The results are out from the fifth annual Social-Engineer Capture the Flag (SECTF) contest, which was held during Def Con 22. This year, social engineers worked in tag teams to trick companies into giving up “flags,” or key pieces of information that could be used to penetrate the target company. Unlike bad guys in real life, the contestants did not victimize any companies.
The SECTF report (pdf) includes the results of how well the target companies did; higher scores do not mean the company did better, since a higher score indicates the targets gave up more flags. Lowe’s ranked the best and Home Depot ranked the worst. The full SECTF target company rankings from this year are posted at the top of this article.
“High profile events in the last 6 months are illustrative of the fact that corporations, and specifically retail organizations, continue to be extremely poor at protecting critical information. Unfortunately, this year’s SECTF supported this trend,” stated Chris Hadnagy, President and Chief Human Hacker of Social-Engineer, Inc. “It is hard to overstate how quickly social engineering has gone from an individual issue to an enterprise grade security issue and boardroom priority.” The key, as always, is awareness training.
A social engineer’s work starts well before contestants show up at Def Con, beginning with information gathering. The open-source intelligence (OSINT) tools most commonly used by contestants included: Google, Maltego, FriendFinder, Bing, Twitter, PiPL, Bing Images, Facebook, Plaxo, Google Maps, Wordpress, Shodan, PicasWeb, WhoIs, WGet, Vimeo, Tineye, WaybackMachine, LinkedIn, Monster, GlassDoor, Yelp, Craigslist, JigSaw, Spokeo, YouTube, FourSquare, Friendster, MySpace, Google Images, Telnet, EchoSec, Google Dorks, BackTrack and Kali Linux.
On the plus side, companies may be wising up about posting information online as no teams scored higher on OSINT than during the live call portion of the contest. However, the SECTF report noted some major flubs by companies:
- In one case a major retailer had a subreddit set up that allowed their employees to post and discuss various topics; many posts included sensitive information and led to a deep understanding of the inner workings of this company.
- Another retailer had a document online that outlined the information employees would need to log into their private payment portal. This kind of list provides an attacker a clear path of information to try and obtain for an attack.
- Many companies allowed employees to post pictures of parties, badges, computer screens, break rooms and other various employee-only artifacts to popular social media sites.
- One major retailer actually listed their employee schedule on Instagram. Of course, this type of information would allow for a very personalized attack on staff.
- One contestant found a confidential document with the signature of the CEO.
- One major retailer had posted a document that openly listed their password policy as the first three letters of their company + first three letters of the employee last name and a two-digit code. Of course, this means only 2 digits would need to be guessed for a compromise.
- One major finding was a publicly available instruction manual that contained an actual working username and password for part of the corporate website.
- One contestant found numerous public postings of very disgruntled employees. This is a major threat, as enemy companies/groups would target the disgruntled to turn them.
If you wonder how social engineer contestants convinced employees at target companies to blab specific information that bad guys would use in an attack, then the answer is clever pretexts.
Impersonating internal employees was the most common pretext employed. The report points out that pretending to be a fellow employee successfully takes advantage of “tribe mentality,” meaning “we inherently trust people who are part of our group or tribe.”
Whether or not the company had a wireless network was the most commonly obtained flag this year. That information can be used as an entry point for a technical attack or for eavesdropping on corporate networks. The SECTF report noted, “Every flag was surrendered at least once by the target companies.”
There were only two times this year when a person from the target company hung up or refused to answer any questions. In one case, the contestant called the same company back, and this time a different employee “surrendered all the information” the social engineer needed to make the call a success.
This is just a drop in the bucket, so I highly encourage you to read the SECTF report (pdf) in full.