At the request of contest organizers, IDG has agreed to remove the two named victims of the Defcon social engineering contest. The story has been corrected on the wire and paragraphs five to eight now read:
Wayne, a security consultant from Australia who wouldn't give his last name, was first up Friday morning. His mission: Get data from a major U.S. company. (IDG News Service has chosen not to report which companies fell for which attacks because of possible security risks.)
Sitting behind a sound-proof booth before an audience, he connected with an IT call center and got an employee talking. Pretending to be a KPMG consultant doing an audit under deadline pressure, Wayne got him to spill details, big time.
Wayne ignored a request for an employee number and launched immediately into a story about how his boss was on his back, and how he really needed to get this audit finished. He worked his Aussie charm on the worker, who'd only been with his new employer for a month. Within minutes, it seemed he was willing to give Wayne pretty much any information he wanted -- at one point he even visited a fake KMPG Web page that Wayne had set up.
He ended the call promising to buy the employee a beer.
Paragraphs 18 and 19 now read:
Contestants were given only 25 minutes to work. So with the clock ticking, MacDougall lucked out on his next mark -- a contract employee in the security engineering department who had been with the company for two months. After a few softball questions about job satisfaction and the quality of the cafeteria food, he went for the hard data.
The mark delivered: operating system: Windows XP, service pack 3; antivirus: McAfee VirusScan 8.7; e-mail: Outlook 2003, service pack 3; browser: IE 6.