DefCon Contest Rattles FBI's Nerves

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.

Re:Dumbasses @ FBI

[msauve]

Well, that leaves retail.

"Do you have Prince Albert in a can?"

Okay, be honest.

[peacefinder]

Who here clicked the link to www.social-engineer.org before thinking about the potential consequences?

Have you just been had? :-)

Re:This is refreshing

[al0ha]

Yeah - social engineering used to be called grifting. But I guess grifting is not as cool a buzzword as anything associated with engineering. Social engineering, puhleez; like it takes a lot of brains to grift a rube.

Not-so-sensitive?!

[zyxwvutsr]

What participants can do is collect data on less sensitive subjects such as, "who does your dumpster removal; who takes care of your paper shredding," Hadnagy said.

"If you don't tell me, I'll look at the dumpster behind your building and read the name on it!"

Re:This is refreshing

[Hatta]

I prefer to beat the password out of the mark after 5 minutes of brute force.

The information they want is almost too innocuous.

[yakovlev]

Given that the information they want is so innocuous (see their examples,) the way I would probably handle it is:

1.) Get a list of past DefCon attendees from the company.
2.) Find prior attendees NOT attending the current DefCon.
3.) Call those prior attendees up and say "DefCon this year is doing a social engineering CTF, can you help me out by providing some silly and innocuous data about your company/building?"

This could work surprisingly well, so long as you got somebody willing to play along and help you "cheat."

In fact, this approach (or something similar) would probably be so common and so effective that there might be a rule added against it.

What would be particularly funny is if you didn't actually check if they were attending this year, and the "victim" was sitting in the audience!