Is it really time to start preparing for DEF CON 26? Yes, it is. That means it is also time to start preparing for the Social Engineering Capture the Flag (SECTF for short) competition in the SEVillage at DEF CON! The SECTF is your chance to try your hand at social engineering. Whether you schmooze, vish, elicit, or smooth-talk, if you are brave enough to get into a soundproof booth in front of a large and eager audience to show off your skills, then this competition is for you! You’ll compete not only for the bragging rights of having won the SECTF (a black badge competition since it first started back at DEF CON 18), but also for some fabulous prizes and the always amazing street cred of being “The Champion Social Engineer.” You’ll want to line up the bodyguards now; you might need them.
Enough of the marketing hype: this competition has a reputation to uphold. Every year, hundreds of DEF CON attendees line up outside the SEVillage for a chance to see our contest live. For the past eight years this competition has been a driving force behind increased awareness of the dangers Social Engineering (SE) poses to infosec and physical security. All of this comes from SE rookies (and a few veterans), like yourself, who decided to put themselves to the test. In honor of this tradition, the SEVillage strives to find those diamonds in the rough and give them the chance to prove they are shiny. Think that describes you? Then keep reading!
The SECTF has two distinct parts, and you must participate in both to be eligible to compete.
The Pre-DEF CON Basics:
- Apply to be a part of the competition (below)
- Submit a video application (Rules and Registration guidelines here).
- If you are accepted, pay your fully-refunded-upon-arrival deposit of $20 to compete.
- Get your assigned target and instructions for the pre-DEF CON portion of the competition before DEF CON.
- Hand in your OSINT report for the judges to score.
- Take time to come up with pretexts and questions for the live-portion of the competition.
The basics of the Live Competition at DEF CON:
- Arrive at DEF CON.
- Show up for your time slot (get that twenty bucks back).
- Take your seat in the soundproof booth for 20 minutes and perform incredible SE feats while capturing as many flags as possible (see Rules for the list of Dos and Don’ts!)
- Pat yourself on the back and bask in the courage and validation of stepping up to the challenge.
READ ALL OF THIS PAGE BEFORE PROCEEDING – THE RULES ARE IMPORTANT!
Each contestant will be assigned a target company and provided with the list of flags, a sample report, and their call time. You will be given three weeks (STRICT, NO EXCEPTIONS) for your information gathering and report writing.
At DEF CON, during your assigned time slot, each contestant will have 20 minutes to call their target company and attempt to extract as many flags as possible.
If you are:
- At least 16 years old,
- Willing to spend time in an awesome, fun social engineering contest,
- Wanting to win your very own SE Covert Kit, and
- Wanting to be crowned this year’s DEF CON Social Engineering CHAMPION,
Then read on….
The CTF Rules
Before you sign up, read ALL THE RULES CAREFULLY! << We’re really not joking about the “carefully” part.
- Each social engineer is sent a dossier via email with the name and URL of their target company.
- A list will be provided for the contestants that contains all the flags and their corresponding values.
- Before DEF CON, the contestants are allowed to gather as much information as possible using publicly available open-source intelligence (OSINT). This includes, but is not limited to, sources such as Google, LinkedIn, your target’s own website, Facebook, Twitter, etc. Contestants are prohibited from calling, emailing, or otherwise contacting the company in ANY way before the DEF CON event. We will be monitoring this, and points will be deducted for “cheating.”
- Each social engineer will be required to create a professional looking report based on the information obtained during the OSINT phase described above. Contestants will be sent a sample report that they MUST follow as a guideline. A large portion of the score will be determined by the quality of the report. Just “dumping” dozens of pages of information into a Word document is not acceptable. Discovered items and their significance must be clearly communicated. These reports are for the purposes of scoring only, and Social-Engineer.org will not be making them public.
- Any flag found and identified in your professional report is worth half the point value of capturing that flag during the calls. It is in your best interest to collect as many flags as possible during this phase, since you can capture the same flags again during the call for full points.
- Contestants must complete the information gathering and report writing phase detailed above by the due date given to them. Turning in a late report can disqualify you from the contest.
- During a contestant’s time slot at DEF CON, you will be placed in a sound-proof booth and given 20 minutes* to call your target and perform your call(s). During the call(s), you will attempt to capture as many flags as possible. Flags captured during this phase are awarded full points.
- Call spoofing will be available for use – THE CONTESTANT MUST PROVIDE A NEAT AND EASY-TO-UNDERSTAND LIST OF ALL NUMBERS TO CALL AND ALL NUMBERS TO SPOOF AT THE SECTF. ALL phone numbers must be U.S. based.
Prizes:
1st Place – A unique and special SOCIAL ENGINEERING 1st place winner’s trophy, a numbered and limited-edition challenge coin, 1st place winner’s signed certificate, and assorted other swag.
2nd Place – A unique and special SOCIAL ENGINEERING 2nd place winner’s trophy, a numbered and limited-edition challenge coin, 2nd place winner’s signed certificate, and assorted other swag.
THE DO NOT LIST:
- The underlying idea of this CTF is that no one is victimized during this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage. If you violate anything on this list you will receive a warning, then may be disqualified from the competition.
- Activities that are NOT allowed at any point during the contest:
- Attempting to elicit confidential, legal, or personal target data (e.g. Social Security numbers, credit card numbers, passwords, etc.).
- Use of pornography in any form. We attempt to keep the SEVillage family-friendly at all times.
- Any techniques that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised,” or “Do this or you may get fired!”).
- Pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
- Calling anyone that is not an employee of the target company.
- Use common sense: if something seems unethical, don’t do it. If you have questions, ask a judge.
Registration – IMPORTANT READ THIS (We mean it):
Because of a higher-than-expected number of no-shows in the past, we’ve instituted a fully refundable $20 deposit to compete. If you are selected for the contest, you will be required to make a deposit of $20 via PayPal.** A PayPal account is not required; the deposit can be made via credit card. Sorry, no cryptocurrency. When you check in for your time slot at DEF CON (the morning of your call day), you will be handed a crisp (crisp not guaranteed) $20 bill.
Once you have been notified that you are selected for the competition, you will be given 24 hours to make your deposit. If you do not submit your deposit within 24 hours, you will be replaced with another contestant, so please give us an email address you check often.
ALL REGISTRANTS MUST BE ATTENDING DEF CON ALL 3 DAYS. You can’t make the calls if you aren’t there. You can’t compete if you don’t make the calls. You can’t receive your prize if you are not there for closing ceremonies on Sunday. No exceptions.
Please bear in mind that the SEVillage is a family friendly place, and we strive to achieve that in every aspect of the competition. Please dress appropriately.
Judges for competitions held or affiliated with Social-Engineer.org, or the Social Engineering Village at DEF CON, have the final say in who can compete and may remove or bar any contestant from the competition at any time for their own reasons. So play nice.
You’ve read the above and think you are ready to sign up? Then register now!