Social engineer hacks Wal-Mart from Defcon

In a contest at the hacker conference Defcon, security specialist Shane MacDougall successfully penetrated Wal-Mart. "Social engineering is the biggest threat to the enterprise, without a doubt," MacDougall said after his call. "I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness." (via @kevinmitnick)


  1. It reminds me of the energy debate. Everyone wants to talk about sexy technologies but very few people are really investing seriously in energy efficiency, the greatest source of loss.

    1. There’s very little money to be made in using less power with existing equipment. Replacing equipment, on the other hand, lots of money to be made there.

  2. Why spend money on awareness, that’s what the movie Hackers is for – social engineering was key to their hacking in the film. Well, it’s in every film about hackers, actually.

    What, not all low-level corporate Wal-Mart employees have seen Hackers? Pretty sure it’s in the $5 DVD bin, even!

    1. Funny you should mention that film. A few years ago on DEFCON movie night, they played Hackers with an audience of drunken hackers who MS3K’ed the hell out of it (and later, did the same thing with Swordfish and Sneakers).

  3. My company spends plenty of money on awareness, and we have refresher security training every 4-6 months. Unfortunately social engineering isn’t a problem that education alone can solve. First of all, most people genuinely want to help other people, so unless your company is staffed entirely by people who do not have that instinct or who can willfully override it, people will sometimes give in to rule breaking in the interest of helping a supposed colleague. Secondly, any time you require perfection from human beings (perfect attentiveness to security, perfect compliance with rules, perfect ability to discriminate legitimate vs social engineered requests) you are going to run into problems. So, sure, some education is probably better than none, but otherwise it falls into the calculus of how much you want to inconvenience your employees (via limited access to information, limited autonomy) to limit the damage caused if one of them becomes compromised.

    My company disables (unplugs or snips wires) the front USB ports of its employees’ computers, because it has decided that just relying on education is not good enough to prevent introduction of malware or information theft via flash drives. That’s not the same thing as a social engineering threat, but the result is an example of going beyond education to solve the problem.
