DefCon Contest Rattles FBI's Nerves
snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees."
The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.
Dumbasses @ FBI (Score:4, Interesting)
What dumbasses at the FBI and in the financial industry:
"The list of target organizations will not include any financial, government, educational, or health care organizations;"
Re:Dumbasses @ FBI (Score:3, Interesting)
Well then the contest isn't very impressive, is it?
Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.
How hard is it to talk your way into a grocery store's customer list?
Can they spoof CallerID? (Score:4, Interesting)
On my desk phone at work, if someone calls from their desk or a number that is currently listed in the directory, their name and number show up on the display. It's pretty obvious if someone calls up from an outside line. Now if the contestant is allowed to try to spoof my company's phone system into thinking they are from, say, HR, more power to them.
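The comment above relies on the phone display to tell inside from outside, and the displayed name only means something if the number it came from is actually an internal station. Below is an added example, not code from the thread or from any PBX vendor, of a screening rule that makes that distinction explicit: a directory hit is trusted only when the call arrived on an internal trunk, and an external call that presents an internal extension as its caller ID is flagged. The directory, the `trunk` field and the extension numbers are constructed for the example.

```python
"""Added example (not from the Slashdot thread): trust a caller-ID directory
match only when the call also arrived on an internal trunk."""
from dataclasses import dataclass

# Constructed internal directory: extension -> (display name, department).
# Assumption: the PBX exports something like this; the values are made up.
DIRECTORY = {
    "4101": ("Pat Example", "HR"),
    "4205": ("Sam Example", "IS"),
}

@dataclass(frozen=True)
class Call:
    caller_id: str   # number presented by the caller; spoofable on external calls
    trunk: str       # "internal" (PBX station) or "external" (PSTN gateway); assumed field

def classify(call: Call) -> dict:
    """Return a verdict plus the line the desk phone should display.

    Verdicts:
      trusted_internal  - directory hit AND arrived on an internal trunk
      internal_unlisted - internal trunk, extension not in the directory
      external          - external trunk, number not claiming to be an extension
      spoof_suspect     - external trunk but caller ID matches an internal extension
    """
    entry = DIRECTORY.get(call.caller_id)
    if call.trunk == "internal":
        if entry is not None:
            name, dept = entry
            return {"verdict": "trusted_internal",
                    "display": f"{name} ({dept}) x{call.caller_id}"}
        return {"verdict": "internal_unlisted",
                "display": f"Internal x{call.caller_id} (not in directory)"}
    # External trunk: never show a directory name, even if the digits match.
    if entry is not None:
        _, dept = entry
        return {"verdict": "spoof_suspect",
                "display": f"EXTERNAL - claims {dept} x{call.caller_id}"}
    return {"verdict": "external", "display": f"External {call.caller_id}"}

def screen(calls):
    """Return only the calls whose displayed identity should not be trusted."""
    return [c for c in calls if classify(c)["verdict"] == "spoof_suspect"]

# Constructed sample call records.
SAMPLE_CALLS = [
    Call("4101", "internal"),   # HR calling from their own desk
    Call("4101", "external"),   # outside caller presenting HR's extension
    Call("5551234", "external"),# ordinary outside call
    Call("4999", "internal"),   # internal station not yet in the directory
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        r = classify(c)
        print(f"{c.caller_id:>8} via {c.trunk:<8} -> {r['verdict']:<17} {r['display']}")
```

The point of the rule is the asymmetry: the directory is consulted on every call, but the name is only rendered when the trunk vouches for the origin. On an external trunk the same digits produce a warning line instead of a name, so an employee never sees "HR" for a call that did not come from inside the PBX.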
Re:If they go to my bank... (Score:4, Interesting)
Sometimes that info comes from places you'd rather it not. I got a letter a couple years ago from the VA (United States Veterans Affairs). I was in the military for about a month, almost 20 years ago. (It was a preexisting disqualifying medical condition, for anyone who really wonders.) They sent it to a friend's house where I frequently got mail. It stated that my personal information may have been compromised due to a breach of the VA computers. I had seen the news story about it about a month before and didn't think it would apply to me. It's so comforting that I was in a system I shouldn't have been in, and they lost my information to unknown parties, who could be doing almost anything with it. Since they knew a valid address for me, nowhere near where I lived when they collected the data, I have to assume they kept addresses updated from another source.
Ya, I'd rather not do business with the VA, but apparently they know about me.
Sometimes I wonder about banks that I've done business with in the past. Some have closed and merged so many times, I have no clue who they are now. A friend of mine got a nasty letter from a bank a couple years ago. He had closed his account with them over 20 years before that. Apparently when they merged with other banks, to fluff their "account holders" numbers, they reopened closed accounts. After the mergers, they started assessing fees to the accounts. He was now on the hook for all kinds of fees they assessed the closed account plus interest. When he tried to straighten it out, the bank couldn't find the record, other than the fact that he owed the money. He still gets calls from collections every once in a while asking for the money.
Re:Dumbasses @ FBI (Score:3, Interesting)
Because those are the very places that real black-hats would target, so those are the ones with the measures in place to intercept attempts at social-engineering exploits.
I work at one of those places, and I gotta say... those "measures" aren't as stringent as I'd like them to be. That is to say - we get employee training (CBT) once a year to refresh our knowledge of various procedures, and it touches briefly on social engineering (a single slide).
Now - I'm in the IS department, so it may be that those in lending ops, etc. have a different story. For us the "measures" in place rely solely on the common sense of each employee.
Scary, isn't it?