Hacking: Pretexting and Social Engineering

Friday, September 3rd, 2010

A very interesting article was published by IDG News Service on September 3rd, 2010 by Robert McMillan.

The article was about the outcome of a contest recently hosted by and at Def Con in Las Vegas, NV. If you are not familiar with Def Con, it is considered to be one of the world's premier hacker conventions. It is held yearly in Las Vegas the day after the Black Hat (www.blackhat.com) hacker conference. The Black Hat conference is more oriented towards computer industry network administrators and hardcore computer security types. There is a steep entry fee.

Besides this and many other interesting articles that were generated out of the fruits of Def Con, the conference itself is a very unusual and interesting event. Check it out at www.defcon.com.

Anyway, the contest was to see if conference participants would be able to cold call Fortune 500 companies (in front of the live Def Con audience) and get hold of a person who would give out company information that might help a hacker with a computer or network attack on that company later (read full article). Unbelievable results! 17 major corporations were targeted. 90% of the corporations are household names. The Def Con callers were amazingly successful in getting receptionists, managers and other employees to give up information about things like what kind of web browser they were using, what kind of operating system, what kind of anti-virus, etc. The contest participants were not allowed to ask for things like passwords, etc.

Only one company did not give up any of the information the contestants were told to try and uncover, and that is because the contestant could not get a live person on the line!

The technical name for what the contest participants were doing is “pretexting” or “social engineering”. Hackers will normally deploy some sort of social engineering attack to learn some basics about the target's computer infrastructure. That is why the callers were asking for things like what type of operating system are you using? Afterwards, the hacker can probe the company network to see if the operating system is missing any security patches, and if so, exploit those openings. Any information gained during pretexting can be useful to the hacker.

The most troubling thing is that most of the information was given up by the companies' employees willingly. One of the assigned tasks for the participants was to try to get the company employee to visit a strange website. Most did.

Of the 135 Fortune 500 employees, only 5 refused to give up any information at all. And all 5 were women.

This exercise shows that even companies that take security seriously can become undone by unwitting (or witting) employees who say things and do things that they should not. Receptionists are the front line of defense in the battle against social engineering. A skilled social engineer will extract information by engaging the target in seemingly innocent conversation. You really must see a skilled hacker at work to truly understand how effective someone with knowledge of human nature and some charm can be.

After the event, the sponsors of the competition met with the FBI in Washington DC to discuss their findings. It might surprise you to know that the FBI and the DHS attend many different hacker conventions, to learn, recruit and look out for bad guys (?).

In closing, it is important to remember that the software sales person on the phone asking all those questions might be a sales person or something more sinister. It is a social engineer's job to come across as pure and clean as the driven snow. Please read the article; it outlines preventative measures that some companies deploy on a daily basis.