Chris Hadnagy on the Def Con hackers posing as your coworkers

At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever. Rather than breaking into computers, contestants try to trick companies' well-meaning employees to give out valuable information. 

At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever.

Instead of hacking computers, Def Con Social Engineering Capture the Flag contestants will hop on the phone next week to call employees of randomly-selected companies and try to trick them into giving out useful information that could be used to circumvent their network's security.

The practice is just one tactic used in social engineering. And while tech vulnerabilities may make headlines, exploiting people's trust is actually one of the most common ways people and companies are hacked. Security firm Trend Micro has found phishing e-mails, which use false pretenses to get users to open malware, give out log in credentials, or disclose other information, were the first move in 91 percent of large, targeted cyberattacks.

At the Def Con competition, experienced and first-time social engineers compete to see who can get the most people to volunteer useful information. It has become so popular the crowds that come to see it have violated fire codes. "We had to call the conference's goons in to take people out," Chris Hadnagy, who runs the competition, told Passcode. 

Mr. Hadnagy, who literally wrote the book on what he calls "human hacking," has run the contest each year since 2010. The rest of the year, he consults with businesses about how to protect their networks from employees with loose lips.

Passcode spoke to him about the upcoming competition, social engineering strategies, and how anyone – including him – can be a target.  Edited excerpts follow.

Passcode: Def Con devotees mostly associate the social engineering contests with you as their leader. But Def Con had them before you took over. Why was yours the one that took off?

Hadnagy:  Def Con had one previously. But it was really close to just being a bunch of people on stage getting credit card numbers from college girls. So it wasn't something that was going to be sustainable for the long haul. Especially nowadays.  

After Def Con 17 [in 2009] I was asked if we could make a better social engineering contest. One of our big rules was: Nobody gets embarrassed. If Jane answered the phone, we didn't get Jane's personal info, or her credit card number. We didn't get anything about Jane at all.

That was the big difference from other, previous social engineering competitions. We weren't just trying to show that people are stupid, because that's not our motto. This was about how corporate America handles social engineering threats, not about the individual on the phone.

The first two years went great. After the third year, I got invited to the Pentagon after the competition was over. The year after that, the head of the National Security Agency at the time, General [Keith] Alexander came into Def Con, listened to a contestant make a call, awarded me with a Director of NSA Challenge Coin and said, "Godspeed, keep doing what you're doing. We need it in this country." And that blew it up. It just freakin' blew it out of the water.

Passcode: How have people outside the conference reacted to the contest? I can't imagine it's all kudos from intelligence agencies – especially from the businesses that were targeted.

Hadnagy: In the beginning, the response from businesses was not very positive. 

We had done a lot of media hype, of course, around the first competition. We described the competition and what it was going to do – and that we pick targets randomly, and don't announce them until Def Con.

But a couple of big companies called the Department of Justice and basically said, "Look, this guy's publicly saying he's going to hack us and humiliate us."

I got called by the FBI. But the FBI basically said, "Look, we can't give you approval, because that's not what we do, but we can tell you that you're not outside of your rights."

People kept e-mailing me constantly saying, "Man, there are posters going up all over our offices saying, 'Watch out for this competition.'" They had all these emails, saying things like, “This weekend, the competition is starting – Don't answer any questions.”

People were always upset. We've been threatened to be sued a couple times.

I would say in the last two years though, the companies have come around to us. Almost all of them call and ask for copies of the formal report we write about the contest each year. We always give them everything we got for free. We even spend an hour on the phone with them, telling them what we would do to fix the problem. So they even get some free consulting on top of that.

We've offered that from day one – from way back at Def Con 18. Back then, only, like, one company we targeted called us back. The last two years, every company but one has called us afterwards.

 

Passcode: What's the response been during the competition? Do companies ever realize that they're being socially engineered during the competition? 

Hadnagy:  We had a guy who came up with the idea – and I don't know why he thought this was a good idea – that he’d go to a company’s website and look for an employee that looks like him, thinking maybe if they looked the same, they’d sound the same, and people would believe they were the same. He found a page with all the higher-ups in the company, and found an IT director named Josh. And he decided, "Okay, I'm going to be Josh." 

So he got on the phone, and pretending to be Josh is working really well. He kept telling people that there was this contest going on at Def Con, so to make sure all the computers were safe, he needed to know what their operating system was.  But he hit one guy who shut him down. It turned out he knew the real Josh.

So the real Josh gets a text message saying, "Hey, Josh, are you calling around telling people about a contest at Def Con? Because if not, someone's calling as you – and we're being attacked."

It turns out Josh – the real Josh – was at Def Con, three doors away from us.

So he left his presentation to figure out what was going on, immediately came across us, and saw someone else pretending to be him.

We have photos of the fake Josh and real Josh meeting after the contest. 

Passcode: People act like phishing is this goofy thing that only suckers fall for, like a Nigerian scam. But it's actually really common. 

Hadnagy: That whole t-shirt that says, "There's no patch for human stupidity," I don't go for that. This is not about stupidity. This is about opportunity, and the [attack] vectors getting better.

I’ll give you an example. Even I’ve been phished. We were heading out to Vegas, and that requires a ton of stuff to happen. My office looks like a tornado hit it. There are boxes everywhere, supplies, and things that need to be shipped. It's a mess. And I ordered a million things from Amazon. So I get an email that says, "One of your recent orders from Amazon will not be shipped due to a declined credit card."

I didn't look at it. I just clicked the email. The only thing that saved my life was I looked up at the URL bar, and I saw that it was a Russian site. Not Amazon.com, but it looked just like an Amazon log in.

I went back looked at the e-mail, and it showed a George Foreman grill and Lee Press On Nails. I've never ordered either of those.

If I had taken ten seconds to read the email, I would've realized that it definitely was fake. But this is what social engineers prey on – that we're all busy.

So when a guy who's sitting in his office, stressed – who maybe got in an argument with his wife last night, who on the way to work got a flat tire, and now his boss is chewing him out because he's got three reports due and a meeting in fifteen minutes – gets an email that says, "Boss wants you to read this Excel file on end-of-year budgets." 

He’ll just click it.

Passcode: They almost got you with Lee Press On Nails? I sort of assumed it took more finesse.

Hadnagy: We keep statistics on how new and experienced social engineers perform every year. And new ones perform almost as well.

The only difference is that experienced people are less likely to panic when people are shutting them down. Also, new people often try to convince people they're doing a survey. But who actually stays on the line to take surveys?

Passcode:  How could I turn this conversation into a social engineering attempt? 

Hadnagy: Here's the thing: I get an email that says, "Hey, a reporter wants to talk to you." I don't even know who you are. I willingly get on the phone. I pour my heart out to you about being phished, about this and that. You got all this information on me.

Now, let's just say you were really an attacker. So now you go, "Hey, Chris, I'm going to write about this. Where about you from?"

I might say: "Oh, I'm from Pennsylvania, just north of Scranton." And we'd go from there. 

"Oh really? I used to live in Pennsylvania, what town you live in?"

"Brooklyn."

"Brooklyn, Pennsylvania. I didn't know there was a Brooklyn, Pennsylvania. Where is that?" 

"Oh that's cool, well, that sounds like a quiet place. Do you have a family out there?"

"Yeah, yeah, I got two kids, you know, it's a really nice place. It's quiet out here."

Now, think about what you just did. You know where I live. You know I have two kids. You know I like Amazon and wrote a book. You know where I'm from. All of this in a normal conversation. You haven't attacked me – but you could use all of this to do so.

And that's exactly what nation states do all the time. It's called elicitation, but it just looks like a normal conversation. There are no deep down, Jedi mind tricks.