Not long ago a man calling himself Gary Darnell made telephone contact with the store manager of a Wal-Mart in a small military town in Canada. When Darnell told him that his store had the opportunity to win a major multi-million-dollar government contract, the store manager couldn’t quite believe his luck.
Darnell introduced himself as a recently hired manager of government logistics, sketched the outlines of the contract (“all I know is Wal-Mart can make a ton of cash off it”) and told the store manager he was planning to visit.
He asked the store manager for details about the store: staff-shift schedules, employee pay cycles, its janitorial contractor, its cafeteria food-service provider and so on. He even managed to find out what times the store managers took their breaks and where they went on those breaks!
Next he found out what kind of PC the store manager used, which operating system and web browser it ran, and which antivirus product was installed… exactly the details an attacker needs to pick a payload that will get past them.
Does this sound suspicious to you yet? Well, if it doesn’t, then it definitely should!
Anyway, on with the tale. The store manager kept handing information to Darnell, who eventually asked him to fill out an online survey in preparation for his forthcoming visit.
The website address Darnell gave the store manager was flagged by his antivirus software. Calm as you like, Darnell told the store manager that he would call his IT department and get the site unlocked for him. The store manager said “sounds good” and told Darnell he would try to fill out the survey again a little later. Note what just happened: the one security control that actually fired was talked around in a single sentence, and the victim volunteered to retry.
Darnell and the store manager chatted a little more about good hotels in the area, a list of which the manager promised to send over to Darnell, before Darnell finally hung up and stepped out of the soundproof booth where he had spent the entire 20-minute phone call!
An audience of more than 100 people at the Defcon conference in Las Vegas, who had been listening in on the phone call, cheered him as he shouted “All Flags!”
Gary Darnell is actually Shane MacDougall, the winner of this year’s social engineering “capture the flag” contest. MacDougall, masquerading as Darnell, had managed to get the Wal-Mart manager to give him every single data point, or “flag” as they are referred to, on the competition checklist! This is the first time a contestant has captured all of the flags in the competition’s three-year history!
The social engineering contest at Defcon is where experienced hackers use old-fashioned cunning and con-artistry to extract supposedly closely guarded business information from some of America’s largest corporations, by phone, from a booth, with no technical exploit at all.
After his winning phone call, MacDougall said: “Social engineering is the biggest threat to the enterprise, without a doubt…I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”
This is a subject MacDougall knows a lot about, for he runs the security firm Tactical Intelligence in Nova Scotia. Tactical Intelligence offers a range of corporate espionage defense services, and MacDougall often conducts “social engineering” audits for his clients, regularly pulling the same kind of stunt he pulled on the Wal-Mart manager on his clients’ employees to find out what information he can get out of them.
MacDougall thinks it is a battle that everyone is losing. He said that sales employees were his number one target because “As soon as they think there’s money, common sense goes out the window.”
When Wal-Mart was asked about the ease with which MacDougall pried sensitive data out of the organization, a spokesman said they saw it as a “cautionary tale”. He said they take the safeguarding of their business information very seriously and do “emphasize techniques to avoid social engineering attacks” in their training programs. However, he pointed out that because they are in the customer service business, sometimes their “people can be a bit too helpful.” No shit…
At least Wal-Mart can rest assured that it wasn’t the only major corporation to give up sensitive information. Several others, including UPS, Verizon, FedEx, Cisco and Hewlett-Packard, also pulled down their pants and flashed their underwear to the Defcon hackers.
Competition organizer Chris Hadnagy said: “A lot of the attacks we saw this weekend could have been thwarted just by critical thinking…We need to train people that it’s ok to say ‘no.’”