IT staffers fall victim to social engineering hacks

You’ve got your applications patched, your firewall up to date and your antivirus signatures current. But one big security hole may still be wide open:

Your company’s users, execs, and even IT staffers.

That’s the lesson to be learned from the results of a contest held at the recent Defcon hacking conference in Las Vegas.

The event gave attendees a chance to show off their social engineering skills, and it provided a lesson about the need for better security training at many companies.

Contestants were placed in sound-proof booths (outfitted with microphones so the audience could hear) as they called Fortune 500 companies and attempted to extract information.

Employees at every company that was called gave up information an attacker could use in reconnaissance: which browsers and operating systems the company runs (down to exact version numbers, which tell an attacker which exploits are likely to work), which antivirus software it uses (so malware can be tested against that product before it is sent), and even the names of local wireless networks.

The rules forbade contestants from asking for truly sensitive information such as passwords and account numbers. But the event’s organizers said most of the people called seemed willing to give up anything that was asked of them, ComputerWorld reports.

Participants called staff-level workers at the target companies and had a good deal of success with employees in the IT department, including some security professionals.

Their tactics were classic pretexting: claiming to be conducting a security audit, or a survey for a technology magazine, to give the target a plausible reason to answer.

The contest organizers say these social engineering tricks are the easiest way for attackers to gain access to sensitive data, and warn that all the technical security controls in the world won’t do any good if users and tech staffers aren’t trained to recognize such calls and verify who is asking before they answer.