DEF CON 24 SECTF Rules and Registration

SECTF-2016WebGFX-1024x455_v2B

READ ALL OF THIS PAGE (that means every word on this page) BEFORE PROCEEDING – THE RULES ARE IMPORTANT!

By now you should know what the SECTF is, if not then why are you even here registering?

Synopsis: This truly unique event will challenge you and test your abilities to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each contestant will be assigned a target company.  Each contestant will be provided with flags, a sample report and their call time. You will be given three weeks` (STRICT, NO EXCEPTIONS) to work on your information gathering and reporting.

At DEF CON, during your assigned time slot, each contestant will have 25-30 minutes to call the target company and attempt to extract as many flags as possible. Then the true battle begins to determine “WHO IS THE SOCIAL ENGINEER  CHAMPION”

If you are:

  • Either Male or Female of the Human Species
  • Willing to spend time in an awesome, fun social engineering contest
  • Want to win your very own SE Covert Kit
  • Want to be crowned the DEF CON 24 Social Engineering CHAMPION

Then read on….

The CTF Rules

Before you sign up, read the ALL THE RULES CAREFULLY(Get the hint yet???)!

  • Each Social Engineer is sent a dossier via email with the name and URL of their target company
  • A list will be provided for the contestants that contains all the flags and its corresponding value.
  • Before DEF CON, the contestants are allowed to gather as much information as possible using public, open source information (OSI). This includes, but is not limited to, sources such as Google, LinkedIn, your target’s own website, Facebook, Twitter, etc. Contestants are prohibited from calling, emailing, or contacting the company in ANY way before the DEF CON event. We will be monitoring this and points will be deducted for “cheating.”
  • Each social engineer will be required to create a professional looking report based on the information obtained during the gathering phase described above. Contestants will be sent a sample report that they MUST follow as a guideline. A large portion of the score will be determined by the quality of the content of the report. Just “dumping” dozens of pages of information into a word document is not acceptable. Discovered items and their significance must be clearly communicated. Information gathered in this phase of the contest will both set the stage for your success in the later calls as well as establish the baseline for your initial score. These reports are for the purposes of scoring only and Social-Engineer.org will not be making them public.
  • Any flags found and identified in your professional report will be awarded half-points. It’s in your best interest to try and collect as many flags as possible during this phase as you will also be able to collect these flags again during the call for full points. Combined, you have the potential to get 1.5x points per flag.
  • Contestants will have THREE weeks to complete the information gathering and report writing phase detailed above.
  • Contestants will submit their dossiers for review to the judging panel on or before the date given on the dossier if you are chosen. Turning in a late report can disqualify you from the contest; or worse, you may be forced to hang with nick8ch all night in a dark closet.
  • During a contestant’s time slot at DEF CON, you will be placed in a sound-proof booth and given approximately 30 minutes* to call your target and perform your call(s). During the call(s), you will attempt to capture as many flags as possible. Flags captured during this phase are awarded full points.
    * time may be adjusted according to the number of contestants but all contestants will receive equal time.
  • Call spoofing MAY be available for use –  THE CONTESTANT MUST INCLUDE ALL NUMBERS TO CALL AND ALL NUMBERS TO SPOOF IN A CLEARLY MARKED SECTION OF THEIR REPORT.
  • All phone numbers must be USA-based numbers (No Canada, South America or anything across the Atlantic or Pacific Oceans – not following this rule WILL lead to disqualification).
  • Scoring will consist of the pre-DEF CON report and half-point flags, full-point flags captured during the call, and a subjective score given by the judges.

 

Flags: “Flags” are a custom list of specific bits of information, which you will have to discover during the information gathering stage and during your phone call. The judging panel creates the list and points will be awarded for each item correctly found (and documented) from the list. This list will be presented to you with your information packet if you are selected to compete.

Prizes

1st Place – A unique and special SOCIAL ENGINEERING  1st place winner’s toolkit. (more details soon), a numbered and limited edition challenge coin, and some other SE Schwag

2nd Place – A unique and special SOCIAL ENGINEERING  2nd place winner’s toolkit (more details soon), a numbered and limited edition challenge coin

THE DO NOT LIST:

  • The underlying idea of this contest is: No one gets victimized during this contest. Social Engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage. Our goal is to raise awareness of the threat that social engineering poses to corporations today.
  • Items that are not allowed to be targeted at any point of the contest:
    • No going after very confidential data (i.e. SS#, Credit Card Numbers, etc). No Illegal/Sensitive Data
    • No use of pornography – it cannot be used during the CTF in any form
    • At no point are any techniques allowed to be used that would make a target feel as if they are “at risk” in any manner. (ie. “We have reason to believe that your account has been compromised.” or “Do this or you may get fired!”)
    • No targeting information such as passwords
    • No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity
  • The social engineer must only call the target company, not relatives or family of any employee. Use common sense, if something seems unethical – don’t do it. If you have questions, ask a judge
  • If at any point in the contest it appears that contestants are targeting anything on the “No” list, they will receive one warning. After the one warning they are disqualified from the contest.
  • All phone numbers called MUST be US-based

 

Registration – IMPORTANT READ THIS

Due to the higher than expected no-shows in the past, we’ve instituted a fully refundable $20 deposit to compete. If you are selected for the contest, you will be required to make a deposit of $20 via PayPal.** A PayPal account is not required and the deposit can be made via credit card. Sorry, no BitCoins. When you check-in for your time slot at DEF CON (The morning of your call day), you will be handed a crisp (crisp not guaranteed) $20 bill and your free shirt.

Once you have been notified that you are selected for the competition, you will be given 24 hours to make your deposit. If you do not submit your deposit within 24 hours you will be replaced with another contestant,   so please give us an email you check often.

**If you INSIST on making our lives miserable and you absolutely refuse to use PayPal or a credit card for your deposit because you’re paranoid and need professional help, talk to us if you’re selected.

IMPORTANT NEW RULE:  To even be considered you must submit a video explaining why you want to compete and why you deserve to be chosen for this competition.  CONVINCE US you deserve a slot.  Rules and guidelines will be sent after registration.

ALL REGISTRANTS MUST BE ATTENDING DEF CON ALL 3 DAYS. You can’t make the calls if you aren’t there. You can’t compete if you don’t make the calls. No exceptions.

All contestants must be appropriately attired while participating in any competitions held or affiliated with Social-Engineer.Org or the SEVillage at DEF CON. This doesn’t mean we care what style of clothing you wear, as long as you wear enough of it to cover yourself in such a way that you do not make us or the audience uncomfortable. Many pictures are taken and we do not want any unflattering pictures of our contestants ending up on the Internet.

Judges have the final say in this matter and can refuse to allow participants to compete based on this qualification.

As with just about any other competition out there, judges for competitions held or affiliated with Social-Engineer.Org or the SEVillage at DEF CON have the final say in who can compete and may remove or bar any contestant from the competition at any time for their own reasons.

Still interested?

Thank you for your interest in the SECTF. Registration is now closed. See you at DEF CON!


Comments

  1. Leia England says

    Is it too late to register for the social engineering contest? I would really like to participate in this.

Trackbacks

Leave A Reply