Pro tips from social engineering hackers

I’ve spent much of the past two days watching Defcon’s social engineering “capture the flag” contest, and — wow. Every cybersecurity worker should have a chance to observe a social engineering pro at work. It’s like a free theatre performance, but with a scary undertow of “holy &^%!, this guy is strip-mining sensitive technical information from Hewlett-Packard, live.”

I’ll have a feature story coming out next week on CNNMoney about what I saw, but in the meantime, here’s what I learned from watching the best show off their skillz.

-Do your research. Defcon’s SE CTF gives contestants two weeks for “passive” information gathering on their targets — mining any intel they can online, without picking up a phone. Then they have a 20-minute slot at the show to phone the company and go to town.

The most successful hackers compiled extensive dossiers and were able to ask for their intended targets (like store managers and local facilities administrators) by name. They also learned the lingo.

“Are you the LOD today?” contestant J.C. asked as he connected with a Target store manager. Rattling off details about the company’s external supplier software, he knew enough jargon to convincingly pass himself off as a systems administrator from Target’s Minnesota data center (“TTC” in Target corporate-speak).

When one of his questions triggered an alarm bell — the store manager wondered why he was asking her for technical info HQ should already have — he assuaged her suspicions by offering up specifics. “This is store 8761, right?” he asked. (Not the real number; I changed it.) “Yup, you’re the one we’re supposed to check. We need to confirm everything and figure out why this software patch isn’t going through.”

I asked J.C. later how he found the store numbers for his targets — that seemed like potentially sensitive data. Was it something Target makes public? The answer: Nope, but if you look up a location in the “store locator” on Target’s website, the URL for each store includes its number.

-Make your problem their problem: One of the most consistently successful approaches was pretending to be someone from corporate HQ on a troubleshooting mission. You’re a stressed-out IT worker trying to figure out why a software patch isn’t working, and you need details right now on the local office’s computer. Or you’re an internal auditor who got a totally screwed-up security report from an outside vendor and you need to redo it — and you’re not thrilled.

The hackers got their targets commiserating with them. People would go out of their way and bend the corporate policies a bit to help out a colleague in a jam.

-Demand, don’t ask: One first-time competitor got nowhere posing as an outside marketer selling things like software and custodial services — people are quick to shut down sales pitches. Pretending to do a survey, even an internal one, is also a risky gambit. “Do you have time to answer a few questions?” is a question people are trained to shoot down. Most of those I saw try it got stonewalled.

The successful attackers came in with an authoritative tone and politely but firmly demanded compliance. One contestant posed as a high-level Cisco exec and called the fitness center at a campus she said she’d be visiting next week for work. Under the pretext of finding out what workout classes would fit her busy schedule, she also extracted from the gym manager a ton of details about the Cisco campus: What you need to get on the wireless network, where various offices were located, what facilities services are contracted out and what hours those workers tend to be around, and so on.

-Be chatty and make small talk: The more trust you gain, the more your target will be willing to help out. Contestants threaded casual asides into their conversations about their kids, their wives, life in HQ and — for the Saturday crew — the misery of getting called into work on the weekend.

“I’m trying to get out of here to get to my son’s birthday party,” one told a Target worker. Another bonded with a Canadian Wal-Mart store manager by joking about the cross-cultural challenges he ran into with his Canadian wife. One competitor talked up the joys of AT&T’s security training sessions: “I like training sessions. You get free food.”

-Lie big. People who rang up customer service lines and pretended to be confused customers, or called retail stores and said they were doing surveys or checking on specific details — the local cafeteria contractor, the store’s IT systems — tended to capture a few of the details they were after.

Those who posed as internal higher-ups — a manager from the corporate mothership, a network administrator or security analyst from the data center — usually fared better. People are trained to be deferential to authority figures.

But contestant Shane MacDougall, a professional security consultant and last year’s defending champ, blew everyone out of the water by telling the biggest whopper of all. Posing as a Wal-Mart manager of government logistics in Bentonville, Ark., he called a store manager and spun an elaborate tale of an urgent, big contract Wal-Mart was in the running for — some kind of pandemic-planning project the military wanted to work with retailers on. “Don’t know the details, don’t care; all I know is Wal-Mart can make a ton of cash off it,” MacDougall proclaimed.

MacDougall spent 10 minutes setting up his con, dropping details about the project’s last-minute nature, looming deadline and the site visit his Bentonville team would be making in the next few days. Once he had the manager hooked, MacDougall ran through a “pre-visit checklist” of all the technical and operational info he needed to confirm. He nailed every single item on the CTF checklist.

Competitor Erich pulled off the boldest lie — telling a version of the truth. Posing as an AT&T IT security manager, he called several store managers and warned them about an upcoming “social engineering competition at this thing called Defcon.” Their store had shown up on the contest’s target list, he said, and he wanted to give them a heads-up and do a pre-show security check to make sure all of their IT systems were fully patched and up to date.

One suspicious store manager immediately shut down almost all of his questions, saying she wasn’t comfortable disclosing that kind of info on the phone. But the next bought the line and answered a few queries about his operating system, browser and other software before he too got suspicious and cut off the call.

(Update: I later found out that Erich was posing as an actual AT&T infosecurity executive, using his real name. The employee happened to be two rooms away at the time, attending another Defcon session. When he heard about the stunt, he laughed, I’m told.)

-Get lucky: One competitor had a rare success with the “I’m conducting an employee satisfaction survey” line (after a few tries) and found a retail store employee willing to play along. About 10 minutes into her interrogation, a manager walked into the office and overheard the employee giving some unknown caller a rundown on the store’s operations. The call was over seconds later.

“That’s the worst,” a nearby competitor told me. “That’s how calls often end — someone else walks into the room and breaks the trance.” -Stacy

How to breach corporate security barriers by lying

David & I are heading to BlackHat and DefCon next month to get the latest in-the-trenches war stories from those in the cybersecurity field. One of the sessions I’m most intrigued by is DefCon’s Social Engineering “Capture the Flag” contest, a “game” that dramatically illustrates how hackers use more than just technical skills to get into protected systems.

I first heard about the contest from self-described “hacker for hire” Ryan O’Horo, who mentioned it admiringly in a talk at RSA’s security conference in March. The group behind the contest, Social-Engineer.org, wrote up a report describing its exploits at last year’s DefCon — a report O’Horo likes to use as a wake-up call.

Here’s how it works: For last year’s contest, 14 contestants were each assigned a target company, including Apple, Verizon, AT&T and Oracle. They had two weeks to prowl the Internet for intel about their target, using Google, LinkedIn, Facebook, Twitter, GlassDoor and anything else they could find.

Then came showtime. At DefCon, each contestant had a 25-minute slot to place a phone call to their assigned target and try to trick the respondent into disclosing sensitive corporate details.

Social engineers lie. They pose as a customer, an employee, a vendor — whatever makes them seem credible — and try to extract the information they’re after. Here’s the scary part: It works. Really, really well.

The DefCon 19 CTF report details some of the information the contest’s players were able to get, including technical details on various companies’ systems, employees’ phone numbers and e-mail addresses, and supposedly secret information on internal policies. One company published a PDF manual containing its entire security plan.

The DefCon contest is about raising awareness, not doing anything actually destructive. But in the real world, social engineering — a hard-to-detect threat that tends to be underreported — played a role in several recent attacks. ICS-CERT, a Department of Homeland Security unit that monitors digital threats to industrial infrastructure, put out an advisory in March about phone-based attempts to trick employees from at least two power companies into installing malicious software. The caller posed as a Microsoft representative calling to warn the companies about a virus outbreak.

Earlier this month, CloudFlare CEO Matthew Prince, who runs an extremely security-conscious website optimization service, posted a detailed post-mortem on how an attacker successfully gained access to CloudFlare’s systems and changed a customer’s DNS record. The attacker got into Prince’s personal Gmail account — which had two-factor authentication protection — in part by impersonating Prince and tricking an AT&T customer service representative into redirecting Prince’s voicemail box.

Back to this July’s DefCon, where the Social Engineering group will be staging its third Capture the Flag contest. This year’s version has a twist: Half of the 20 contestants will be men and half will be women.

That surprised me — plenty of women are programmers, but competitive hacking remains an overwhelmingly male-dominated sport. Are there really enough female social engineers out there and looking to play to fill out half of the game’s roster?

Contest organizer Christopher Hadnagy says the recruiting push worked: The team list is full. “This is gonna be a great year,” he told me by e-mail. “In the last two years we have only had 3 women sign up, and 1 compete. So this is an amazing turnaround so far.”

DefCon kicks off July 26 in Vegas, with the social engineering Capture the Flag game running Friday and Saturday. I’m looking forward to following along and filing dispatches on how it goes — and what companies get breached. -Stacy