DefCon18: The Social Engineering contest
At the DefCon social engineering contest, contestants are given a list of information they have to obtain and a target company that they have to obtain it from, along with a list of phone numbers of people to get it from. They are given a limited amount of time to get as much of the information as they can.
I walked into the social engineering contest just as the second contestant was ready to start his assignment. His target was a major US automotive company. During his session he was able to speak to two people.
It was very good to hear that at least the first guy they got on the line was actually not comfortable answering the questions the contestant asked him.
The second victim was a person who had only worked at the company (a major automobile manufacturer) for 2 months as a security engineer. He was eased into answering mundane but valuable questions, such as his work and break times, but also about food service at the company, etc.
At the end of the call the contestant knew:
- The subject's name and function
- His working hours
- His break hours
- Which desktop OS was used and which XP service pack was used
- The brand and model of the desktop
- The brand of anti-virus and the exact version used
- The internet browser version installed
- The home page of the browser
- If dual factor authentication was used
- Mail client installed and which version of Outlook was used
- If wireless was used in the company
- If URL filtering was in use (no)
- If there is an internal IT support group
- Which internal phone system is in use
- Which PDF reader was used and the exact version number
- How waste paper is disposed of
It was really scary to know that one of the reasons the contestant was not able to obtain all the information was that his victim did not know some of the details.
The next thing for the contestant to find out was somebody’s pay schedule. With only two minutes to complete that task it would be a very close call; unfortunately, he could not get the right people on the line.