Social Engineering CTF Update

It has been only a week since we launched the registration for the Social-Engineer.Org First Social Engineering CTF – How Strong is Your Schmooze. What has happened in over a week?

The awareness that has been raised is just amazing. There have been many stories written and podcasts recorded discussing the contest and what the rules are. People are wondering and very curious about what it will entail. Numerous alerts have been issued by various agencies about the contest. I will post one of them below.

How Strong is Your Schmooze

We are very happy with all the awareness this is raising for social engineering threats. At the end of the contest we are going to release a detailed report that will help all who are interested see what attacks worked.

Our contest registration is 100% full, and there is even a small overflow list. We are excited to see how the contest progresses and we wish all the contestants good luck. We are giving points for things that you probably never even thought of gathering during normal social engineering gigs.

Stay tuned for more information.

As promised, here is one of those warnings:

Advisory ID: 2010-06-016
Date/Time Reported (GMT): 6/7/2010 8:14 PM
Title: DEFCON Social Engineering Capture The Flag Contest

Risk: 2
Audience: Analysts, Core Members, Premier Members, Standard Members

Type of Threat: Social Engineering

Summary: Hacker Conference DEFCON is hosting a Capture The Flag (CTF) contest that aims to test participants’ social engineering skills. The contest’s specific ground rules state that participants must legally socially engineer their way into a target company, and they are not allowed to get credit card numbers, social security numbers, passwords, involve porn, or make the target feel “at risk.” Participants cannot use government agencies, law enforcement, or legal entities as a ruse to get inside, nor can they contact relatives of the targeted firm’s employees.

DEFCON 18 will take place July 30th – August 1, 2010 at the Riviera Hotel & Casino in Las Vegas, Nevada. Financial institutions should be aware of this upcoming contest, and should brief their personnel, especially call centers and legal departments, regarding this event.

Business Impact: Social Engineering

Severity: 1 – Informational (Normal)

Urgency: 1 – Information Only

Credibility: 3 – Single Source

The CTF Rules
<our rules were posted here>

Recommendations: Financial institutions are recommended to proactively brief their personnel, especially call centers and legal departments, regarding this event.

Legal reminders for Financial Institutions: Any attempt to solicit information about an FI customer/client is considered an attempt at unauthorized access to customer information under GLBA and Bank Secrecy Act provisions and may require submission of a Suspicious Activity Report.

Regulatory guidance:

In New York State, criminal impersonation is a misdemeanor. S 190.25 Criminal impersonation in the second degree: A person is guilty of criminal impersonation in the second degree when he:
1. Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or
2. Pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another; or
3. (a) Pretends to be a public servant, or wears or displays without authority any uniform, badge, insignia or facsimile thereof by which such public servant is lawfully distinguished, or falsely expresses by his words or actions that he is a public servant or is acting with approval or authority of a public agency or department; and (b) so acts with intent to induce another to submit to such pretended official authority, to solicit funds or to otherwise cause another to act in reliance upon that pretense.

Criminal impersonation in the second degree is a class A misdemeanor.