Thank you for your interest – Registration is now closed. The contestants will be notified shortly.
Welcome back to the second year of Social-Engineer.Org’s CTF at Defcon. This truly unique event will challenge you and test your abilities to “Schmooze”. Before you sign up, read ALL THE RULES CAREFULLY.
The CTF Rules
- Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.
- Pre-Defcon, contestants are allowed to gather any type of information they can glean from their target's websites, Google searches and other passive information gathering techniques. Contestants are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this, and points will be deducted for “cheating”.
- The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. A list of flags will be provided, and points will be awarded for discovered items. All information should be stored in a professional-looking report. Contestants will be sent a sample report that they MUST follow as a guideline. A large portion of the score will be determined by the quality of the content of the report. Just “dumping” dozens of pages of information into a Word document is not an acceptable report. Discovered items must be clearly communicated. Information gathered in this phase of the contest will both set the stage for your success in the later calls and establish the baseline for your initial score. These reports are for the purposes of scoring only, and Social-Engineer.org will not be making them public.
- Contestants will submit their dossiers for review to the judging panel on or before June 1st. A late hand-in can disqualify a contestant from the contest.
- Contestants will be sent their time slot (day/time) to perform their attack vector at Defcon after the reports are reviewed, at least 1 week prior to Defcon.
- Contestants are then given 20-25 minutes to perform their attack vector, and points are awarded for information gathered as well as goals successfully accomplished during the process. (More time may be allotted based on the number of contestants; however, all contestants will be allowed the same amount of time.)
- A scoreboard will be kept and at the end some excellent prizes will be awarded.
1st Place – A 16GB iPad 2 or maybe a Xoom preloaded with BT5, Winners Plaque and a spot on the Social-Engineer.org Podcast
2nd Place – An 8GB iPod and 2nd Place Winners Plaque
THE DO NOT LIST:
The underlying idea of this contest is: No one gets victimized during this contest. Social Engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage. Our goal is to raise awareness of the threat that social engineering poses to corporations today.
Items that are not allowed to be targeted at any point of the contest:
- 1) No going after very confidential data (e.g. SS#, credit card numbers, etc.). No illegal/sensitive data
- 2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
- 3) No pornography – it cannot be used during the CTF in any form
- 4) At no point are any techniques allowed to be used that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised.”)
- 5) No targeting information such as passwords.
- 6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
- 7) The social engineer must only call the target company, not relatives or family of any employee
- 8) Use common sense, if something seems unethical – don’t do it. If you have questions, ask a judge
If at any point in the contest it appears that contestants are targeting anything on the “No” list, they will receive one warning. After the one warning they are disqualified from the contest.
Submitting Target Companies
- Submit the URLs of two Fortune 500, USA-based companies you feel would make good targets
- Please avoid government agencies and defense contractors
- It is NOT a given that you will receive one of the companies you suggest as your target, so recommend wisely
- Companies must have a telephone number available in the USA for the attack to be launched at Defcon
- The “flag” is a custom list of specific bits of information, which you will have to discover during your phone call. The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event.
ALL REGISTRANTS MUST BE ATTENDING DEFCON 19 ALL 3 DAYS
If you can comply with all the above and think you still have the skills to become the winning social engineer then register below:
(Filling out this form does not guarantee that you will be chosen to participate in this year's CTF.)