[ISN] Retail Fail: Walmart, Target Fared Worst In DefCon Social Engineering Contest

From: InfoSec News <alerts_at_private>
Date: Tue, 11 Sep 2012 02:09:21 -0500 (CDT)
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240007096/retail-fail-walmart-target-fared-worst-in-defcon-social-engineering-contest.html

By Kelly Jackson Higgins
Dark Reading
Sep 10, 2012

Walmart was the toughest nut to crack in last year's social engineering 
competition at the DefCon hacker conference in Las Vegas, but what a 
difference a year makes: this year, the mega retailer scored the worst 
among the ten major U.S. corporations unknowingly targeted in the 
contest.

The third annual DefCon Social Engineering Capture the Flag Contest, held 
at the DefCon 20 conference in late July, featured 20 contestants, men and 
women, going head-to-head to squeeze as much specific information, or 
"flags," as they could out of employees at Walmart, AT&T, Verizon, Target, 
HP, Cisco, Mobil, Shell, FedEx, and UPS over cold calls. For the first 
time, men and women were pitted against one another at the event to 
compete for the most flags they could get from a specific company, and 
their individual scores were then tallied along with the dossiers they 
submitted prior to DefCon. The dossiers are reports the contestants 
compiled from intelligence gathered before the live event through passive 
information-gathering methods such as Google searches, social networks, 
and other online research.

"Last year, the retailers just shut us down big-time, but this year, 
retail was the most forthcoming," says Chris "Logan" Hadnagy, a 
professional social engineer with social-engineer.org who heads up the 
contest. Walmart and Target ended up with the highest scores, which 
means they did the worst, he says, with Walmart gaining the dubious 
distinction of performing the worst by exposing the most information 
both online and when its employees were cold-called by the social 
engineering contestants.

Contestants posed as everything from fellow employees to office-cleaning 
service providers, using these phony personae as pretexts to schmooze the 
employees into giving up seemingly benign but actually very valuable 
information that can expose an organization to attack. One disturbing 
trend: every employee who was asked to visit a URL during the call did 
so. "Not every company was asked, but every one that was, went there. It 
was a crazy thing: [even if] they were staunch in not answering 
questions, but if the caller asked them to go to this URL and said 
something like 'I assume you're using IE7,' they would say yes or no and 
go to the URL," Hadnagy says.

[...]

Received on Tue Sep 11 2012 - 00:09:21 PDT