In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.
Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women who gave up zero data to the social engineers.
Computerworld reports, “Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.”
Contestants had twenty minutes to call unsuspecting employees at the target companies and obtain specific bits of (non-sensitive) information about the business for additional points. Participants were not allowed to make the target company feel at risk by pretending to represent a law enforcement agency.
The players extracted data that could be used to compile an effective “attack,” including “information such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.”
Social engineering is the most effective way to bypass any hardware or software systems in place. Organizations can spend millions on security, only to have it all bypassed with a simple phone call.
The players in this game were all men. Maybe the women didn’t give up any data because they were simply untrusting. It could be that the women were properly trained in how to deter social engineers and protect company data over the phone. Or maybe the women simply paid attention to their sixth sense, and felt they were being conned.
Any time the phone rings, a new email comes in, someone knocks on your door, or visits your office, question those who present themselves in positions of authority.
Don’t automatically trust or give the benefit of the doubt.
Within your home or business, communicate what can and can’t be said or done, or what information can or cannot be provided.
Keep in mind that when you lock a door, it’s locked, but it can be opened with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face to face, with a cynical eye for a potential agenda.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- Stealing Secrets: Telling Lies Over the Phone
In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get
- Hackers Play "Social Engineering Capture The Flag" At Defcon
Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees
- Top 5 Business Security Risks
1. Data Breaches: Businesses suffer most often from data breaches, making up 35% of total breaches. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutes. Even if you protect your PC
- How Hackers use LinkedIn to Scam
Hackers love LinkedIn because it links them in—straight through the portal of the targeted company. Geez, how much easier could this be, what with all the publically-exposed e-mail addresses of key players (and also worker bees) in big companies that someone wants to hack. An article on blog.sungardas.com was written by a white-hatter (his job is
- Pokemon Go a Network Malware Nightmare
Pokémon Go has taken the world by storm, even though it is nothing more than a silly little game that people play on their mobile device. And it is not just child’s play, either. Plenty of adults are hooked on Pokémon Go—including college degreed professionals who conduct business on company owned devices as well as
Leave a Comment
You must be logged in to post a comment.