It’s been 3 weeks (give and take a few days) since DEF CON 25. As a team we’ve been living on copious amounts of caffeine and DayQuil, working through our ConFlu. Now that the fevers have lowered we have finally put ourselves together enough to start reliving all the amazing moments we had at DEF CON.
DEF CON 25 was held on July 27-30, at Caesars Palace. However, some of the SE team prefaced DEF CON with an awesome APSE class at Black Hat. With over 25 students in our class, we left with some amazing stories, one that even includes one of our quietest students showing up to a class debrief wearing a tutu and a bachelorette party banner! For further details (and possibly pictures) you’ll have to scour Twitter!
Wednesday, July 26 – Setup, Hulking Out, and all those lanyards
Before Chris and Michele could leave Black Hat, they had to make one more stop for Chris to join a Dark Reading panel on how attackers can use OSINT (open source intelligence) to further attacks on companies.
While that was going on, the rest of the SE team was touching down in Las Vegas. As usual, they all hit the ground running. Splitting up, Dan, Spencer and Tim headed to rent a U-Haul (yes, you read that right, a U-HAUL!) to pick up the 987,345,876 packages (that may be slightly exaggerated by 1 or 2) that we had sent/stored at the ever-generous, immortal Billy Boatright’s home. While that was going on the rest of the team headed to Caesars and with the help of Zant and the lovely daughter of Zant we were able to get into the SEVillage and start prepping.
All things were calm in the world of SEVillage prep until this happened….
And then the madness began.
With those 987,345,876 packages needing to be sorted, unpacked, and everything put together there was no shortage of work.
Getting all the badges ready to be put onto thousands of lanyards. (Literally, 2,000 lanyards)
Did we mention there were thousands of lanyards?
The amazing Areesa (A.K.A. Mrs. HumanHacker) sorting, counting, and getting the swag table ready.
And last, but certainly not least, getting Mission SE Impossible (MSI) ready for the events of Thursday!
With the exhaustion and jet lag upon all of us we headed for some good food, good drink, and a long sleep to prepare for the next day.
Thursday, July, 27 – Freaking Sharks with Freaking Lasers on Their Freaking Heads
Thursday started with an early team meeting, sound check and a quick run through to make sure MSI was ready to go. With the rumbling outside the SEVillage getting louder, we took a peek outside to see what was going on.
We were met with this:
In case you are wondering…that line went all the way down the end of the hallway and started to wrap around.
Not wanting to leave everyone in the hallway we opened our doors to let everyone in. They were treated to an on the spot Q&A session with Chris where he told some of his favorite SE stories.
After that the sign-ups for MSI were opened and we took over 178 names!! With only 14 spots available we put everyone’s name into a lottery and at random their names were pulled. With our 14 contestants selected MSI was officially started!
What is MSI you ask? Well for anyone who has been around DEF CON long enough to remember the old Gringo Challenge, it’s a lot like that, except created by the minds in the SEVillage. With handcuffs, leg cuffs, lock picking of multiple locks with varying degrees of difficulty, a test on micro expressions using the test created by the one and only Dr. Paul Ekman, AND a laser array that has freaking sharks with freaking lasers on their freaking heads. (Bonus points to anyone who can tell us how many times Chris said that while MC-ing MSI). If you’re still confused then check out some of the highlights below!
In second place with a time of 5:14 was Vincent!
And with an amazing time of 3:08 our first place winner, Tyler!
Chris is still bitter that he isn’t really batman…
Friday, July 28th – The SECTF kickoff, retro gaming for kids, and the Innocent Lives Foundation
Friday started off bright and early at 9:15am with the SE team meeting with the youngest minds at DEF CON. With kids ages 7-12 we kicked off the SECTF4Kids.
This year the SECTF4Kids kept to the retro gaming theme. With only 90 minutes to finished over 10 tasks, the kids were let loose on DEF CON to social engineer their way through as many as they could before the time was up, including trying to play Bop-It for as long as they could handle (FYI, the shortest time was 43 seconds before it was thrown down in frustration).
Some of the highlights from the SECTF4Kids included watching our oldest and youngest kids join as team and forming a dynamic duo that tied for second place. We watched the kids learn with fascination how to shim their way out of handcuffs for the first time, taught them what a handheld game was, and at the end of the day only one of the teams managed to get a selfie with the Human Hacker.
Our second place winners were William and Brandon!
A special note about Brandon: He has taken all that he has learned at the SECTF4Kids and made his own mini CTF where he trained young kids at his father’s place of work. He created ciphers and puzzles for them to solve as well as taught them how to pick locks! He even managed to stump adults, who felt pretty confident in their cipher solving skills, with some of the tasks he had created! We are so proud of you Brandon, keep up all the good work!
First place winners were James and Cadence!
While all that was going on, the SECTF was in full swing in the SEVillage. This year our judges were joined by a guest judge, Shawn Hall from Pindrop, who has sponsored the SEVillage from the very beginning! With the announcement that we were going to be targeting gaming companies this year, we kicked off our calls for the day. The targets for the day were, in alphabetical order, Activision Blizzard, Bandai Nanmco Entertainment, Bethesda, Disney, Electronic Arts, Sega, Ubisoft.
The full SECTF report will be out in a few months, as well as the free webinar for recap. But let’s suffice it to say, the SECTF once again proved that social engineering is a very valid vector, companies are not properly educating against it, and even novices can get tons of flags while sitting in front of hundreds of their fellow con goers.
With the SECTF wrapped up for the day, the SEVillage quickly changed into the “Human Track”. Some of our speakers on Friday were:
Robert Wood with Thematic Social Engineering
Fahey Owens with Beyond Phishing – Building and Sustaining a Corporate SE Program
Helen Thackray discussed Hackers Gonna Hack – But do they know why?
Brent White and Tim Roberts entertained the SEVillage with Skills for a Red–Teamer
Yaiza Rubio and Felix Brezo ended our night with Heavy Diving for Credentials: Towards Anonymous Phishing
One of the highlights of the SEVillage this year was a special speech given by Social-Engineer’s own Chris Hadnagy. With his speech “SE Vs. Predator: Using Social Engineering in Ways I Never Thought…” he announced a very special foundation created to help unmask those who prey upon young children. If you would like to learn more, or to donate towards this foundation, please visit The Innocent Lives Foundation website.
The day ended late, so the team needed some much-deserved food, drink and sleep!
Saturday, July 29 – SECTF4Teens Launch and the rise of Chris Kirsch
Saturday started with a very special event. For the first time, we launched the SECTF4Teens competition. As we watched the kids from the SECTF4Kids get older we felt the need to make another event that they could get involved in, so this event was geared towards those who are in the 13-17 age group. With the older group means harder tasks. This year we put them to the test. With lock picking, some tough ciphers, and even some dumpster diving (!), we put the kids through a competition that lasted them all day. Though they would probably say the hardest part of the competition was figuring out how to use a rotary phone, we enjoyed watching these amazing teens meet every challenge we put before them.
The awesome second place SECTF4Teens winner, Justin!
The first place SECTF4Teens winner, Hank, who won an amazing prize of a 3D printer!
While our teens were running all over DEF CON, we kicked off our second day of the SECTF. For Saturday our targets were, in alphabetical order: 2K games, Hasbro, Mattel, Nintendo, Rockstar Games, Sony, and Warner Brothers.
Saturday saw a lot of excitement that got everyone in the SEVillage involved. When one contestant struggled to find people to answer their calls, the audience pulled out their phones and started doing some onsite OSINT while shouting out new numbers for the contestant to call!
Saturday also saw the calls of not only our second place winner, but our first place winner as well. We all remember Rachel Tobac from last year; some of us still have nightmares from her video. She came back this year better (and scarier) than ever. Stepping into the booth mid-morning, she went through her calls like a fresh summer breeze, getting flags right and left. However, with one phone call, Chris Kirsch rose from the ranks to take first place. In an amazing 20 minutes Chris easily got all but one flag on just one call! He handled this with such amazing grace that as he ended his call he was met with a standing ovation, even bringing all 3 judges to their feet!
Also we had one contestant no-show (our first in 3 years), and one audience member stepped up into the booth with only 20 minutes to prepare. Although her calls did not gather tons of flags, she proved a very vital point – even unprepared, even new to this – she got a couple flags. Social engineering is powerful!
Some of the contestants from Saturday
With the SECTF officially over it was time for the second day of speeches in the “Human Track”.
John Nye delivered The Human Factor: Why are we so bad at Security and Risk Assessment?
Michele Fincher, “the sultry Asian”, asked Are you Killing your Security Program?
Billy Boatright gave us ….Not lose the Common Touch
Jayson Street gave How to Protect your Banks and Enterprises (a talk given by someone who robs banks and enterprises)
And Keith Conway gave us How to Effectively Influence Intractable Corporate Cultures
With the speeches coming to an end we prepared, not for sleep, but for the SE private party with many close friends, students, clients and new friends.
Since Saturday is our longest day by the end of it we all need a hug from Mike.
Sunday, July 30 – The end is in sight…
Sunday started bright and early as the SE team dragged their tired selves in to get ready for our last day with DEF CON. Kicking things off with a live recording of our podcast. This year we were joined by Tim Larkin, who taught us how situational awareness can not only protect ourselves but also others.
And with that the SEVillage was over.
After packing up and shipping all 987,345,876 boxes back to Billy’s we were off to closing ceremonies.
We got a very far away glance at what the uber badge looks like, all $13,000 in gold that it was made from!
And after showing off some of the special trophies the SECTF winners received, we were done.
CONGRATS again Chris and Rachel!
And with that we were done with DEF CON for another year. With a big family/team dinner we ended with good sushi, some good drinks, and hugs all around.
What did we learn this year? That yet again social engineering proves to be one of the biggest threats facing organizations today. That when you put some of the biggest tasks before kids and teens they do their all and more to finish it. And that the people who come and sit in the village every day are some of the best people at DEF CON.
And that when you put this crazy crew together…Chris, Michele, Kaz, Amanda, Mike, Laurie, Colin, Dan, Hannah, Kris, Areesa, Amaya, Spencer, Toby, Billy, Jim, Evan, Paul, Tim and Ryan…they might not look pretty by the end of it, but they are the hardest working team there is.
Until next year Vegas!
*Photo credit for most photos: Amaya Hadnagy