Hacking Layer 8 - Wetware

Thursday, July 22, 2010

Ron Baklarz


In Robert Siciliano's Infosec Island post of July 13, 2010, he discusses the hacker hijinks planned for the upcoming Defcon conference: a capture-the-flag social engineering contest.

http://www.infosecisland.com/blogview/5294-Hackers-Play-Social-Engineering-Capture-the-Flag-At-Defcon.html

Apparently, this contest has caused a great deal of angst in the community according to yesterday's article on www.csoonline.com by Senior Editor, Joan Goodchild.

http://www.csoonline.com/article/600163/defcon-social-engineering-contest-stirs-concerns

One can certainly see this train wreck coming, with the potential for company names to be plastered all over the Internet alongside the embarrassing results of their social-engineering-induced data leakage.

The contest is being coordinated by social-engineer.org, a web site and team dedicated to "discuss new and innovative ways to tie social engineering into your skill set". Because of the concerns raised over the contest, Chris Hadnagy of social-engineer.org issued the following statement:

"The contest is structured to be good, clean fun. Our goal is to show how much information companies may inadvertently divulge to individuals making regular, legal inquiries using normal channels of communication," the statement reads. "The type of information we will be asking for will be things like the number of restrooms in the building, and the sort of candy that sells out from the vending machines first."

Ms. Goodchild's article goes on to say:

Officials at social-engineer.org said they have been working with attorneys at the Electronic Frontier Foundation to ensure that the rules make clear to contestants that their game play must be lawful.

Among the rules:

  • Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
  • Contestants may not attempt to falsify or falsify employment records;
  • The list of target organizations will not include any financial, government, educational, or health care organizations;
  • Contestants must keep it clean, for example, use of any pornography is banned.

Now, I applaud Mr. Hadnagy and the social-engineer.org team for filling a void in our cyber-arsenal by addressing this often overlooked and underappreciated aspect of the threat matrix.

I would urge you to visit their website (http://www.social-engineer.org/). I am now a huge fan and they have great information available on the site. However, I have to admit that the very idea of this contest creeps me out and we will have to wait and see how this plays out in the end.

Rod MacPherson: It may be kind of creepy, but hopefully this contest will bring a little attention to the often forgotten fact that a major weakness in most networks is the people.
It doesn't matter how much technology you buy if you forget to train ALL of your staff to recognize and neutralize social engineering.
PCI-DSS calls for basic physical security needs, such as a way to quickly and easily discern who has a right to be in an area where cardholder data might be obtained, and why (are they staff or visitor? or are they trespasser?).
This is the starting point for securing against social engineering, and too many places don't yet get this far. PCI-DSS also calls for at least annual security awareness training. How many employers don't yet have this? ...I'd say more than you'd like to think. A little bit of high profile poking and prodding should help to bring this to the front of people's minds and make these issues a higher priority.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.