In my last post I covered some of the great work the team at social-engineer.org did with their Human Capture The Flag at Defcon this year. What better way to generate awareness about the human factor than to actually show real social engineering attacks live? What is amazing is not that all the attacks were successful, but that everyone was successful even though they had numerous legal and ethical rules and limitations applied, something no real attacker even considers. I asked Chris Hadnagy, the brains behind the event, some questions about the CTF and what he learned. This is what he had to share with the community. The one thing that surprised me the most was the success attackers had against male victims versus female. Sounds like us guys are much easier to sucker.
1. How many people participated and of those how many were successful in getting information?
We originally had about 40 people signed up and we were going to use 30 of them. But with all the press, many of the companies that the contestants work for were very afraid and even a few threatened to fire them if they competed. In the end we lost many of the contestants due to that or just not being allowed to compete. We ended up with 15 contestants. Every contestant that was able to contact a live person was successful at obtaining information.
2. Was there a common method or theme that seemed to be the most effective?
Many contestants used the pretext of a customer or soon-to-be customer calling a call center. One of the most effective methods of getting past objections, even after being told no many times, was to simply ask. Things like, "It would really help me..." or "It would make me feel better if...." Those things worked amazingly.
3. What was the one thing that surprised you the most?
The rules of the CTF made the actual social engineering very difficult. We had legal lines and moral lines and other lines that we imposed... none of which would have been there in a real engagement. So one thing that surprised us is that every contestant that reached a human was successful in obtaining many flags. Another thing that surprised us was how most of the contestants were not professional social engineers and yet they did quite well.
4. What will you do differently next year?
Lots. Lots went right, but there is room for improvement, but we need to review all the results before we can say for sure one way or the other. My work with Offensive-Security.com is what helped me to plan out how this competition would go. We based it on real world penetration tests that we perform. But, next year we need to step up our game, and it will be even better than the first year. We will let the training wheels come off.
5. What was the coolest social engineering hack / kung-fu you saw at your CTF?
We saw a couple things that really stood out. First, one contestant didn't ask any direct questions. He approached the competition by asking indirect questions. Things like, "Are you still using IE 6 or did they get you on 7 yet?" Another one was after a contestant was turned down twice to answer any questions; the contestant said, "If you could help me out, it would make me FEEL better..." and the target gave in and gave up A TON of information. Final interesting fact: we had one contestant boldly say, "I hope I get a female because they are easier to social engineer." Yet out of the 140 phone calls we made that weekend we had only 5 people reject us or not answer questions. All 5 were women. Bravo to the women for being more security conscious.