
Last week’s DEF CON showed how easily an attacker can extract critical business information from a cheerfully unsuspecting help desk. In a live demonstration, “Wayne,” a leading social engineer from Australia, talked an obliging call-centre operator into revealing enough about a Fortune 500 company’s IT environment to put its systems at serious risk. He came second in a close “capture the flag” contest in which competitors raced to collect 30 flags, each flag being the answer to a question whose disclosure could undermine an organisation’s security. Wayne collected his in a single 20-minute phone call.

Wayne is a white-hat hacker (security tester) for the Sydney-based consultancy Securus Global. The contest was run by social-engineer.org, a group that warns how readily employees can be induced to reveal confidential company information. However much computer security improves, people remain an exploitable weakness in the system. The event was overseen by the U.S. FBI.

“Big companies are very protective about their brand and corporate secrets and this is a perfect way to exploit that quickly,” said Wayne. “With the information I gathered on that day, we could have easily broken into the company in a matter of minutes.”

“You need to think [on the help desk], why does the caller need to know what browser I’m running? People are so worried about whether they’ll lose their job that they’re only too happy to help. The guy I spoke to was fresh off his security training and he didn’t question anything; he wanted to believe what I was saying.”

Wayne’s attack on the company was planned and researched well in advance: the competition allowed two weeks of reconnaissance before the call. On the help desk line, Wayne posed as someone new to the company. “I was at the head office and had just had a meeting with the vice president and I was told the IT desk was the first place to call – the IT guy was pretty chuffed,” Wayne says.

Wayne kept the conversation light and easygoing, which disarmed the operator. He extracted information that no new employee would need: the browser and mail client versions in use across the organisation, the anti-virus product deployed, and the make and firmware of the RFID badges used for building access. “The guy on the phone told me what badges, firmware, brand and model number they were running. He told me who their cleaners were; do they shred their rubbish or throw it in the bin? Their data backup and how it works and how the tapes go to the data processing and archiving company.”

Help desk security tips:

• Be suspicious of callers with unusual demands or questions, and ask why they need the information

• Don’t be intimidated by the caller’s claimed status in the organisation; verify the caller’s identity with his or her manager

• Ring the caller back on a number taken from the internal phone book, never on a number the caller supplies

• For confidential enquiries such as audits, the caller should attend in person and show identification

• If in doubt, transfer the caller to the help desk manager

Justin Gasparre, an IT infrastructure management specialist on the board of the IT Service Management Forum, says help desk staff should be more alert and should not take what callers say at face value. Representatives should not be intimidated, or overeager to help, simply because of the authority a caller claims.

Wayne hopes the demonstration will make companies think harder about IT protection and run more security audits on their employees. As cyber-terrorism becomes more of a reality, companies will have to test their help desk staff to make sure their training holds up against malicious callers.
