As Defcon 21 approaches we asked one of our youngest contestants ever to write about her experience as a Social-Engineer Capture The Flag Contestant at Defcon 20… here is her story:

I am a social engineer. We all are, actually, but my title is official now.

A social engineer is someone who hacks people like hackers hack computers. Any child who has talked his parents into buying him his third Milky Way from the candy aisle is a social engineer like Frank Abagnale, Jr. Getting someone to act in a way that they otherwise wouldn’t– usually not in their self-interest – is social engineering.

I earned my stripes as an official social engineer at the 20th anniversary of the largest hacking convention in the world, DEFCON 20, hosted in Las Vegas at the end of the summer each year. For the past several years, Chris Hadnagy, author of Social Engineering: The Art of Human Hacking, has hosted a Social Engineering Capture the Flag contest (SECTF). This past summer, the contest was a Battle of the Sexes. My dad, an internet security professional, and I both entered the contest as one of the ten representatives of each gender. The contest consisted of a two-week information gathering stage at the beginning of the summer and a twenty-minute phone call opportunity at the actual convention.

My designated slot was 10:40 on Friday, July 27. I remember waking up far too early that morning. I was wishing desperately to be anywhere but in the Las Vegas hotel room with neon signs blinking through the curtains, albeit for much different reasons than people usually regret a similar situation. As excited as I was to finally compete in an official contest at DEFCON, adrenaline sabotaged my nerves. The walk to the convention center was a blur of faces and badges. I don’t even remember walking into the room where the contest was taking place. Odd little pieces of the time leading up to my turn in the soundproof booth stick out of the haze: the surprising chill of the metal chair on my legs, the crunch of the apple someone behind me was munching, that one piece of blonde hair going the wrong way on Chris’ head. I was trying my best to think of anything except that intimidating glass booth when my name was called and my heart dropped through my stomach to the floor.

Once I got settled in the booth, I bounced my foot and avoided eye contact with anyone through the glass. I was racking my brain for meditation techniques and deep breathing patterns when Chris started the stopwatch.

I started my time in the booth with five minutes of hold music. I was losing confidence by the second when a representative finally picked up. I took a deep breath, then plunged into my pretext. I was just a college kid stuck doing the grunt work of a group project for a business class, my worst subject. The quiver that crept from my nerves to my voice made the story of the timid English major even more believable, so instead of steadying my voice, I let it shake. The woman on the phone was trying her best to help the distressed college student, giving me valuable flags in the process, when she abruptly ended the call. I spent the rest of the twenty minutes bouncing back and forth between lines, listening to awful hold music and my own heartbeat pounding in my ears.

I stepped out of the booth to a smattering of applause. I’m positive my face was absent of all color, but I smiled and waved at the room, simply happy to be out of the booth. Out of the corner of my eye, I saw a man in a bright orange camera crew vest step into the room. He made his way to the front table and spoke in a low voice to the coordinator of the contest. I watched Chris’s eyes widen, and he nodded vigorously as the camera man left the room.

Chris stood up and announced that the Director of the NSA would be arriving soon to check out the contest. The room exploded into a buzz of conversation. This was the first year the NSA had sent anyone to DEFCON; a government agency recognizing a convention of hackers was laughable before. But not only did the NSA send a representative, it sent the director, General Keith B. Alexander. And now he wanted to know what was going on in the Social Engineering room.

Minutes later, the General walked in with the orange-vested camera crew hot on his heels. I wouldn’t have been able to pick him out in a crowd, dressed as he was in a t-shirt and jeans. He waved at the enthusiastic applause and shook hands with Chris, asking about the contest. Instead of explaining it himself, Chris told him, “Well, our youngest contestant just had her turn in the booth. Why don’t you ask her?”

My stomach dropped through the floor as I realized he meant me. I stood up and waved at the General, then realized when my dad pushed me that he wanted me to come to the front of the room. I scrambled over the people in my row and walked to the front of the room as quickly and as steadily as I could.

For the next five minutes, with a camera in my face and the eyes of the room glued to me, I talked with the General about the contest. He shook my hand and told me that it was lovely to meet me. Then he surprised everyone in the room, especially me, by presenting me with a personal challenge coin. I told him thank you and made my way back to my seat before my knees gave out.
From there, the day is a blur in my memory. I had heard of challenge coins, but never even seen one before.

Ownership of the director of the NSA’s personal coin is understandably rare.

Over the next few days of the conference, I caught a glimpse of how much my entering the contest was going to affect the rest of my life. All of a sudden, people knew my name. Strangers stopped me in the hotels and wanted to talk, see the challenge coin, or just shake my hand. Hosts of smaller conferences wanted my advice for implementing a similar contest at their conferences.

When the new.social-engineer.org podcast was recorded live, the seventeen-year-old girl who met General Keith B. Alexander was the first highlighted story. CNNMoney even ran a story on the contest, although my interview was cut from the final segment.

Since the summer, I have attended various meetings and conferences with my dad to spread the word about social engineering. I’m even editing articles for a website my dad’s friend administers that sells social engineering tools. If you had asked me at the end of last year whether I would be able to keep from breaking down into hysterics in that glass box, I would have offered to drill air holes in your skull. But those twenty minutes and the effects have drastically changed my life, and I’m not looking back.

Hannah

 

From the crew at Social-Engineer.Org – Thank you Hannah, your example is motivating and inspirational.

critical thinking CTF DEF CON