We are extremely excited about the Social-Engineer.org CTF at Defcon 18. However, in the excitement some have expressed concern that contestants might act improperly or that government, companies or individuals might be adversely impacted. We want to put these concerns to rest. Our jobs at Social-Engineer.Org are to ensure the security of our clients, and our reputation is built on that promise.
The purpose of the contest is to (1) raise awareness on the threat of social engineering, and (2) challenge contestants to come up with creative, legal ways of obtaining information from companies. The contest is structured to be good, clean fun. Our goal is to show how much information companies may inadvertently divulge to individuals making regular, legal inquiries using normal channels of communication. The type of information we will be asking for will be things like the number of restrooms in the building, and the sort of candy that sells out from the vending machines first.
We have been working with attorneys at the Electronic Frontier Foundation to ensure that the rules make clear to contestants that their game play must be lawful:
• Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
• Contestants may not attempt to falsify or falsify employment records;
• The list of target organizations will not include any financial, government, educational, or health care organizations;
• Contestants must keep it clean, for example, use of any pornography is banned.
These are just a subset of the rules that we have reviewed with the EFF to ensure participants keep this contest above board. Contestants that do not follow the rules will be disqualified.
We hope our CTF will raise awareness and provide information that shows companies what they need to educate their workers about malicious social engineering attacks. Malicious social engineers never hold contests, never do press releases and never warn the world they will be calling, and they also never have rules. To some extent, we feel that our goal has been advanced already by this discussion, and we hope that with the information we will gather during the CTF we will be able to assist many companies to becoming more secure. Since the beginning, www.social-engineer.org has been all about “Security Through Education” and this CTF is an extension of that.
If there are any questions or concerns please feel free to contact us directly. We would be happy to discuss this specific social engineering contest, or social engineering threats in general with you and your organization. We are here to help the community, please let us know how we can help you.
If you would like to discuss this please contact Chris Hadnagy at [email protected]