Volume 02 Issue 19
In this issue
If you want to see the reviews of the book Social Engineering: The Art of Human Hacking you can check it out and let us know your thoughts
The Feb-March SE Poll is almost ended, get your vote in now!
Offensive Security is about to launch an amazing new PWB class location. As subscribers to this newsletter you get the news first.
Finally, Spy Associates continues to send us cool devices to test. Please visit their page to check out some of the coolest devices around.
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Offensive Security for their continual Support. Are you looking for world class security training? Offensive Security has live classes scheudled now. Sign up before they fill up!
A special thanks to our Editor: John 'J' Trinckes, Jr
Offensive Security Live classes constantly sell out - register early to make sure you don't miss out of the next class.
Email Chris anytime at firstname.lastname@example.org
The Social Engineering CTF v2.0
Recently, I was discussing how social engineering skills are used last year the CTF really shocked a lot of people. This was primarily due to how easy it was for many non-professional social engineers to obtain such valuable information from seemingly secure companies.
The question arose: after producing a contest which seemingly broke all the rules, stretched the limitations of all the contestants, bordered on the line of legitimacy, and broke attendance records for Defcon’s 18 year history - how is this first year contest the ONLY one to ever be awarded a ‘Black Badge’? How can you top this accomplishment and make another contest fun, yet different?
It’s been a little over a week since we launched the news of the Defcon 19 Social Engineering CTF and the registrations for potential contestants are pouring in. I wanted to take this opportunity to go over what will be new and talk a little bit about this year’s competition.
This year, we introduce the idea of premier targets. These are companies that have agreed to work with us, allowing us to target them, and try to obtain our flags. In addition to having some premier targets, we will be disclosing all targets publicly at the SE CTF event. Our goal is to show the dangers that social engineering poses in the corporate world - across all industries from education, manufacturing, financial, and retail.
Reports that contestants turn in will be scored by the judges and this value will be added to their overall score. Flags will have a point value in this report as well as over the phone. Additionally, the presentation and composition of the report will be graded. Discovered findings are worthless if they are not communicated appropriately and this will play a part in the scoring.
We hope that by giving the contestants some ideas, samples of good information gathering, and attack vector planning, this will even the playing field and help give us data that will help our reporting after the CTF is over.
On the subject of reporting, we are really going to pump up our report this year. I know we spoke about this in the blog, but we really are going to do things different this year. Besides naming each company we call, we will have an index reporting number that will, in essence, “score” each of them. This score will indicate how they ranked and how they fared in the SE CTF.
We hope this report will become a reference for companies to use in their security awareness programs by helping them combat the threat of social engineering.
Flags and Rules
Our flags will be broken down into sections, allowing a contestant to tailor his/her attack vector to cover a certain section of those flags. We are adding some new flags to the list that we feel will add some challenges for them, as well as removing some of the flags we felt ended up being unrealistic.
We feel these changes will allow for a more interesting CTF. One thing we are asking – to all the female social engineers out there – we would love to see more of you compete this year.
This is what we do for a living, so we see it every day and we see the terrible effects of malicious attacks. For us, this is a driving force to make this contest the best.
Do you want to compete, but you are nervous or feel you might not qualify? I can understand that, but consider what happened last year. When some contestants’ took their turn, not all of them were smooth, skilled, or even fully prepared. Some started off really rough and even flubbed up the first few tries. The room full of audience members never heckled callers, never laughed at failures, and never seemed to take joy in mistakes. Instead, we heard loud applause for all attempts and cheers for contestants/companies that were successful. The spirit in the room captured the feeling we have towards the purpose of this contest; the very mission of this CTF.
If you are even considering it, put your name in and give it a try. If you don’t feel you can or would be able to compete then feel free just to join us at the event. We have been told by Jeff Moss himself, that the room we are being given this year will be much larger so you won’t have to sit on Re1ks lap. (unless you want to)
We also plan on having better communications this year with twitter and our website to keep those of you who can’t make it, in tune with what is happening.
Whether you compete or you come to watch, we look forward to seeing you this year in Vegas. Stay tuned for more info soon.
Written by Christopher Hadnagy
The Social Engineering CTF 2 – A Contestant’s Guide
With the registration for contestants to sign up for this year’s SE CTF well underway, I thought it would be a good idea to give some advice to contestants on how to prepare for the contest. Consider these some lessons learned from last year.
Make sure you have permission
Last year before the CTF started, there was a lot of press coverage and various warnings coming from different organizations. On one hand, this was great in accomplishing our goal of raising awareness about social engineering attacks, but on the other hand, there was a ton of concern being thrown around by many un-informed parties. The result, we had a number of contestants told by their employers that they were not allowed to participate in the competition. In a couple cases, perspective participants were threatened with firing if they even attended the event.
Although we don’t think this contest is worth losing your job over, it would really suck to make plans, spend money, and put off work just to find out you can’t take part. Or even worse, take part then come back and find that you have lost your job. True, we don’t release any information about our contestants, but remember, you will be in front of a whole room of people; word may (any probably will) get out.
Set aside the time you will need
This contest is more than just showing up at DefCon and making a few calls. There is a lot of prep involved prior to the competition to be successful. Last year, everyone that scored high marks spent a considerable amount of time in information gathering. The people that just turned in some whois and copy/paste from LinkedIn did not do nearly as well.
This year, we are raising expectations and asking more from everyone. The report turned in before the contest will be a sizable portion of the score. More information of how that is being done will be sent to contestants with the target assignments, but for now, know that a real report will need to be submitted. This will matter. If you don’t set aside the time to do a reasonably good job on this report, it may be very hard to get enough points to win.
Ensure you have a number to call that someone will answer
There is no way around it; some contestants will have better time slots than others. Because of the times the contest is running, there will be calls made on Saturday. It’s going to be the contestants’ job to ensure that they have numbers to call where a real live human is on the other end to answer the call. Last year, this was a major issue for some contestants and it really hurt their overall score.
Also, take into consideration how long it will take to get someone on the line. The more you are transferred, the more time you lose out on trying to collect flags.
Learn from the past
Be sure to read the wrap up report from last year. This is one of the best sources of information for things that did and did not work last year. Build off of that source of knowledge; there is no reason to start from scratch.
Understand that this is not the same as the average SE pentest
There are a lot of differences between this CTF and a normal SE pentest. The time limits, the flags, and the limitations are just a few of these differences. In a lot of ways, this is harder than what you normally have to contend with. Knowing this will help you plan your attacks and give you a greater advantage in your overall score.
Be ready for a crowd
Last year, there was a standing room only audience to watch the CTF take place. This year, we have been promised a larger room. What this means is be ready to make your calls in front of a large number of people. This can be intimidating for some. No one is attending to watch you fail or make fun of you. Last year, the crowd was very supportive of all the contestants and we expect the same this year. Don’t be scared of the crowd; they are on your side. Think of it this way, you have the guts to sit up there; they are just watching.
Follow the rules
Be sure you read and understand the rules. When we say that the idea of this contest is “NO ONE GETS VICTIMIZED”; we MEAN it. We will not hesitate in dropping you from the contest if you do something that breaks these rules. We expect everyone to be professional about this contest and understand that there will be a lot of attention given to it.
If anyone screws up, there will be many parties ready to throw the whole event under the bus and talk about how evil everyone is that took part in it. We all have to be protective of the integrity of the event to maintain the strong reputation that we earned last year.
Don’t forget to have fun. The contest is a lot of work, but it’s
worth it. This is a chance for you to learn from your peers, show off your
skills, and all the while, have fun doing it. If you are taking part in the
contest this year, thanks again for your support and we look forward to
seeing you there!
Written by James O'Gorman