Defcon hackers steal most data from Oracle

Hackers at the Defcon convention managed to trick employees at some of the largest U.S. companies to help them steal data.

The contestants in the competition, held at the world's largest hacking convention in Las Vegas this weekend, revealed the weaknesses of corporations when it comes to cyber security, particularly in training workers.

Despite a series of high-profile cyber attacks on targets ranging from Sony to the International Monetary Fund, the hackers found it easy in some cases to trick employees into revealing information that could be used in planning cyber assaults.

The company whose employees handed over the most data was Oracle, according to Chris Hadnagy, one of the organisers of the contest at the Defcon conference.

Oracle is one of the world's largest software makers and first started more than 30 years ago by selling secure databases to the Central Intelligence Agency.

Oracle spokeswoman Deborah Hellinger declined to comment.

The contestants also managed to get employees to use their corporate computers to browse websites the hackers suggested.

Had these been criminal hackers, the websites could have loaded malicious software onto the PCs.

In one case, a contestant pretended to work for a company's IT department and persuaded an employee to give him information on the configuration of her PC, data that could help a hacker decide what type of malware would work best in an attack.

"For me it was a scary call because she was so willing to comply," said Hadnagy. 

"A lot of this could facilitate serious attacks if used by the right people."

Defcon is organized by benevolent hackers, partly to promote research on security vulnerabilities in order to pressure companies to fix them.

The contest was sponsored by so-called white-hat hackers to show companies how weak their security is and encourage them to better educate their employees about the risks of hacking.

Other targets included Apple, AT&T, ConAgra Foods, Delta Air Lines, Symantec, Sysco, United Continental's United Airlines and Verizon Communications.

It was the second year that Defcon held a contest in "social engineering," where hackers con people into handing over information or taking actions such as downloading malicious software.

Social engineering is frequently used in attacks where the hackers send a "spear phishing" e-mail in which they impersonate a friend of the recipient and ask him or her to open a tainted file or visit a malicious website.

Security experts say spear phishing have led to many hacks over the past year, including ones on U.S. defence contractors, the IMF, EMC's RSA Security division and government agencies around the world.

"It's better whenever you can get data non-confrontationally," said Johnny Long, a consultant who companies hire to hack into their data networks, using tools such as social engineering, to identify weaknesses.

The contestants were charged with obtaining specific information from their targets, including information about how the company backs up and secures its data, wireless network use, and the names of companies that provide on-site security, toner and copier paper.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them