Proving once again that information viewed as harmless can enable an attacker, the contestants in this year's Social Engineering Capture the Flag (SECTF) contest at DEF CON 22 worked in teams of two to collect sensitive information from some of the nation's largest companies.
Social-Engineer.org has released the final report from the SECTF contest held at DEF CON 22 this summer in Las Vegas.
As always, the goal of the contest is awareness, using live demonstrations to provide actual examples of the techniques and tactics used by malicious attackers.
The only difference is that none of the contestants actually caused harm; there is a strict rule against victimization. If that were not the case, some of the companies in this year's contest would have had an additional layer of problems to deal with.
The most recent SECTF included firms that were already in the public spotlight due to security problems. This year's targets included Walmart, Staples, Walgreens, Macy's, Lowe's, Rite Aid, Home Depot, CVS, and Costco.
There were nine teams of two, and many of the contestants were new to the world of social engineering, having never attempted this sort of information gathering before. Teams of two were introduced to add an element of complexity to the contest: the contestants had to work together and had to tag out at least once during each call.
Before the calls were made, the teams were given three weeks to do reconnaissance on their target. They were then scored on the number of flags they collected. Flags, which are actionable bits of information, can be collected before the call (during reconnaissance), during the call, or both, and the same flag can be collected several times.
By the time all was said and done, Lowe's was the target that gave up the fewest flags, followed by Macy's and Walgreens. At the opposite end of the scale, Home Depot, followed by CVS and Walmart, gave up the most flags.
Rite Aid, Costco, and Staples remained in the middle of the pack, but they gave up their fair share of points too, showing that when asked, people will usually hand out seemingly innocent information to complete strangers over the phone.
When it comes to the flags collected during the reconnaissance phase of the contest, the lesson is largely the same: if the data isn't seen as valuable or as an asset to protect, no one thinks twice about making it public.
However, while the scores make things look bad, there are some important caveats to keep in mind about the flags and the points they represent, as the SECTF report explains:
"It is important to note that the reporting of a company’s overall performance is a combination of points scored by their assigned teams in both Open Source Intelligence (OSINT) gathering and live call phases of the contest. The scoring alone contained within this report does not necessarily indicate that one company is less secure than another company. However, it is an indicator of the potential vulnerabilities that exist and demonstrates that despite training, warnings and education, social engineering is still a very serious and viable threat to corporations."
In the end, the report adds, a few points stand out from the data and from the observations made by the staff at Social-Engineer.org:
"First, social engineering continues to be a security risk for organizations. This is our fifth consecutive year hosting this event; in that time and despite numerous high-profile security breaches in the retail sector, we have not seen consistent improvements that directly address the human factor for organizations. The success once again of our competitors this year clearly demonstrates that potentially damaging information can still easily be obtained both online and over the phone."