One of the most cherished and time-honored traditions of computer security conferences like Def Con has been the Social Engineering contest. It's a simple but satisfying hacker bloodsport — contestants sit inside a glass isolation booth in front of a live audience and call up companies to see how many network security details and other secret information they can coax from clueless customer service representatives.
Of course, the reason it's so effective — and thus, entertaining — is because social engineering bypasses firewalls and encryption to attack the most vulnerable component of any security system: humans.
Georgia-based startup Pindrop Security isn't releasing a patch for human gullibility, but it is getting $11 million of venture funding for a novel fraud detection technology which could give human operators a much-needed edge against clever con artists with far more nefarious motives than those at Def Con.
It's a bit like a re-tooled version of Caller ID, but instead of phone directories, it uses audio signal processing to authenticate calls by analyzing their acoustic properties in real time. Over time, the system builds a database of audio "fingerprints" based around those properties. The creators say it can determine a caller's location down to an area roughly the size of France, even when they're using VoIP services like Skype, with 90 percent accuracy.
The project came from the PhD thesis of Pindrop's CEO and founder, Vijay Balasubramaniyan, who realized something useful about the subtle differences in audio quality and other attributes of various countries' phone lines. For example, you can measure things that differ from country to country, like the audio cutoff frequency, to compare the declared origin of the call against audio profiles stored in the database. Vijay says those profiles are built using 147 different audio signatures across the categories of loss, noise, and spectrum, allowing the system to create a unique fingerprint for specific handsets, applications, and regions.
That means you'd be able to tell the difference between, say, a Blackberry calling from Nevada and a Skype call coming from Nigeria.
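As an added illustration (not Pindrop's code or method), the sketch below measures one such attribute, the audio cutoff frequency, from a short frame and checks it against the profile for the call's declared origin. The region names, band values, and synthetic audio are constructed placeholders, and a real system would combine many more features than this single one.

```python
import cmath
import math

# Constructed placeholder profiles: expected cutoff band in Hz per declared
# origin. Names and numbers are illustrative, not measured values.
PROFILES = {"region_a": (3300, 3500), "region_b": (2800, 3000)}


def synth_call(cutoff_hz, rate=8000, n=400):
    """Constructed test audio: equal-level tones every 100 Hz up to cutoff_hz."""
    tones = range(100, cutoff_hz + 1, 100)
    return [sum(math.sin(2 * math.pi * f * t / rate) for f in tones)
            for t in range(n)]


def spectrum(samples):
    """Magnitude of each DFT bin below Nyquist (naive DFT, fine for one short frame)."""
    n = len(samples)
    return [abs(sum(s * cmath.exp(-2j * math.pi * k * t / n)
                    for t, s in enumerate(samples)))
            for k in range(n // 2)]


def estimate_cutoff(samples, rate=8000, floor_db=-30.0):
    """Highest frequency whose level is within floor_db of the strongest bin."""
    mags = spectrum(samples)
    peak = max(mags)
    if peak == 0:          # silent frame: nothing to measure
        return 0.0
    threshold = peak * 10 ** (floor_db / 20)
    top = max(k for k, m in enumerate(mags) if m >= threshold)
    return top * rate / len(samples)


def origin_consistent(samples, declared, rate=8000):
    """True when the measured cutoff falls inside the declared origin's band."""
    lo, hi = PROFILES[declared]
    return lo <= estimate_cutoff(samples, rate) <= hi


if __name__ == "__main__":
    call = synth_call(3400)
    print(estimate_cutoff(call), origin_consistent(call, "region_b"))
```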
Pioneered by legendary phone phreaks like Kevin Mitnick, social engineering is one of the oldest strategies in the hacker playbook, yet it remains one of the most effective. Last year, Wired writer Mat Honan had his iPad remotely wiped after an attacker with just a few points of personal data was able to trick an Apple customer support representative into giving them access to his iCloud account. Even when it doesn't get results immediately, a good social engineering call can produce other useful information that hackers can utilize to get access elsewhere.
Knowing roughly where those calls originate can be useful, since fraudsters usually lie about where they're calling from, says Scott Weiss, a former Cisco security manager currently with venture capital firm Andreessen Horowitz, who just took a board seat at Pindrop after its latest funding round. "Most of this phone call fraud is coming from spook numbers out of places like Pakistan or Russia, and to know that the call is coming from one of those countries can cut down fraud almost by 75 percent," he claims. "Anytime you're calling in about a password or an ID, this technology should be applied."
Edit: A previous version of this story suggested that contestants of the Def Con Social Engineering contest earn points by acquiring passwords; points are actually earned by learning less immediately harmful information, such as network configurations and browser / OS versions.