
Social Engineering Exposes Vulnerability in Corporate Networks


"I built a system called 'Chal-Resp,' short for 'challenge-response,' that generated work pairings so a user could validate they were speaking with an actual employee," he told The Register.

How a phone call won root access

Brandon Dixon, now CTO and co‑founder of AI security firm Ent and formerly a penetration tester, recounted a simple but devastating social‑engineering success during a pentest. Dixon telephoned the company’s IT security team, pretended to be the head of security who had lost his password, and then said he had forgotten the answers to the challenge questions. The support staff accepted his claim, entered the new password Dixon supplied over the phone, and reset the account. Dixon was then able to access the network and operate with whatever privileges the compromised account allowed.

Three procedural failures in plain sight

The episode, as described in the column, exposes multiple discrete operational failures. First, the support agents accepted an asserted identity without validation — they took the caller at his word that he was an executive. Second, they proceeded despite failed challenge questions, which should have been a red flag triggering denial of the reset. Third, the team implemented a caller‑supplied password, giving IT personnel knowledge of a user’s password and bypassing controls that would send a reset token to the employee’s email or phone number. The column calls that practice "piss‑poor security" and contrasts it with safer options such as sending a reset to the real employee’s contact device.

How competitors exploited pharma sales teams — and Dixon's fix

Dixon also described a separate social‑engineering pattern while consulting for a pharmaceutical company. Rivals would call sales and marketing representatives pretending to be coworkers and then extract information about upcoming drugs. To blunt that threat, Dixon developed Chal‑Resp: a lightweight challenge‑response system that generated work pairings so callers and end users could validate each other. "The caller would need to say the word and the end‑user would need to respond with the proper challenge; only employees had access," he told The Register. The mechanism relied on a secret only employees could access, creating a shared authentication token for live voice interactions.
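The column does not say how Chal-Resp generated its pairings, so the following is an added illustration rather than Dixon's code: it assumes each day's (challenge, response) word pair is derived with an HMAC over a shared secret that only employees hold, so both sides of a call can compute the same pair without anything being distributed per call. The word list and the secret are constructed for the demo.

```python
import hmac
import hashlib
import datetime

# Constructed word list for the demo (assumption: a real deployment would use a
# larger, curated list of words that are easy to say and hear over a phone line).
WORDS = [
    "anchor", "bridge", "candle", "delta", "ember", "falcon", "granite", "harbor",
    "island", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pepper",
]

# Constructed shared secret (assumption): the "secret only employees could access",
# e.g. published on an intranet page behind employee login and rotated periodically.
EMPLOYEE_SECRET = b"constructed-demo-secret-replace-me"


def pairing_for(day: datetime.date, secret: bytes = EMPLOYEE_SECRET) -> tuple[str, str]:
    """Derive the (challenge, response) word pair for a given day.

    Anyone holding the secret derives the same pair; anyone without it can only
    guess, and the pair changes every day so an overheard word expires quickly.
    """
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    challenge = WORDS[digest[0] % len(WORDS)]
    # Pick the response from the remaining words so the two never coincide.
    remaining = [w for w in WORDS if w != challenge]
    response = remaining[digest[1] % len(remaining)]
    return challenge, response


def verify_exchange(day: datetime.date, challenge_spoken: str, response_spoken: str,
                    secret: bytes = EMPLOYEE_SECRET) -> bool:
    """Check a live exchange: the caller opens with the day's challenge word and the
    called employee answers with the matching response. Both halves are checked,
    so each side validates the other. Comparison is constant-time on bytes."""
    expected_challenge, expected_response = pairing_for(day, secret)
    heard_c = challenge_spoken.strip().lower().encode()
    heard_r = response_spoken.strip().lower().encode()
    ok_challenge = hmac.compare_digest(heard_c, expected_challenge.encode())
    ok_response = hmac.compare_digest(heard_r, expected_response.encode())
    return ok_challenge and ok_response


if __name__ == "__main__":
    today = datetime.date.today()
    c, r = pairing_for(today)
    print(f"Today's pairing: caller says '{c}', employee answers '{r}'")
    print("Valid exchange:", verify_exchange(today, c, r))
    print("Caller with wrong word:", verify_exchange(today, "bogus", r))
```

The shared secret still has to be protected and rotated like any password; the scheme only raises the bar from "sounds like a coworker" to "knows today's pair".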

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: The story underscores the need for enforced, auditable support procedures — deny resets when challenge questions fail, never accept caller‑supplied passwords, and route resets to verified email or phone numbers. Simple in‑house systems like Chal‑Resp can harden voice channels when they are a business necessity.
  • Affected enterprises and procurement leaders (pharmaceutical sales example): Firms that rely on phone‑based coordination should require suppliers and third‑party tools to support out‑of‑band verification and consider contractual obligations around identity verification for support workflows.
  • End users and the general public: Employees should expect that legitimate IT support will not ask for current passwords or accept a new password over an unverified voice call; if they do, that is a signal to pause and escalate through verified channels.

Lessons that don't require new technology

The technical sophistication of an attack matters less here than simple human behavior: people on the phone want to be helpful to someone who sounds like an executive or a colleague. The column argues that suspicion, not blind helpfulness, is central to information security. Where controls are weak, an intruder need only "ask nicely" to cross major barriers — a cautionary fact that requires immediate procedural fixes more than exotic tooling.

Conclusion: modest fixes, disproportionate benefit

The remedy this episode suggests is modest and concrete: enforce identity verification, send resets to the account owner’s verified device, never accept caller‑supplied passwords, and adopt simple voice authentication such as the Chal‑Resp approach when phone interaction is necessary. Taken together, those measures would convert one of the easiest penetration tests on record into a frustrated failed attempt — and deny attackers the low‑effort wins they crave. As the column puts it, "suspicion is the whole root of infosec," and in practice that suspicion must be built into every helpdesk procedure.

https://www.theregister.com/security/2026/05/14/to-gain-root-access-intruder-just-had-to-ask/5239853