why hack when you can just ask?

At this past summer’s Def Con hacking convention, the folks at www.social-engineer.org decided to run a “Capture the Flag” competition to highlight the risks posed by social engineering, the art of extracting information from employees in order to make hacking a company’s systems or processes easier.  The test was run under a number of constraints; participants were not allowed to ask for passwords, credit card numbers and the like, due to legal concerns.  Instead, they were tasked with finding out things like the target companies’ operating systems in use, PBX vendors, VPN equipment, payday dates, trash handling and the like.  A total of 15 companies were targeted for open source research and follow up calls.  The results?

  • 14 out of the 15 companies provided one or more of the requested pieces of information.
  • Only 7 companies gave the attackers any resistance to answering the questions they were asked.
  • Out of 135 calls made, only 11 individuals put up any resistance to answering the attackers’ queries.

Some interesting (and depressing) take aways from this report…

Most employees offered no resistance to the attackers’ requests for information. Those that did offer resistance could often be persuaded to give up the goods with a little more conversational kung-fu on the part of the attacker.  Of course, it is possible that the contest’s rules against asking for really sensitive personal information like passwords and credit card numbers may have come into play here.  I would think that the employees would have put up a bit more of a fight if the information being asked for was perceived to be more valuable.  This being said, getting information of low perceived value can help the attacker build a more convincing cover story for later attempts to get to the crown jewels.

Eighty percent of employees called were willing to visit a web address supplied by the attacker. This is pretty disturbing, as it provides the attacker with a great way to collect information about victims’ computers and to install targeted malware on vulnerable interesting systems.

In many cases, the only thing that stopped an attacker from getting a particular piece of information was the employee’s ignorance  or the fact that they were too busy to continue the call. In some cases, employees went out of their way to try and find the information in order to be helpful.  The fact that many of the people called worked in customer or employee facing call centers seemed to work in the attackers’ favor – after all, the call center exists to be helpful.

Attackers calling to ask “survey questions” were able to extract information from their victims pretty consistently.  The context of a survey allows the attacker to ask a series of questions and when the call is delivered in an engaging manner, the employee can be coaxed into providing lots of information.  Security awareness programs should include periodic reminders that employees should not provide answers to questions posed by callers “as part of a survey.”  At my office, I ask employees to transfer these types of calls to Security so we can mess with them.

Ex-employees can also be a source of information about your company.  An attacker armed with a list of recently departed employees could gather information by calling them posing as an employment recruiter.  In this context, asking questions about systems and processes can seem innocent.  It is important to have confidentiality agreements in place with employees and to remind them of their continuing obligations under those agreements after they leave the company.

While this contest was limited in its scope and realism (due to the limits on what could be asked for), I would recommend reading the report to get an idea of what we security professionals are up against.  In these times of limited or shrinking budgets, closing up the security holes that result from human behavior can be a very effective – and cost effective – way to protect our organizations.  Let your employees know about the threat of social engineering attacks and give them a procedure to follow when a call gets suspicious (like having them transfer the call to Security).

Let’s make the hackers work a little bit, folks!

why hack when you can just ask?