<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Social-Engineer.Org &#187; Blog</title>
	<atom:link href="http://www.social-engineer.org/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.social-engineer.org</link>
	<description>Security Through Education</description>
	<lastBuildDate>Fri, 03 Feb 2012 15:56:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Social-Engineer.Org in 2012 &#8211; More Growth and Exciting News</title>
		<link>http://www.social-engineer.org/social-engineering/social-engineer-org-in-2012-more-growth-and-exciting-news/</link>
		<comments>http://www.social-engineer.org/social-engineering/social-engineer-org-in-2012-more-growth-and-exciting-news/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 04:27:46 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2509</guid>
		<description><![CDATA[What is new... what is coming... 2012 will be the year of the Social Engineer!]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.social-engineer.org/social-engineering/social-engineer-org-in-2012-more-growth-and-exciting-news/attachment/news/" rel="attachment wp-att-2510"><img class="alignleft  wp-image-2510" style="border: 1px solid black; margin: 1px;" title="news" src="http://www.social-engineer.org/wp-content/uploads/2012/02/news.jpg" alt="news Social Engineer.Org in 2012   More Growth and Exciting News" width="392" height="196" /></a>For almost 3 years the team at Social Engineer has been bringing you the best in Social Engineering information and education: <a title="SEORG Newsletter " href="http://www.social-engineer.org/se-newsletter/" target="_blank">information, tips, tricks, and research,</a> which have since branched off into live, in-person, intensive training classes. As the new year gets into full swing we wanted to highlight some of our upcoming events and announcements.</p>
<p>Chris “loganWHD” Hadnagy will be conducting a round table open discussion at RSA this year. The topic of his panel is “Social Engineering &#8211; Is it the Biggest Threat?” Social Engineering (SE) is a hot topic that has gained a lot of notoriety in recent attacks.</p>
<p><span id="more-2509"></span></p>
<p>Anonymous claims it is using SE in all of its attacks, yet despite the wake of devastation, companies are still reluctant to accept Social Engineer Penetration Tests. Is SE a big threat? If so what NEEDS to be done to protect business from this threat? Find out at RSA!</p>
<p><a rel="nofollow" target="_blank" title="RSA Hadnagy Speeches" href="https://ae.rsaconference.com/US12/scheduler/speakers.do?letter=H&amp;sort=fullNameReversed" target="_blank">RSA Conference &#8211; March 1st, 2012 @ 2:10pm &#8211; Moscone Center, San Francisco, CA</a></p>
<p>This year also marks the start of Social-Engineer.Com’s exciting new 5-day, intensive, live, hands-on classes dubbed <a rel="nofollow" target="_blank" title="Social Engineering for Penetration Testers" href="http://www.social-engineer.com/social-engineering-in-penetration-testing-registration/" target="_blank">Social Engineering for Penetration Testers</a>. We are excited to announce that just 1 month after going live with our dates, our April classes in Bristol, UK are completely SOLD OUT! Seats for this groundbreaking class and certification are going fast!</p>
<p>If the class sells out and you don’t get in &#8211; we don’t want to hear any whining. This course is not simply a set of lectures; it’s a hands-on, interactive class led by two of the industry’s most knowledgeable and trusted sources for all things Social Engineering, Chris Hadnagy and Robin Dreeke. This class will give you the skills necessary to take on the Social Engineering Pentest Professional (S.E.P.P.) certification (as well as give you 40 CPE credits). The Social Engineering for Penetration Testers course will be held in the following locations on the dates specified:</p>
<p>March 5th &#8211; 9th, 2012 &#8211; Seattle, WA, USA<br />
April 9th &#8211; 13th, 2012 &#8211; Bristol, UK &#8211; SOLD OUT<br />
<a rel="nofollow" target="_blank" title="Social Engineering for Pentesters Black Hat" href="https://www.blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social-engineering.html" target="_blank">July 21st &#8211; 24th, 2012 &#8211; Black Hat Conference, Las Vegas, NV, USA</a><br />
August 20th &#8211; 24th, 2012 &#8211; Bristol, UK<br />
November 12th &#8211; 16th, 2012 &#8211; Columbia, MD, USA</p>
<p>Eric “Urbal” Maxwell will present a full analysis of the data collected during the <a rel="nofollow" target="_blank" title="Defcon 19 SE CTF Report" href="http://www.social-engineer.com/social-engineering-capture-the-flag-report/" target="_blank">2011 Social Engineer Capture the Flag contest</a> held at Defcon 19. This data includes an in-depth look at the contest, the targets, the attackers, and everything in between. The analysis covers how individual companies performed against the attacks, differences in industry defense, types of attacks, tools used, pretexts, attack vectors, and what could have been done to mitigate such attacks. This presentation can be heard at the following events:</p>
<p><a rel="nofollow" target="_blank" title="Urbal at 2600" href="https://www.phx2600.org/meeting-info/" target="_blank">2600 &#8211; PHX2600 &#8211; Feb 3rd, 2012</a></p>
<p><a rel="nofollow" target="_blank" title="BSIDES" href="http://www.securitybsides.com/w/page/48438585/BSidesPHX" target="_blank">BSides Phoenix &#8211; February 18th, 2012 &#8211; Dave &amp; Busters, Tempe, AZ</a></p>
<p>Also, in January 2012, the<a rel="nofollow" target="_blank" title="Pentest Magazine" href="http://pentestmag.com/social-engineering-pentest-092012/" target="_blank"> SEORG team took over PenTest Magazine</a> and authored 5 articles on Social Engineering!</p>
<p>Mastering the Behavioral Techniques for Quick Rapport and Elicitation &#8211; Robin Dreeke<br />
Primer on Priming &#8211; Eric Maxwell<br />
Neuro-Linguistic Hacking &#8211; Chris Hadnagy<br />
The Power of the Ultimate Social Engineer &#8211; Chris Hadnagy<br />
Selling Social Engineering Services &#8211; Jim O’Gorman<br />
The Top Five Social Engineering Mitigation Tips &#8211; Chris Hadnagy</p>
<p>Of course, we can’t fail to mention that Defcon 20 rapidly approaches.  The SE CTF will be bigger, badder, and sexier than ever. This year (SPOILER ALERT) the SE CTF will be a “Battle of SExes”.  Want more details than that?  You’ll have to wait.  But we are presently searching for willing companies who want to work with us as sponsors, targets and supporters.  We will be announcing the events soon.</p>
<p>In addition, we have been asked to come up with another year of the SE CTF for Kids!  If you thought last year was crazy, this year will prove to be even more amazing.  There will be some serious changes in how this event is structured &#8211; it will be more challenging, more fun, and even crazier than last year.</p>
<p>2012 is shaping up to be an exciting year for computer security, social engineering, and especially Social-Engineer.org! Stay tuned for everything you have come to expect&#8230; informative blogs, hard-hitting newsletters, engaging podcasts, automated toolkits, world-renowned Capture the Flag contests, and industry standard how-to books&#8230; and even things you never saw coming&#8230; 5-Day LIVE classes taught by the pros! Stay tuned to Social-Engineer, we’re just getting started!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/social-engineering/social-engineer-org-in-2012-more-growth-and-exciting-news/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Yourself A BotNet</title>
		<link>http://www.social-engineer.org/social-engineering/social-engineering-yourself-a-botnet/</link>
		<comments>http://www.social-engineer.org/social-engineering/social-engineering-yourself-a-botnet/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 04:34:42 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2499</guid>
		<description><![CDATA[The hacktivist group Anonymous reared its head in this debate to show its disdain for any law that would censor or prohibit the use of the Internet, and they do so using a form of social engineering.]]></description>
			<content:encoded><![CDATA[<p>Not too long ago the announcement about an Internet Sponsorship Law, SOPA, basically caused the Internet to blow up with people voting, supporting<a href="http://www.social-engineer.org/social-engineering/social-engineering-yourself-a-botnet/attachment/botnet/" rel="attachment wp-att-2500"><img class="alignleft  wp-image-2500" style="border: 2px solid black; margin: 2px;" title="BotNet" src="http://www.social-engineer.org/wp-content/uploads/2012/01/BotNet.jpg" alt="BotNet Social Engineering Yourself A BotNet" width="378" height="260" /></a>, and showing how much they disliked this proposed bill. The way the “Internet Community” came together is a lesson in mass influence itself, but we are going to focus on a different aspect of this drama.</p>
<p>The hacktivist group Anonymous reared its head in this debate to show its disdain for any law that would censor or prohibit the use of the Internet, and they do so using a form of social engineering.</p>
<p>One of the less influence-based forms of social engineering involves drawing people to a website that is either loaded with malicious software/code or has downloads that are dangerous or infected. Apparently, Anonymous used this form of social engineering to create, in essence, one of the world’s largest botnets full of unsuspecting participants.<br />
<span id="more-2499"></span><br />
<strong>How?</strong><br />
Anonymous used its legions of faithful supporters to spread shortened links that drew interested parties to certain pages. Since a user can’t possibly know what to expect when they load a URL, Anonymous capitalized on this to create its botnet.</p>
<p>As users visited the listed URLs, their browsers were hijacked and some code was executed. Once executed, it caused each user’s browser to make a massive number of requests to the targets’ websites (in this case DOJ and FBI). When hundreds, thousands, or even more people hit these malicious URLs, so much traffic is sent that it DDoSes the sites in question.</p>
<p>What are the implications of this type of attack? This form of social engineering is pretty malicious. Even simple curiosity can make the site visitor an unwilling participant in an act that could be considered terrorism. This, of course, is a very serious matter, as connections from home or work users become inundated with this malicious traffic.</p>
<p>In the age of shortened URLs, this kind of story just makes it ever more clear that the user needs to take responsibility before clicking a link. These types of attacks are how people’s computers get hacked and how accounts are compromised. Now, it’s how massive botnets are created.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/social-engineering/social-engineering-yourself-a-botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Holiday Social Engineering Scrimmage</title>
		<link>http://www.social-engineer.org/how-tos/holiday-social-engineering-scrimmage/</link>
		<comments>http://www.social-engineer.org/how-tos/holiday-social-engineering-scrimmage/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 15:14:27 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[How-Tos]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2444</guid>
		<description><![CDATA[In this blog we will recap some previously explained techniques and give you handy suggestions on how you can put these skills and knowledge to the test. You can even make a game out of it!]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="border: 2px solid black; margin: 2px;" src="http://2.bp.blogspot.com/_TfoEWsV48_s/TUsRHDnIJ0I/AAAAAAAACQg/HEyWcWbfEbE/s1600/DSC_7530.JPG" alt=" Holiday Social Engineering Scrimmage" width="420" height="281" title="Holiday Social Engineering Scrimmage" />Unless you are starring in the next “Planet of the Apes” this Holiday season, you will undoubtedly find yourself surrounded by humans. Many situations may arise, from company parties and family get-togethers to year-end celebrations. These events provide you with a perfect test bench to try out your <a title="Social Engineering Skills" href="http://www.social-engineer.org/framework/Social_Engineering_Framework" target="_blank">social engineering skills</a>. Take advantage of the fact that you will be submerged in groups of people, some familiar, some not.</p>
<p>Sadly, your family will insist you not be on IRC during the holiday festivities. I know, crazy, right? It is what it is, so make the best of it. In this blog we will recap some previously explained techniques and give you handy suggestions on how you can put these skills and knowledge to the test. You can even make a game out of it!<br />
<span id="more-2445"></span> <strong></strong></p>
<p><strong>Holiday Season Social Engineer Game #1</strong><br />
In October 2011 we taught you about the<a title="NonSexual Touch" href="http://www.social-engineer.org/tactics/the-power-of-nonsexual-touch/" target="_blank"> power of nonsexual touch</a> and how impactful it can be in increasing compliance up to 70%!!  Research shows that just a simple, nonsexual touch to the upper arm of your target increases compliance, increases helping behavior, increases the level of attraction your target has to you, and signals to your target that you are powerful. These effects are compounded, meaning subjects that were touched twice showed increased compliance over those subjects only touched once.</p>
<p>While the rest of the group is sipping Eggnog and talking about what diet they are going to start after the new year, pick two groups of individuals from the pool of people at the event. Pick 3 to 4 people to represent Group A and 3 to 4 people for Group B. Just make sure both groups contain the same number of people. Now pick a task, say retrieving something from your car, or have some pre-determined quiz ready. Maybe take a subset of the IQ exam; just a few questions will do. Now ask both groups of people to do your bidding. When asking Group A, make sure to touch each individual on the arm briefly and gently. Then, for Group B, issue the request with no physical touch. See which group complies more.</p>
<p>The trickiest part of this game will be to pick a task that the groups won’t just automatically do because you are who you are (as well as not making it sexual touch). For instance, don’t ask subordinates to go make a copy of something for you because they will all do it, you’re their boss. Instead, try to devise something they feel comfortable opting out of.</p>
<p><strong>Holiday Season Social Engineer Game #2</strong><br />
For a lot of families, playing cards is a long-time holiday tradition. We all know that family card games are mostly just for fun. We also know how fun it is to manipulate people and situations to your advantage, especially if it means beating Uncle Dick in a game of 5 card. In November 2011 we taught you <a title="How to Bluff" href="http://www.social-engineer.org/how-tos/how-to-bluff-like-a-pro-in-vegas/" target="_blank">how to bluff like a pro in Vegas</a>. There is no reason you can’t use these skills in a warm and cozy home in Barrington, IL instead of Las Vegas. (And you have a greater chance of leaving with both knee caps too!)</p>
<p>Try to really trick and confuse the table. Know your opponents. If you are playing Hold’Em with a bunch of statisticians or mathematicians, chances are, they know a little about the game and you should employ some advanced social engineering here. Layer your scams and really try to obfuscate your position. Perhaps try to fabricate microexpressions to confuse your opponents. If you’re just playing a friendly game with your cousins, you can lower your game a little bit and enjoy yourself. Reverse your tells, or even better, double reverse your tells. Try to make people think you’re a great card player, then act excited when you have a good hand and sad when you have a bad hand. Because your opponents think you’re a good player, they expect you to seem sad when you have a good hand.</p>
<p><strong>Holiday Season Social Engineer Game #3</strong><br />
In March of 2011 we launched what proved to be one of our most popular and widely read blog posts to date, on a real life example of <a title="Reading MFE's" href="http://www.social-engineer.org/interesting-se-articles/microexpressions-a-key-to-studying-human-behavior/" target="_blank">reading microexpressions.</a></p>
<p>In this post we analyzed how microexpressions will show what a person is really feeling.  This game will take a little skill but can be really rewarding in the end.  First pick a topic that you know some will not like; don’t make it too offensive, but choose something that should elicit either anger or disgust.  For example, something like “On the way here tonight I saw this poor deer get smeared by a car.  Dang, its guts were everywhere&#8230;”  That should elicit the proper level of disgust in your listeners.</p>
<p>Watch the faces of those you are talking to and see if you can pick out disgust.  Once you get your “juice” on and you are ready to start reading some faces, sit back and see if you can pick out what people are feeling in conversations across the room.  Then get within earshot and see if what you thought was right.</p>
<p><strong>Holiday Season Social Engineer Game #4</strong><br />
Back in December of 2009 we launched a blog post all about using the <a rel="nofollow" target="_blank" title="Lie Detection in the Hands" href=" http://www.social-engineer.org/interesting-se-articles/liar-liar-your-hands-are-on-fire/" target="_blank">language of the hands to detect honesty or untruth</a> in a person.</p>
<p>This can be a really great time when it comes to large rooms of family all trying to be happy and make the time together enjoyable.  There are 8 tips in that blog post on how you can see if someone is lying or not.   This game can be a little uncomfortable but it can also really help you practice some valuable SE skills.</p>
<p>Ask a family member for their version of a story and then try to pick out these 8 tips and see if you can catch someone in a lie.  You don’t have to call them on it, just play along and see if you can get them to further the story and see if the body language tips become even more evident.</p>
<p><strong>Final Tip for the Social Engineering Games</strong><br />
Remember, the holidays are all about having fun and relaxing with family and friends. Take this time, away from the IRC channel and SEORG, to practice on real people in an unassuming setting. Hone the skills that will make you a professional social engineer.</p>
<p>We hope we have given you some ideas to have some fun this holiday season. Stay tuned to Social-Engineer.org in 2012, there will be a lot of changes and some exciting new developments around the corner. We’re coming strong in 2012 (we want to get as much info out there as possible before the world ends) with more blogs, more<a rel="nofollow" target="_blank" title="Social Engineering Newsletters" href="http://www.social-engineer.org/se-newsletter/" target="_blank"> newsletter</a> content, epic <a title="Social Engineering Podcasts" href="http://www.social-engineer.org/podcast/" target="_blank">podcasts</a>, worldwide <a title="Social Engineer Training and Services" href="http://www.social-engineer.com/social-engineer-training/" target="_blank">training</a>, and much, much more!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/how-tos/holiday-social-engineering-scrimmage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How To Bluff Like a Pro in Vegas</title>
		<link>http://www.social-engineer.org/how-tos/how-to-bluff-like-a-pro-in-vegas/</link>
		<comments>http://www.social-engineer.org/how-tos/how-to-bluff-like-a-pro-in-vegas/#comments</comments>
		<pubDate>Fri, 04 Nov 2011 15:05:12 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[How-Tos]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2389</guid>
		<description><![CDATA[Great poker players understand that poker is a war of the psyches. While you are actively studying your opponents, your opponents are also actively studying you.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.social-engineer.org/how-tos/how-to-bluff-like-a-pro-in-vegas/attachment/bluff/" rel="attachment wp-att-2390"><img class="alignleft size-full wp-image-2390" style="border: 2px solid black; margin: 2px;" title="BLUFF" src="http://www.social-engineer.org/wp-content/uploads/2011/11/BLUFF.jpg" alt="BLUFF How To Bluff Like a Pro in Vegas" width="384" height="363" /></a>We have previously written about how to read other poker players and determine the strength of their hand by using various <a title="Poker and SE" href="http://www.social-engineer.org/newsletter/SocialEngineerNewsletterVol02Is10.htm" target="_blank">Social Engineering techniques</a>. In this article we will discuss ways to use Social Engineering to trick and deceive the other players to give yourself an advantage at the table.</p>
<p>Poker is a unique game at a Casino. <a rel="nofollow" target="_blank" title="Casino Games" href="http://www.casinoguide.com/" target="_blank" rel="follow">Unlike every other game in the Casino</a>, in poker, you are playing against the other players as opposed to playing against the house like in Black Jack, Craps, Roulette, etc. As you analyze the game and really understand poker, you quickly realize that it’s not a card game, it’s a people game.</p>
<p>Here are some famous quotes from Poker players, professional and amateur:</p>
<p>“If, after the first twenty minutes, you don&#8217;t know who the sucker at the table is, it&#8217;s you.”  ~David Levien and Brian Koppelman, Rounders</p>
<p>“The commonest mistake in history is underestimating your opponent; it happens at the poker table all the time.”  ~David Shoup</p>
<p>“In a game of poker, I can put the players&#8217; souls in my pocket.”  ~Beausourire</p>
<p>“Poker is&#8230; a fascinating, wonderful, intricate adventure on the high seas of human nature.”  ~David A. Daniel</p>
<p><span id="more-2389"></span></p>
<p><a rel="nofollow" target="_blank" title="Poker Players" href="http://www.casinoguide.com/top-5-athletes-that-know-their-way-around-a-poker-table.html" target="_blank" rel="follow">Great poker players</a> know and understand that poker, while played using cards, is essentially a war of the psyches. While you are actively studying your opponents, your opponents are also actively studying you. Knowing that you have their utmost and undivided attention, what can you do to mislead them?</p>
<p>This is where our nonverbal communication comes in.  Think of this: you are sitting at the park with your kids, and as you look across the park you see a young girl eating an ice cream cone.  She looks like this:</p>
<p><img class="aligncenter" src="https://lh5.googleusercontent.com/ulJUcu7apE8RT2G8-fnyCyx69PuXF6BRZ5OGl0ymXs_1iSLXA7ECI9OwhTvn3D1dOyFzzPw_OvX6LzB-JA2jJ8N-gAwUc3A8dRgOvaPw6qapoT5aSrg" alt=" How To Bluff Like a Pro in Vegas" width="131px;" height="196px;" title="How To Bluff Like a Pro in Vegas" /><br />
Does she like the ice cream or hate it?</p>
<p>Or if she looked like this?</p>
<p><img class="aligncenter" src="https://lh6.googleusercontent.com/roY8DQ-5_6EI0kVCQaBEHOyEUqcOBB-FSjF_JLro1rY0MgsGYjgqCYIx7qwGJy32OFSToIAFtpxY-_8UXh5IqossMjRmDcAMh3_017meG6qZcN9UB2s" alt=" How To Bluff Like a Pro in Vegas" width="126px;" height="168px;" title="How To Bluff Like a Pro in Vegas" /></p>
<p>We can tell a lot about a person by the way their<a title="Nonverbal Communication" href="http://www.social-engineer.org/how-tos/gift-giving-social-engineer-style/" target="_blank"> nonverbal communication </a>portrays their emotions.  So why not use this in the casino? How?</p>
<p>When a poker player at a table has a good hand, are there “tells” that indicate they have a good hand? If the player has a bad hand, what are the tells? Often rookie players will subconsciously give immediate tells when a certain action happens on the table, such as a flop. Often happiness or sadness is conveyed by nonverbal communications. An experienced poker player will be watching his opponent for these nonverbal “tells”, watching for the emotions that sneak out unintentionally.</p>
<p>This is where your social engineering skills can come in handy.  Knowing that the experienced players will be watching you, plant subtle tells when you have a bad hand.  Bid, then lose.  If you do this one or two times, then when you have a great hand be careful!  Show those same nonverbal tells that indicate a bad hand. If you are successful the players will assume you have a bad hand and gladly bet all their money against you.</p>
<p>A good Social Engineer can fabricate these micro expressions and forge the immediate response. Fake a subconscious sadness when you’ve got four of a kind and see how far you can string your opponent along.</p>
<p>Poker can get extremely intense with layers upon layers of <a title="Persuasion for Social Engineers" href="http://www.social-engineer.org/wiki/index.php?title=Podcast/007_-_Using_Persuasion_On_The_Mindless_Masses&amp;redirect=no" target="_blank">persuasion techniques</a> and bluffs designed to obfuscate the reality of your hand. Rookies often attempt to show the table the opposite of reality by doing things such as looking away during a flop or feigning disinterest. So when a rookie has a bad hand, the rookie will attempt to convince the table that he has a good hand. The experienced players are on the lookout for these things. What if you, the experienced Social Engineer, play the role of a rookie making rookie mistakes and doing rookie things?</p>
<p>Social Engineering is great for the game of poker but we strongly caution you in using these skills &#8211; Casinos do not take kindly to anyone who even appears to be cheating.  Use these skills with caution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/how-tos/how-to-bluff-like-a-pro-in-vegas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Power of Nonsexual Touch</title>
		<link>http://www.social-engineer.org/tactics/the-power-of-nonsexual-touch/</link>
		<comments>http://www.social-engineer.org/tactics/the-power-of-nonsexual-touch/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 02:57:58 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Tactics]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2286</guid>
		<description><![CDATA[Let’s explore the role of nonsexual touch in communication and see how it can benefit the Social Engineer]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.social-engineer.org/tactics/the-power-of-nonsexual-touch/attachment/touch-pic/" rel="attachment wp-att-2287"><img class="alignleft size-full wp-image-2287" style="border: 2px solid black; margin: 2px;" title="Non-Sexual Touch" src="http://www.social-engineer.org/wp-content/uploads/2011/10/touch-pic.jpg" alt="touch pic The Power of Nonsexual Touch" width="420" height="288" /></a>Often when we think about Social Engineering we think about manipulating individuals by speaking to them. We think of talking the call center employee into doing our bidding or posing as a delivery representative and talking our way onto the facilities. We rely on our eyes and ears as we navigate the world but we often forget about, or don’t give enough credit to, the power of nonsexual touch. Let’s explore the role of nonsexual touch in communication and see how it can benefit the Social Engineer.</p>
<p>Research shows how simple touching can increase compliance, helping behavior, attraction, and can be used to signal power. Even the slightest touch can influence the way someone thinks about you or perceives the situation. Knowing how touch can influence your target is vital information every Social Engineer should be familiar with.</p>
<p>A 2003 study from the Université de Bretagne-Sud in Vannes, France showed that a <a rel="nofollow" target="_blank" title="Light Touch" href="http://www.ncbi.nlm.nih.gov/pubmed/14658752" target="_blank">simple light touch on the arm</a> increased the likelihood of strangers helping an individual from 63% up to 90%.  Similar techniques can be used to increase compliance. As an example, a study by Willis and Hamm asked individuals to sign a petition. 81% of those touched signed the petition compared to 55% who were not touched. A second and similar study asked people to fill out a questionnaire. Simply touching the individuals asked to take the questionnaire<a rel="nofollow" target="_blank" title="Compliance for Social Engineers" href="http://www.springerlink.com/content/q2v6l6526252g04j/" target="_blank"> increased their compliance</a> from 40% to 70% &#8211; How would you like those results on your next <a rel="nofollow" target="_blank" title="Social Engineering Penetration Test" href="http://www.social-engineer.com/social-engineer-services/" target="_blank">social engineering pentest</a>?</p>
<p><span id="more-2286"></span>As it turns out, we can compound the positive effects of nonsexual touch by increasing the amount of touch administered. A study by Vaidis and Halimi-Falkowicz showed that<a rel="nofollow" target="_blank" title="Touching Twice" href="http://www.ncbi.nlm.nih.gov/pubmed/18982940" target="_blank"> touching an individual twice</a> increased the likelihood that the individual would complete a survey over those individuals touched only once.  Not surprisingly, when men were touched by a female, the effects were strongest. Even if the touch was nonsexual, it may be interpreted, subconsciously, by the individual in a way that elicits an even more favorable response.</p>
<p>It’s important to understand that these techniques can have vastly different results depending on the culture involved. In cultures where there is a high level of homophobia, a male touching a male on the arm will generate far less compliance than the same action in a different culture. In Poland, where high levels of <a rel="nofollow" target="_blank" title="Homophobia and Social Engineering" href="http://www.springerlink.com/content/kg2lg0q136753782/" target="_blank">homophobia exist</a>, a 2010 study showed far less compliance between two men than a similar study conducted in 2007 in France, where touching is acceptable between men. Generally, a <a rel="nofollow" target="_blank" title="Male to Female" href="http://nicolas.gueguen.free.fr/Articles/SBP2010a.pdf" target="_blank">male to female or female to male touch</a> will generate the most compliance, but it’s important to properly gauge your environment.</p>
<p>A position of dominance can be immediately achieved by light, nonsexual touch. Observations by Henley showed that people who touch others are of a higher status than those being touched.  Summerhayes and Suchner showed that, in general, we look at people who touch others as <a rel="nofollow" target="_blank" title="Social Engineering Power" href="http://psycnet.apa.org/?fa=main.doiLanding&amp;uid=1974-09007-001" target="_blank">having more power </a>in our society.  By simply touching someone on the forearm, we <a rel="nofollow" target="_blank" title="Establish Dominance" href="http://www.springerlink.com/content/u18x417626x4v143/" target="_blank">establish dominance </a>over them which will increase compliance.</p>
<p>A 2007 study conducted by French researchers, Erceau and Gueguen, showed that touching someone for just one second makes them view you as more<a rel="nofollow" target="_blank" title="Win Rapport with Touch" href="http://www.tandfonline.com/doi/abs/10.3200/SOCP.147.4.441-444" target="_blank"> sincere, friendly, honest, agreeable, and kind.</a> It is amazing that simply touching someone&#8217;s arm for one single second can make them think more favorably of you.</p>
<p>Utilize the power of touch on your next Social Engineering engagement. When standing next to someone and attempting to gain access to an area or while attempting to extract information, reach out and gently touch their arm for a brief second while you are making your request. This simple action, when performed appropriately, will make your target think you’re more sincere, more dominant, more honest, and will increase compliance. Try two brief touches for even better results!</p>
<p dir="ltr">*** CAUTION:  It is important to note that touching is not always appropriate and will not always yield positive results. Each situation must be interpreted as an isolated case. Use your best judgement by assessing the situation.***</p>
<p>When touching is appropriate, touch lightly on the upper arm as this is the safest place to touch someone that you don’t know.  A simple light touch of your target’s arm can be the difference between a successful Social Engineering attack and an unsuccessful attack.</p>
<p><strong>Using as a Social Engineer</strong></p>
<p>As a Social Engineer, one cannot run around touching everyone, or you may end up in trouble with the law. There are ways a Social Engineer can use the power of touch to create an endearing atmosphere that will turn your target into putty for your shaping.</p>
<p>Imagine this scenario&#8230;. you want to <a rel="nofollow" target="_blank" title="How to Gain Acess" href="http://www.social-engineer.com/social-engineer-training/" target="_blank">gain access to a building</a> and, thanks to their Twitter status updates, you know the HR staff is out of town for a conference. You come in to the office, looking disheveled, with a coffee-dripping resume.</p>
<p>You approach the desk and tell the front desk person you are here to see Mr. &lt;Out of Town&gt; but just need a minute to compose yourself.  She looks at you, almost sad for you and says, “I’m sorry but he’s not here, he’s out of town.”</p>
<p>With a sadness, you look at her and say, “What?  I thought he said his trip to Miami was next week?”</p>
<p>“No honey, it’s this week.”</p>
<p>“Oh my god, please don’t tell him what a fool I am.  I am so embarrassed. At least I don’t have to use this coffee-soaked resume.”</p>
<p>She leans over and says, “It’s OK, we all have bad days.”</p>
<p>You now reach up and touch her arm lightly and say, “Thank you so much ma’am.  You really make this day just a little better.  Would I be able to use your restroom before I go to my next interview, which I hope I didn’t screw up?”</p>
<p>The pretext, the emotional investment and the touch all greatly increase her chances of compliance, allowing you to plant your USB drives in the hallway and bathroom.</p>
<p>This is just one of many scenarios that allow for touch to enhance your chances of success.  Can you think of others?  Send your ideas to <a rel="nofollow" target="_blank" href="mailto:contribute@social-engineer.org">contribute@social-engineer.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/tactics/the-power-of-nonsexual-touch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Poll &#8211; Endearment vs Authority</title>
		<link>http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/</link>
		<comments>http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 00:43:27 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[polls]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2246</guid>
		<description><![CDATA[The first story showed the principle of endearment, and the second story involved a social engineer employing the authority principle.  ]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/attachment/right-and-wrong-decisions/" rel="attachment wp-att-2247"><img class="alignleft size-full wp-image-2247" style="border: 2px solid black; margin: 2px;" title="right-and-wrong-decisions" src="http://www.social-engineer.org/wp-content/uploads/2011/10/right-and-wrong-decisions.jpg" alt="right and wrong decisions Social Engineering Poll   Endearment vs Authority" width="336" height="223" /></a>Yes, it has been a long time since we had a social engineering poll.  But we are ready to release the results of one of our most successful so far, as well as start a new poll.</p>
<p><strong>Endearment vs Authority</strong></p>
<p>This poll was based on two different stories.  The first showed the principle of endearment and how it may be used by a malicious social engineer.</p>
<p>The second story involved a social engineer employing the authority principle.  By simply carrying a clipboard and acting in charge, could a social engineer manipulate people into giving up valuable data?</p>
<p>These two scenarios were presented with a third option that neither of them would work.  How did the results turn out?</p>
<p><span id="more-2246"></span></p>
<p>We allowed for a long period of time to collect as much data as possible.  The only things we asked for were Gender, Field Worked In and their choice.  The statistics can give us some insight into not only which is more popular but also which is more popular based on gender.</p>
<p>Our first data set is the most simplistic and sets a baseline for the poll, Gender.</p>
<p style="text-align: center;"><a href="http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/attachment/malefemale/" rel="attachment wp-att-2253"><img class="aligncenter size-full wp-image-2253" title="MaleFemale" src="http://www.social-engineer.org/wp-content/uploads/2011/10/MaleFemale.png" alt="MaleFemale Social Engineering Poll   Endearment vs Authority" width="458" height="289" /></a></p>
<p style="text-align: left;">Again, as in most of our polls, there were substantially more males than females participating.  (Yes we need to find a way to motivate you ladies to vote&#8230; we think we have it in this <a title="Social Engineering Poll" href="http://www.social-engineer.org/social_engineering_polls/" target="_blank">month&#8217;s Social Engineering Poll</a>.) Although the fact that there are more males doesn&#8217;t necessarily skew the results, what we find interesting is how the results came out knowing there are more males.</p>
<p style="text-align: center;"><a href="http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/attachment/moresuccess/" rel="attachment wp-att-2254"><img class="aligncenter size-full wp-image-2254" title="MoreSuccess" src="http://www.social-engineer.org/wp-content/uploads/2011/10/MoreSuccess.png" alt="MoreSuccess Social Engineering Poll   Endearment vs Authority" width="487" height="341" /></a></p>
<p style="text-align: left;">Endearment seemed to take the largest portion of chosen methods they felt would work.  Endearment is defined as &#8220;a term or act expressing affection.&#8221;  We would have guessed that most would have chosen authority, but in fact we agree that endearment works in more cases than authority.  A simple word or action that can make someone feel you care can go a long way toward building rapport, trust and a relationship that will cause that person to want to give you the information you seek.</p>
<p style="text-align: left;">Even though we feel that way, and it seems the large majority of people as a whole feel that way, we wanted to see if the results would be the same within each gender.</p>
<p style="text-align: left;"><a href="http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/attachment/typebygender/" rel="attachment wp-att-2257"><img class="aligncenter size-full wp-image-2257" title="TypeByGender" src="http://www.social-engineer.org/wp-content/uploads/2011/10/TypeByGender.png" alt="TypeByGender Social Engineering Poll   Endearment vs Authority" width="559" height="407" /></a></p>
<p style="text-align: left;"> Endearment still took first place in both men and women as the method they felt would be the most effective technique.  Authority was much further behind with the males, which we found interesting too.</p>
<p style="text-align: left;">Why?  Humans are naturally trusting creatures.  We want to help those in need, we want to believe there is good in all people, we want to provide answers to those doing the asking.  Not only that but we do all of this with more emphasis and zeal for those <a title="Our Friends Can Be Our Enemies" href="http://www.social-engineer.org/framework/Influence_Tactics:_Liking" target="_blank">we consider our friends</a>.  So a social engineer who can endear themselves to us can create an environment that will make it next to impossible to say &#8220;no&#8221; to any request.</p>
<p style="text-align: left;">It is that trusting attitude that has unfortunately led many to being hacked.  What can you do?</p>
<p style="text-align: left;">We are not saying to not be trusting, but just to become a critical thinker.  The requests that are being laid upon you, the questions being asked &#8211; do they make sense?  Is it really necessary to answer those questions for this individual?  Critical thinking can go a long way.  Secondly, get educated.  Be aware of the attack vectors that are being used and learn how they are being facilitated.  That can keep you aware.</p>
<p style="text-align: left;">Now get over to our new <a title="SE Polls" href="http://www.social-engineer.org/social_engineering_polls/" target="_blank">social engineering poll</a> and vote.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-authority/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social-Engineer.org is GROWING!</title>
		<link>http://www.social-engineer.org/social-engineering/social-engineer-org-is-growing/</link>
		<comments>http://www.social-engineer.org/social-engineering/social-engineer-org-is-growing/#comments</comments>
		<pubDate>Thu, 22 Sep 2011 03:30:12 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2236</guid>
		<description><![CDATA[The team at Social-Engineer.org decided it was time to add a few staff members to help grow the business and to help promote Social Engineering. ]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop Automatic --><!-- End Shareaholic LikeButtonSetTop Automatic --><p><img id="internal-source-marker_0.8402763472555776" class="alignleft" style="border: 1px solid black; margin: 1px;" src="https://lh5.googleusercontent.com/fPmhL_wJpQpKNzWY1dJPTnWbDk0QBV_EGQSe7PYcNGyzvAdicmNnCplURLRWnNysWWjYEimaKm3EzYEd8Lqkt52RzU3v22c-qguraJWRr_KFzk8zebs" alt=" Social Engineer.org is GROWING!" width="NaN" height="NaN" title="Social Engineer.org is GROWING!" />After returning from Defcon 19 and another successful <a title="Defcon 19 CTF" href="http://www.social-engineer.org/defcon-social-engineering-contest/" target="_blank">Social Engineering Capture the Flag</a> competition, the team at Social-Engineer.org decided it was time to add a few staff members to help grow the business and to help promote Social Engineering. We put a call out for interns and the response was overwhelming. Literally hundreds of people responded to the call with resumes and letters asking to be part of the team.</p>
<p>The first choice was easy. Enter Dan aka “miNG”, a long time slave, errand boy, Defcon gimp, and information gatherer for Social-Engineer.org. Dan has been helping Social-Engineer.org for over three years now. When asked what he loved about Social Engineering, Dan cited the power and flexibility of the craft along with its <a title="Newsletter" href="http://www.social-engineer.org/se-newsletter/" target="_blank">everyday practical uses</a>. His help to the organization has been invaluable and to recognize that, Social-Engineer.org would like to officially welcome Dan to the team! Dan will continue his duties as a slave and will assist in information gathering, as well as keeping order on the IRC channel and various other duties to be announced.</p>
<p><span id="more-2236"></span></p>
<p>The second member of the team was selected after an arduous application process prompted by a Twitter post (mentioned above) which declared that Social-Engineer.org was hiring an intern. After whittling down the impressive resumes that came in, we were left with just a handful of people that fit the needs. We asked them to write a sample <a title="Social Engineering Blog" href="http://www.social-engineer.org/blog/" target="_blank">blog post</a> and from that we had two amazing contestants left.</p>
<p>We thought maybe a cage match, or a duel would be appropriate, but, instead we opted for a team meeting and discussion about all we learned about the contestants.</p>
<p>Eric aka “Urbal” was no stranger to SEORG. He competed in this year’s <a title="Defcon 19 Defcon 19 CTF Scoreboard" href="http://www.social-engineer.org/se-ctf-scoreboard/" target="_blank">SECTF and came in 4th.</a> Additionally, Eric’s writing assignment really topped the charts. Eric will be crafting blogs, assisting with sponsorships, assisting with information gathering, and doing everything else the lowest point of a totem pole does.  So expect a lot more content about social engineering to be on the site more often.</p>
<p>Continue to check out the new <a rel="nofollow" target="_blank" title="Social Engineer Training and Services" href="http://www.social-engineer.com" target="_blank">services and SE training</a> we are offering on the Social-Engineer.Com Site.</p>
<p>You can find both mING and Urbal in IRC on our channel, <a title="Contact the Social-Engineer Team" href="http://www.social-engineer.org/contact/" target="_blank">#social-engineer (irc.freenode.net)</a>. Both of them will be joining us in Vegas this year for a very special event. More on that very soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/social-engineering/social-engineer-org-is-growing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>$99 HP Tablets &#8211; Social Engineering, Scams or a Real Deal?</title>
		<link>http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/</link>
		<comments>http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 18:22:59 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Interesting SE Articles]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2192</guid>
		<description><![CDATA[When HP made their announcement last week, followed by the announcement that there would be a massive reduction in their pricing for their tablets, every tablet junkie on earth was clicking their refresh button at amazing speeds. While most tablet junkies started to get excited, so did the social engineers.]]></description>
			<content:encoded><![CDATA[<p>When HP made their announcement last week, followed by the announcement that there would be a massive reduction in their pricing for their tablets, every tablet junkie on earth was clicking their refresh button at amazing speeds. While most tablet junkies started to get excited, so did the social engineers.</p>
<p>Where there is need and desire there are scammers &#8211; and this is no different.</p>
<p>Let me start off by saying that HP is offering their tablets at $99 USD.  That is not a scam, but check out this URL that looks innocuous enough on the <a rel="nofollow" target="_blank" title="HP UK" href="http://www.hewlett-packard.org.uk/webapp/shopping/store_access.do?product_code=FB359UA%23ABA&amp;template_type=product_detail&amp;jumpid=ex_r11614_us/en&amp;c=49&amp;HHO_r329/Affiliate/FY11/TouchPad&amp;aoid=35252" target="_blank">http://www.hewlett-packard.org.uk</a> site.</p>
<p><span id="more-2192"></span>Notice first off that this site looks and feels legit.  All the right logos, all the right graphics.  Then comes the bait:</p>
<p style="text-align: center;"><a href="http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/attachment/screen-shot-2011-08-23-at-2-02-04-pm/" rel="attachment wp-att-2193"><img class="aligncenter size-full wp-image-2193" title="The Bait" src="http://www.social-engineer.org/wp-content/uploads/2011/08/Screen-Shot-2011-08-23-at-2.02.04-PM.png" alt="Screen Shot 2011 08 23 at 2.02.04 PM $99 HP Tablets   Social Engineering, Scams or a Real Deal?" width="464" height="267" /></a></p>
<p style="text-align: left;">The HP Tablet is being offered for $49!  How many people would be so fast to click?  How many would want to make sure they don&#8217;t miss out on the deal like before?</p>
<p style="text-align: left;">Let&#8217;s analyze how one could have found that this was a scam site.</p>
<p style="text-align: left;">1)  The URLs:</p>
<p style="text-align: center;"><a href="http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/attachment/screen-shot-2011-08-23-at-2-30-33-pm/" rel="attachment wp-att-2207"><img class="aligncenter size-full wp-image-2207" title="The URL" src="http://www.social-engineer.org/wp-content/uploads/2011/08/Screen-Shot-2011-08-23-at-2.30.33-PM.png" alt="Screen Shot 2011 08 23 at 2.30.33 PM $99 HP Tablets   Social Engineering, Scams or a Real Deal?" width="375" height="27" /></a><a href="http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/attachment/screen-shot-2011-08-23-at-2-05-07-pm/" rel="attachment wp-att-2194"><br />
</a></p>
<p style="text-align: left;">When did HP become a non-profit? .org?  That should make most people a little leery. In addition, every link on the site goes to something.hp.com not hewlett-packard.</p>
<p style="text-align: left;">2)  WHOIS Info:</p>
<p style="text-align: left;">A quick WHOIS on that domain shows us:</p>
<p style="text-align: left;">whois hewlett-packard.org.uk</p>
<p>Domain name:<br />
hewlett-packard.org.uk</p>
<p>Registrant:<br />
Phillip Sullivan</p>
<p>Registrant type:<br />
Non-UK Individual</p>
<p>Registrant&#8217;s address:<br />
4966 Edsel Road<br />
Los Angeles<br />
CA<br />
90017<br />
United States</p>
<p>Registrar:<br />
eNom, Inc. [Tag = ENOM]<br />
URL: http://www.enom.com</p>
<p>Relevant dates:<br />
Registered on: 23-Aug-2011<br />
Renewal date:  23-Aug-2013<br />
Last updated:  23-Aug-2011</p>
<p>Registration status:<br />
Registration request being processed.</p>
<p>Name servers:<br />
ns1.he.net<br />
ns2.he.net<br />
ns3.he.net<br />
ns4.he.net<br />
ns5.he.net</p>
<p>WHOIS lookup made at 18:24:26 23-Aug-2011</p>
<p style="text-align: left;">A UK site with an LA registrant?  Made today?  Nice &#8211; but we doubt HP moves that fast.</p>
<p style="text-align: left;">3)  The Images</p>
<p style="text-align: left;">Take a look at the UK link and the real HP.  The images on the UK link are pixelated and grainy.  Not clear, crisp and beautiful like in the real site.  This is a common tell on scamming sites/emails.</p>
<p style="text-align: left;">4)  Try to buy?</p>
<p style="text-align: left;">Yes, and the final piece was what happened if you tried to buy the pad at $49.</p>
<p style="text-align: center;"><a href="http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/attachment/screen-shot-2011-08-23-at-2-15-35-pm/" rel="attachment wp-att-2195"><img class="aligncenter size-full wp-image-2195" title="Rick Rolled" src="http://www.social-engineer.org/wp-content/uploads/2011/08/Screen-Shot-2011-08-23-at-2.15.35-PM.png" alt="Screen Shot 2011 08 23 at 2.15.35 PM $99 HP Tablets   Social Engineering, Scams or a Real Deal?" width="461" height="291" /></a></p>
<p style="text-align: left;">RICK ROLL!!!  Well of course whoever set up this page meant it as a joke, with no malicious intent&#8230;</p>
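<p style="text-align: left;">Checks 1 and 2 above can be scripted. The following Python is an added example, not code from the original post: it parses the WHOIS reply quoted above and compares where a page&#8217;s links lead with the host that serves it. The sample markup, the 30-day age threshold, the two-entry suffix list and all function names are assumptions made for illustration.</p>

```python
import re
from collections import Counter
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# WHOIS reply as quoted in the post (registrant, registrar, name servers left out).
WHOIS_TEXT = """\
Domain name:
hewlett-packard.org.uk

Registrant type:
Non-UK Individual

Relevant dates:
Registered on: 23-Aug-2011

WHOIS lookup made at 18:24:26 23-Aug-2011
"""

# Constructed markup: per the post, the site's links lead to something.hp.com.
PAGE_HTML = """
<a href="http://something.hp.com/support">Support</a>
<a href="http://something.hp.com/drivers">Drivers</a>
<a href="/webapp/shopping/store_access.do">Buy now</a>
"""

# Assumption: tiny stand-in for the Public Suffix List, enough for this case.
TWO_LABEL_SUFFIXES = {"org.uk", "co.uk"}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
DATE_RE = r"(\d{2})-([A-Z][a-z]{2})-(\d{4})"


def registrable_domain(host):
    """Reduce a host name to its registrable part (hp.com, example.org.uk)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_whois(text):
    """Group the reply into sections; a line ending in ':' opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # a blank line closes the section
        elif line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _to_date(match):
    day, month, year = match.groups()
    return date(int(year), MONTHS.index(month) + 1, int(day))


def whois_flags(text, min_age_days=30):
    """Check 2: registration age at lookup time and registrant type."""
    sections = parse_whois(text)
    domain = sections["Domain name"][0]
    flags = []
    registered = re.search(r"Registered on:\s*" + DATE_RE, text)
    looked_up = re.search(r"WHOIS lookup made at \S+ " + DATE_RE, text)
    if registered and looked_up:
        age = (_to_date(looked_up) - _to_date(registered)).days
        if age < min_age_days:        # threshold is an assumption
            flags.append(f"registered {age} day(s) before lookup")
    reg_type = " ".join(sections.get("Registrant type", []))
    if domain.endswith(".uk") and reg_type.startswith("Non-UK"):
        flags.append("non-UK registrant on a .uk name")
    return flags


class _Hrefs(HTMLParser):
    """Collect the href of every anchor tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def link_flags(page_url, html, threshold=0.5):
    """Check 1: do most links lead to one registrable domain other than ours?"""
    own = registrable_domain(urlparse(page_url).hostname)
    parser = _Hrefs()
    parser.feed(html)
    hosts = [urlparse(h).hostname for h in parser.hrefs]  # None = relative link
    targets = Counter(registrable_domain(h) if h else own for h in hosts)
    return [f"{n}/{len(hosts)} links go to {dom}, page is on {own}"
            for dom, n in targets.items()
            if dom != own and n / len(hosts) > threshold]
```

<p style="text-align: left;">Calling <code>whois_flags(WHOIS_TEXT)</code> and <code>link_flags("http://www.hewlett-packard.org.uk/", PAGE_HTML)</code> returns the list of tells found; an empty list means neither check fired, not that the site is genuine.</p>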
<p style="text-align: left;">But let&#8217;s take a moment and reflect.  If this were actually a malicious scammer, how many people would have clicked?</p>
<p style="text-align: left;">How many would have inserted credit card info?</p>
<p style="text-align: left;">How many would have put in name, address, phone and email info?</p>
<p style="text-align: left;">How many more attacks would be launched by those seeking a cheap tablet PC?</p>
<p style="text-align: left;"><strong>The Lessons We Can Learn</strong></p>
<p style="text-align: left;">At the end of the day, let&#8217;s use this as a lesson.  Common sense, critical thinking and taking the time to review could have saved many from this &#8220;scam&#8221;.  Thankfully this one is just a joke put on by some stranger, but how many are not?  Phishing in combination with malicious links is a growing threat that, one report indicates, as of Jan of this year grew in some areas by as much as 50% and in others by over 100% from the previous year.</p>
<p style="text-align: left;">Think critically, educate yourselves and do not be so fast to click before thinking.</p>
<p style="text-align: left;">The Internet is a Dangerous Place &#8211; Be Safe.</p>
<p style="text-align: left;">Thanks to <a rel="nofollow" target="_blank" title="Chris Nickerson" href="http://www.lares.com/" target="_blank">Chris Nickerson</a> for helping me find this link!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/interesting-se-articles/99-hp-tablets-social-engineering-scams-or-a-real-deal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defcon 19 &#8211; Lessons Learned</title>
		<link>http://www.social-engineer.org/social-engineering/defcon-19-lessons-learned/</link>
		<comments>http://www.social-engineer.org/social-engineering/defcon-19-lessons-learned/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 00:05:38 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2158</guid>
		<description><![CDATA[The Social-Engineer Events have quickly become part of the fun at Defcon, so we wanted to take a minute to recap some of the events and lessons learned from Defcon 19 and talk about our plans for next year.]]></description>
			<content:encoded><![CDATA[<!-- Start Shareaholic LikeButtonSetTop Automatic --><!-- End Shareaholic LikeButtonSetTop Automatic --><p>As Defcon came rolling around we knew that this year would be different.  Being the second year of the <a title="SECTF" href="http://www.social-engineer.org/defcon-social-engineering-contest/">SE CTF</a> as well as the first ever <a title="SECTF for Kids" href="http://www.social-engineer.org/social-engineer-ctf-for-kids-at-defcon-19/">Defcon Kids event with a special Social Engineering CTF for Kids</a>, we knew this year would be special.</p>
<p><a href="http://www.social-engineer.org/social-engineering/defcon-19-lessons-learned/attachment/scoreboard-2011-blog/" rel="attachment wp-att-2167"><img class="alignleft size-full wp-image-2167" style="border: 1px solid black; margin: 1px;" title="scoreboard-2011-blog" src="http://www.social-engineer.org/wp-content/uploads/2011/08/scoreboard-2011-blog.png" alt="scoreboard 2011 blog Defcon 19   Lessons Learned" width="406" height="214" /></a>We wanted to take a minute to recap some of the events and lessons learned from Defcon 19 and talk about our plans for next year.</p>
<p>Defcon 19&#8217;s new venue really was a few dozen steps above the Riv.  Our room set up and everything went ultra smooth.  Pyr0, Grifter and the crew did an amazing job with the organization as well as the layout of the events.  These guys know how to make stuff happen, and it did.  When we got to the room we had no walls, or chairs or tables and within an hour we were set up.  Really an amazing job.  The fact that our feet didn&#8217;t stick to the floor when we walked down the hallway or bathrooms was an added bonus. <img src='http://www.social-engineer.org/wp-includes/images/smilies/icon_smile.gif' alt="icon smile Defcon 19   Lessons Learned" class='wp-smiley' title="Defcon 19   Lessons Learned" /> </p>
<p>The room that they gave us this year was easily 5-10 times bigger than last year.  Our first concern was of course keeping it interesting enough to keep the room packed.  The first day we had to announce that our premier target for the CTF couldn&#8217;t participate this year, so Kevin Mitnick and Chris who planned on making that call couldn&#8217;t do it.  Kevin came in and did a nice 30-40 speech on SE and answered some Q&amp;A.  It was an excellent speech and good way to kick off the event.</p>
<p><span id="more-2158"></span>The callers this year were excellent and really made a great effort to do a highly professional job, following all the rules.  Unfortunately on Friday we had quite a few people cancel by not even showing up.  So we put a call out to the public to see if anyone wanted to step up and make a call.  We had quite a few respond to that call.</p>
<p>Mark stepped up and did his first ever social engineering call and really did an amazing job.  Next we had a guy step up that called himself &#8220;mud&#8221;.  He was an interesting guy and a tad bit sure of himself, but was promising a good call &#8211; and he delivered.  Energetic and lively and often more funny than anything else, he got the company to hand over a ton of information.  We later found out that &#8220;mud&#8221; is really the well-known hubris from backtrace security.</p>
<p>Saturday opened up with <a rel="nofollow" target="_blank" title="Hackers For Charity" href="http://www.hackersforcharity.org/">Johnny Long</a> giving a Q&amp;A session about SE and his work.  That was really lively and got the crowd stirred up.  Johnny stayed and heard one of our newer contestants on the phone and was inspired by his work and asked to come back in the afternoon and do a call of his own.  The rest of Saturday went without a hitch and was amazing.  The ending of the day was Johnny Long doing one of his first public SE calls &#8211; and wow was that amazing.  He hit it out of the park and showed that all his time in Africa did not affect his amazing SE Skills.  Great Job Johnny!</p>
<p>Sunday came and it was time to have our <a title="Social-Engineer.Org Live at Defcon 19" href="http://www.social-engineer.org/episode-25-social-engineer-org-live-at-defcon-19/" target="_blank">live podcast</a>.  As the room filled up we had some people in there from the Anonymous group that asked some very intelligent and conversation sparking questions.  The line for audience questions filled up and 2 hours shot by quickly.</p>
<p><strong>Lessons Learned</strong><br />
There are a few takeaway lessons that we will use to improve the experience next year.</p>
<p>Firstly, this year we had our room open to anyone, including press.  Due to that some of the comments we made were misused in some very <a rel="nofollow" target="_blank" title="Hacking Oracle Really?" href="http://www.social-engineer.org/interesting-se-articles/defcon-hackers-steal-data-from-oracle-really/" target="_blank">prominent articles</a>.  This caused some problems for us and our sponsors.  Remember, although we are &#8220;hackers&#8221; our job is to help <a title="Professional Social Engineering Services" href="http://www.social-engineer.com" target="_blank">secure and educate companies</a>.  We thrive when companies succeed. We rejoice when they fight SE and malicious hacking.  So although we are happy to see the competition do well, we are careful to not publicly release info that could damage or embarrass a company, but sensational headlines sell.  Stating that a certain company was &#8220;hacked&#8221; or totally &#8220;wiped&#8221; is damaging to the work we are doing, to the company and to the caller.  I would say our first lesson is probably to close the doors to press for the competition next year.  This will ensure that they cannot misquote, or use a comment made from excitement that will lead to damaging someone in the competition.</p>
<p>Secondly, we had a lot of cancellations this year, and we still haven&#8217;t decided how to handle this.  But when people cancel last minute it skews our results and can be frustrating.  We thought about making a REFUNDABLE deposit for all contestants, like $20, that they get back when they show up for their call with a Tee and some other schwag.  Something like this, we feel, would help ensure that if a contestant signs up they will show.  Of course it is not about cash; we are not looking to get paid, just for something that would make them more prone to show and not &#8220;forget&#8221;.</p>
<p>I think another lesson is that not even the house sound is safe. <img src='http://www.social-engineer.org/wp-includes/images/smilies/icon_smile.gif' alt="icon smile Defcon 19   Lessons Learned" class='wp-smiley' title="Defcon 19   Lessons Learned" />   Mid CTF someone hacked the sound system and nearly wrecked a good call, if it wasn&#8217;t for the cool calmness of the contestant that call would have been wrecked.  So I think next year we keep to our own sound.</p>
<p>The kids… how can we forget the kids.  The first ever Defcon Kids went off amazing.  The group here at Social-Engineer.Org put on the first ever Kids Social Engineering CTF.  A mixture of ciphers, lock picking, elicitation, facial expressions and more was taught and used to race the clock and be the first to finish.  What did we learn?  The kids in this community are smart, amazing and entertaining.  They love life, they learn fast and they have an amazing ability to hack.  Most importantly, they have AWESOME parents.  These kids are lucky to have parents that care so much, support them and show them a good, clean and fun way to manage and practice these skills.</p>
<p>Congrats to Edward and Tim &#8211; Team FlimFlam for taking first place and Jack and Max Team Python for taking Second place.  Really congratulations to all the kids that completed this years event and tried harder!</p>
<p>Finally, on the data itself, we are working on the report as we speak.  It seems from an initial overview that security has not increased in this country in the last year.  As a matter of fact, it may be worse.</p>
<p>The results are scary, and the ease with which info was gathered and compliance was obtained really scared us.  Especially after seeing so many high profile targets fall this year, we expected to see a heightened level of security and awareness, but yet again it is proven that humans are the biggest weakness in any network.</p>
<p>We were also awarded another black badge for the winner of this year&#8217;s CTF.  Congrats to Shane for taking 1st place and Chris for taking 2nd.</p>
<p><strong>Next Year?</strong><br />
We already have been asked back for the Defcon Kids SE CTF as well as the Social-Engineering CTF for Defcon 20.  We are going to be planning and working on these events now so we can make them even better for next year.</p>
<p>We are already working on next year&#8217;s Kids CTF to make it bigger, better and yes, a little harder. (So get your game on, kids.)</p>
<p>The SE CTF will have some changes too.  We were contacted by a few companies saying they may be up for being a willing target in next year&#8217;s CTF.  Please, if you are a company and want information on how you can show that you are truly concerned about security, contact us at defcon@social-engineer.org.</p>
<p>There is going to be a lot going on between now and next year, and we will be releasing information as we can during the year.  Feel free to send us your ideas or suggestions, and thank you all for your support and a great year!</p>
<p>Till next year!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/social-engineering/defcon-19-lessons-learned/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defcon Hackers Steal Data from Oracle &#8211; REALLY?</title>
		<link>http://www.social-engineer.org/interesting-se-articles/defcon-hackers-steal-data-from-oracle-really/</link>
		<comments>http://www.social-engineer.org/interesting-se-articles/defcon-hackers-steal-data-from-oracle-really/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 19:23:50 +0000</pubDate>
		<dc:creator>Social-Engineer.Org</dc:creator>
				<category><![CDATA[Interesting SE Articles]]></category>

		<guid isPermaLink="false">http://www.social-engineer.org/?p=2144</guid>
		<description><![CDATA[With that in mind we wanted to take a minute to address some of the false conclusions that are being made based on some of the data coming out of this year's Social Engineering Capture the Flag contest.  ]]></description>
			<content:encoded><![CDATA[<p>We love reporters, we really do.  We have a great relationship with many reporters from all over the globe.  We understand that sensational titles and stories are what sells.  With that in mind we wanted to take a minute to address some of the <strong>false conclusions</strong> that are being made based on some of the data coming out of this year&#8217;s <a title="SECTF" href="http://www.social-engineer.org/defcon-social-engineering-contest/">Social Engineering Capture the Flag contest</a>.</p>
<p>As part of the contest, we make a point to never embarrass a company due to the results of the contest. There are a number of quotes that are being attributed to Chris that are inaccurate, as we would never name one company or another as doing the &#8220;worst&#8221; as part of the competition.  During our press conferences at Defcon we were asked about this and we declined to answer for this very reason.</p>
<p>Additionally, we caution anyone against declaring that one company is more or less secure than another based only on the calls. The structure of the contest is such that one contestant calls one company for a limited period of time. There are far too many variables in that arrangement to say that any single company did worse than another (e.g. the skill of the caller, the person they get on the phone, the pretext used, etc.).</p>
<p>At this point, the only conclusion that we can confidently make is that the state of defense against social engineering attacks in corporate America is very poor. All companies contacted did poorly, even against amateur social engineers. Our goals are to educate and help companies, as we have said numerous times on our podcast, newsletters and the new site we launched, <a rel="nofollow" target="_blank" title="Social Engineer Services" href="http://www.social-engineer.com">www.social-engineer.com</a>.  We do not do that by embarrassing or humiliating the same companies we want to help.</p>
<p>If a member of the press or any company has any questions at all, please contact us at logan@social-engineer.org.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.social-engineer.org/interesting-se-articles/defcon-hackers-steal-data-from-oracle-really/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

