company data? Sign-up to receive our need-to-know security tips for your business.