Aussie blue chips breached in RSA-style attacks.

Some of Australia's top 100 companies have been compromised under penetration tests using the same tactics that struck down RSA and HB Gary Federal this year.

The paid attacks were a series of infiltration tests designed to evaluate the effectiveness of corporate security.

It included penetration tests against IT security and physical security, along with social engineering attacks against staff.

Almost all of the companies tested fell to social engineering attacks where staff were tricked into handing over sensitive corporate data during a convincing phone call or by clicking on specially-crafted malicious links which gave the assessors access to the corporate networks.

In April, security company RSA was compromised after a staff member opened malicious email attachments. Social engineering was also used to bring down HB Gary Federal.

"When we started this we though it would take weeks to own them," said Drazen Drazic, director of penetration testing firm Securus Global. "But it took less than a few hours."

Less than a dozen companies were prepared to be tested under Red Cell Assessments, a name which borrows US military parlance for security examinations.

But each of those tested were global household names and were compromised to the extent that offshore sites could be breached.

"We would call up pretending to be someone with access. We haven't had to break in - it's just taken a couple of phone calls, or a crafted web site," Drazic said.

Vectors of attack included redirecting CCTV cameras, duplicating and hacking smart cards and tailing staff.

While clients may request that tests be dropped once the first breach was made, one of the largest companies requested that the attacks continue until executive managers were compromised.

"That was a large global corporate and we owned management," Drazic said.

The social engineering and IT security boffin involved in the attacks, who asked not to be named, had a history of social engineering.

He successfully breached one of the world's largest food and drink companies at a social engineering contest at the DefCon hacking conference last year after its staff, thinking him to be an auditor, had handed him corporate usernames and passwords.

Drazic said the companies were not sore after the intrusions because the results were used to educate staff aware of the threats.

He said some companies had used budget normally spent on new hardware to pay for the costs which he said was more effective at reducing risk.

"It is much cheaper and more productive to train your people than throw squillions at new firewalls," he said.

Copyright © SC Magazine, Australia