News24

Smooth talk a slick hacker tool

2011-08-08 07:26

Las Vegas - Hackers at DefCon have long understood that there is no patch for human stupidity.

Skills honed by software renegades at the renowned hacker gathering that ended on Sunday included the art of talking workers into revealing information that can be used to crack into computer networks.

A "Schmooze Strikes Back" contest challenged hackers to test their "social engineering" skills on companies such as Apple, Oracle, Symantec, and Walmart. The contest debuted at the annual DefCon gathering in Las Vegas in 2010.

"The results are worse than they were last year," said Chris Hadnagy, a social engineering specialist running the contest.

"From what we found, we would own every one of these companies."

Hackers were able to talk workers at various companies into disclosing anything from the versions of software used in networks to who provided cafeteria food service.

Knowing specifics about software in company computers lets hackers figure out weaknesses to exploit, and sharing operational information could enable someone intent on corporate espionage to sneak into facilities.

The most effective ruses involved calling companies and posing as a potential customer out to be reassured about the safety of doing business together, according to Hadnagy.

Pretending to be calling from another department in a company, or a remote technical support team, proved to be another effective tactic for hackers.

Retail operations were consistently harder targets, possibly because they are more accustomed to interacting with customers, according to Hadnagy.

"Women seemed to be more security conscious," he said of the contest findings, which will be published in a report later this year.

"We call back and get a guy on the phone and we get everything we want," continued Hadnagy, who runs the social-engineer.org website.

Comments
  • ihatum - 2011-08-08 08:06

    Interesting. You can build firewalls around your systems but the weakest link is the human factor. Hence the importance of security training for all staff including support staff like cleaning etc. Know how much information one can get from waste bins?

      Julian - 2011-08-08 08:26

      Absolutely true ihatum. Dumpster Diving is a known technique. I'm based at a bank, and confidential documentation has to be shredded. There are even special bins to put the docs for shredding.

  • Johan van Zyl - 2011-08-08 08:08

    OMW!

  • Christo - 2011-08-08 08:17

    Brilliant intro!

      umlaut - 2011-08-08 08:28

      Maybe a patch over their mouths.

  • preshengovender69 - 2011-08-08 10:23

    IBM : Idiot behind machine
