This year's social engineering 'capture the flag' competition at the DefCon hackers' conference was won by a contestant who does social engineering for a living. In the course of a 20 minute phone call, he successfully fooled a Wal Mart employee into revealing all the pieces of information he was after, even getting him to visit a website to 'complete a survey'. Read about the con here.
Aside from the Wal Mart story itself, the comments on the CNN article are just as telling. Even allowing for the fact that only certain people were inspired enough to want to read and respond to the article, some of them appear almost unbelievably naïve about social engineering. They don't appreciate how straightforward these attacks are, and how sneaky and resourceful real social engineers can be when they have the flags in their sights. They don't understand that they might be targets, having access to all manner of information and systems that would be of interest to the black hats. They don't know how to spot suspected attacks, nor how to deal with them. They think that social engineering is illegal, and that this therefore protects them.
Like I said, naïve.
Wal Mart's official response to the con was pretty good as such PR fluff goes: acknowledging they were fooled and agreeing to do something about it is a good start. I wonder what they will actually do, though, to improve their 'staff training'. I rather suspect they are also naïve, but hopefully they are learning quickly and changing fast.
I hope Wal Mart's security people, if not general management, are familiar with books such as The Art of Deception, The Art of Intrusion and Ghost in the Wires by Kevin Mitnick, or Spies Among Us by Ira Winkler. I hope they have absorbed Johnny Long's No Tech Hacking and David Lacey's Human Factor books. Most of all, I hope they are actually using Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program to build an awareness program that covers social engineering, just one of many issues where awareness helps.
Gary Hinson CISSP (and security awareness pro)