Big Firms Flunk Social Engineering Test

Wednesday, August 11, 2010 @ 06:08 PM gHale


Security is not just about technology; it also deals with people, and the social engineering contest on the second and third days of this year’s edition of Defcon showed one of the potential weak links in the security chain.
While no financial information, personal data, passwords or other sensitive information was a part of the contest, it succeeded in its goal of showing just how much information someone could collect using social engineering tactics.
All ten targeted companies (Google, Microsoft, Apple, Cisco, BP, Shell, Ford, PG&E, Coke, and Pepsi) “failed” the test. “Not one company shut us down, although certain employees within the company did. But we (participants) were able to call right back and get another employee that was more willing to comply,” said Christopher Hadnagy, developer and community member of Social-Engineer.org (the organization that made the contest happen) and operations manager with Offensive Security, a penetration testing company that also offers training in that department.
Social-Engineer.org plans to release a report in a couple of weeks, in which they will reveal the results and details of the specific attacks. For now, they will not reveal which companies fared worse than others in the contest.
They did say that out of some 50 employees approached via phone by the contestants, only 3 became suspicious and terminated the call without divulging any information.
Among those who failed to recognize the calls for what they were, some even shared software version numbers with the attackers when prompted, something that would allow criminals to tailor further attacks to exploit known and unknown vulnerabilities in the software.


