
DefCon Contest Rattles FBI's Nerves 136

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.

  • This is refreshing (Score:5, Insightful)

    by Majik Sheff ( 930627 ) on Friday July 30, 2010 @07:44PM (#33091300) Journal

    It's nice to see the hacker community making a move to acknowledge its roots. Social engineering is the oldest and easily the most challenging/rewarding form of real hacking.

    What's more gratifying, beating the password out of a hash after weeks of brute force or having the mark just tell you in a five-minute phone call?

  • by Score Whore ( 32328 ) on Friday July 30, 2010 @08:01PM (#33091454)

    If they aren't going after confidential data, then what exactly is the point here? What I mean is, why would a company care about non-sensitive data, so what protections/security/whatever are they supposedly penetrating here?

  • I feel sorry (Score:5, Insightful)

    by blantonl ( 784786 ) on Friday July 30, 2010 @08:04PM (#33091484) Homepage

    I feel sorry for the poor fish in the barrel that gets shot on this one.

    Unwittingly, right now, some guy/gal is sitting in their cubicle and is on the cusp of getting the phone call that thrusts them into the international spotlight when the tape of the winning team's efforts is played. They might even lose their job for doing nothing more than, well, doing their job, or answering a harmless set of questions.

  • by rotide ( 1015173 ) on Friday July 30, 2010 @08:14PM (#33091572)

    Not everything needs to be about obtaining damaging information. Imagine talking to a random stranger and trying to solicit information from them. It's not as easy as it sounds.

    Seriously, try this some time, just go up to a stranger and get their middle name. It will be harder than you think in most cases, if not impossible.

    Social Engineering is a skill. You have to be very good to go under the "what the fuck does this guy want" radar. You have to be able to read people without seeing them and be able to think very quickly in a very dynamic situation. Again, all while staying under their radar.

    Getting confidential, personally sensitive, or business critical information isn't the point nor appears to be the goal. Merely being good with your social skills (and we're talking a special breed of nerds here, no offense to them though), no, great with them, is the point. Having a laundry list of weird and/or "not normally given out" information and trying to gain it, that's going to be hard.

  • by John Hasler ( 414242 ) on Friday July 30, 2010 @08:25PM (#33091668) Homepage

    They probably won't have to do much. They've sent a letter stating that my personal information has gone missing three times in two years.

    And yet you continue to do business with them. It's pretty obvious why they don't have to do much.

  • No, this is good (Score:4, Insightful)

    by i_want_you_to_throw_ ( 559379 ) on Friday July 30, 2010 @08:26PM (#33091672) Journal

    If anything, social engineering is THE weakest link in the security chain. Let the geeks handle the hardware security but people really and truly need to keep having it pounded into them that they always need to be vigilant and to recognize these attempts.

  • ahem... (Score:3, Insightful)

    by Anachragnome ( 1008495 ) on Friday July 30, 2010 @09:15PM (#33091982)

    "The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. "

    I think what REALLY scares these guys (the Feds and the Banks) is that they know damn well that MOST hackers out there do not limit themselves with any silly, self-imposed rules.

    Just imagine what the contestants could do without legality/illegality issues hindering them. Anything learned here will simply be repeated, by someone, with no such hindrances in place.

  • by Nyder ( 754090 ) on Friday July 30, 2010 @09:43PM (#33092142) Journal

    Just the other day we had a submission about how we aren't prepared for the "cyberwarz" because we can't get people who know this sort of stuff, or think along these lines.

    Well, damn, seems to me this would be a great exercise for the fbi/ hls, and whoever else to see about hiring/training peeps for those sort of jobs.

    Of course, that makes sense and wouldn't be used.

  • by Anonymous Coward on Friday July 30, 2010 @10:03PM (#33092242)

    Wait, so what do the higher-ups expect you do on ordinary days when Defcon isn't running? Be less vigilant and answer any and all questions posed? What silly advice. What's a good precaution in the week of Defcon should be good *all*of*the*time*.

    All they're really trying to avoid is potential embarrassment if something gets in the news.

  • by JWSmythe ( 446288 ) <jwsmythe@@@jwsmythe...com> on Friday July 30, 2010 @10:25PM (#33092390) Homepage Journal

        [ignores you like a homeless guy asking for a dollar for more booze and walks away]

        Good try.

        "Excuse me sir, I'm with the [state] joint anticrime taskforce." [flashes official looking id printed up not long before] "We're performing random checks on the citizens in this area. May I see a photo ID?"

        [citizen hands him his driver's license].

        "Thank you Mr " [reads last name from ID] ". We've already had several instances today where criminals have attempted to run when asked for their identification. Have a wonderful day. We appreciate your cooperation."

        His middle name was Henry. He was born October 28, 1955.

        I know, in the game you're not allowed to pretend to be from a government agency. It just made this easier. If you're digging for personal information, you just have to craft "who" you are to be something where they'd want to hand over the information without asking too many questions.

  • by Dhalka226 ( 559740 ) on Saturday July 31, 2010 @12:26AM (#33092998)

    That doesn't mean it's not worth occasionally reiterating, especially when there's a specific reason to believe there may be an increased chance of something happening.

    It's not like they're spending millions of dollars to defend it or something, just sending a few emails.

  • Re:Dumbasses @ FBI (Score:3, Insightful)

    by tuomoks ( 246421 ) <tuomo@descolada.com> on Saturday July 31, 2010 @12:36AM (#33093058) Homepage

    Unfortunately - yes! Hide the head in the sand, that seems to be the answer nowadays for any- and everything? For a long time, excuse me - started in 60's, I was either responsible for or designing systems and infrastructures for safe and secure, often global environments - can't say that they were perfect, nothing ever is. From time to time (often) the hired security testing groups / companies were able to find some problems, even if documents in wastebaskets - in IT(?) which should have known better, but the main thing was to find the problems, not to hide them!

    You look at companies / corporations today, they use much, much more money and time to hide the problems, trying to recover from problems, paying to public and/or government the fines, whatever than preventing the problems? Nothing (much) wrong, business as usual, but sometimes wonder why the stockholders / owners are willing to throw good money - and sometimes good reputation, away? Just wondering - LOL!
