The public perception of hacking involves a shadowy figure in a hoodie hunched over a laptop, tapping furiously while a waterfall of glowing green text fills the screen. Also he’s probably listening to industrial music. First off, that’s a ridiculous caricature, and more important, not all intrusions are the result of someone banging away on a keyboard to “hack the network.” Exploiting the vulnerabilities of a company can simply involve picking up a phone, chatting with a few people or memorizing a few tones.
At this year’s Def Con, the Telephreak team organized a hacking challenge that played out like an alternate reality game (ARG). It was the brainchild of Telephreak members TProphet and Lion Templin. After a few weeks of plotting and scheming, the two brought it to life and unleashed it on the unsuspecting attendees of Def Con.
The main thrust of the event: Why spend days or weeks trying to bust into a network when you could pick up a phone? You could pretend you’re a helpless co-worker and talk someone into giving you access to the company network or figure out a person’s login credentials based on her personal information.
While crypto-puzzles and capture-the-flag events are standard at Def Con, this year the Telephreak team went with a game that involved breaking into the fictitious organization Ellingson Mineral Company (from the movie Hackers) by pretending to be a wayward employee.
This type of approach is far more prevalent that many are aware. In fact, “social engineering” is how journalist Mat Honan’s digital life was compromised. It’s also why losing an employee badge with details like your name, ID and various company phone numbers can be a huge security problem. Logging into a remote computer is hard, talking an operator into sharing confidential information is often just a matter of how charming the caller is.
The deep study and, sometimes, exploitation of telephone systems for fun and profit (known as phreaking) started in the 1950s — decades before the average person got their hands on a computer. In addition to figuring out how to get free long-distance phone calls and routing calls through multiple switching stations around the globe, phone phreakers also figured out how to exploit vulnerabilities in PBX systems.
Social engineering, though (often the key ingredient in successful phreaking) — that’s been around as long as humans have communicated. Phishing is the most common use of the method, but sometimes it simply involves talking to people. Often the person trying to get information from an operator is working from a script that’s undergone hours and hours of trial and error. Other times it’s just a matter of sounding like you know what you’re doing. Or, better yet, pretending you don’t know what you’re doing and you need help. It’s tough to turn down a co-worker in distress.
The Def Con game started with TProphet dropping 50 Ellingson Mineral “employee badges” around the conference. On the back of each badge was a series of phone numbers that contestants would call and try to swindle the operators to share information about the company and, eventually, to take down the company’s power distribution unit.
The Telephreak team went as far as setting up a call center in Minnesota with people who would adjust their replies to the callers based on the amount of Twitter chatter around the company. The more people tweeted about the contest, the tougher it would be to get info from the “employees.”
The contest was scheduled to run until Sunday evening at 6PM PT, but the company was successfully hacked by a team called Psychoholics late Saturday night. In addition to getting kudos from the Telephreak organizers, the winning team got an “Uber” badge from Def Con — which means it’ll have free access to the conference for life. That part wasn’t expected by TProphet. “It was a total surprise to us when Def Con named it a black-badge competition. We weren’t even an official Def Con contest,” he said.
De facto Psychoholics team-leader Jason Thor Hall said he handled most of the social-engineering work, but by the end of the challenge even some of the shy team members were getting into it and picking up on social cues. “Being able to read other people is huge in any walk of life, so I am glad they got to experience it and see how social engineering works in practice,” he said.
But his team’s involvement wasn’t planned. In fact, they didn’t even know a challenge was happening. “We had actually never interacted with the Telephreaks before this and didn’t even know the challenge existed. Someone walked by and threw a badge in my lap when I was sitting down in a hallway and said ‘You dropped your badge’ and ran away,” Hall said.
During the challenge, the would-be phreakers had to do more than just make phone calls and remember dial tones; they also had to figure out voicemail passwords. One was an employee’s birthdate. Another was the last four digits of an employee ID. Sadly, these are typical mistakes made by actual people in the real world. That alone should frighten the security team of any company.
While the Telephreaks challenge was a great piece of nostalgia (who doesn’t love Hackers?) wrapped in an immersive game, it pulls directly from how things are done in the real world today. An IT department might bolster its software security, yet practically ignore the colleagues who have access to it — a company is only as secure as its chattiest employee. Phishing tests are all the rage, but maybe it’s time to speak to employees about what they should and shouldn’t talk about over the phone and encourage good password practices.
Hall loves puzzles and was impressed by the level of detail of the challenge. “They kept it very realistic throughout the experience. This story can be and has been played out all over the world many times, employees losing their badges/accounts and getting owned through social engineering.” Remember, like the challenges at Def Con, to the person on the other end of the phone trying to access your company, you’re just another riddle to be solved.