To Ring or Not To Ring?
So it’s been a few weeks since Def Con 2014 and I’m still impressed with the year-over-year growth in attendance for the Social Engineering CTF. What started out a few years ago as a small “show and learn” regarding social engineering (aka the hackers’ confidence game) and Corporate America’s general unpreparedness in the face of it has blossomed into a busy hub of capture-the-flag comings and goings, with few if any seats left available while a session is on-going. And the sessions themselves? Also better. Perhaps it’s the practice and social maturity of the contestants, perhaps it’s the consistency and refinement from the contest organizers/sponsors, or perhaps it’s a bit of the luck of the draw, since some people “gush” in any setting, especially employees of the organizations targeted every year for their information bounty. Regardless, it got me thinking more about what I saw, what I’ve experienced in my own professional and personal life, and where things are or might be headed.
First a quick diversion – a little bit about me to help set the stage for where I’m coming from in this blog perspective. I like ideas, especially when they’re still relatively new and not yet fads, and particularly those that pertain to the human condition, even the bad ideas. So it was with phishing, back when most people responded with a *yawn*. [Yeah, it’s still like that today. <smile>] But I digress….
When I first heard that the annual hackers’ con was formally setting up a social engineering contest back at DefCon 18, I knew I had to attend. There had been talk online about one for a year or two prior. I wasn’t disappointed. It was like a car accident that you can’t avert your eyes from, even though you know you have no business watching. Unfortunately, in those early days the social engineers were mostly being carried out on the stretchers rather than doing the carrying. It was sometimes so bad that I wasn’t sure I wanted to go back. I knew I would.
Fast forward to April of this year. Some former colleagues of mine were talking about going to DefCon 22 and how we were all looking forward to it. The subject of social engineering and the contest came up. One of my former colleagues, in his early twenties (let’s call him “Sam”), panned the idea of attending. His response was somewhere between an eye-roll and a “that sucks/boring” comment. When I pressed him, he admitted that he didn’t like the phone and rarely called anybody. This of course piqued my interest, so I pressed him more. Sam stated that he never used voice mail and never left voice mail for anyone. After the first of what would be many internal “huh” moments, I asked him to explain the why of it. Sam stated that if he couldn’t reach someone by e-mail, he didn’t bother. He also said most of his friends felt and acted the same way.
Per usual I was intrigued and wanted to know if this was isolated to just Sam and his friends. I started to ask around whenever the opportunity presented itself, or allowed for a casual “by the way” insertion into the conversation. Apparently a lot of the ’90s generation feel the same way. It’s not that they’re averse to the phone; they just find voice calling an obsolete technology. Most still have smart phones, of course, but chiefly for the apps and text. So my question to you, whether you’re ’90s generation or not: do you feel the same way? Is your stance to avoid voice mail and phone calls in favor of e-mail? Please let us know your thoughts in the comments section below.
So naturally, I started to apply Sam’s approach to his generation at large and looked for a correlation. It would certainly explain the younger days of the social engineering contest at DefCon. Most of the participants were (and for the most part still are) younger men and women. They all seemed to struggle mightily with simple shifts or redirections in the conversation. “Engineers” were at a loss to rationally explain or steer the conversation away from what I viewed as simple conundrums – “Why doesn’t your phone number show up in our company directory? What’s your badge number? Why do you need to know that information, isn’t it there on your computer?” Yet before I gloated too much, I recalled all the questions I had asked my younger colleagues about smart phone how-to’s. Sure, dialing and talking on the phone was a cinch for me, but pulling up e-mail and GPS at the same time without dropping the call was a bit of a learning curve at first.
I guess it just comes down to what you grew up with from a technology standpoint. Yet it leads me to my next pondering – is communicating on the phone a lost art? It certainly shows signs of heading that way. In my personal life, for every single call I receive with an actual human on the other end, I easily receive two to three times as many automated calls. I’m not sure about you, but my whole demeanor and tolerance change when that happens. It makes me wonder what happens to us as a society, and to our social skills, when everything is automated and human-to-human interaction becomes even briefer. Do hackers switch to hacking the systems to make them more human than human, or don’t they bother at all? I just don’t know. I’ll leave the science fiction to Asimov, Le Guin, Longyear, and the other experts of their craft.
A development at this year’s Social Engineering CTF saw the engineers operating in tandem. A pair, usually male-female, took turns with the target company. Their pretexts were often quite good, albeit a little contrived – the female assumed the role of a Human Resources staff member, or comparable, while the male pretended to be in the information technology department. Despite this slant toward stereotyping and the natural role division seen in some larger companies, the results were for the most part quite good. The skill sets of the contestants continue to improve. Again, my natural curiosity wondered whether working as a pair helped the cause. There’s potentially less pressure on the individual social engineer that way: he or she has another individual to fall back on if something goes a little awry, or from whom a lead or additional angle can be drawn and explored as part of the follow-on.
I heard very few mistakes from the contestants I was fortunate enough to see in action this year. The mistakes I did hear were minor, and the target company’s marks might well have attributed them to cultural differences or “melting-pot” anomalies. For instance, one engineer, whose pretext was that of an HR rep for the target’s own company, kept asking the individual what “his company” thought and what “his company” did for this or that, as though she were an outsider. She did speak with an English accent, so perhaps the target in Kentucky just chalked this one up to a more formal business approach. Again, minor to be sure, but to the trained or guarded listener, a definite warning sign. Which leads me to my next evolutionary question – given the success of the contestants, what would happen if they actually leveraged more team members to engage the target company’s employee and take an exercise or attack to the next level?
Let’s say an install or script runs on the mark’s machine while the mark is simultaneously kept busy with a series of questions as a distraction or redirection technique. While that’s not likely to happen in the Social Engineering CTF, due to the level of control placed on the event, nothing precludes actual, in-the-field social engineers from pursuing this attack vector. Given the proliferation of company data on websites, on social media, and on personal sites and blogs, the reconnaissance needed to build such a pretext has never been easier, and the success rate of this approach can only be helped rather than hindered.
So what’s next? Where does it go from here? We at Emagined Security would love to hear your thoughts on the matter. Do you agree with the above, or do you see things differently? Has your experience been the same or dissimilar? Either way, let us know. We’d love to hear your thoughts on the future of social engineering, and on the value of blogs about the human side of information security topics. Thanks for reading!