
(CNN)   100 spectators at the Defcon conference in Las Vegas observe as 'contestant' manages to hack Walmart. To be fair, what else is there to do in Vegas?   (money.cnn.com)
    More: Interesting, Wal-Mart, social engineers, Las Vegas, Sounds Good, data points, anti-virus software, corporate website, version numbers  

4283 clicks; posted to Geek on 09 Aug 2012 at 9:47 AM (1 year ago)




Archived thread
 
2012-08-09 10:00:47 AM
Yeah, that's not hacking
 
2012-08-09 10:00:56 AM
Setec astronomy
 
2012-08-09 10:30:09 AM

save russian jews: Yeah, that's not hacking


Tell that to the Wired columnist who has been all over the news after his iCloud got hacked - what happened to him was essentially the malicious version of this. SE is probably the single most valuable skill for an aspiring blackhat by a wide margin.
 
zez
2012-08-09 10:30:14 AM
Isn't that the kind of stuff Kevin Mitnick went to jail for?
 
2012-08-09 10:32:15 AM

save russian jews: Yeah, that's not hacking


Not directly, but once you have all that information it makes hacking a damn sight easier.

Most hacks are about social engineering, why do you think most reputable websites state that an employee will NEVER ask you for your password? That's the simplest way of getting into a system, why bother with hours and hours of trying buffer overflows or trying to find a backdoor in when you can just convince some rube to give you his login details?
 
2012-08-09 10:35:25 AM

Chabash: Setec astronomy


Rat cootys semen
 
2012-08-09 10:39:02 AM

zez: Isn't that the kind of stuff Kevin Mitnick went to jail for?


No, Mitnick went to jail for what he *did* with the information he acquired. Also, the "flags" in SE CTF are not terribly sensitive information in and of themselves - uniform vendor company names, trash pickup, etc. All information that could theoretically be leveraged in some circumstances, but not exactly top secret.

Mitnick actually gave a talk in between some of the social engineering contest rounds. One of the stories he told was about dressing up as the UPS man and delivering a (doctored) software update to a mark, after first acquiring said update through social engineering the software vendor.
 
2012-08-09 11:03:00 AM

China White Tea: Mitnick actually gave a talk in between some of the social engineering contest rounds. One of the stories he told was about dressing up as the UPS man and delivering a (doctored) software update to a mark, after first acquiring said update through social engineering the software vendor.


Wow that's pretty clever.
 
2012-08-09 11:18:59 AM
Heh. Some people from my hackerspace went to Defcon this year. I went to Canada instead.

This makes me feel like I should have gone to Vegas.

/certified American hoser
 
2012-08-09 11:22:10 AM

rhiannon: China White Tea: Mitnick actually gave a talk in between some of the social engineering contest rounds. One of the stories he told was about dressing up as the UPS man and delivering a (doctored) software update to a mark, after first acquiring said update through social engineering the software vendor.

Wow that's pretty clever.


That is pretty cool.
 
2012-08-09 11:24:49 AM
Done in one.

Seriously, it's Walmart. They use off the shelf routers for the local store's back office. Corporate might be low end networking/security since Walmart is all about the profit.
 
2012-08-09 11:26:14 AM

China White Tea: save russian jews: Yeah, that's not hacking

Tell that to the Wired columnist who has been all over the news after his iCloud got hacked - what happened to him was essentially the malicious version of this. SE is probably the single most valuable skill for an aspiring blackhat by a wide margin.


This. SE is how the real damage gets done and opens the door for the more traditional aspect of hacking. Do it well enough and you can get to places where you can do permanent damage... not just to information or software, but the hardware those things sit on.
 
2012-08-09 11:26:18 AM

Chabash: Setec astronomy


Reindeer Flotilla
 
2012-08-09 11:29:41 AM
Users, always the single point of failure.
 
2012-08-09 11:58:38 AM
There is no firewall for human stupidity.
 
2012-08-09 12:06:47 PM

Gen. Chicken's Tso: There is no firewall for human stupidity.


Well, a good education might be one but I'm guessing Walmart doesn't pay enough to get that.
 
2012-08-09 12:19:18 PM
I wouldn't be overly hard on Walmart. This is the third? year, I think, that they've had the SE CTF at Def Con and the target companies are pretty much always crushed. I didn't see every round this year, but of the ones I did see, the only companies that didn't get owned hard were the ones where the caller couldn't actually get a human being on the phone (not always easy on a late Friday afternoon or a Saturday). Cisco was pretty thoroughly spanked by both contestants who called them. The woman who called didn't even have to be particularly tricky about it - she pretty much just asked, at one point, "Soooo... when's payday?"
 
2012-08-09 01:09:55 PM

save russian jews: Yeah, that's not hacking


It most definitely is. You're bypassing security safeguards to access restricted information. It doesn't matter what medium was used to accomplish it. It's just a different method of entry to the system. As mentioned, Mitnick is the most prolific social hacker (now they call them social engineers, because hackers are sensitive and we must be politically correct around them). Hell, Stuxnet was basically a social hack in the initial phase, as getting people to use the infected USB sticks on protected machines was the only point of entry to the network.
 
2012-08-09 01:19:01 PM

China White Tea: I wouldn't be overly hard on Walmart


I was impressed that the Walmart filters stopped the browser from opening the URL the "contestant" provided. So at least they've got that going.

My job makes me paranoid about this sort of stuff; I've called my manager over what ended up being a legitimate need for information. When my credit card company called with a fraud alert, I told them I'd call them back in 2 minutes.
 
2012-08-09 01:58:49 PM

Gig103: China White Tea: I wouldn't be overly hard on Walmart

I was impressed that the Walmart filters stopped the browser from opening the URL the "contestant" provided. So at least they've got that going.

My job makes me paranoid about this sort of stuff; I've called my manager over what ended up being a legitimate need for information. When my credit card company called with a fraud alert, I told them I'd call them back in 2 minutes.


Which is what you should always do. Never trust the person on the other side to be who (s)he says (s)he is when they call you and start talking (bank) accounts and fraud prevention.
 
2012-08-09 03:31:38 PM
It's all fun and games until it's your privacy, security and identity being raped.
 
2012-08-09 04:24:32 PM

bhcompy: save russian jews: Yeah, that's not hacking

It most definitely is. You're bypassing security safeguards to access restricted information. It doesn't matter what medium was used to accomplish it. It's just a different method of entry to the system. As mentioned, Mitnick is the most prolific social hacker (now they call them social engineers, because hackers are sensitive and we must be politically correct around them). Hell, Stuxnet was basically a social hack in the initial phase, as getting people to use the infected USB sticks on protected machines was the only point of entry to the network.


It's probably one of the easier hacks to do, if you are good at research and lying...
 
2012-08-09 06:11:57 PM
I do small business IT support and I'm amazed sometimes at what just saying I'm the computer guy can do. I've walked into offices with new front desk people who have never met me before, to do something on a client's server and just walk right in and back into the offices and they don't even blink. And I've done that when I wasn't expected so I know a boss didn't say the computer guy is coming today.
 
2012-08-09 07:25:42 PM

aka_mrcam: I do small business IT support and I'm amazed sometimes at what just saying I'm the computer guy can do. I've walked into offices with new front desk people who have never met me before, to do something on a client's server and just walk right in and back into the offices and they don't even blink. And I've done that when I wasn't expected so I know a boss didn't say the computer guy is coming today.


In my office we recently got new computers and switched to Windows 7. This was a big task, so we got an outside contractor to help out. His job was to call users (from some out of area number) and set up an install time. So that he could get some of the account settings set up before the meeting, he also asked for your account login and password. I was one of only two people who refused to give my password.

/I don't work for a small company
//anyone who needs to know your password either already knows it or can reset it to whatever they want
 
2012-08-09 07:27:30 PM
CPE1704TKS
 
2012-08-09 09:08:47 PM

aka_mrcam: I do small business IT support and I'm amazed sometimes at what just saying I'm the computer guy can do. I've walked into offices with new front desk people who have never met me before, to do something on a client's server and just walk right in and back into the offices and they don't even blink. And I've done that when I wasn't expected so I know a boss didn't say the computer guy is coming today.


I do the same at grocery stores when something I want is out of stock on the shelf. Walk in to the storeroom, grab what I want, head to the checkout. Not exactly the same thing, but if you act like you own the place, people tend to think you do.
 
2012-08-09 09:13:58 PM

bhcompy: aka_mrcam: I do small business IT support and I'm amazed sometimes at what just saying I'm the computer guy can do. I've walked into offices with new front desk people who have never met me before, to do something on a client's server and just walk right in and back into the offices and they don't even blink. And I've done that when I wasn't expected so I know a boss didn't say the computer guy is coming today.

I do the same at grocery stores when something I want is out of stock on the shelf. Walk in to the storeroom, grab what I want, head to the checkout. Not exactly the same thing, but if you act like you own the place, people tend to think you do.


Nice clothes, a clipboard, and confidence will get you into a surprising number of places.

Now, if only I could get my boss to understand why I change all the passwords when he gives them out to people who do not need them.

/Yes, I tried not giving them to him too
 
2012-08-09 10:41:22 PM

RogermcAllen: //anyone who needs to know your password either already knows it or can reset it to whatever they want


Words of wisdom.
 
2012-08-10 05:45:04 AM
Kinda off topic but,

What ever happened to the good ole days... When viruses were designed to do damage and "cull" the community of newbs?


Without that natural bacteria in place, we are doomed to emails with FW:FW:FW FW:FW:FWFW:FW:FW:,RE: as the subject line, and 90 billion "share this on your wall for my friend's monkey who has cancer", etc...

Will someone whip one of those up real quick?

/Please.
 