Hard to believe that BH and DEFCON are only 2 months away. In gearing up for the annual trek to Sin City, here's a cool expose on the SE CtF. I'm sure this will generate some questions on your end. Please ask away as Chris would be happy to answer what he can.

Permanent link: [Article]-An Insider`s Look at the Social-Engineer.Org SE CtF at DEFCON


Don

Its not necessarily stupidity that is the flaw but the need to be helpful.  You can get very intelligent people to disclose information if you know how to work the discussion.  If you can get the mark to relate to you or vice versa, then you develop a sort of bond that makes them feel they could trust you.  You are essentially finding exploits in humans as you would find in applications.  The only real patch to this is education and awareness.  In the case of the CtF, better classification of company information as well as educating the employees would probably help reduce the numbers show in the report.  Eventually a good SE will find the proper way to pull the information they require. 

For instance reading the DEFCON 18 report and looking at the flags, I figured to get something like "On Site Wireless" and "ESSID" I could pose as a new employee at a remote site (provided the target has remote sites).  Use the pretext that I am at my new office but no company phone has been installed so I am reduced to my cell phone to make all my calls.  Then lead into "they didn't even set my laptop up all the way..." and proceed to ask for Wireless information.   Giving the mark signs of stress and frustration, they may think, hey I was new once and man I feel for this guys...

Knowing all this about SE, I think back to my earlier years in IT and wonder if I may have fallen for these tactics ever.  I am sure I may have since I tend to like being helpful.  But now-a-days I am much more aware.