Some of Canada’s Largest Companies Fall Prey to Hackers – Spill Secrets Over the Phone

CBJ Newsmakers

QUEBEC CITY, Nov. 15, 2018 (GLOBE NEWSWIRE) — On November 2nd and 3rd, Hackfest, Canada’s largest computer hacking conference, held the second iteration of its Social Engineering Capture The Flag, a competition that pits some of Canada’s top hackers against each other, and against some of Canada’s largest companies. The contest, designed to test the security of companies against social engineers (hackers who specialize in eliciting sensitive information from strangers by phone), once again showed that high-profile organizations with advanced security systems in place still fall prey to talented attackers.

The companies randomly selected for this year’s event were Bell Canada, Hydro Quebec, Shell Canada, Canada National Railway, National Bank of Canada, Bank of Montreal, Metro Inc, and Tele Quebec. All were asked for sensitive information, ranging from information about passwords to locations of security cameras, versions of operating systems, mail clients, web browsers, and other information used by hackers to effectively target victims.

The results of this year’s contest were quite eye-opening. Of the eight companies targeted, all gave out information that would give an attacker an advantage for a remote attack, an on-site attack, or both. Specific breakdowns of interesting results include:

  • 75% visited a URL provided by their attacker
  • 100% gave information about which operating system version and service pack version they were running
  • 88% gave detailed information on what internet browser they were using
  • 75% divulged information about Wi-Fi within their network
  • 63% divulged information about secure document shredding, including their provider and the schedule for disposal
  • 63% divulged detailed information about their email client
  • 75% gave detailed information about the internal computer network
  • 75% shared personal information about themselves and their work history with the company

All this information would have allowed a criminal to compromise the security of these organizations!

“Social engineering remains the top threat to Canadian business,” says contest organizer Shane MacDougall, a security researcher who has been specializing in these types of attacks since 1989. “You can have all the firewalls and security appliances in the world. But if you don’t train your employees properly and frequently, one phone call can make all that expense useless.” Hackfest organizer and security consultant Patrick Mathieu agrees. “Until we can get Canadian companies to recognize the real threat, we are going to continue to see massive data breaches and hacks. Our mission here at the conference with this contest is to raise awareness within the Canadian business community to step up and take action.”

A full report on the competition’s results is being prepared, and company-specific reports will also be released upon request to all the targeted companies.

Contact: Patrick Mathieu /