Defcon is over, and after the long treks home we are taking some time to review the past few days. There is so much to say that it seems like I would have to write a book to get it all out. Most of it can be summed up by saying, “Security Through Education.”
The Social-Engineer.Org CTF took off with a bang that I think was heard around the world. We have counted just a tad under 100 articles that have been printed about the CTF in magazines, newspapers and media journals around the globe. Companies, people and governments are very curious about the results of the contest and the report that is soon coming.
To recap some of the highlights:
- We had about 15-17 contestants that stuck with it, out of the 45 that signed up. Many had to quit the competition due to pressure from their companies, some even being threatened with being fired if they competed.
- Every company that was called and had a real human answer failed, except ONE. The only reason that one did not fail is that, at the time the call was placed, there was no one on staff to help.
- The pretexts used ranged from being a very technical person who needed help to a user that had zero technical skill at all. All were successful.
- The data collected will be very useful as companies see that the risk is real and the information was easily obtained.
- In the end, we learned a lot and had a great time.
We held two press conferences while at Defcon as there were some 30 news reporters that wanted coverage on the event. We worked hard to make sure that none of the target companies or their employees were named next to flags they fell for. This was to keep the targets and their employees from feeling victimized.
Many of the reports were excellent, truly representing what the CTF was all about. All the press, all the attention and all the good information obtained surely made for an exciting weekend at Defcon.
The end results will be put into the Social-Engineer.Org report that will be posted hopefully in 3-4 weeks. The Defcon weekend really blew us away.
From the first day we didn’t know what to expect when it came to the contestants as well as the room and the audience. We were given a smaller room, but as we set it up it looked huge to us. Just a short time after starting, we were amazed to see the room filling up. By mid-day there was standing room only. Not only were we shocked, but we were humbled to see how many stuck it out throughout the day.
Then on Saturday it was even fuller. The room was packed all day long, with a line even forming outside before we arrived. On Sunday it was the same thing, and the podcast went great. We will be editing that and getting it online soon.
After a short break we went to the closing ceremonies. Never before have we seen so many people packed into a room. They had such overflow they had to set up an auxiliary room.
In the end, the Defcon staff told us they wanted to do something that hasn’t been done in 18 years of Defcon history: give a first-year contest a coveted black badge. The black badge, which gives the holder free access to Defcon for life as well as the honor and prestige of winning one of the few that are given away, is usually only given to popular contests once they have been around for 2 or 3 or more years. Defcon does this to ensure the contest will have longevity and to avoid giving it away to contests that will disappear quickly.
There was a catch though; Defcon didn’t want to break the rules without seeing what the audience thought. The end result was that they were going to ask the audience if they thought social-engineer.org and the CTF deserved one to be given away to its winner. After our introductions, Pyr0 asked the audience what they thought. The response was truly an amazing and humbling experience. Horns were blown, people clapped, screamed, hooted, hollered, stomped their feet and yelled in support. After about 20-30 seconds of that from both rooms, the Defcon staff said, “You have your answer,” and history was made, for Defcon as well as Social-Engineer.Org.
Handing the black badge to the winner was a joyful experience because he was as shocked as we were. Our top two winners were amazing in skill and really showed what can be accomplished through social engineering. Congrats to Scott and Wayne and thanks to Defcon, Offensive Security and CWC for their support. Thank you again to the EFF for the constant advisement, and thank you to the FBI for not judging without all the facts and treating social-engineer.org and the CTF event with such respect.
This is not the end however, but rather just the beginning. With the live recording of the one-year anniversary of the social-engineer.org podcast, the ever growing framework, a much talked about newsletter, and the forthcoming report detailing the analysis of the CTF, we have our hands full.
Thank you everyone for playing a part, supporting us, and the constant words of encouragement. There will be plenty more news as we get closer to releasing the report.
Thank you for standing with us. And just keep thinking, “Security Through Education.”