DEFCON Contest Exposes Fortune 500 Security Vulnerabilities

Las Vegas, NV – The room is completely packed with guests. Chairs are packed closely together with guests nestled together like sardines. The room floor is littered with bodies, squeezing in, trying to get a close up view of the stage. The back of the room is packed, overflowing, with the door just barely closing.

The room is quiet, silent. The sounds of a telephone is inputted. The phone rings. “Hello, my name is John, and I’ll be your customer care representative today. How may I help you?”

This was one of hundreds of calls placed at DEFCON 18. The contest objective: Social Engineering.

Social Engineering is the act of manipulating a person, whether it be building a rapport or using another aspect of their relationship to divulging sensitive, and confidential information. Sometimes computers and networks have been secured so well they can not be compromised. However, as the old adage goes, the problem lies between the keyboard and the chair. The human component is usually the weakest link.

Contestants were given 25 minutes to make phone calls, in a room filled with a huge audience, to gain selected pieces of information.

This year’s social engineering contest faced a series of uphill battles and challenges. First came from many of the Fortune 500 companies who were quite alarmed at being potential targets. These companies alerted the FBI, who in turned started asking many questions with DEFCON and the organizers of this contest. After many lengthy discussions, and having the FBI walk with them through the process the last three months, the FBI, in a sense, gave their blessing.

“The FBI said ‘We won’t endorse you, but we also will not step on your first amendment rights'” said Christopher Hadnagy, operations manager for Offensive Security, a training and penetration testing company. “They were valuable partners in making this weekend possible, and they pointed out the GLBA (Gramm-Leach-Bliley Act) laws (which made pretexting financial institutions illegal). Without them, we’d probably be up the creek this weekend.”

The second of many challenges came from space in the room. This year marks its second appearance of social engineering in a contest format, but the room was overflowing at times. There were times where, regrettably, people had to be turned away on fire safety. Christopher briefly mentioned Saturday that the DEFCON management look forward to bringing them back, and hopefully in a bigger venue.

The last of many challenges hit contestants. Many employers threatened write ups, and severe reprimands if they participated n the contest. One employer gave their employee a pink slip, threatening that if they returned on Monday, that slip would be signed.

Contest Time
Over a period of two days, each contestant targeted a specific company they were assigned. The companies include: Cisco, BP, Shell, Apple, Microsoft, Oracle, Google, Proctor and Gamble, Pepsi, Coke, Ford Motors, Symantec, McAfee, Phillip Morris USA, and Wal-Mart. In all, 15 companies were targets of social engineering. Their assignment was to gather specific information. Normally, social engineering would be a free for all gathering of information, whether it be usernames, passwords, or other sensitive information that could be used to compromise critical information systems. However, the intention of this contest was not to create panic, incident-reports, write-ups, firings or problems. It was simply to create awareness about the vulnerabilities of social engineering.

“The point isn’t to shame anyone. It’s to bring awareness to this attack vector, which is probably the easiest way to hack a corporation today,” said Mati Aharoni. “We really don’t want to see anyone get harmed or get in trouble.”

For the purposes of this contest, contestants were restricted and prohibited from asking certain kinds of questions, such as information that would violate laws. Furthermore, contestants were given a specific set of ‘target information’ in which they were given points to if the information was successfully achieved.

They include:

  1. Do they do IT support in house?
  2. Do they have trash handling?
  3. Who handles their trash/dumpster disposal?
  4. How is the document disposal handled?
  5. Do they have offsite backup?
  6. Who does offsite backup? (Bonus Points for dates of Pick Up)
  7. Employee Schedule Information (Start, End Times, Breaks, Lunches)
  8. Do they have a VoIP based phone system?
  9. Employee Termination Process
  10. New Hire Orientation Information
  11. Getting them to visit
  12. What operating system is in use?
  13. what service pack is installed?
  14. what mail client is used?
  15. what version of mail client is used?
  16. What antivirus solution is used?
  17. What toner vendor is used?
  18. Where do they get copier paper?
  19. What is the make and model of the computer they use?
  20. Is wireless in use on site?
  21. ESSID name?
  22. What days of the month do they get paid?
  23. How long have they worked for the company
  24. What do they use for delivering packages
  25. What time are deliveries done?
  26. What browser do they use?
  27. What version of that browser?

The verdict and conclusion: 100% success rate. Pwned.
The results were astonishing, especially the tools utilized to build a corporate profile. Common applications such as Facebook, LinkedIn and Google Maps were used to acquire a wealth of information that could be utilized against a company. Even a simple Google search itself provided nuggets of information. Building a proper search string led to users to being able to locate PDF documents containing information needed.


Fixing the Human Factor:

During a followup call with Chris and his team, we learned that a few companies approached Offensive Security to build a comprehensive Social Engineering Education program, however the vast majority were unusually silent.

What’s next? Well, should DEFCON invite Chris back, the social engineering capture the flag will return with a brand new competition.



About ManagerJosh