Pro tips from social engineering hackers

I’ve spent much of the past two days watching Defcon’s social engineering “capture the flag” contest, and — wow. Every cybersecurity worker should have a chance to observe a social engineering pro at work. It’s like a free theatre performance, but with a scary undertow of “holy &^%!, this guy is strip-mining sensitive technical information from Hewlett-Packard, live.”

I’ll have a feature story coming out next week on CNNMoney about what I saw, but in the meantime, here’s what I learned from watching the best show off their skillz.

-Do your research. Defcon’s SE CTF gives contestants two weeks for “passive” information gathering on their targets — mining any intel they can online, without picking up a phone. Then they have a 20 minute slot at the show to phone the company and go to town. 

The most successful hackers compiled extensive dossiers and were able to ask for their intended targets (like store managers and local facilities administrators) by name. They also learned the lingo.

“Are you the LOD today?” contestant J.C. asked as he connected with a Target store manger. Rattling off details about the company’s external supplier software, he knew enough jargon to convincingly pass himself off as a systems administrator from Target’s Minnesotadata center (“TTC” in Target corporate-speak).

When one of his questions triggered an alarm bell — the store manager wondered why he was asking her for technical info HQ should already have — he assuaged her suspicions by offering up specifics. “This is store 8761, right?” he asked. (Not the real number; I changed it.) “Yup, you’re the one we’re supposed to check. We need to confirm everything and figure out why this software patch isn’t going through.”

I asked J.C. later how he found the store numbers for his targets — that seemed like potentially sensitive data. Was it something Target makes public? The answer:  Nope, but if you look up a location in the “store locator” on Target’s website, the URL for each store includes its number. 

-Make your problem their problem: One of the most consistently successful approaches was pretending to be someone from corporate HQ on a troubleshooting mission. You’re a stressed-out IT worker trying to figure out why a software patch isn’t working, and you need details right now on the local office’s computer. Or you’re an internal auditor who got a totally screwed-up security report from an outside vendor and you need to redo it — and you’re not thrilled.

The hackers got their targets commiserating with them. People would go out of their way and bend the corporate policies a bit to help out a colleague in a jam.

-Demand, don’t ask: One first-time competitor got nowhere posing as an outside marketer selling things like software and custodial services — people are quick to shut down sales pitches. Pretending to do a survey, even an internal one, is also a risky gambit. “Do you have time to answer a few questions?” is a question people are trained to shoot down. Most of those I saw try it got stonewalled.   

The successful attackers came in with an authoritative tone and politely but firmly demanded compliance. One contestant posed as a high-level Cisco exec and called the fitness center at a campus she said she’d be visiting next week for work. Under the pretext of finding out what workout classes would fit her busy schedule, she also extracted from the gym manager a ton of details about the Cisco campus: What you need to get on the wireless network, where various offices were located, what facilities services are contracted out and what hours those workers tend to be around, and so on.

-Be chatty and make small talk: The more trust you gain, the more your target will be willing to help out. Contestants threaded casual asides into their conversations about their kids, their wives, life in HQ and — for the Saturday crew — the misery of getting called into work on the weekend.

“I’m trying to get out of here to get to my son’s birthday party,” one told a Target worker. Another bonded with a Canadian Wal-Mart store manager by joking about the cross-cultural challenges he ran into with his Canadian wife. One competitor talked up the joys of AT&T’s security training sessions: “I like training sessions. You get free food.”

-Lie big. People who rang up customer service lines and pretended to be confused customers, or called retail stores and said they were doing surveys or checking on specific details — the local cafeteria contractor, the store’s IT systems — tended to capture a few of the details they were after. 

Those who posed as internal higher-ups — a manager from the corporate monthership, a network administrator or security analyst from the data center — usually fared better. People are trained to be deferential to authority figures.

But contestant Shane MacDougall, a professional security consultant and last year’s defending champ, blew everyone out of the water by telling the biggest whopper of all. Posing as a Wal-Mart manager of government logistics in Bentonville, Ark., he called a store manager and spun an elaborate tale of an urgent, big contract Wal-Mart was in the running for — some kind of pandemic-planning project the military wanted to work with retailers on. “Don’t know the details, don’t care; all I know is Wal-Mart can make a ton of cash off it,” MacDougall proclaimed.

MacDougall spent 10 minutes setting up his con, dropping details about the project’s last-minute nature, looming deadline and the site visit his Bentonville team would be making in the next few days. Once he had the manager hooked, MacDougall ran through a “pre-visit checklist” of all the technical and operational info he needed to confirm. He nailed every single item on the CTF checklist.

Competitor Erich pulled off the boldest lie — telling a version of the truth. Posing as an AT&T IT security manager, he called several store managers and warned them about an upcoming “social engineering competition at this thing called Defcon.” Their store had shown up on the contest’s target list, he said, and he wanted to give them a heads-up and do a pre-show security check to make sure all of their IT systems were fully patched and up to date.

One suspicious store manager immediately shut down almost all of his questions, saying she wasn’t comfortable disclosing that kind of info on the phone. But the next bought the line and answered a few queries about his operating system, browser and other software before he too got suspicious and cut off the call.

(Update: I later found out that Erich was posing as an actual AT&T infosecurity executive, using his real name. The employee happened to be two rooms away at the time, attending another Defcon session. When he heard about the stunt, he laughed, I’m told.) 

-Get lucky: One competitor had a rare success with the “I’m conducting an employee satisfaction survey” line (after a few tries) and found a retail store employee willing to play along. About 10 minutes into her interrogation, a manager walked into the office and overheard the employee giving some unknown caller a rundown on the store’s operations. The call was over seconds later.

“That’s the worst,” a nearby competitor told me. “That’s how calls often end — someone else walks into the room and breaks the trance.”  -Stacy

How to breach corporate security barriers by lying

David & I are heading to BlackHat and DefCon next month to get the latest in-the-trenches war stories from those in the cybersecurity field. One of the sessions I’m most intrigued by is DefCon’s Social Engineering “Capture the Flag” contest, a “game” that dramatically illustrates how hackers use more than just technical skills to get into protected systems.

I first heard about the contest from self-described “hacker for hire” Ryan O’Horo, who mentioned it admiringly in a talk at RSA’s security conference in March. The group behind the contest,, wrote up a report describing its exploits at last year’s DefCon — a report O’Horo likes to use as a wake-up call.

Here’s how it works: For last year’s contest, 14 contestants were each assigned a target company, including Apple, Verizon, AT&T and Oracle. They had two weeks to prowl the Internet for intel about their target, using Google, LinkedIn, Facebook, Twitter, GlassDoor and anything else they could find. 

Then came showtime. At DefCon, each contestant had a 25 minute slot to place a phone call to their assigned target and try to trick the respondent into disclosing sensitive corporate details.

Social engineers lie. They pose as a customer, an employee, a vendor — whatever makes them seem credible — and try to extract the information they’re after. Here’s the scary part: It works. Really, really well.

The DefCon 19 CTF report details some of the information the contest’s players were able to get, including technical details on various companies’ systems, employees’ phone numbers and e-mail addresses, and supposedly secret information on internal policies. One company published a PDF manual containing its entire security plan.

The DefCon contest is about raising awareness, not doing anything actually destructive.  Our in the real world, social engineering — a hard-to-detect threat that tends to be underreported — played a role in several recent attacks. ICS-CERT, a Department of Homeland Security unit that monitors digital threats to industrial infrastructure, put out an advisory in March about phone-based attempts to trick employees from at least two power companies into installing malicious software. The caller posed as a Microsoft representative calling to warn the companies about a virus outbreak.

Earlier this month, CloudFlare CEO Matthew Prince, who runs an extremely security-conscious website optimization service, posted a detailed post-mortem on how an attacker successfully gained access to CloudFlare’s systems and changed a customer’s DNS record. The attacker got into Prince’s personal Gmail account — which had two-factor authentication protection — in part by impersonating Prince and tricking an AT&T customer service representative into redirecting Prince’s voicemail box.

Back to this July’s DefCon, where the Social Engineering group will be staging its third Capture the Flag contest. This year’s version has a twist: Half of the 20 contestants will be men and half will be women.

That surprised me — plenty of women are programmers, but competitive hacking remains an overwhelmingly male-dominated sport. Are there really enough female social engineers out there and looking to play to fill out half of the game’s roster?

Contest organizer Christopher Hadnagy says the recruiting push worked: The team list is full.  “This is gonna be a great year,” he told me by e-mail. “In the last two years we have only have 3 women sign up, and 1 compete.  So this is amazing turnaround so far.”

DefCon kicks off July 26 in Vegas, with the social engineering Capture the Flag game running Friday and Saturday. I’m looking forward to following along and filing dispatches on how it goes — and what companies get breached. -Stacy

61% of Adobe Reader plug-ins are outdated on work computers

IT departments are notoriously slow when it comes to updating their companies’ workstations. But this is just ridiculous.

61% of Adobe Reader plug-ins used by corporate customers were outdated last quarter, according to the latest State of the Web security research report published by Zscaler ThreatLabZ. 52% of Shockwave plug-ins were outdated, as were 41% of Microsoft Silverlight plug-ins.

If other corporate environments are anything like CNN’s, IT administrators put up a firewall, preventing users from downloading certain updates. Rather than call IT every time there’s a Java, Quicktime, Silverlight, Shockwave, Flash, or Reader plug-in updated (you know, every single day), users just ignore those updates.

The problem: most of those updates plug security holes that are being exploited by cybercriminals. So IT departments are really aiding and abetting the destruction their policies are meant to prevent. -David

Goatse Security says iPad hack charges are bogus

Yesterday I reported on the arrest of two men accused of hacking AT&T’s website and harvesting the email addresses of nearly 120,000 iPad owners.

Remember this one? The hack took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole.

That announcement didn’t mention a hack, but it came shortly after tech blog Valleywag posted an expose of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T’s website to harvest the e-mail addresses iPad buyers provided to activate their devices.

Andrew Auernheimer and Daniel Spitler wrote about the classic script kiddie hack on Goatse’s blog. The men said they created a script that randomly guessed iPad ID numbers, and then it plugged those generated numbers into a a script on AT&T’s public site. When it hit a correct one, it would retrieve the user’s associated e-mail address.

Basically, it wasn’t that tough to exploit a gaping hole that AT&T left open. Oopsie.

The FBI took Auernheimer and Spitler into custody yesterday. Both men were charged with an alleged conspiracy to hack AT&T’s servers and for possession of personal information obtained from the servers.

A Goatse rep reached out to me to say the group, unsurprisingly, thinks this is bogus. Here’s the full text of the statement:

"First off, let me say that these charges will not influence Goatse Security in the future. Goatse Security will continue to release its research in an ethical manner.

Goatse Security still holds the position that no criminal act was committed. Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security. The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering of the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously).

Under no circumstances was the data ever made public. It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data had been leaked and this was not a fictitious claim. Had it not been released to the media in the way it was, it would have been swept under the rug and users would never have known.

Auernheimer and Spitler are in our thoughts constantly, and we wish them the best in their court case.” -Julianne

Twitter’s Black Death problem

What was up with Twitter this morning? CNN’s tech team has the scoop here. But in a nutshell, it looks like hackers may have exploited a flaw in the system. When I tried using Twitter this morning, I was met with a black blob of text that obscured my page. It reminded me of the nefarious Death from that video game Gauntlet my brother and I used to play when we were kids. (Elf needs food. Badly.)

The good news is that Twitter fixed the problem pretty quickly. But the bad news is that as Twitter becomes more popular, there may be more issues like this in the future unless the company invests more in infrastructure and beefs up security. Needless to say, those growing pains may make Twitter less alluring as an investment if and when it ever files to go public. - Paul