January 05, 2011, 1:56 PM — There were some disturbing results from a capture-the-flag-style contest held at this summer's DefCon security conference. The CTF exercise, called "How Strong Is Your Schmooze?", was an attempt to raise awareness about social engineering, the manipulation of people in order to commit a crime. It challenged contestants to attempt to obtain (in an ethical and legal way) information about target companies that could be used in a hypothetical attack.
Contestants made 140 phone calls to employees at target companies seeking information. Almost all of the employees gave the callers the information they were looking for; only five did not. And 90% of targeted employees opened a URL sent to them by contestants, even though they did not know the person who had sent it. The numbers show that social engineering is a huge problem for all organizations, said Chris Hadnagy, who organized the contest.
Hadnagy, also co-founder of social-engineer.org and author of Social Engineering: The Art of Human Hacking, noted a quick glance at the news each month will show it's often the human element that leads to a security breach, and 2010 was no exception. Here are four successful social engineering attacks that took place last year.
An important chapter of the Wikileaks saga that got so much attention in 2010 involves social engineering, according to Hadnagy. That's because the leaks to Wikileaks founder Julian Assange started with a sneaky ploy to gather government information.
U.S. Army soldier Bradley Manning was serving in a support battalion with the 2nd Brigade Combat Team, 10th Mountain Division, based at Contingency Operating Station Hammer, Iraq. Manning is accused of passing classified information to Assange, including video of a July 2007 helicopter airstrike in Baghdad, a video of the Granai airstrike, and several diplomatic cables. Manning obtained the material through his access to the Secret Internet Protocol Router Network, used by the U.S. Department of Defense and Department of State to transmit classified information.