Social engineering has evidently earned a new level of respect from the hacker community: For the first time, this year's Defcon gathering in Las Vegas will feature a contest in which participants compete to gather nuggets of information from unsuspecting target companies -- over the telephone instead of the Internet.
Social engineering has played an increasingly prominent role in effective online attacks. The term itself is a broad one, encompassing everything from the targeted surveillance and information-gathering techniques that early hacking stars such as Kevin Mitnick mastered (and went on to write about) down to the ubiquitous phishing and spam email message.
These days, we hear a lot about the centrality of social engineering in advanced attacks by what we at The 451 Group call "adaptive persistent adversaries." These were the kinds of attacks leveraged against more than 100 Western firms in the so-called Aurora attacks. Much of the press coverage of Aurora focused on the IE vulnerability used to gain access to systems at Google, Adobe, and other companies, as well as on the Hydraq Trojan that siphoned data from them. However, social engineering was a critical -- but overlooked -- component of those attacks: Attackers targeted high-level employees with malicious Web links, and a single click on such a link provided the entry point for the attackers' malware and remote administration tools. The exploit and the Trojan got the headlines, but neither would have run without an employee being persuaded to open the link first.
The potency of social engineering has garnered new respect in the hacker world. Witness: Social-Engineer.org is partnering with Defcon to spotlight social-engineering techniques in the form of a new capture-the-flag (CTF)-style contest.