The Social Engineering CTF v2.0

Recently, I was discussing how social engineering skills are used, and how last year's CTF really shocked a lot of people. This was primarily due to how easy it was for many non-professional social engineers to obtain such valuable information from seemingly secure companies.

The question arose: after producing a contest which seemingly broke all the rules, stretched the limits of all the contestants, bordered on the line of legitimacy, and broke attendance records in Defcon's 18-year history, how is this first-year contest the ONLY one ever to be awarded a 'Black Badge'? How can you top this accomplishment and make another contest fun, yet different?

It’s been a little over a week since we launched the news of the Defcon 19 Social Engineering CTF and the registrations for potential contestants are pouring in. I wanted to take this opportunity to go over what will be new and talk a little bit about this year’s competition.

Target Selection
Last year, we chose targets that we thought would be interesting to call.  This year, a lot of effort is being put into target choices. We want to make sure that the targets chosen showcase different types of businesses as well as a wide range of industries.

This year, we introduce the idea of premier targets. These are companies that have agreed to work with us, allowing us to target them and try to obtain our flags. In addition to having some premier targets, we will be disclosing all targets publicly at the SE CTF event. Our goal is to show the dangers that social engineering poses in the corporate world, across industries including education, manufacturing, finance, and retail.

Last year, we allowed the contestants to submit whatever format they wanted, and what we got back ranged from 80 pages of copy/paste to finely detailed reports. This year, we are giving contestants a sample report that will show them exactly what we want from them. This report will also give them ideas and some detail on how the pros perform their tasks. In addition, a large portion of each contestant's score will come from their report.

Reports that contestants turn in will be scored by the judges and this value will be added to their overall score. Flags will have a point value in this report as well as over the phone. Additionally, the presentation and composition of the report will be graded. Discovered findings are worthless if they are not communicated appropriately and this will play a part in the scoring.

We hope that by giving the contestants some ideas, samples of good information gathering, and attack vector planning, this will even the playing field and help give us data that will help our reporting after the CTF is over.

On the subject of reporting, we are really going to pump up our report this year. I know we spoke about this in the blog, but we really are going to do things differently this year. Besides naming each company we call, we will have an index reporting number that will, in essence, "score" each of them. This score will indicate how they ranked and how they fared in the SE CTF.

We hope this report will become a reference for companies to use in their security awareness programs by helping them combat the threat of social engineering.

Flags and Rules
Last year, we had a very long list of strict rules that the contestants had to follow to keep them, and the contest, as clean as possible. This year, that list will still be present, but with some additions.

Our flags will be broken down into sections, allowing a contestant to tailor his/her attack vector to cover a certain section of those flags. We are adding some new flags to the list that we feel will add some challenges for them, as well as removing some of the flags we felt ended up being unrealistic.

The Contestants
This year, we are only accepting 16 contestants, but we are allowing up to 60 people to sign up. Why the large difference? We feel that instead of a first come, first served attitude, we will choose people who truly demonstrate a desire to compete. We are asking each contestant to tell us WHY he or she feels they deserve to be picked. In addition, we are asking the contestants to tell us where they work so that we don't have conflicts with the targets we assign to them.

We feel these changes will allow for a more interesting CTF. One thing we are asking – to all the female social engineers out there – we would love to see more of you compete this year.

The Goal
As stated above, the goal of this contest is to raise the awareness of the dangers that malicious social engineering poses to businesses. We believe that by focusing on this goal, the contest will take on a life of its own and as long as that is our focus, we won’t fall into the trap of doing something just for laughs or shock value.

This is what we do for a living, so we see it every day and we see the terrible effects of malicious attacks. For us, this is a driving force to make this contest the best.

Do you want to compete, but you are nervous or feel you might not qualify? I can understand that, but consider what happened last year. When some contestants took their turn, not all of them were smooth, skilled, or even fully prepared. Some started off really rough and even flubbed the first few tries. The room full of audience members never heckled callers, never laughed at failures, and never seemed to take joy in mistakes. Instead, we heard loud applause for all attempts and cheers for contestants/companies that were successful. The spirit in the room captured the feeling we have towards the purpose of this contest: the very mission of this CTF.

If you are even considering it, put your name in and give it a try. If you don't feel you can or would be able to compete, then feel free just to join us at the event. We have been told by Jeff Moss himself that the room we are being given this year will be much larger, so you won't have to sit on Re1k's lap (unless you want to).

We also plan on having better communications this year via Twitter and our website to keep those of you who can't make it in tune with what is happening.

Whether you compete or you come to watch, we look forward to seeing you this year in Vegas. Stay tuned for more info soon.

Written by Christopher Hadnagy

The Social Engineering CTF 2 – A Contestant’s Guide

With the registration for contestants to sign up for this year's SE CTF well underway, I thought it would be a good idea to give some advice to contestants on how to prepare for the contest. Consider these some lessons learned from last year.

Make sure you have permission

Last year, before the CTF started, there was a lot of press coverage and various warnings coming from different organizations. On one hand, this was great in accomplishing our goal of raising awareness about social engineering attacks, but on the other hand, there was a ton of concern being thrown around by many uninformed parties. The result: we had a number of contestants told by their employers that they were not allowed to participate in the competition. In a couple of cases, prospective participants were threatened with firing if they even attended the event.

Although we don't think this contest is worth losing your job over, it would really suck to make plans, spend money, and put off work just to find out you can't take part. Or even worse, take part, then come back and find that you have lost your job. True, we don't release any information about our contestants, but remember, you will be in front of a whole room of people; word may (and probably will) get out.

Set aside the time you will need

This contest is more than just showing up at DefCon and making a few calls. There is a lot of prep involved prior to the competition in order to be successful. Last year, everyone who scored high marks spent a considerable amount of time on information gathering. The people who just turned in some whois output and copy/paste from LinkedIn did not do nearly as well.

This year, we are raising expectations and asking more from everyone. The report turned in before the contest will be a sizable portion of the score. More information on how that is being done will be sent to contestants with the target assignments, but for now, know that a real report will need to be submitted. This will matter. If you don't set aside the time to do a reasonably good job on this report, it may be very hard to get enough points to win.

Ensure you have a number to call that someone will answer

There is no way around it; some contestants will have better time slots than others. Because of the times the contest is running, there will be calls made on Saturday. It’s going to be the contestants’ job to ensure that they have numbers to call where a real live human is on the other end to answer the call. Last year, this was a major issue for some contestants and it really hurt their overall score.

Also, take into consideration how long it will take to get someone on the line. The more you are transferred, the more time you lose out on trying to collect flags.

Learn from the past

Be sure to read the wrap-up report from last year. This is one of the best sources of information on what did and did not work last year. Build off of that source of knowledge; there is no reason to start from scratch.

Understand that this is not the same as the average SE pentest

There are a lot of differences between this CTF and a normal SE pentest. The time limits, the flags, and the limitations are just a few of these differences. In a lot of ways, this is harder than what you normally have to contend with. Knowing this will help you plan your attacks and give you a greater advantage in your overall score.

Be ready for a crowd

Last year, there was a standing-room-only audience to watch the CTF take place. This year, we have been promised a larger room. What this means is: be ready to make your calls in front of a large number of people. This can be intimidating for some. No one is attending to watch you fail or make fun of you. Last year, the crowd was very supportive of all the contestants, and we expect the same this year. Don't be scared of the crowd; they are on your side. Think of it this way: you have the guts to sit up there; they are just watching.

Follow the rules

Be sure you read and understand the rules. When we say that the idea of this contest is "NO ONE GETS VICTIMIZED", we MEAN it. We will not hesitate to drop you from the contest if you do something that breaks these rules. We expect everyone to be professional about this contest and to understand that there will be a lot of attention given to it.

If anyone screws up, there will be many parties ready to throw the whole event under the bus and talk about how evil everyone is who took part in it. We all have to be protective of the integrity of the event to maintain the strong reputation that we earned last year.

Have fun

Don’t forget to have fun. The contest is a lot of work, but it’s worth it. This is a chance for you to learn from your peers, show off your skills, and all the while, have fun doing it. If you are taking part in the contest this year, thanks again for your support and we look forward to seeing you there!

Written by James O'Gorman