I’ve spent much of the past two days watching Defcon’s social engineering “capture the flag” contest, and — wow. Every cybersecurity worker should have a chance to observe a social engineering pro at work. It’s like a free theatre performance, but with a scary undertow of “holy &^%!, this guy is strip-mining sensitive technical information from Hewlett-Packard, live.”
I’ll have a feature story coming out next week on CNNMoney about what I saw, but in the meantime, here’s what I learned from watching the best show off their skillz.
-Do your research. Defcon’s SE CTF gives contestants two weeks for “passive” information gathering on their targets — mining any intel they can online, without picking up a phone. Then they have a 20-minute slot at the show to phone the company and go to town.
The most successful hackers compiled extensive dossiers and were able to ask for their intended targets (like store managers and local facilities administrators) by name. They also learned the lingo.
“Are you the LOD today?” contestant J.C. asked as he connected with a Target store manager. Rattling off details about the company’s external supplier software, he knew enough jargon to convincingly pass himself off as a systems administrator from Target’s Minnesota data center (“TTC” in Target corporate-speak).
When one of his questions triggered an alarm bell — the store manager wondered why he was asking her for technical info HQ should already have — he assuaged her suspicions by offering up specifics. “This is store 8761, right?” he asked. (Not the real number; I changed it.) “Yup, you’re the one we’re supposed to check. We need to confirm everything and figure out why this software patch isn’t going through.”
I asked J.C. later how he found the store numbers for his targets — that seemed like potentially sensitive data. Was it something Target makes public? The answer: Nope, but if you look up a location in the “store locator” on Target’s website, the URL for each store includes its number.
-Make your problem their problem: One of the most consistently successful approaches was pretending to be someone from corporate HQ on a troubleshooting mission. You’re a stressed-out IT worker trying to figure out why a software patch isn’t working, and you need details right now on the local office’s computer. Or you’re an internal auditor who got a totally screwed-up security report from an outside vendor and you need to redo it — and you’re not thrilled.
The hackers got their targets commiserating with them. People would go out of their way and bend the corporate policies a bit to help out a colleague in a jam.
-Demand, don’t ask: One first-time competitor got nowhere posing as an outside marketer selling things like software and custodial services — people are quick to shut down sales pitches. Pretending to do a survey, even an internal one, is also a risky gambit. “Do you have time to answer a few questions?” is a question people are trained to shoot down. Most of those I saw try it got stonewalled.
The successful attackers came in with an authoritative tone and politely but firmly demanded compliance. One contestant posed as a high-level Cisco exec and called the fitness center at a campus she said she’d be visiting next week for work. Under the pretext of finding out what workout classes would fit her busy schedule, she also extracted from the gym manager a ton of details about the Cisco campus: What you need to get on the wireless network, where various offices were located, what facilities services are contracted out and what hours those workers tend to be around, and so on.
-Be chatty and make small talk: The more trust you gain, the more your target will be willing to help out. Contestants threaded casual asides into their conversations about their kids, their wives, life in HQ and — for the Saturday crew — the misery of getting called into work on the weekend.
“I’m trying to get out of here to get to my son’s birthday party,” one told a Target worker. Another bonded with a Canadian Wal-Mart store manager by joking about the cross-cultural challenges he ran into with his Canadian wife. One competitor talked up the joys of AT&T’s security training sessions: “I like training sessions. You get free food.”
-Lie big. People who rang up customer service lines and pretended to be confused customers, or called retail stores and said they were doing surveys or checking on specific details — the local cafeteria contractor, the store’s IT systems — tended to capture a few of the details they were after.
Those who posed as internal higher-ups — a manager from the corporate mothership, a network administrator or security analyst from the data center — usually fared better. People are trained to be deferential to authority figures.
But contestant Shane MacDougall, a professional security consultant and last year’s defending champ, blew everyone out of the water by telling the biggest whopper of all. Posing as a Wal-Mart manager of government logistics in Bentonville, Ark., he called a store manager and spun an elaborate tale of an urgent, big contract Wal-Mart was in the running for — some kind of pandemic-planning project the military wanted to work with retailers on. “Don’t know the details, don’t care; all I know is Wal-Mart can make a ton of cash off it,” MacDougall proclaimed.
MacDougall spent 10 minutes setting up his con, dropping details about the project’s last-minute nature, looming deadline and the site visit his Bentonville team would be making in the next few days. Once he had the manager hooked, MacDougall ran through a “pre-visit checklist” of all the technical and operational info he needed to confirm. He nailed every single item on the CTF checklist.
Competitor Erich pulled off the boldest lie — telling a version of the truth. Posing as an AT&T IT security manager, he called several store managers and warned them about an upcoming “social engineering competition at this thing called Defcon.” Their store had shown up on the contest’s target list, he said, and he wanted to give them a heads-up and do a pre-show security check to make sure all of their IT systems were fully patched and up to date.
One suspicious store manager immediately shut down almost all of his questions, saying she wasn’t comfortable disclosing that kind of info on the phone. But the next bought the line and answered a few queries about his operating system, browser and other software before he too got suspicious and cut off the call.
(Update: I later found out that Erich was posing as an actual AT&T infosecurity executive, using his real name. The employee happened to be two rooms away at the time, attending another Defcon session. When he heard about the stunt, he laughed, I’m told.)
-Get lucky: One competitor had a rare success with the “I’m conducting an employee satisfaction survey” line (after a few tries) and found a retail store employee willing to play along. About 10 minutes into her interrogation, a manager walked into the office and overheard the employee giving some unknown caller a rundown on the store’s operations. The call was over seconds later.
“That’s the worst,” a nearby competitor told me. “That’s how calls often end — someone else walks into the room and breaks the trance.” -Stacy