For the past five years, Chris Hadnagy, Chief Human Hacker at Social-Engineer, Inc., has run an unusual competition at Def Con. Called Social Engineering Capture The Flag, it challenges contestants to gather information on various companies (flags, if you will). This is social engineering: the art of collecting information from targets without having to break into a building or hack a network.
In the first phase, 20 contestants work to get information on target companies from publicly available sources. The last phase is a 25-minute marathon of phone calls in which contestants pump victims for information.
This ranges from the mundane ("Do you have a cafeteria?") to the critical ("Do you use disk encryption?") to the potentially disastrous: tricking victims into visiting fake URLs. This year's competition targeted ten companies, among them Apple, Boeing, and General Dynamics.
Battle of the sexes
"From the beginning we've always made a call for women to join," said Hadnagy. Adopting a "men vs. women" format and actively promoting the role of women in the competition helped bring better parity in the last two years. Hadnagy said that giving women more visibility in the project was critical, and encouraged others to join. "We had more women than we could take this year," he said.
How did women do against their male counterparts? "This year, the women not just won," said Hadnagy. "They obliterated men." Three of the top five slots went to women, and the top scoring social engineer had over 200 points more than the next highest scoring participant.
It's easy to draw a lot of conclusions from this data, but as far as women's success in social engineering is concerned, Hadnagy said there just isn't enough information. "I don't think it proves that people trust women inherently," he said. "The women winning shows something, but we have no data that shows they were women talking to men."
That said, the women had a broad range of scores compared to the men, which was noted in the contest's final report. It said: "variability in [women's scores] may be hypothesised from the fact that they were an extremely diverse group, coming from very different backgrounds and different experience levels."
Men on the other hand tended to hang around the same range of scores with fewer outliers. "Although we ensured diversity as a group, the men tended to be more homogeneous in background and experience level and perhaps this was reflected in the smaller range of scores."
I don't have the information to back it up, but I think this data shows the importance of including individuals from diverse backgrounds in any team. But that's just me.
The information is already out there
The competition's final report may be inconclusive about the role of gender, but it's clear that careful research was critical for the winners. Contestants found a shocking amount of information freely available online, and those with higher scores in the research phases tended to do much better during the actual calling.
In one case, a contestant found a public-facing web portal for employees. Though it was secured with a password login, the contestant discovered that a publicly available help document provided by the target company contained a working username and password as an example. "It's 2013 and we're still seeing things like this," said Hadnagy.
But it didn't take major breaches in security to find most of the information the contestants were seeking. Much of it was available through social media, sometimes posted by individuals who linked their corporate email to a public service. One source of information surprised Hadnagy: "Myspace, believe it or not."
Better and better disguises
Hadnagy also noted that, in addition to open-source information gathering, contestants used much more complex pretexts when calling companies in the final phase of the competition. Previous years saw many contestants posing as survey takers or students writing reports. Hadnagy actively discouraged that approach this year, reminding contestants that they would probably hang up on such calls themselves. "Why would anyone in a corporate environment answer these questions?" he asked.
Those older pretexts are attractive because they are more or less anonymous and carry little risk for the caller. This year, however, more contestants posed as fellow employees or as vendors who work with the target companies. While that approach carries more risk for the caller, Hadnagy said it also brings more trust. "Automatically, contestants were trusted and given information right off the bat," he said.
Contestants' pretexts showed some interesting divergence along gender lines. Of the ten women, nine portrayed themselves as not technically savvy and looking for help from "fellow" employees. All the men in the competition posed as tech experts, and in some cases as CEOs.
Know the threat
While it's interesting to ponder the hows and whys of the competition, the indisputable fact is that ten companies gave up a huge amount of information—either over the phone or posted publicly online. While the information that contestants were after wasn't always inherently dangerous, it does read like a solid first step in a multi-tiered attack. One day you're asking about the cafeteria, and the next day you're asking for logins.
Hadnagy pins the problem on a lack of awareness among employees, usually stemming from poor education by the higher-ups. Training employees to think critically about what they post online and what they say over the phone, said Hadnagy, can pay off with fewer successful attacks.
One of his most intriguing suggestions was that companies not punish individuals who fall for scams, and instead encourage consequence-free reporting of possible breaches. Hadnagy told SecurityWatch that companies that follow these practices are generally better at handling these threats.
Regardless of whether you're part of a company or just an individual at home, knowing about the dangers of social engineering is critical. So the next time someone calls or emails you asking for some help, ask a few questions before you hand over the crown jewels.