Sensitive BP info revealed in hacking contest
If you think BP have their hands full with the oil spill and the whole environmental mess they’ve caused in the Gulf of Mexico, think again. It seems they lack all kinds of security: not only can’t they drill for oil in a safe environment, their data security is poor as well.
The Defcon hacker contest organized in Las Vegas is a hacking competition in which contestants trick employees of large companies into giving up potentially sensitive information. Its purpose, for which the targeted companies should thank the organizers, is to show how gullible people can be and how that gullibility becomes a major security vulnerability.
One of the contestants, Josh Michaels, made only two phone calls and talked a BP computer support employee into revealing data that could have helped launch a network attack against the oil giant. He obtained details such as which laptop models BP used and the specific operating system, browser, anti-virus and even virtual private network software the company is running. He also won extra points for tricking the employee into visiting Social-Engineer.org.
“That was scary,” said Michaels, shortly after ending the call, in which he posed as a Louisiana-based employee handling claims stemming from BP’s massive oil spill in the Gulf of Mexico. “You never know what you’re going to get. There’s an adrenalin rush that comes with social engineering.”
What does the contest do? The Social Engineering Capture the Flag contest gives entrants 25 minutes to call a company chosen in advance by the organizers. They are free to make as many calls as they need and to use whatever deceptive techniques they see fit. Points are awarded according to the types of “flags” collected: the version of Adobe Reader the company used, the garbage collector that hauled its trash, or success in getting the target to visit a website of the caller’s choosing.
Callers sat in a soundproof glass booth while about 80 people crammed into a conference room listened in, often chuckling and applauding as targets naively volunteered potentially sensitive information. Companies called during day one of the two-day competition included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola, and Ford. Of the dozens of calls made to the 10 companies, only three of the targets refused to cooperate.
Contest organizers put great effort into making sure the contest stays within legal boundaries. Requesting sensitive information such as credit card numbers or passwords is prohibited, as is claiming that someone’s account has been compromised, or using any other scenario that might lead targets to believe they are at risk.