
Page 1 of 32

http://www.social-engineer.com http://www.social-engineer.org






"#$%&'()*+%*,,-.#-+

"#$%&' )*+%*,,-%*+ /&012-, 13, 4'&+ 5,62'16

7,8$#* 9:



;,8$#*<6#$%&'(,*+%*,,-.#-+

=-%11,* >?@
/3-%61#03,- A. B&;*&+?
C A&D,6 EFG#-D&*
5,6,&-$3,-6@ 7&* "3&-0 C )-%$ H&IJ,''



All rights reserved to Social-Engineer.org, 2011

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right
reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission
using any network or other means of communication, any broadcast for distant learning, in any form or by
any means such as any information storage, transmission or retrieval system, without prior written
permission from the author(s).


Table of Contents

Executive Summary .......................................... 3
Primary Findings ........................................... 4
Background and History of CTF Event ........................ 5
Flags ...................................................... 5
Results and Analysis ....................................... 7
Companies Called ........................................... 7
Target Ranking ............................................. 8
Dossiers ................................................... 10
Information Sources ........................................ 10
Calls ...................................................... 17
Targeted Employees ......................................... 17
Pretexts Used .............................................. 17
Defenses ................................................... 19
Industries Targeted ........................................ 22
Corporate Security Spending ................................ [page number not recoverable]
Conclusion and Recommendations ............................. 28
About Social-Engineer.org & Social-Engineer.Com ............ 30
Sponsors ................................................... 32




Executive Summary
Defcon 19 marked the second year that the Social Engineering Capture the Flag event took
place. Dubbed "Social Engineering CTF - The Schmooze Strikes Back", the event built on the
first year's success by expanding the number of companies called, the requirements for the
contestants, and the flags that were sought after.

In approaching the organization of this second year, we wanted to answer some questions
that we were left with after Defcon 18's SE Capture the Flag event. First, is there any
difference between two companies in the same industry regarding defenses against social
engineering attacks? Second, what techniques were effective in eliciting information from
companies, and why? Finally, what defenses were effective in preventing the leakage of
information from companies in the course of the contest?

Last year's event had the goal of raising awareness of how social engineering could be a threat
to companies as well as exposing each company's vulnerabilities. The contest was a
demonstration of the type of attacks social engineering employs in general, as well as
commonly used tactics that social engineers employ. When the event concluded, a report was
generated showcasing the plethora of information gathered by each contestant, including
extracted company information, which could then be used to facilitate an attack. The multiple
high profile hacks that occurred in the summer of 2011 (HBGary, etc.) were all facilitated by
social engineering attacks, validating the conclusions that our report produced after last year.
The focus of this year's report has been to reflect the overall goals of the Capture the Flag
competition. The report focuses on the social engineering techniques utilized by each
contestant as well as the reasons behind why each technique succeeded or failed.
The competition drew a wide range of contestants, from skilled social engineers to unskilled
enthusiasts. Each contestant took part in a wide array of research, which included initial info
gathering, attack vector development, and a twenty-five minute social engineering phone call
placed to his or her assigned target.










Primary Findings
As previously mentioned, the goal of this year's report is to showcase the techniques used and
to demonstrate why they were or were not successful. Industries represented this year
included retail, airlines, food service, technology, and mobile services. By comparing a cross
section of companies from multiple industries, an accurate view of the state of social
engineering effectiveness was obtained. Listed below are the basic statistics of the Capture the
Flag contest.

Number of Companies Called: 14
Possible Flags: [value not recoverable]
Number of Companies with Flags Captured: 14
Days Contest Was Held: [value not recoverable]
Companies Who Put Up Resistance: 4
Employees Who Put Up Resistance: [value not recoverable]

The point values listed above do not always indicate a company's true weakness or strength.
The "X factor" is the skill of the caller and the employee they get on the phone. In this report
we will use data collected during the live call to determine the way the companies handled
the social engineering attack.

The companies that callers had the most difficulty extracting data from were retail-based
companies. Companies like AT&T Stores, Walmart, and those that dealt with customers in
retail settings tended to be more cautious and reluctant to answer questions and inquiries.
Companies that had large call centers or customer support representatives, such as the
airline industry, tech industries, and other such companies, seemed to be the weakest.
Therefore, we can conclude from the calls that security awareness training is less prevalent and
less effective in customer service areas than in retail settings.

Another preliminary finding was that in all cases where the caller asked the target to visit a
URL, even in the cases where there was some reluctance, the target ended up visiting the
URL. The following pages will outline this in greater detail.

Background and History of CTF Event
The team at Social-Engineer.org was invited to run the Social Engineering Capture the Flag
(SE-CTF) event for Defcon 19. The core ground rules of the competition remained the same as
in the previous year, including not collecting sensitive information such as credit card
information, social security information, or passwords. Like last year, we also avoided
sensitive industries such as Government, Education, and Finance. Unlike last year, this year's
announcements were met with surprising support from corporations and the media. What
didn't change was the amazing support from the community.

At the start of the contest contestants were assigned a target company. Each contestant was
given two weeks to use passive information gathering techniques to build a profile report on
their target company. No direct contact between the contestant and the target was allowed
during the information-gathering phase. The information was then compiled into a dossier
that was turned in and graded as the contestant's score. This year each contestant was given a
sample of a professionally written social engineering report as well as a template for him or her
to use in writing the report.

There were three ways contestants could score points during this competition. This year, half
points were awarded for any flag captured during the initial information-gathering phase of
the contest. Contestants were able to obtain many of the flags through this initial phase. The
second phase of the contest took place during DefCon 19. Contestants were allowed 25
minutes to call their target and collect as many flags as possible for full points. Finally, points
were awarded for the style and professionalism of the report.

Flags
The flags were pieces of information based on non-sensitive data pertaining to the inner
workings of a company. Each flag was given a point value based on the degree of difficulty in
obtaining the information. The contestant's job was to develop a believable pretext along with
a real world attack vector that would enable them to obtain as many flags as possible. The
attack was then performed live at Defcon 19 during their 25-minute time slot.








Logistics
Is IT Support handled in house or outsourced?
Obtain information about the badges used
Who do they use for delivering packages?
What time do deliveries occur?
Do you have a cafeteria?
Who does the food service?
Who does offsite backup?
Bonus points for identification of pick up dates
Do they have offsite back up?
How is document disposal handled?
Do you use any kind of authentication token with your passwords?
Do you use disk encryption? If so which type?

Company Wide Tech
What operating system is in use?
What service pack/Version?
What program do they use to open PDF documents & what version?
What browser do they use?
What version of that browser?
What mail client is used?
What version of the mail client?
Fake URL (getting the target to go to a URL)
Can they view flash content?
Ports open outbound?
Do they have an intranet?
Any password construction limitations?

Other Tech
Is there a company VPN?
What VPN software?
Do you block websites? (Facebook, Ebay, etc)
Is wireless in use on site? ESSID Name?
What make and model of computer do they use?
What anti-virus system is used?
Do you use a key fob with a rotating number?
What mobile devices are used?
Are there public terminals open for use?
Is there network access in the conference rooms?

Employee Specific Info
How long have they worked for the company?
What days of the month do they get paid?
Employee termination process?
New hire orientation information?
Employees schedule information - (start/end times, breaks, lunches)
Do they have a PBX system?
What sort of phone system is used?
When was the last time they had awareness training?

Can Be Used for Onsite Pretext
Where do they get copier paper?
What toner vendor is used?
Do you have a cleaning/janitorial service?
What is the name of the cleaning/janitorial service?
Do you have a bug/pest extermination contract? With whom?
What is the name of the company responsible for the vending machines onsite?
Do they have trash handling?
Who handles their trash/dumpster disposal?
Bonus points for identification of pick up dates
What time does the building open/close for the day?
Is there video surveillance of the location?
Is the building protected by security systems at all?
Do you have a 3rd party security guard company? Who is it?






Results and Analysis
Companies Called
The fourteen target companies this year were:
1. Apple
2. AT&T
3. Conagra Foods
4. Dell
5. Delta Airlines
6. IBM
7. McDonalds
8. Oracle
9. Symantec
10. Sysco Foods
11. Target
12. United Airlines
13. Verizon
14. Walmart





Target Ranking
This year it was decided to rank each target based on the following set of criteria.

Online Score (how much information is released online)
Number of flags obtained
Resistance to social engineering attempts
Observed in person - this score is how we felt as a team of social engineers listening to
the call as to the state of this company's security
Visited URL when asked

The highest score a company can get is [value not recoverable]. A ranking of that maximum
would indicate that this company has proven a resistance to social engineering and they have
an online presence that is not leaking information, or that the information found would make
it more difficult for a social engineer to develop usable attack vectors.

A lower score indicated that a company was more vulnerable to a social engineering attack.

[Chart: Rating Index per target company, vertical scale 0 to 50]

The chart above shows some startling statistics. Every company was susceptible to a social
engineering attack with very little effort by a potential attacker.


For a company breakdown on each target company see below:

[Chart: stacked bars per target company; segments are Online Info Leakage, Amount of Flags,
Resistance, Site visited, Observed]

In the above chart, the top light blue bar indicates online leakage and this shows the amount
of data that was leaked through passive information gathering. In other words, the larger the
section, the more information that was found. Also in the above chart, the "Amount of flags"
section indicates the amount of flags the company gave up during the contestant's call.

"Resistance" indicates how much push back the attacker received from the company during
the call. The larger the green bar, the more a company resisted revealing company
information. The "Sites visited" bar indicates the attacker's ability to trick the company into
visiting a URL provided by the attacker. "The observed" is based on our professional
observation during the attack. The better the company did, the larger the blue area you see.

Dossiers
Each contestant was given two weeks to perform passive information gathering on his or her
target using Open Source Information (OSI). The objective was for the contestant to create a
professional dossier the same way a professional social engineer would when entering a
professional engagement. To give each contestant an advantage we provided a sample social
engineering penetration testing report and template to use during their report writing session.
Information Sources
The contestants used many different sources for gathering data on the assigned targets, with a
few sources used by almost every contestant, including: Google, LinkedIn, Facebook and
Maltego.

This list represents the different methods of information gathering the contestants used.

Google Maltego FriendFinder
Bing Twitter PiPl
Bing Images Facebook Plaxo
Google Maps Wordpress Shodan
Google Images Blogspot Telnet
PicasaWeb Whois WGet
Vimeo Tineye Wayback Machine
LinkedIn Monster GlassDoor
Yelp Craigslist Jigsaw
Flickr Spokeo Misc
YouTube 4sq.com Friendster
NetCraft Wikipedia MySpace

The chart below shows how many times each of the information sources was used.


[Chart: number of times each information source was used, horizontal scale 0 to 16. Sources
charted: Google, Bing, Bing Images, Google Maps, Google Images, PicasaWeb, Vimeo, LinkedIn,
Yelp, Flickr, YouTube, NetCraft, Wikipedia, Maltego, Corporate, Twitter, Facebook, Wordpress,
Blogspot, Whois, Tineye, Monster, CraigsList, Spokeo, 4sq, Friendster, MySpace, FriendFinder,
PiPl, Plaxo, Shodan, Telnet, WGet, Wayback Machine, GlassDoor, Jigsaw, Misc]

The content a company chooses to put on its website proves to be critical to overall security.
This is not something that should be handed off to a company's marketing department and
forgotten about. Regular review of published content should be conducted. Companies must
understand that just because content is not linked does not mean it will not be discovered.

This year again showed the importance of LinkedIn from a corporate security perspective and
showed an increase in usage of Facebook over last year. Information leakage via social media
is a difficult problem to solve due to how it is used and the frequency with which it is used in today's
society. Having access to social media from computers and cell phones means that people can
update their accounts instantaneously, from anywhere. The ease with which an employee can
share data can contribute heavily to information leakage.
The contestants were only allowed to use passive information gathering techniques
leveraging Open Source Information from the sites and tools listed above. None of the
contestants were allowed to port scan, visit the company's physical location, call, email, or
contact the company or its employees in any way. Considering that passive information
gathering was the only info gathering allowed, the information found was shocking.

The information below will show potential threats with only passive information gathering as
the source:

Personal Blogs
Information: An employee of one company blogged about very specific IT procedures
involving what social media sites were allowed and which ones were blocked. This employee
then went on to describe how IT procedures were circumvented. This information should not
be posted on the Internet.

Vector: Finding this information would allow a social engineer to know allowed
sites, ports and emails to spoof. For example, if the social media site MySpace is allowed, the
attacker can spoof emails from that site.

Mitigation: Employees should be bound by a Non Disclosure Agreement (NDA) to prevent this
type of information leakage. Security staff should scrape the Internet for offenders and take
action. Awareness of an organization's online presence goes far beyond content that is owned
and controlled by the company.




Information Leaked Via Corporate Website
Information: One company indexed all of their employee information on their website, making
searching for complete company info a breeze. They indexed employee names, titles, email
addresses, phone numbers, and even cell phones. This company also publicly disclosed their
media disposal policies and practices. Finally, this same company published a PDF manual
containing their entire security plan. Every step of their security procedures was outlined for
everyone to read and analyze.

Vector: A potential attacker would be able to outline a very detailed attack. They would know
when and how hard drives and sensitive data are disposed of, allowing for interception. In
addition, having the entire security plan allows an attacker to find the weaknesses without
having to go onsite and risk the potential of being caught while identifying the weaknesses.

Mitigation: Giving this much information to the public is not necessary and should be avoided
by not indexing sensitive corporate data. Knowing when and how hard drives and sensitive
data are handled can allow the attacker to intercept the disposed data. This data needs to be
removed from the corporate website and greater care needs to be taken to not allow for
release of these types of data.

Company Search and Too Much Freedom
Information: Another company had a handy search screen, which located an employee's
phone number, email address (a very serious social engineering tool) and also an open
anonymous FTP server. We assume this was for document dropping, as there was much
content left on this open and free FTP server. The same company's employees had a very large
and public presence across all social networking sites as well as heavy use of Location Based
services such as Foursquare. This allows an attacker to keep very easy tabs on the locations of
employees. Employees were diligent about updating their social media and blog sites with
information that pertained to their work, role, personal interests and hobbies.

Vector: Besides the obvious vector where an attacker could locate employees on the website
and all their contact info, the FTP server could allow for uploading of malicious software. The
heavy usage of social media sites allows an attacker to find usable vectors based on hobbies
and target the right person in the right part of the company for maximum effect.

Mitigation: We recommend strict social media guidelines be put into place that prevent the
employee from mixing social and professional data. In addition, continual education on the
dangers of phishing, scams and social engineering could help employees balance what they
allow out on the web.


Vendor Information Leakage
Information: One company used dozens, if not hundreds, of vendors. Each project they were
involved in was spoken about in extensive detail by these vendors. Not only did they outline
many projects they had going on, but the specific employees and vendors involved as well as
specific engineers involved. Vendors were found to discuss in great detail the technology and
other aspects of the projects they were involved in on their sites.

Vector: A social engineer could use this data to spoof one of the vendors. With detailed
information on projects, it would be much easier to pretext as one of the vendors and gain
trust and build rapport due to that knowledge.

Mitigation: This is a particularly hard one to mitigate. It might require that a company keeps a
list of allowed engineers and anyone who calls from a "vendor" must be verified before
information is given.

Badges and Confidentiality Breached
Information: One company's employees posted very clear pictures to the Internet containing
pictures of their employee badges. The pictures not only showed their badge design, but their
names and positions were clearly visible. A large sample of this company's employees had
extremely detailed personal information readily available. This information included names,
phone numbers, relatives, addresses, etc. During research, a number of confidential
documents were discovered through a simple Google search. A search for "[company]
confidential" revealed 61 pages of documents marked confidential, some of which were
tagged "[company] Confidential - Highly Restricted."

Vector: Of course the obvious is an onsite attack where an employee badge would be very easy
to reproduce with little effort and low cost. The document that was marked confidential
leaked very sensitive data that would give an attacker the information needed to launch many
full-scale attacks.

Mitigation: The mitigations here are obvious but need to be stated. Employees need
regulations within their companies regarding how much information they are allowed to
release on the web, especially information that can identify company property or badges. In
addition, any document that needs to be marked as "confidential" should be protected with a
high degree of vigilance and skill.




Work Orders Lead to Breach
Information: In one instance the contestant found employee resumes posted on the Internet
containing specific technical details and configurations. Employee names were embedded into
PDF documents and posted online. Server names and printer paths were also exposed. In
addition, a massive 60-page document was discovered online for this organization, which
revealed several key pieces of sensitive data such as samples of work orders, logins with
username/password combinations and API documentation.

Vector: Knowing this much detail about a company and their infrastructure will enable the
social engineer to know exactly where and how to attack the organization. Knowing the
username and password combination of employees, of course, opens up direct attacks upon
the company.

Mitigation: Again, the mitigation is more vigilance in protecting sensitive data, as well as
corporate policies that give employees rules for how to conduct themselves with
documentation. Cleaning out metadata from documents that will be posted on the web is also
very important.
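The review steps this report keeps returning to (checking what is published, keeping username/password pairs and server or printer paths out of public documents, and cleaning metadata out of files bound for the web) can be partly automated as a pre-publication gate. The following Python is an added example written for this edit; it is not code from the report or from Social-Engineer.org. The work-order excerpt, the hostnames, the PDF fragment and the detection patterns are all constructed for the example, and a real deployment would extend the patterns with the organisation's own naming conventions.

```python
"""Pre-publication review of documents bound for a public web site (stdlib only).

Flags the kinds of leakage the report describes: classification markings,
username/password pairs, server names and printer paths, contact details,
and author metadata left in PDF files.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str       # what was matched, e.g. "credential"
    line_no: int    # 1-based line in the document text
    excerpt: str    # matched text (secrets are redacted)


# Patterns for text content. The hostname suffixes are assumptions; adapt to your naming.
PATTERNS = {
    "classification": re.compile(r"\b(confidential|highly restricted|internal (use )?only)\b", re.I),
    "unc_path": re.compile(r"\\\\[\w.-]+\\[\w$.-]+"),  # \\server\share style printer/file paths
    "internal_host": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:corp|internal|local|lan|intranet)\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
}
# A username followed within 40 characters by a password; group 2 (the password) is never reported.
CREDENTIAL = re.compile(
    r"\b(?:user(?:name)?|login)\b\s*[:=]\s*(\S+).{0,40}?\bpass(?:word|wd)?\b\s*[:=]\s*(\S+)", re.I)
# Kinds that must block publication; email and phone are reported but left to the reviewer.
BLOCKING = {"classification", "credential", "unc_path", "internal_host"}

# Literal-string entries of a PDF Info dictionary. XMP metadata streams and
# hex-encoded strings are not handled; the rest of the file is left untouched.
PDF_INFO = re.compile(rb"/(Author|Creator|Producer|Title|Subject)(\s*)\((.*?)\)")


def scan_text(text: str) -> list[Finding]:
    """Return every match of the leak patterns, one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, m.group(0)))
        for m in CREDENTIAL.finditer(line):
            findings.append(Finding("credential", line_no, f"{m.group(1)} / ****"))
    return findings


def pdf_info_fields(raw: bytes) -> dict[str, str]:
    """Info-dictionary fields as text; later duplicates overwrite earlier ones."""
    return {k.decode(): v.decode("latin-1") for k, _, v in PDF_INFO.findall(raw)}


def scrub_pdf_info(raw: bytes) -> bytes:
    """Blank the Info strings in place. Lengths are preserved so the xref
    byte offsets stay valid and the file still opens."""
    return PDF_INFO.sub(
        lambda m: b"/" + m.group(1) + m.group(2) + b"(" + b" " * len(m.group(3)) + b")", raw)


def review_document(text: str, raw_pdf: bytes | None = None) -> dict:
    """Combine the text and metadata checks into a publish / do-not-publish decision."""
    findings = scan_text(text)
    meta = pdf_info_fields(raw_pdf) if raw_pdf else {}
    reasons = sorted({f.kind for f in findings if f.kind in BLOCKING})
    if meta.get("Author", "").strip():
        reasons.append("author_metadata")
    return {"findings": findings, "metadata": meta, "reasons": reasons, "publishable": not reasons}


# Constructed sample: a work-order page of the kind the report says was found online.
SAMPLE_WORK_ORDER = """\
ACME Corp Confidential - Highly Restricted
Work order #4471: replace toner in \\\\print01.acme.local\\HR-Laser
Service account login: svc_print password: Winter2011!
Escalate to j.doe@acme.example or call 555-123-4567
Backup host: backup02.acme.local
"""
# Constructed minimal PDF fragment carrying an Info dictionary.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Site Security Plan) /Author (J. Doe) "
              b"/Creator (Microsoft Word) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    result = review_document(SAMPLE_WORK_ORDER, SAMPLE_PDF)
    for f in result["findings"]:
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
    print("publishable:", result["publishable"], "reasons:", result["reasons"])
    print("author after scrub:", repr(pdf_info_fields(scrub_pdf_info(SAMPLE_PDF))["Author"]))
```

The decision deliberately separates blocking findings (markings, credentials, internal paths and hosts) from advisory ones (emails, phone numbers), since a public contact address is sometimes intended; the reviewer still sees both. The metadata scrub keeps every byte offset unchanged so it can run on an existing file without a PDF library, at the cost of not touching XMP streams, which a full pipeline would handle with a proper PDF tool.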

=9#("*+, *6 F*)8-#/('
!"#$%&'()$": 0ne company hau a lot of its sensitive infoimation ievealeu fiom pictuies that
employees anu fans hau posteu on inteinet sites such as Flicki.com. By scanning photos taken,
we can cleaily see bauge uesign, opeiating systems in use, biowseis in use, lanyaiu uesign,
CCTv locations, RFIB scanneis, company vehicles, anu sanitation companies useu. Nany
iesumes weie also an issue foi some companies because many weie founu online, posteu by
cuiient anu foimei engineeis. They cleaily outlineu specific technologies useu.

*+,($%- The ielease of peisonal anu company uata opens the uoois wiue open. Knowing not
just the technologies useu but also what kinu of a job a peison is looking foi can give an
attackei a many usable vectois to collect all soits of peisonal uata as well as uiive taigets to
malicious sites anuoi files.

All the taigets uisplayeu vaiying levels of infoimation leakage. Below is a giaph that outlines
the peicentage of companies that leakeu uiffeient types of infoimation.





[Chart: Target Information Leakage, percentage of companies leaking each type of information,
vertical scale 0.00% to 70.00%]

With close to 70% of the companies leaking some form of sensitive data, it is not too harsh to
say that full-scale social engineering attacks could be launched with little more than the
passive information that was gathered by the social engineers.

Calls
Targeted Employees
This section outlines the areas within the target companies that were used in the various calls.
These areas could be broken down into three main sections: support/customer service, a
retail location, or a sales office.

[Chart: Target Employees, share of calls to Support, Retail Store, Sales]

Support and Customer Service took the largest number of calls. This was the most used area
due to the ease of obtaining information through these channels. Customer Service
representatives are normally trained to be helpful. The "customer is always right" type of
attitude was prevalent and the employees seemed to field a lot of questions.

Additionally, many companies will tend not to invest in much awareness training for high
turnover positions. While the logic behind that is understandable, that decision should be
supported by limiting the amount of information possessed by the employee in that job and
limiting the overall actions that can be taken by these high turnover employees.
Pretexts Used
The pretexts used can be broken down into three main categories - Customers, Potential
Customers and Employees.

The largest number fell under customers, as this pretext allows for a broader range of
questions and conversation. It is easy to use and most companies in this economy want to
please customers to retain them and therefore are more willing to deal with odd questions.

The Potential Customer pretext is also very effective because most companies want to make
potential customers feel special and entice them to come aboard. Giving out little tidbits of
information doesn't feel bad or appear to be a security risk.

The hardest pretext, but also the most effective when performed correctly, is the fellow
employee. A fellow employee is given certain information without even asking, is allowed
into the "inner circle", and is freely spoken to because of inherent trust. We saw this pretext
used more than the potential customer one, which was surprising due to its difficulty level,
but in each case it was used to obtain large amounts of data.

[Chart: Pretexts, share of calls using Customer, Employee, Potential Customer]

In an actual Social Engineering penetration test, the pretext may be more complex and need
more time to build. The contestants are only given 25 minutes to state, build, and make their
pretexts believable. For that reason the pretexts tend to be simpler. In addition, we did not
allow any onsite social engineering, so common pretexts of delivery people, service people, or
support representatives are not applicable to this contest.

Defenses
One of the most important parts of this report is, of course, the level of resistance targets
display to social engineering attempts, and their ability to perceive social engineering
attempts. In addition to the level of resistance, we try to ascertain why there was resistance
and use that data to determine how effective it would be to combat a targeted social
engineering attack. We collected this data by combining what we heard and saw during the
Capture the Flag event as well as the number of calls in which a social engineer met resistance.

[Chart: Resistance Levels, share of calls with Some Resistance, No Resistance, Complete Resistance]

As the chart shows there was absolutely no company that completely resisted, and only a
small fraction showed any resistance at all.

Those who did show resistance did so in only a very small number of ways:

Website Blocking Software
In only a couple of cases did the target state that they tried to go to a URL and could not pull it
up due to being blocked. Although this method did save the target from opening a URL, the
fact is, the employee still tried to visit the URL, showing a willingness to comply. This
willingness to comply could be exploited by a social engineer to get compliance on other
actions that could cause a serious breach. In addition, all the employees that tried and were
blocked complied with other requests.

This is an interesting concept due to the politics that are involved. Often times blocking
access to random sites is seen as negative and bad for company morale. However, the
question must be asked: What web sites are actually required for business purposes? While

this is not an easy question to answer, the benefit that would be gained by deploying systems
that are engineered to simply accomplish company goals and nothing else is obvious. While
costs are higher up front, money is saved in the long run by decreased repair (less happening,
less to break), decreased costs, and increased productivity. The wide spread adoption of
smart phones has, in many cases, provided employees with an outlet for personal internet
use, removing the burden of carrying that traffic on company networks.
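The observation above, that a blocked employee had still tried to open the caller's URL, is itself useful to a defender: a web filter that only blocks throws that signal away. The following Python is an added example written for this edit, not code from the report or from Social-Engineer.org. It parses a constructed proxy log format (the field layout, the "not-on-allowlist" reason string, the user names and the domains are all assumptions) and raises an alert when one user makes repeated blocked requests to an unvetted domain within a few minutes, which is the pattern a live phone-call pretext tends to produce and a natural trigger for a follow-up conversation or targeted training.

```python
"""Turn blocked web requests into a social-engineering signal (stdlib only).

Groups repeated blocked attempts to unvetted domains by user so that security
staff can follow up on the phone call behind them, instead of only blocking.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log format: "<iso-timestamp> <user> <ALLOW|BLOCK> <url> <reason>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>ALLOW|BLOCK) (?P<url>\S+) (?P<reason>\S+)$")

# Assumed reason string marking a domain nobody has vetted, as opposed to a known
# leisure category; the former is the interesting case during a phone call.
UNVETTED = "not-on-allowlist"


def parse_proxy_log(text: str) -> list[dict]:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "domain": urlparse(m["url"]).hostname,
            "reason": m["reason"],
        })
    return events


def find_repeated_blocked_attempts(events: list[dict], window: timedelta = timedelta(minutes=5),
                                   min_attempts: int = 2) -> list[dict]:
    """One alert per (user, domain) whose blocked attempts to an unvetted site
    cluster within `window`; count is the size of the largest such cluster."""
    stamps_by_key: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK" and e["reason"] == UNVETTED:
            stamps_by_key[(e["user"], e["domain"])].append(e["ts"])

    alerts = []
    for (user, domain), stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, (0, -1)  # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        count = best[1] - best[0] + 1
        if count >= min_attempts:
            alerts.append({"user": user, "domain": domain, "count": count,
                           "first": stamps[best[0]], "last": stamps[best[1]]})
    return alerts


# Constructed sample: one user retries an unvetted URL three times in under a
# minute; another hits an ordinary category block once.
SAMPLE_PROXY_LOG = """\
2011-08-05T14:02:11 jdoe ALLOW https://intranet.acme.local/ business-allowlist
2011-08-05T14:03:40 jdoe BLOCK http://acme-support-portal.example/login not-on-allowlist
2011-08-05T14:03:58 jdoe BLOCK http://acme-support-portal.example/login not-on-allowlist
2011-08-05T14:04:30 jdoe BLOCK http://acme-support-portal.example/verify not-on-allowlist
2011-08-05T15:10:02 asmith BLOCK http://news.example/ category:news
2011-08-05T15:30:00 asmith ALLOW https://vendor-portal.example/ business-allowlist
"""

if __name__ == "__main__":
    for a in find_repeated_blocked_attempts(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{a['user']} tried {a['domain']} {a['count']} times "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Category blocks (news, social media) are deliberately excluded, since they are routine and would drown the signal; only domains that nobody in the business has vetted count. The window and threshold are tunable, and the alert carries the timestamps so an analyst can line it up with call records.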

Security Awareness
In a few cases the question was posed as to the level and frequency of security awareness
training at the target company. In a couple of cases the target stated that they had frequent
security awareness training at their company. Even so, the target, or another person at the
company, answered all the requests.

On the surface, this calls into question the effectiveness of awareness training. If these
targets are already receiving training, and there is no noticeable benefit in terms of increased
security, the conclusion is that the training being provided is not worth the money being
spent. However, the issue is more complex than that. While it is certainly the case that better
engineered systems that make it hard for users to do the wrong thing would provide benefit,
we know that is not enough. A well-trained and educated human is worth far more than any
automated system in terms of actual defense.

It is recommended that companies review the structure of their awareness training programs
and how they are actually built. Far too often we have encountered companies whose solution
to awareness training has been simply purchasing an off-the-shelf video package that all
employees must review on an annual basis. If we are honest with ourselves, we know that
what should be "training" becomes nothing more than a tolerated nuisance that employees
get through as quickly as possible, with as little attention paid as possible.

For awareness training to be effective it must focus on the employee's real job and the real
situations they may encounter. When a contestant delivered a pretext to an employee at a
target company, the employee would have had a spark of memory from having encountered
this same, or a similar, situation in their training program. That spark of memory would have
been a clear indicator that something was wrong with the call, and care would have been taken.

Lack of Knowledge
This particular protection method, although mildly effective, is not really a method that
should be promoted. In a few cases the employee's lack of knowledge in certain technological
areas barred the caller from getting the information they sought. Again, this is not a method
we promote as being good, but it is something that should be considered, as it did protect a
very small amount of data from being released.

In many respects this was an implementation of "need to know" applied on an unintentional
basis. The risk of deploying this as a model for defense is that it is quite easy to go too far
and damage the company more than the actual leak of information would.

This balance between security and functionality is critically important. It is not possible to
eliminate all risk from operating a business, and a decision must be made about how much
risk the company is willing to take on. Until this level is set in an organized way, everything
is left to one-off decisions that won't be in line with the actual company goals.

What can we learn from this? Although blocking or monitoring software and security
awareness are good methods of protection, they were not foolproof or consistent throughout
the company. This means that even if 9 out of 10 employees are secure, one still causes a
breach.

What we did not see used at all in our calls were defenses like:
"I have to talk to my manager" or similar scripts, where an employee is encouraged to give
the caller an excuse and pass them off to a person of higher rank. That does not, many times,
mean that person is more security minded, but that pass-off and delay will make some
attackers too nervous to continue.

Additionally, a common tactic used by social engineers is a false time constraint. This leads to
a high-pressure situation where the employee is much more likely to make a mistake because
they cannot think through the problem. A brief pause in the call gives the employee a chance
to catch their breath and analyze the situation without these false time constraints.

Updated Software: In the cases where we were able to obtain the versions of the software
used, we saw things like IE6, IE7, Adobe Acrobat 7 and 8, etc. Updated software can be a great
defense.

It must be remembered that in many cases the social engineering aspect of an attack is there to
enable a follow-up technical attack. By limiting the software in use and ensuring that it is up
to date, the overall attack surface is decreased.


Higher quality awareness training. Out of the companies that had awareness training, only
one seemed to be truly more difficult to infiltrate. Most attackers simply made another call
and found a person willing to give them all the information requested.

Having multiple targets gives the social engineer tremendous power. Completeness in your
defense is critical.

Hang up. Out of the few reps that put up a fight, none simply hung up, regardless of the
pressure put on them by the social engineer to give up data.
Industries Targeted
This year we targeted a very specific subset of industries: technology, telecom, wholesale
foods, airlines, retail, and fast food. We decided to mix up the types of industries to determine
whether the level of insecurity we saw at DefCon 18 would exist across the range of industries
at this year's DefCon.



[Chart: Industries targeted: Technology, Telecom, Wholesale Food, Airlines, Fast Food, Retail]

How did companies compare to each other inside the same industries? Below are charts
showing how each company compared to a competitor in the same industry. The ratings are
based on score minus the SEORG Index rating given above.

The higher the score, the lower the level of security. The goal is to be scored as low as
possible, as a higher score is an indicator of insecurity.

We want to stress that success at obtaining information from a target depends largely on
the person reached and the skill of the caller.

Technology: Apple vs. Dell vs. IBM vs. Oracle vs. Symantec

[Chart: Technology Companies (scores for Apple, Dell, IBM, Oracle, Symantec)]

Overall, Symantec distinguished itself as one of the most secure companies.

Telecom: AT&T vs Verizon

[Chart: Telecom Companies (scores for AT&T, Verizon)]

In the case of the two telecom giants, AT&T was very resistant to our attempts. AT&T openly
defied the caller a few times and even rejected the advances in numerous settings. AT&T's
retail stores were called, whereas Verizon's customer support lines were called. The results
were much different for the caller to Verizon, as shown above.

Wholesale Foods: Conagra Foods vs Sysco Foods

[Chart: Wholesale Food Companies (scores for Conagra Food, Sysco Foods)]

Even though the scores look much different in this one, it is a close match. Both scored in the
mid 400's. Both companies need large-scale improvements to their security policies and
awareness training for employees. They both scored quite high on the rating scale, indicating
a higher degree of insecurity.

Airlines: Delta vs United

[Chart: Airline Companies (scores for United Airlines, Delta Airlines)]

Although the scores look very different, the bulk of the scoring difference comes from the
passive information gathering stage of the competition. That is not to say it is not dangerous;
we just want to point out that the bulk of the insecurity is not due to the calls made or the
individuals called.

Large Retail: Walmart vs Target

[Chart: Large Retail Companies (scores for Walmart, Target)]

Last year, retail proved to be a formidable foe for social engineers at the CTF. This year retail
again showed its strengths. Retail withstood social engineering attempts more readily than
any other counterpart. Even AT&T's great score can be attributed to the fact that their retail
stores were called.

Corporate Security Spending
We do not have access to the budgets and internal documents of each target company, but
through research we were able to obtain things like: number of employees, total revenue,
level of spending on all IT, and the percentage, on average, spent on security.

Armed with this knowledge, we can come up with a general idea of what each industry and
company has spent on security. This includes all security-based spending, whether it is
security awareness, hardware, software, penetration testing, training, or any other avenue of
corporate spending on security.

Below we have created a simple chart to show this corporate spending on IT Security.

[Chart: Security Spending by company, in dollars]

Figure 1: Based on statistics from Gartner.
Figures based on: Gartner IT Key Metrics Data (Dec 2010), Ione-de-Almeida-Tendencias-2011,
http://www.darkreading.com/security/security-management/225701261/index.html and Hoovers.Com

How do these figures compare to their total revenue?

Is there a direct correlation between IT Security Spending and how each company fares
against social engineering attempts?

We cannot state as fact that there is a direct link between security spending and how a
company fared in this competition. What we can say is that companies who spent less appear
to have done worse. AT&T, one of the leaders in this year's competition, also had one of the
highest levels of spending on corporate security. The second highest performing company
was Target, and their budget was half of AT&T's. Overall, IT Security spending (according to
Gartner and Forrester) is about 5% for each company.

We believe there is a more direct relation to the style and frequency of security education
than to the amount spent. AT&T employees boasted of monthly security awareness training,
and the results showed this to be true.

[Chart: Total Revenue by company, in dollars]

Conclusion and Recommendations
Although there were some industries and some companies that stood out from the rest, in
the end all of the companies would have received a failing mark in a real social engineering
penetration test. While there are many conclusions that could be drawn from our results, the
most important is this: there is ample information floating out there that malicious social
engineers can use to target the average company. This information can be put to use by the
average, inexperienced social engineer to devastating effect. This is consistent across all
tested industries, with professional organizations appearing to be the most vulnerable.

What this means is that the barrier to entry for social engineering attacks is very low. Criminal
enterprise is like any other business; return on investment is important. The investment
required for social engineering attacks is far lower than for other attacks, making them the
most likely approach. Due to the lack of attention paid to this threat, there is no indication
that this situation will change soon.

In light of this information you would expect to see companies, especially Fortune 500/1000
companies, regularly conducting social engineering penetration tests and risk assessments.

Sadly, that is not the case. Why?

Many companies have the mentality of "It won't happen to us" or "Our people won't fall for
that." The sad truth is, those are the very people that will and do fall victim to these attacks,
as demonstrated by the contest.

What can be done to correct the situation?

It would be impossible to list all the different things that could be done to rectify the security
situation in these companies, but we wanted to name three things that could be done.

1: Social Media Policies
Companies should carefully plan out how they want to manage their employees' use of social
media. Clear definitions of what is allowed and what is not allowed should be put in place. If
hobbies, vacations, and other parts of personal life are being discussed on these sites,
business should not be mixed in. Guidelines and policies can help employees understand the
risks associated with social media usage. In addition, clearly defined policies on how, where,
and what kind of documents can be uploaded to unsecured areas of the Internet can go a long
way toward safeguarding companies.

2: Consistent, real world education
The lack of quality, consistent, and effective security awareness training was clearly seen in
the results of this year's Social Engineering CTF. In the one company that had monthly
training and awareness, the employees were much more aware of potential threats and
dangers and therefore were more successful at stopping social engineering attacks.

Security awareness training needs to be consistent, frequent and personal. This doesn't mean
that a company needs to plan large events each month, but annual or bi-annual security
reminders should be sent out to keep the topic fresh in employees' minds. There has been
success at making it a "game" where employees compete to find, identify and notify the
proper channels regarding social engineering attempts on the company. Security education
really cannot come from a canned, premade solution. Education needs to be specific to each
company and in many cases even specific to each department within the company.

3: Regular Risk Assessment and Penetration Test
Still one of the most necessary aspects of security is the social engineering penetration test.
When we perform social engineering risk assessments, we identify all areas where a company
is vulnerable to attack. Leaked information, social media accounts, and other parts of the
company are identified, cataloged and reported on. Potential vectors are presented and
mitigations are discussed.

A social engineering penetration test takes things to the next level, where those vectors are
not just written about but tried and executed. The results are used to develop awareness
training and can truly enhance a company's ability to be prepared for these attacks.

These are just three of the many strategies that can be utilized to help maintain security and
prepare for the attacks being launched on companies every day. Our hope is that this report
helps shed light on the threats presented by social engineering and opens the eyes of
corporations to how vulnerable they really are. If you, or your organization, have questions
regarding any aspect of this report please contact us at defcon@social-engineer.org or at the
contact information below.

About Social-Engineer.org & Social-Engineer.Com
Social-Engineer.org was developed to be the authority on the topic of social engineering.

Malicious parties have always been interested in obtaining real return on investment on
attacks. The advent of stronger and more universal protection systems in various networked
systems has increased the cost required to successfully execute an attack against modern
systems. This has caused many attackers to move to a lower cost avenue of attack, namely
targeting people.

Social-Engineer.org has documented the manner in which these tests are conducted to
increase awareness of this increasingly active attack vector. Only by understanding how these
attacks are conducted can we build proper and effective defenses.

Security through education

Social-Engineer.com is the natural progression of all the work that has been produced from
Social-Engineer.org. After creating the world's first web based social engineering framework,
many companies came asking for assistance in social engineering penetration testing, risk
assessments, and security awareness training.

We are preparing to launch the first ever Social Engineering for Penetration Testers course in
March of 2012 and will continue to provide, support, and manage the free newsletter and
podcast that so many companies use.


Sponsors
The Social-Engineer.org CTF event was made possible through the support of the following
organizations:
