Smooth-talking hackers test skills on technology titans

Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first “social engineering” contest here challenges hackers to call workers at 10 companies including technology titans Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

“Out of all the companies called today, not one company shut us down,” said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers who unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and salespeople.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

“You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.

“It is much easier to use social engineering techniques to get to the same place.”

Other companies targeted were Pepsi, Coca-Cola, Shell, BP, Ford, and Procter & Gamble.

‘No patch for human stupidity’

The contest, which continues on Saturday at DefCon and promises the winner an Apple iPad, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”

A saying that long ago made it on to T-shirts at the annual DefCon event is “There is no patch for human stupidity.”

“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.

“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

“As humans, we naturally want to help other people,” Hadnagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about “exploiting human vulnerabilities” was available at the social-engineer.org website. – AFP


Glenn Chapman
AFP technology correspondent
