The Social-Engineer Village

This page will host the schedule for the Social-Engineer.Org Crew CTF’s, Speeches and Events at DEF CON. Check back for updates:

The Social-Engineer Village at DEF CON 23

Brought to you this year by:

TS

 

 

 

 

 

 

 


 LOCATION:      Bally’s Palace Room 3-4-5

Wednesday – Aug 5

SET UP

Thursday – Aug 6
MISSION SE IMPOSSIBLE

Thursday morning we will take a very limited number of on-site sign ups to be the first ever contestants to take part in this amazing new contest.  Starting in the shortly after lunch, the contestants will be part of a unique challenge that will test them in a live environment.

Each contestant will be “arrested” then locked in an interrogation room.  They will have to battle the clock to release themselves and then follow the path of the master SE to eventually get the top secret codes from the safe and escape without harm.

Friday – August 7

SECTF Day 1: Each call will be 25 mins with 15 mins Q&A in between
1000 SECTF Call 1
1040 SECTF Call 2
1120 SECTF Call 3
1200 Lunch
1240 SECTF Call 4
1320 SECTF Call 5
1400 SECTF Call 6
1440 SECTF Call 7
1520 Small break

SE SPEECHES
1600 Noah Beddome Title: Yellow Means Proceed With Caution -Applied De-escalation for social engineering

1700 Michele Fincher Title: I Didn’t Think it was Loaded” and other Mental Derps

1800: Ian Harris Title: Understanding Social Engineering Attacks with Natural Language Processing

1900: John Ridpath Title: I am not what I am: Shakespeare and social engineering

2000: Heng Guan Title: Classify targets to make Social Engineering easier to achieve

Saturday – August 8

0900 SECTF4Kids Launch
1000 SECTF Call 1
1040 SECTF Call 2
1120 SECTF Call 3
1200 Lunch
1240 SECTF Call 4
1320 SECTF Call 5
1400 SECTF Call 6
1440 SECTF Call 7
1520 Small break

1600: Jayson Street Title: Breaking in Bad! (I’m the one who doesn’t knock)

1700: Tim Newberry Title: Twitter, ISIL, and Tech

1800: Chris Hadnagy Title: “A Peek Behind the Blue Mask: The Evolution of the SECTF”

1900: Dave Kennedy Title: Understanding End-User Attacks – Real World Examples

2000: Adam Compton & Eric Gershman Title: Phishing: Recon to Creds with the SpeedPhishing Framework

 

—————-


1600 Noah Beddome Title: Yellow Means Proceed With Caution -Applied De-escalation for social engineering

Abstract: Directing the nature and dynamic of social interactions is at the heart of social engineering. One of the most impactful forms of this is being able to make a functional interaction out of a hostile or uncomfortable one. During this talk we will look at the different levels of intensity within interactions and ways to manage them.

BIO: Noah Beddome is Former Marine and a present security consultant. His professional focus is on attack simulation with special emphasis on physical and interpersonal social engineering.


1700 Michele Fincher Title: “I Didn’t Think it was Loaded” and other Mental Derps

Abstract: How many of you have ever yelled “Hey, watch this!” and lived to tell the tale? This year’s exciting glimpse into psychology and its application to security is around the fun topic of decision-making. Psychologists estimate that we make thousands of decisions a day. THOUSANDS. Now, many of these are trivial, but at least some of them have the potential to impact the security of your organization. We all think we’re great decision makers, and we’re all wrong at some point in our lives. Join me to get a better understanding of how and why we make our choices, and what you can do to improve your skills and guide your users to a happier (and safer) place!

BIO: Michele Fincher is the Chief Influencing Agent of Social-Engineer, Inc., possessing over 20 years experience as a behavioral scientist, researcher, and information security professional. Her diverse background has helped solidify Social-Engineer, Inc.’s place as the premier social engineering consulting firm.

As a US Air Force officer, Michele’s assignments included the USAF Academy, where she was a National Board Certified Counselor and Assistant Professor in the Department of Behavioral Sciences and Leadership. Upon separating from the Air Force, Michele went on to hold positions with a research and software development firm in support of the US Air Force Research Laboratory as well as an information security firm, conducting National Security Agency appraisals and Certification and Accreditation for federal government information systems.

At Social-Engineer, Inc., Michele is a senior penetration tester with professional expertise in all facets of social engineering vectors, assessments, and research. A remarkable writer, she is also the talent behind many of the written products of Social-Engineer, Inc., including numerous reports and assessments, blog posts, and the Social-Engineer Newsletters.

Michele has her Bachelor of Science in Human Factors Engineering from the US Air Force Academy and her Master of Science in Counseling from Auburn University. She is a Certified Information Systems Security Professional (CISSP).


1800: Ian Harris Title: Understanding Social Engineering Attacks with Natural Language Processing

Abstract: Social engineering attacks are a growing problem and there is very little defense against them since they target the human directly, circumventing many computer-based defenses. There are approaches to scan emails and websites for phishing attacks, but sophisticated attacks involve conversation dialogs which may be carried out in-person or over the phone lines. Dialog-based social engineering attacks can employ subtle psychological techniques which cannot be detected without an understanding of the meaning of each sentence.

We present a tool which uses Natural Language Processing (NLP) techniques to gain an understanding of the intent of the text spoken by the attacker. Each sentence is parsed according to the rules of English grammar, and the resulting parse tree is examined for patterns which indicate malicious intent. Our tool uses an open-source parser, the Stanford Parser, to perform parsing and identify patterns in the resulting parse tree. We have evaluated our approach on three actual social engineering attack dialogs and we will present those results. We are also releasing the tool so you can download it and try it for yourself.

BIO: Ian G. Harris is currently Vice Chair of Undergraduate Education in the Computer Science Department at the University of California Irvine. He received his BS degree in Computer Science from Massachusetts Institute of Technology in 1990. He received his MS and PhD degrees in Computer Science from the University of California San Diego in 1992 and 1997 respectively. His field of interest includes validation of hardware systems to ensure that the behavior of the system matches the intentions of the designer. He also investigates the application of testing for computer security. His group’s security work includes testing software applications for security vulnerabilities and designing special-purpose hardware to detect intrusions on-line.


1900: John Ridpath Title: I am not what I am: Shakespeare and social engineering

Abstract: Teeming with experts in manipulation – from Machiavellian villains like Iago and Richard III, to more playful tricksters like Puck and Viola – William Shakespeare’s plays offer a surprising and fresh perspective on the art of social engineering. Via a deep analysis of the language and actions of these characters, we will explore Shakespeare’s skill in pretexting, spearphishing and baiting. With his mastery of the English language and appreciation of human psychology, there’s still a lot to learn from Shakespeare.

BIO: John Ridpath is Head of Product at Decoded. Most recently, he has worked on creating Hacker in a Day: a one day course designed to initiate non-technical audiences into the world of cybersecurity. Having studied an MA in Shakespeare at UCL, his early career spanned software development, journalism and lecturing.


2000: Heng Guan Title: Classify targets to make Social Engineering easier to achieve

Abstract: There are so many factors (culture, age, gender, level of vigilance, when to choose…) will affect the realization of each Social Engineering action. Since information gathering is needed, why not classify the targets first to increase the success rate? When people get trained, how to accomplish social engineering once more? This is a discussion about how to bypass the human WAF according to different characteristics, as a complement to existing research.

BIO: I am one of the few women security researcher & engineer working at TOPSEC, a leading company ranked first in Chinese information security market firewalls and hardware more than 10 consecutive years, having approximately 2000 workers. Graduated from Nanjing University of Aeronautics and Astronautics, one of China’s leading universities of science and engineering. Bachelor of Computer Science and Technology.


1600: Jayson Street Title: Breaking in Bad! (I’m the one who doesn’t knock)

Abstract: I start off the talk describing each one of the below listed attack vectors I use. I tell a story from each of them I show video of me breaking into a bank in Beirut Lebanon. I show video of gaining access to USA State Treasury office. The most important part of my talk is not that at all. I spend the entire last half of the talk creating a security awareness talk! Where I go into ways to spot me (or any attacker) I show the different tools and devices users should be aware of. I show how users should approach a situation if someone like me is in the building or interacting with them online. I basically use this talk to entertain the security people in the audience enough that they will take this back to their work and share my PowerPoint and video of my talk with their executives and co-workers.

BIO: Jayson E. Street is an author of Dissecting the hack: The F0rb1dd3n Network and Dissecting the hack: The V3rb0t3n Network from Syngress. Also creator of http://dissectingthehack.com He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under Jayson E. Street *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.


1700: Tim Newberry Title: Twitter, ISIL, and Tech

Abstract: There is a concerted effort by researchers to understand how the Islamic State of Iraq and Levant (ISIL) is capable of influencing and radicalizing socially vulnerable audiences around the world via digital means. These efforts are demonstrated in a limited body of research that are often times rooted in conventional processes, therefore, having limited direct application to today’s dynamic, open-source digital environment. This environment affords a challenging, yet unique, opportunity to employ open source machine learning techniques guided by social learning and routine activities theory from the criminological field of study. This presentation will discuss a human driven, but machine assisted framework for identifying ISIL methods and victims in order to facilitate an effective counter-narrative for engaging the victims prior to influence happening. The framework utilizes historically based research designs to develop the frameworks, but machine learning to train classification algorithms utilizing data pulled from the Twitter API for modern application. The Scikit-Learn set of tools for Python were used to rapidly prototype tools for data mining and data analysis.

BIO: Timothy Newberry is a former Naval Officer and subject matter expert in digital training design and adversarial use of the internet. As a co-founder of White Canvas Group, Tim was selected to create, design, and implement a program for the CIAs Counter Terrorism Center producing measurable results against global terror networks. Tim has provided countless hours of subject matter expertise and creative design support to US Special Operations Forces (SOF) in developing alternative technical solutions for existing mission requirements within SOF. Since founding WCG, Tim has built technologies like GridMeNow, a location-based service for enhanced situational awareness, which has since been spun off into its own company. Tim has also been a noted speaker at venues such as the Global Information Operations conference in London and the World Wide Information Operations conference in Washington DC.

Prior to White Canvas Group, Tim was a Submariner for eight years of active duty service while completing various assignments in the Pacific, Iraq and Washington DC areas. He is a 2000 graduate from the United States Naval Academy where he earned a B.S. in Computer Science and graduated with distinction. He has an M.S. in Engineering Management from Catholic University of America, a masters level equivalent in Nuclear Engineering for US Naval Nuclear Power Plant operations, and is currently a PhD candidate at the University of New Haven where his focus is on the intersection of new age digital challenges and criminal justice.


1800: Chris Hadnagy Title: “A Peek Behind the Blue Mask: The Evolution of the SECTF”

Abstract: Join HumanHacker in an in-depth exploration of the mysterious world of the SECTF. From a small competition demonstrating a live compromise of fortune 500 companies to a full-scale village, how has the Social Engineering CTF evolved? What are the greatest takeaways from hosting 6 years of CTF competitions? It’s not often you get to hear what goes on behind the scenes. This informative talk will help social engineers, pentesters and future SECTF contestants alike understand how the Social Engineering CTF works. How are results calculated? What attack vectors have the highest success rate? What’s in a theme? What implications does the contest have for the world of SE and the state of corporate security? He’ll discuss expectations from the highest caliber social engineers and how he’s seen social engineering attacks evolve throughout the years. Part education, part documentary, this presentation is an ode to all things SE from the man who started it all.

BIO: When struck by lightning Chris Hadnagy was transformed into loganWHD and infused with the power of social engineering and the ability to identify the weak point in any physical security system. Countering the natural instinct to use his powers for self gain, Chris has spent his time teaching others in the lost arts of many security topics and spreading knowledge through articles and interviews published in local, national, and international magazines and tv shows and books. Hidden amongst normal mortals as the Chief Human Hacker of Social-Engineer, Inc, Chris currently lives a hidden life as the lead developer of Social-Engineer.Org and is the author of a few books on social engineering. If you are in trouble, and no one else can help, you can contact Chris online at www.social-engineer.com or twitter at @humanhacker.


1900: Dave Kennedy Title: Understanding End-User Attacks – Real World Examples

Abstract: From our own analysis, phishing attacks for the first time are the number one attack vector superseding direct compromises of perimeter devices. Endpoints are now subjective to a number of different types of attacks and it’s all around targeting the user. This talk will walk through a number of targeted attacks that elicit social engineering aspects in order to gain a higher percentage of success against the victims. Additionally, we’ll be covering newer techniques used by attackers to further their efforts to move laterally in environments. Social engineering is here to stay and the largest risk we face as an industry – this talk will focus on how we can get better.

Bio: Dave Kennedy is founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from an offense and a defense perspective. David was the former Chief Security Officer (CSO) for a Fortune 1000 company where he ran the entire information security program. Kennedy is a co-author of the book “Metasploit: The Penetration Testers Guide,” the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. Kennedy is the co-host of the social-engineer podcast and on a number of additional podcasts. Kennedy has testified in front of Congress on two occasions on the security around government websites. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.


2000: Adam Compton & Eric Gershman Title: Phishing: Recon to Creds with the SpeedPhishing Framework

Abstract: This presentation will quickly explore some of the common phishing attack tools and techniques. Additionally, there will be a demo of a new tool, which can assist penetration testers in quickly deploying phishing exercises in minimal time. The tool can automatically search for potential targets, deploy multiple phishing websites, craft/send phishing emails, record the results, generate a basic report, among other bells and whistles.

Bio: Adam Compton currently works as a penetration tester and has over 20 years of infosec experience, 15 years as a penetration tester. He has worked in both the government and private sectors for a variety of customers ranging from domestic and international governments, multinational corporations, and smaller local business.

Eric Gershman is currently working on the security team for a group that manages large systems that enable researchers to do “Big Science”. Prior to working in security Eric pursued a bachelors degree in Information Technology at the University of Central Florida. During his time at UCF, he worked as a technician on a large help desk, research intern for an Anti-Virus company and finally as a Linux Systems Administration for several Department of Defense projects.