
Organizers of a contest to highlight the dangers of social engineering said that employees of some of the top U.S. corporations were eager to cough up private data to contestants, exposing a serious lack of investment in user education about the dangers of scams and other human-focused attacks.
The contest, held Friday and Saturday at the annual Defcon hacking conference in Las Vegas, was organized by social-engineer.org, a nonprofit founded to raise awareness about the dangers of soft attacks that use phone calls, email, and in-person persuasion to target individuals and employees of corporations.
The capture-the-flag-style event allowed contestants to research a list of high-profile target companies, including Microsoft, Cisco, Apple, BP, Shell, Google, Procter & Gamble, Pepsi, Coke, and Ford. The contestants were then assigned to retrieve specific "flags" -- pieces of nonsensitive information, such as the version of a particular operating system in use or the contractor responsible for picking up the firm's garbage.
The results were not encouraging, said Chris Hadnagy, operations manager at consulting firm Offensive Security and a contest organizer. Contestants were able to extract information from every one of the ten U.S. firms targeted, and only a tiny minority of employees contacted by contestants hung up or refused to give up information the contestants were looking for.
To get employees to give up information, contestants posed as journalists reporting a story, researchers conducting a poll, technical support specialists, potential customers, or merely needy strangers. The employees were often surprisingly trusting -- even pointing their Web browsers to the social-engineer.org website at the suggestion of the stranger on the phone, a step that in a real attack would typically deliver a phishing page or malware rather than a harmless site.
"Most people are trusting and really want to help," said Hadnagy. And he said that contestants would have likely had more success in person than over the phone. "It would be even easier in person, because you can use body language and facial expressions to help you gain trust," he said.