A Wal-Mart store manager in a small military town in Canada got an urgent phone call last month from "Gary Darnell" in the home office in Bentonville, Ark.
Darnell told the manager Wal-Mart had a multi-million-dollar opportunity to win a major government contract, and that he was assigned to visit the handful of Wal-Mart stores picked as likely pilot spots. First, he needed to get a complete picture of the store's operations.
For about 10 minutes, Darnell described who he was (a newly hired manager of government logistics), the outlines of the contract ("all I know is Wal-Mart can make a ton of cash off it") and the plans for his visit.
Darnell asked the manager about all of his store's physical logistics: its janitorial contractor, cafeteria food-services provider, employee pay cycle and staff shift schedules. He learned what time the managers take their breaks and where they usually go for lunch.
Keeping up a steady patter about the new project and life in Bentonville, Darnell got the manager to give up some key details about the type of PC he used. Darnell quickly found out the make and version numbers of the computer's operating system, Web browser and antivirus software.
Finally, Darnell directed the manager to an external website to fill out a survey to prep for the upcoming visit. The manager dutifully plugged the address into his browser. His computer blocked the connection, but Darnell wasn't fazed. He said he'd call the IT department and have it unlocked.
The manager didn't think that was a concern. "Sounds good," he answered. "I'll try again in a few hours."
After thanking the manager for his help, Darnell made plans to follow up the next day. The manager promised to send Darnell over a list of good hotels in the area.
Then "Gary Darnell" hung up and stepped out of the soundproof booth he had been in for the last 20 minutes.
"All flags! All flags!" he announced, throwing his arms up in a V-for-Victory symbol.
His audience of some 100 spectators at the Defcon conference in Las Vegas burst into applause. They had been listening to both sides of the call through a loudspeaker broadcast.
"That was insane," the person next to me murmured, shaking her head in appreciation.
Darnell is actually Shane MacDougall, the champion of this year's social engineering "capture the flag" contest. He had pinched the identity of a real Wal-Mart executive, who had no idea his name was being used in MacDougall's con.
MacDougall managed to capture every single data point, or "flag," on the competition checklist -- a first for the three-year-old event.
The hackers' playground: Held every July, Defcon is where hackers come to swap tips and show off cutting-edge technical exploits.
The social engineering hackathon is an old-fashioned display of con artistry. With nothing more than a phone line and a really good story, a hacker can pry secrets loose from America's biggest and most guarded corporations.
"Social engineering is the biggest threat to the enterprise, without a doubt," MacDougall said after his call. "I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness."
MacDougall would know: The security firm he runs, Tactical Intelligence in Nova Scotia, specializes in a broad range of corporate espionage defense services. He regularly conducts social-engineering audits for clients, calling their employees to see what sensitive data he can extract.
In his view, it's a battle everyone is losing. MacDougall picks his victims carefully. Sales employees are a favorite target: "As soon as they think there's money, common sense goes out the window."
When asked about the "hack," Wal-Mart said it views MacDougall's exploit as a cautionary tale.
"We take the safeguarding of our business information very seriously and we're disappointed some basic information was shared," Wal-Mart spokesman Dan Fogleman told CNNMoney.
"When you're in the customer service business, sometimes our people can be a bit too helpful, as was the case here," he said. "We emphasize techniques to avoid social engineering attacks in our training programs. We will be looking carefully at what took place and learn all we can from it in order to better protect our business."
But Wal-Mart is not alone. Defcon's game takes aim at a different set of major corporations each year. This year's target list had nine other companies: UPS, Verizon, FedEx, Shell, Exxon Mobil, Target, Cisco, Hewlett-Packard and AT&T.
Every single one gave up at least a few of the data points competitors sought.
"A lot of the attacks we saw this weekend could have been thwarted just by critical thinking," contest organizer Chris Hadnagy said toward the end of the showdown. "We need to train people that it's ok to say 'no.'"
Comments