How to steal corporate secrets in 20 minutes: Ask

Participants in a Defcon social engineering contest had no problem getting data from Fortune 500 companies.

He conceded that he'd lucked out by getting such a green employee. But new employees make the best sources. "If you pick someone who's a high-up person in the company, you'll get nothing," he said. "They've got a lot to lose."

Contestant number two, Shane MacDougall, decided to skip the call center and go right for the security staff at another well-known company. He took a more buttoned-down approach, claiming to be conducting a survey for CSO Magazine.

The first person he reached knew what he was doing, and firmly but politely shut MacDougall down after refusing to answer a few questions, saying, "These are specific questions that I don't feel comfortable answering."

Contestants were given only 25 minutes to work. So with the clock ticking, MacDougall lucked out on his next mark, Ryan -- a contract employee in the security engineering department who had been with the company for two months. After a few softball questions about job satisfaction and the quality of the cafeteria food, he went for the hard data.

Ryan delivered: operating system: Windows XP, service pack 3; antivirus: McAfee VirusScan 8.7; e-mail: Outlook 2003, service pack 3; browser: IE 6.

MacDougall then told him to visit a website to collect his US$25 survey coupon, and Ryan complied.

The contest runs at Defcon through Sunday. The winner gets an iPad.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is [email protected]