Canadian hacker dupes Walmart to win Defcon prize - uladzislau
http://www.thestar.com/printarticle/1239150

======
MiguelHudnandez
"As security systems get increasingly difficult to crack, hackers are turning
toward a new source of information: people."

Social engineering has _almost always_ been the most productive way to gain
access. Jessica McDiarmid does her credibility a disservice by indicating that
social engineering is a new development.

~~~
sp332
For a while, you could only get info out of humans "retail", that is, one or a
few pieces of data at a time. You could easily extract data from a computer
"wholesale", thousands or millions of records per breach.

~~~
laserDinosaur
He's not saying it's the most productive way to get data, he's saying it's the
most productive way to get access.

~~~
MiguelHudnandez
Exactly. However, sp332 may have meant that worms and such are much more
effective at getting access to more systems and information quickly, but not
in a targeted way.

------
borski
Working link on mobile:
[http://m.thestar.com/business/companies/walmart/article/1239...](http://m.thestar.com/business/companies/walmart/article/1239150--canadian-hacker-dupes-wal-mart-to-win-def-con-prize)

------
shinratdr
Isn't social engineering just conning? Why do we need a new name?

I remember a bit from The Art of The Steal which was written by Frank
Abagnale, who is the real life inspiration for Catch Me if You Can. He talked
about how to make free long distance calls in those days. Call a company via a
payphone. Ask to be transferred to the switchboard. Make up some BS about
being a part of the company and urgently needing to make an outside call. They
dial the number and connect you, the end.

Sounds like "social engineering" to me as well. Or just good old fashioned
conning, possibly re-discovered by hackers and given a new title. They're just
using the same methods we've been using to get private information since the
dawn of private information. Namely sweet-talking third parties that hold the
information and don't really know any better.

~~~
Splines
I read "Ghost in the Wires" (a book about Kevin Mitnick's life) a month or two
ago, and it's astonishing how well he knew the system. He was doing stuff like
the above, but also getting around the callback as well (I don't recall
exactly what he did, but it was something along the lines of conning the line
workers to divert an exec's phone number for testing purposes just long enough
to get the callback). That was just one of many times he pulled these sorts of
stunts for curiosity's sake.

------
DigitalSea
You can throw money at a problem like security, but it's the underpaid
employee earning $7.99 an hour that you should be throwing money at if you
want a secure company. The weak link in any security is always people.

------
paps
> _Set up an internal company security word of the day and don’t give any
> information to anyone who doesn’t know it._

I don't think it's a good idea. Imagine a social engineering attack from
inside the company, or if somehow the hacker has access to the word of the
day. When he says the word, the guy on the other end of the phone will be
way more relaxed and ready to give much more information...

------
1337biz
Is there any more detailed information anywhere about the challenge? I guess
the conference recordings are not going to include the social engineering live
session?

------
pervycreeper
Curious to know the precise list of information requested for this task.

~~~
mcpherrinm
This PDF has a list of flags from DEFCON 18 (this year was 20):
[http://www.social-engineer.org/resources/sectf/Social-Engine...](http://www.social-engineer.org/resources/sectf/Social-Engineer_CTF_Report.pdf)

I didn't watch any this year, but I've been led to believe there were more
than the 32 listed on that PDF.

~~~
laserDinosaur
Very interesting. Do they publish a list of what companies were targeted?

------
koala_advert
No video?

------
brendonjohn
so... "The Social Engineer", the sequel to "The Social Network"?