Richard Marcinko, founder of SEAL Team Six, believed in hard, realistic training. “The more thou sweat in training, the less thou will bleed in combat” was one of his favorite sayings. He wanted his training exercises to mimic what happens in real life. It seems that a recent contest at Defcon may have been taken from a page of Marcinko’s training manual.
According to an article on The Register, a two-day social engineering contest was set up in which contestants called ten industry-leading companies and tried to trick them into giving up information about their internal networks. Contest organizer Chris Hadnagy, Operations Manager of Offensive-Security (well known for creating BackTrack 4), said, “We assumed that if we can make a person open up their browser, tell us the version of their browser they had, and then visit a website, in essence if we were malicious, terrible hackers, we could have driven them to a site that had some kind of malicious file on it and that most likely the person would have downloaded it and accepted the malicious file.”
Companies including Cisco, Microsoft, Apple, Pepsi and Coca-Cola were called dozens of times, and only three times did the attacker strike out. Contestant Josh Michaels was especially successful in obtaining information from BP Oil. According to the article:
“With just two phone calls, entrant Josh Michaels managed to dupe a computer support employee at BP into spilling details that could have proved crucial in launching a network attack against the global oil company. The information included what model laptops BP used and the specific operating system, browser, anti-virus and virtual private network software the company used.”
Michaels even tricked the employee into visiting a social engineering site. “That was scary,” Michaels said as he hung up the phone. Scary indeed; humans will always be the weakest link in security.
How do you defend against these types of attacks? This is very tough, because humans naturally want to help people in a bind. A policy on giving out system information needs to be written and posted where employees can see it. Having documentation that employees can be pointed to, hosted on a system that is only accessible internally, will help too. Sometimes simply saying that you need to check on something, and asking the suspicious caller for a phone number so you can call them back, will end many social engineering attempts.