READ ALL OF THIS PAGE (that means every word on this page) BEFORE PROCEEDING – THE RULES ARE IMPORTANT!
By now you should know what the SECTF is; if not, please go read the blog post, then come back here.
This truly unique event will challenge you and test your ability to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each target company will be assigned a TAG TEAM. Your team will be assigned by the SOCIAL-ENGINEER SECTF PANEL of Judges. Each team will be provided with flags, a sample report and their call time. They will be given three weeks (STRICT, NO MORE TIME) to work separately on their information gathering and reporting.
At DEF CON, during their assigned time slot, each team will have 30 minutes to call the target company and attempt to extract as many flags as possible. Then the true battle begins to determine “WHO IS THE TAG TEAM CHAMPION”.
If you are:
· Either Male or Female Human Species
· Willing to spend time in an awesome, fun social engineering contest
· Want to win your very own SE Covert Kit
· Want to prove that your gender is the best
· Want to be crowned the DEF CON 22 Social Engineering TAG TEAM CHAMPION
Then read on….
The CTF Rules
Before you sign up, read ALL THE RULES CAREFULLY. (Get the hint yet???)
- Each Social Engineer Team is sent a dossier via email with the name and URL of their target company.
- A list will be provided for the contestants that contains all the flags and their corresponding flag value.
- Before DEF CON, the contestants are allowed to gather as much information as possible using public, open source information (OSI). This includes, but is not limited to, sources such as Google, LinkedIn, your target’s own website, Facebook, Twitter, etc. Contestants are prohibited from calling, emailing, or contacting the company in ANY way before the DEF CON event. We will be monitoring this and points will be deducted for “cheating”.
- TEAMS will be required to create a professional-looking report based on the information obtained during the gathering phase described above. Contestants will be sent a sample report that they MUST follow as a guideline. A large portion of the score will be determined by the quality of the content of the report. Just “dumping” dozens of pages of information into a Word document is not an acceptable report. Discovered items must be clearly communicated. Information gathered in this phase of the contest both sets the stage for your success in the later calls and establishes the baseline for your initial score. These reports are for the purposes of scoring only, and Social-Engineer.org will not be making them public.
- Any flags found and identified in your professional report will be awarded half points. It’s in your best interest to try and collect as many flags as possible during this phase as you will also be able to collect these flags again during the call for full points. Combined, you have the potential to get 1.5x points per flag.
- Contestants will have THREE weeks to complete the information gathering and report writing phase detailed above.
- Contestants will submit their dossiers for review to the judging panel on or before <DATE>. Late hand-in can disqualify a contestant from the contest. Or worse, you may be forced to hang with nick8ch all night in a dark closet.
- During a contestant’s time slot the contestant will be placed in a sound-proof booth and given approximately 30 minutes* to call their target and perform their attack(s). During the attack the contestant will attempt to capture as many flags as possible. Flags captured during this phase are awarded full points. (* time may be adjusted according to the amount of contestants, but all contestants will receive equal time)
- YOU MUST TAG OUT, that is, tag your partner using a believable pretext, at least three times during the 30 minutes.
- Call spoofing will be available for use – THE CONTESTANT MUST INCLUDE ALL NUMBERS TO CALL AND ALL NUMBERS TO SPOOF IN A CLEARLY MARKED SECTION OF THEIR REPORT.
- All phone numbers must be USA Based numbers. (No Canada, South America or anything across the Atlantic or Pacific Oceans)
- Scoring will consist of the pre-DEF CON report and half point flags, flags captured during the call, and a subjective score given by the judges.
“Flags” are a custom list of specific bits of information, which you will have to discover during the information gathering stage and during your phone call. The judging panel creates the list, and points will be awarded for each item present on the list. This list will be presented to you with your information packet if you are selected.
1st Place – A unique and special SOCIAL ENGINEERING PENTEST 1st place winner’s toolkit. (more details soon), a numbered and limited edition challenge coin, and 1st place winner’s signed certificate
2nd Place – A unique and special SOCIAL ENGINEERING PENTEST 2nd place winner’s toolkit (more details soon), a numbered and limited edition challenge coin, and 2nd place winner’s signed certificate
THE DO NOT LIST:
- The underlying idea of this contest is: no one gets victimized during this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not on who does the most damage. Our goal is to raise awareness of the threat that social engineering poses to corporations today.
- Items that are not allowed to be targeted at any point in the contest:
- No going after very confidential data (e.g. SSNs, credit card numbers, etc.). No illegal/sensitive data.
- Nothing that can get Social-Engineer.org, DEF CON, or the participants in the contest sued
- No use of pornography – it cannot be used during the CTF in any form
- At no point are any techniques allowed to be used that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised.”).
- No targeting information such as passwords.
- No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
- The social engineer must only call the target company, not relatives or family of any employee. Use common sense: if something seems unethical, don’t do it. If you have questions, ask a judge.
- If at any point in the contest it appears that contestants are targeting anything on the “No” list, they will receive one warning. After the one warning they are disqualified from the contest.
- All phone numbers MUST be US based.
Registration – IMPORTANT, READ THIS
Due to the higher than expected number of no-shows in the past, we’re instituting a fully refundable $20 deposit to compete. If you are selected for the contest, you will be required to make a deposit of $20 via PayPal*. A PayPal account is not required; the deposit can be made via credit card. Sorry, no Bitcoin. When you check in for your time slot (30 minutes prior to your assigned time slot), you will be handed a crisp (*crisp not guaranteed) $20 bill and your free shirt.
You will be given 24 hours to complete this step; after that you will be replaced with another contestant. Please give us an email address you check often.
*If you INSIST on making our lives miserable and you absolutely refuse to pay via PayPal or Credit Card because you’re paranoid and need professional help, talk to us if you’re selected.
IMPORTANT NEW RULE: To even be considered you must submit a video explaining why you want and deserve to be chosen for this competition. CONVINCE US you deserve a slot. Rules and guidelines will be sent after registration.
ALL REGISTRANTS MUST BE ATTENDING DEF CON ALL 3 DAYS
This year’s SECTF is being sponsored by these amazing companies:
If you can comply with all the above and think you have the skills to become the winning social engineer then register below: