READ ALL OF THIS PAGE (that means every word on this page) BEFORE PROCEEDING – THE RULES ARE IMPORTANT!
This truly unique event will challenge you and test your abilities to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each contestant will be assigned a target company. Each contestant will be provided with flags, a sample report and their call time. You will be given three weeks (STRICT, NO EXCEPTIONS) to work on your information gathering and reporting.
At DEF CON, during your assigned time slot, each contestant will have 25 minutes to call the target company and attempt to extract as many flags as possible. Then the true battle begins to determine “WHO IS THE SOCIAL ENGINEER CHAMPION.”
If you are:
- Either Male or Female of the Human Species (if you have a problem with this statement do not apply!)
- Willing to spend time in an awesome, fun social engineering contest
- Wanting to win your very own SE Covert Kit
- Wanting to be crowned the DEF CON 25 Social Engineering CHAMPION
Then read on….
The CTF Rules
Before you sign up, read ALL THE RULES CAREFULLY (Get the hint yet???)! Breaking these rules can lead to IMMEDIATE DQ – SO KNOW THEM!
- Each Social Engineer is sent a dossier via email with the name and URL of their target company
- A list will be provided for the contestants that contains all the flags and their corresponding point values.
- Before DEF CON, the contestants are allowed to gather as much information as possible using public, open source intelligence (OSINT). This includes, but is not limited to, sources such as Google, LinkedIn, your target’s own website, Facebook, Twitter, etc. Contestants are prohibited from calling, emailing, or contacting the company for the purpose of OSINT before the DEF CON event. We will be monitoring this and points will be deducted for “cheating.”
- You MAY call the numbers you obtain to ensure they will be answered on the day and time of your call.
- Each social engineer will be required to create a professional-looking report based on the information obtained during the gathering phase described above. Contestants will be sent a sample report that they SHOULD follow as a guideline. A large portion of the score will be determined by the quality of the report. Just “dumping” dozens of pages of information into a Word document is not acceptable. Discovered items and their significance must be clearly communicated. Information gathered in this phase of the contest will both set the stage for your success in the later calls and establish the baseline for your initial score. These reports are for the purposes of scoring only, and Social-Engineer.org will not be making them public. The content of the reports will, upon request by a valid representative, be made available to the target companies.
- Any flags found and identified in your professional report will be awarded half-points. It’s in your best interest to try and collect as many flags as possible during this phase as you will also be able to collect these flags again during the call for full points. Combined, you have the potential to get 1.5x points per flag.
- Contestants will have THREE weeks to complete the information gathering and report writing phase detailed above.
- Contestants will submit their dossiers for review to the judging panel on or before the date given on the dossier. Turning in a late report can disqualify you from the contest or, even worse, force you to spend time with Jim Manley in a dark closet.
- During a contestant’s time slot at DEF CON, you will be placed in a sound-proof booth and given approximately 25 minutes* to call your target and perform your call(s). During the call(s), you will attempt to capture as many flags as possible. Flags captured during this phase are awarded full points. *Time may be adjusted according to the number of contestants, but all contestants will receive equal time.
- Call spoofing MAY be available for use – THE CONTESTANT MUST INCLUDE ALL NUMBERS TO CALL AND ALL NUMBERS TO SPOOF IN A CLEARLY MARKED SECTION OF THEIR REPORT.
- All phone numbers must be USA-based numbers (No Canada, South America or anything across the Atlantic or Pacific Oceans).
- Scoring will consist of the pre-DEF CON report and half-point flags, full-point flags captured during the call, and a subjective score given by the judges.
- TARGET RECALL: We will NOT allow a contestant to recall a target to get the SAME information they just obtained. For instance, you call a particular target, then hang up, call back and say “Sorry, I just lost all that info, can I get it again?” You may call a target more than once to get new information.
- No offer of any GIFT, BRIBE or REWARD for participating in your pretext is allowed.
Flags: “Flags” are a custom list of specific bits of information, which you will have to discover during the information gathering stage and during your phone calls. The judging panel creates the list and points will be awarded for each item correctly found (and documented) from the list. This list will be presented to you with your information packet if you are selected to compete.
1st Place – A unique and special SOCIAL ENGINEERING 1st place winner’s toolkit, a numbered and limited edition challenge coin, 1st place winner’s trophy, and assorted other swag.
2nd Place – A unique and special SOCIAL ENGINEERING 2nd place winner’s toolkit, a numbered and limited edition challenge coin, 2nd place winner’s trophy, and assorted other swag.
THE DO NOT LIST:
- The underlying idea of this contest is: No one gets victimized during this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage. Our goal is to raise awareness of the threat that social engineering poses to corporations today. If you violate anything on this list, you will receive a warning, then may be disqualified from the competition.
- Activities that are NOT allowed at any point during the contest:
  - Attempting to elicit confidential, legal, or personal target data (e.g. SS#, credit card numbers, passwords, etc.).
  - Use of pornography in any form. We attempt to keep the SE Village family-friendly at all times.
  - Any techniques that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised.” or “Do this or you may get fired!”).
  - Pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
  - Calling anyone who is not an employee of the target company.
  - Calling an employee’s personal home or mobile number.
  - The use of threats or foul language.
- Use common sense: if something seems unethical, don’t do it. If you have questions, ask a judge.
Registration – IMPORTANT READ THIS
Due to the higher-than-expected number of no-shows in the past, we’ve instituted a fully refundable $20 deposit to compete. If you are selected for the contest, you will be required to make a deposit of $20 via PayPal.** A PayPal account is not required and the deposit can be made via credit card. Sorry, no BitCoins. When you check in for your time slot at DEF CON (the morning of your call day), you will be handed a crisp (crisp not guaranteed) $20 bill.
Once you have been notified that you are selected for the competition, you will be given 24 hours to make your deposit. If you do not submit your deposit within 24 hours, you will be replaced with another contestant, so please give us an email address you check often.
**If you INSIST on making our lives miserable and you absolutely refuse to use PayPal or a credit card for your deposit because you’re paranoid and need professional help, talk to us if you’re selected.
ALL REGISTRANTS MUST BE ATTENDING DEF CON ALL 3 DAYS. You can’t make the calls if you aren’t there. You can’t compete if you don’t make the calls. No exceptions.
If you choose to send in a video and you are chosen, you will get a 10-point bonus for submitting a video.
All contestants must be appropriately attired while participating in any competitions held or affiliated with Social-Engineer.org or the Social Engineering Village at DEF CON. This doesn’t mean we care what style of clothing you wear, as long as you wear enough of it to cover yourself in such a way that you do not make us or the audience uncomfortable. Many pictures are taken and we do not want any unflattering pictures of our contestants ending up on the Internet.
As with just about any other competition out there, judges for competitions held or affiliated with Social-Engineer.org or the Social Engineering Village at DEF CON have the final say in who can compete and may remove or bar any contestant from the competition at any time for their own reasons. So play nice.