Chris Hadnagy on the Def Con hackers posing as your coworkers

At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever. Rather than breaking into computers, contestants try to trick companies' well-meaning employees to give out valuable information. 

The most vulnerable part of a company's network might be a trusting employee with a phone.

At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever.

Instead of hacking computers, Def Con Social Engineering Capture the Flag contestants will hop on the phone next week to call employees of randomly-selected companies and try to trick them into giving out useful information that could be used to circumvent their network's security.

The practice is just one tactic used in social engineering. And while tech vulnerabilities may make headlines, exploiting people's trust is actually one of the most common ways people and companies are hacked. Security firm Trend Micro has found that phishing e-mails, which use false pretenses to get users to open malware, give out login credentials, or disclose other information, were the first move in 91 percent of large, targeted cyberattacks.

At the Def Con competition, experienced and first-time social engineers compete to see who can get the most people to volunteer useful information. It has become so popular the crowds that come to see it have violated fire codes. "We had to call the conference's goons in to take people out," Chris Hadnagy, who runs the competition, told Passcode. 

Mr. Hadnagy, who literally wrote the book on what he calls "human hacking," has run the contest each year since 2010. The rest of the year, he consults with businesses about how to protect their networks from employees with loose lips.

Passcode spoke to him about the upcoming competition, social engineering strategies, and how anyone – including him – can be a target.  Edited excerpts follow.

Passcode: Def Con devotees mostly associate the social engineering contests with you as their leader. But Def Con had them before you took over. Why was yours the one that took off?

Hadnagy: Def Con had one previously. But it was really close to just being a bunch of people on stage getting credit card numbers from college girls. So it wasn't something that was going to be sustainable for the long haul. Especially nowadays.

After Def Con 17 [in 2009] I was asked if we could make a better social engineering contest. One of our big rules was: Nobody gets embarrassed. If Jane answered the phone, we didn't get Jane's personal info, or her credit card number. We didn't get anything about Jane at all.

That was the big difference from other, previous social engineering competitions. We weren't just trying to show that people are stupid, because that's not our motto. This was about how corporate America handles social engineering threats, not about the individual on the phone.

The first two years went great. After the third year, I got invited to the Pentagon after the competition was over. The year after that, the head of the National Security Agency at the time, General [Keith] Alexander came into Def Con, listened to a contestant make a call, awarded me with a Director of NSA Challenge Coin and said, "Godspeed, keep doing what you're doing. We need it in this country." And that blew it up. It just freakin' blew it out of the water.

Passcode: How have people outside the conference reacted to the contest? I can't imagine it's all kudos from intelligence agencies – especially from the businesses that were targeted.

Hadnagy: In the beginning, the response from businesses was not very positive. 

We had done a lot of media hype, of course, around the first competition. We described the competition and what it was going to do – and that we pick targets randomly, and don't announce them until Def Con.

But a couple of big companies called the Department of Justice and basically said, "Look, this guy's publicly saying he's going to hack us and humiliate us."

I got called by the FBI. But the FBI basically said, "Look, we can't give you approval, because that's not what we do, but we can tell you that you're not outside of your rights."

People kept e-mailing me constantly saying, "Man, there are posters going up all over our offices saying, 'Watch out for this competition.'" They had all these emails, saying things like, “This weekend, the competition is starting – Don't answer any questions.”

People were always upset. We've been threatened with lawsuits a couple of times.

I would say in the last two years though, the companies have come around to us. Almost all of them call and ask for copies of the formal report we write about the contest each year. We always give them everything we got for free. We even spend an hour on the phone with them, telling them what we would do to fix the problem. So they even get some free consulting on top of that.

We've offered that from day one – from way back at Def Con 18. Back then, only, like, one company we targeted called us back. The last two years, every company but one has called us afterwards.


Passcode: What's the response been during the competition? Do companies ever realize that they're being socially engineered during the competition? 

Hadnagy: We had a guy who came up with the idea – and I don't know why he thought this was a good idea – that he’d go to a company’s website and look for an employee that looks like him, thinking maybe if they looked the same, they’d sound the same, and people would believe they were the same. He found a page with all the higher-ups in the company, and found an IT director named Josh. And he decided, "Okay, I'm going to be Josh."

So he got on the phone, and pretending to be Josh was working really well. He kept telling people that there was this contest going on at Def Con, so to make sure all the computers were safe, he needed to know what their operating system was. But he hit one guy who shut him down. It turned out he knew the real Josh.

So the real Josh gets a text message saying, "Hey, Josh, are you calling around telling people about a contest at Def Con? Because if not, someone's calling as you – and we're being attacked."

It turns out Josh – the real Josh – was at Def Con, three doors away from us.

So he left his presentation to figure out what was going on, immediately came across us, and saw someone else pretending to be him.

We have photos of the fake Josh and real Josh meeting after the contest. 

Chris Hadnagy / social-engineer.com
The two Joshes meet at Def Con.

Passcode: People act like phishing is this goofy thing that only suckers fall for, like a Nigerian scam. But it's actually really common. 

Hadnagy: That whole t-shirt that says, "There's no patch for human stupidity," I don't go for that. This is not about stupidity. This is about opportunity, and the [attack] vectors getting better.

I’ll give you an example. Even I’ve been phished. We were heading out to Vegas, and that requires a ton of stuff to happen. My office looks like a tornado hit it. There are boxes everywhere, supplies, and things that need to be shipped. It's a mess. And I ordered a million things from Amazon. So I get an email that says, "One of your recent orders from Amazon will not be shipped due to a declined credit card."

I didn't look at it. I just clicked the email. The only thing that saved my life was I looked up at the URL bar, and I saw that it was a Russian site. Not Amazon.com, but it looked just like an Amazon login.

I went back and looked at the e-mail, and it showed a George Foreman grill and Lee Press On Nails. I've never ordered either of those.

If I had taken ten seconds to read the email, I would've realized that it definitely was fake. But this is what social engineers prey on – that we're all busy.

So when a guy who's sitting in his office, stressed – who maybe got in an argument with his wife last night, who on the way to work got a flat tire, and now his boss is chewing him out because he's got three reports due and a meeting in fifteen minutes – gets an email that says, "Boss wants you to read this Excel file on end-of-year budgets." 

He’ll just click it.

Passcode: They almost got you with Lee Press On Nails? I sort of assumed it took more finesse.

Hadnagy: We keep statistics on how new and experienced social engineers perform every year. And new ones perform almost as well.

The only difference is that experienced people are less likely to panic when people are shutting them down. Also, new people often try to convince people they're doing a survey. But who actually stays on the line to take surveys?

Passcode: How could I turn this conversation into a social engineering attempt?

Hadnagy: Here's the thing: I get an email that says, "Hey, a reporter wants to talk to you." I don't even know who you are. I willingly get on the phone. I pour my heart out to you about being phished, about this and that. You got all this information on me.

Now, let's just say you were really an attacker. So now you go, "Hey, Chris, I'm going to write about this. Whereabouts are you from?"

I might say: "Oh, I'm from Pennsylvania, just north of Scranton." And we'd go from there. 

"Oh really? I used to live in Pennsylvania, what town do you live in?"

"Brooklyn."

"Brooklyn, Pennsylvania. I didn't know there was a Brooklyn, Pennsylvania. Where is that?" 

"Oh that's cool, well, that sounds like a quiet place. Do you have a family out there?"

"Yeah, yeah, I got two kids, you know, it's a really nice place. It's quiet out here."

Now, think about what you just did. You know where I live. You know I have two kids. You know I like Amazon and wrote a book. You know where I'm from. All of this in a normal conversation. You haven't attacked me – but you could use all of this to do so.

And that's exactly what nation states do all the time. It's called elicitation, but it just looks like a normal conversation. There are no deep down, Jedi mind tricks.

https://www.csmonitor.com/World/Passcode/2015/0731/Chris-Hadnagy-on-the-Def-Con-hackers-posing-as-your-coworkers