http://talk.hope.net/

Interesting details in terms of Social Engineering:
1- He setup a server on his laptop.
2- He connected to the company network using the company VPN client, so connecting was easy, but so was tracing him.
3- Wrote out an official-looking email to the security mailing list! (around 200 people)
4- The company recently had a SS theft (I believe). Syn used that as the story in his email and asked the list to sign up with the companies ID theft insurance vendor. This reminds me of Storm Worm’s Tactics - use of recent events to play on people’s emotions.
5- People who followed the link were displayed a box that prompted to log in using domain credentials. Whether they hit submit or cancel, they were directed to a page that explained that this was a phish and gave various advice. This was the only awareness-raising part, as the company kept the incident down, and made no mention of it at all after everything was over.
6- Result: Syn estimates that 10% of the email recipient followed the link. Of course, there is no knowing how many people faked the credentials just to see what the server is.
7-His downfall: one of the managers was on the list and raised an alarm after an hour.

Why such a high success rate? He made it convincing - possession of the VPN client, knowledge of the security mailing list, knowledge of current events, pretext of trying to help the recipients with their troubles and good writing skills helped him pull it off.

Background:
Syn is a security contractor at some company. He is not satisfied with the security and enforcement policies in place (specifically the fact that they do not sign their email), so he provides education by phishing their credentials. He does not warn anyone. He makes it easy for IT to trace him by putting comments in html code of the phishing site and by using corporate VPN. He does not get fired.

Overall the line up of speakers was hit or miss. I suppose thats to be expected from most conferences, however, I do think there were some good original presentations.

Although the keynote speaker couldn’t make it, his graduate student Alex Halderman presented on work done at Princeton regarding an electronic voting machine. They were able to demonstrate exploiting the system to alter votes which is scary considering how many of these machines are still in use.

H1kari’s talk on GSM exploits was frightening. Guess I will have to trade in my iPhone if the new 3G version ever comes into existence, or better yet, how about a 700Mhz phone.

I caught Tim Vidas’s talk on Solaris shellcode. For those of you who took part in CSAW, Tim was the forensics winner this year. He did a great job presenting at Shmoocon and demonstrating how to create shellcode on x86.

I always enjoy layer 2 talks as well. Enno Rey and Daniel Mende presented on layer 2 protocol fuzzing and found some issues with some of the newer protocols that should keep some Cisco engineers busy for a while.

Josh Wright and Brad Antoniewicz gave a dynamic talk on Protected EAP and some new attacks to reveal authentication information. While the discussion was technically solid, their energy on stage definitely kept the crowds attention.

I do agree with you guys, this was probably my least favorite of the 3 Shmoocons I’ve attended. It won’t stop me from returning next year to hear Mr. Guido’s talk though!

HOPE 7 is this summer, lets make it exiting