DEF CON 25: The SEVillage Wrap-Up

It’s been 3 weeks (give and take a few days) since DEF CON 25. As a team we’ve been living on copious amounts of caffeine and DayQuil, working through our ConFlu. Now that the fevers have lowered we have finally put ourselves together enough to start reliving all the amazing moments we had at DEF CON. 

DEF CON 25 was held on July 27-30, at Caesars Palace. However, some of the SE team prefaced DEF CON with an awesome APSE class at Black Hat. With over 25 students in our class, we left with some amazing stories, one that even includes one of our quietest students showing up to a class debrief wearing a tutu and a bachelorette party banner! For further details (and possibly pictures) you’ll have to scour Twitter

Wednesday, July 26 – Setup, Hulking Out, and all those lanyards

Before Chris and Michele could leave Black Hat, they had to make one more stop for Chris to join a Dark Reading panel on how attackers can use OSINT (open source intelligence) to further attacks on companies. 

While that was going on, the rest of the SE team was touching down in Las Vegas. As usual, they all hit the ground running. Splitting up, Dan, Spencer and Tim headed to rent a U-Haul (yes, you read that right, a U-HAUL!) to pick up the 987,345,876 packages (that may be slightly exaggerated by 1 or 2) that we had sent/stored at the ever-generous, immortal Billy Boatright’s home. While that was going on the rest of the team headed to Caesars and with the help of Zant and the lovely daughter of Zant we were able to get into the SEVillage and start prepping.
All things were calm in the world of SEVillage prep until this happened….

dscn3646

And then the madness began.

With those 987,345,876 packages needing to be sorted, unpacked, and everything put together there was no shortage of work.

dscn3665

Getting all the badges ready to be put onto thousands of lanyards. (Literally, 2,000 lanyards)

dscn3699

Did we mention there were thousands of lanyards? 

dscn3735

The amazing Areesa (A.K.A. Mrs. HumanHacker) sorting, counting, and getting the swag table ready.

dscn3772

And last, but certainly not least, getting Mission SE Impossible (MSI) ready for the events of Thursday!  

With the exhaustion and jet lag upon all of us we headed for some good food, good drink, and a long sleep to prepare for the next day.

Thursday, July, 27 – Freaking Sharks with Freaking Lasers on Their Freaking Heads 

Thursday started with an early team meeting, sound check and a quick run through to make sure MSI was ready to go. With the rumbling outside the SEVillage getting louder, we took a peek outside to see what was going on.

We were met with this:
dscn3813

In case you are wondering…that line went all the way down the end of the hallway and started to wrap around.  

Not wanting to leave everyone in the hallway we opened our doors to let everyone in. They were treated to an on the spot Q&A session with Chris where he told some of his favorite SE stories.  

img_3722

After that the sign-ups for MSI were opened and we took over 178 names!! With only 14 spots available we put everyone’s name into a lottery and at random their names were pulled. With our 14 contestants selected MSI was officially started!

What is MSI you ask? Well for anyone who has been around DEF CON long enough to remember the old Gringo Challenge, it’s a lot like that, except created by the minds in the SEVillage. With handcuffs, leg cuffs, lock picking of multiple locks with varying degrees of difficulty, a test on micro expressions using the test created by the one and only Dr. Paul Ekman, AND a laser array that has freaking sharks with freaking lasers on their freaking heads. (Bonus points to anyone who can tell us how many times Chris said that while MC-ing MSI). If you’re still confused then check out some of the highlights below!  

dscn3990

dscn4005

dscn4057

dscn4210

dscn4215

dscn4264

dscn4275

In second place with a time of 5:14 was Vincent!  

dscn4279

And with an amazing time of 3:08 our first place winner, Tyler!  

With Thursday ending we took the time to pack up MSI and start setting up for not only the SECTF competition, but also the SECTF4Kids! While that was going on the REAL batman showed up! 

img_3726-2

Chris is still bitter that he isn’t really batman…

Friday, July 28th – The SECTF kickoff, retro gaming for kids, and the Innocent Lives Foundation  

Friday started off bright and early at 9:15am with the SE team meeting with the youngest minds at DEF CON. With kids ages 7-12 we kicked off the SECTF4Kids.

This year the SECTF4Kids kept to the retro gaming theme. With only 90 minutes to finished over 10 tasks, the kids were let loose on DEF CON to social engineer their way through as many as they could before the time was up, including trying to play Bop-It for as long as they could handle (FYI, the shortest time was 43 seconds before it was thrown down in frustration).

Some of the highlights from the SECTF4Kids included watching our oldest and youngest kids join as team and forming a dynamic duo that tied for second place. We watched the kids learn with fascination how to shim their way out of handcuffs for the first time, taught them what a handheld game was, and at the end of the day only one of the teams managed to get a selfie with the Human Hacker.

image

image

Our second place winners were William and Brandon!  

A special note about Brandon: He has taken all that he has learned at the SECTF4Kids and made his own mini CTF where he trained young kids at his father’s place of work. He created ciphers and puzzles for them to solve as well as taught them how to pick locks! He even managed to stump adults, who felt pretty confident in their cipher solving skills, with some of the tasks he had created! We are so proud of you Brandon, keep up all the good work!

image_3

First place winners were James and Cadence!  

While all that was going on, the SECTF was in full swing in the SEVillage. This year our judges were joined by a guest judge, Shawn Hall from Pindrop, who has sponsored the SEVillage from the very beginning! With the announcement that we were going to be targeting gaming companies this year, we kicked off our calls for the day. The targets for the day were, in alphabetical order, Activision Blizzard, Bandai Nanmco Entertainment, Bethesda, Disney, Electronic Arts, Sega, Ubisoft.  

The full SECTF report will be out in a few months, as well as the free webinar for recap.  But let’s suffice it to say, the SECTF once again proved that social engineering is a very valid vector, companies are not properly educating against it, and even novices can get tons of flags while sitting in front of hundreds of their fellow con goers. 

dscn4419

dscn4469

dscn4487

dscn4531

dscn4594

With the SECTF wrapped up for the day, the SEVillage quickly changed into the “Human Track”. Some of our speakers on Friday were: 

dscn4689

Robert Wood with Thematic Social Engineering  

dscn4720

Fahey Owens with Beyond Phishing – Building and Sustaining a Corporate SE Program  

dscn4774

Helen Thackray discussed Hackers Gonna Hack – But do they know why? 

dscn4811

Brent White and Tim Roberts entertained the SEVillage with Skills for a RedTeamer 

dscn4841

Yaiza Rubio and Felix Brezo ended our night with Heavy Diving for Credentials: Towards Anonymous Phishing 

dscn4761

One of the highlights of the SEVillage this year was a special speech given by Social-Engineer’s own Chris Hadnagy. With his speech SE Vs. Predator: Using Social Engineering in Ways I Never Thought… he announced a very special foundation created to help unmask those who prey upon young children.  If you would like to learn more, or to donate towards this foundation, please visit The Innocent Lives Foundation website.  

The day ended late, so the team needed some much-deserved food, drink and sleep! 

Saturday, July 29 – SECTF4Teens Launch and the rise of Chris Kirsch 

Saturday started with a very special event. For the first time, we launched the SECTF4Teens competition. As we watched the kids from the SECTF4Kids get older we felt the need to make another event that they could get involved in, so this event was geared towards those who are in the 13-17 age group. With the older group means harder tasks. This year we put them to the test. With lock picking, some tough ciphers, and even some dumpster diving (!), we put the kids through a competition that lasted them all day. Though they would probably say the hardest part of the competition was figuring out how to use a rotary phone, we enjoyed watching these amazing teens meet every challenge we put before them.  

dscn4902

img_3811

img_3812-2

dscn4954

image001

The awesome second place SECTF4Teens winner, Justin!

20170730_094453

The first place SECTF4Teens winner, Hank, who won an amazing prize of a 3D printer!  

While our teens were running all over DEF CON, we kicked off our second day of the SECTF. For Saturday our targets were, in alphabetical order: 2K games, Hasbro, Mattel, Nintendo, Rockstar Games, Sony, and Warner Brothers.

Saturday saw a lot of excitement that got everyone in the SEVillage involved. When one contestant struggled to find people to answer their calls, the audience pulled out their phones and started doing some onsite OSINT while shouting out new numbers for the contestant to call!  

Saturday also saw the calls of not only our second place winner, but our first place winner as well. We all remember Rachel Tobac from last year; some of us still have nightmares from her video. She came back this year better (and scarier) than ever. Stepping into the booth mid-morning, she went through her calls like a fresh summer breeze, getting flags right and left. However, with one phone call, Chris Kirsch rose from the ranks to take first place. In an amazing 20 minutes Chris easily got all but one flag on just one call! He handled this with such amazing grace that as he ended his call he was met with a standing ovation, even bringing all 3 judges to their feet!  

img_3760

Also we had one contestant no-show (our first in 3 years), and one audience member stepped up into the booth with only 20 minutes to prepare.  Although her calls did not gather tons of flags, she proved a very vital point – even unprepared, even new to this – she got a couple flags.  Social engineering is powerful! 

Some of the contestants from Saturday 

dscn4988

dscn5033

dscn5040

dscn5081

dscn5113

dscn5158

With the SECTF officially over it was time for the second day of speeches in the “Human Track”. 

dscn5235

John Nye delivered The Human Factor: Why are we so bad at Security and Risk Assessment?

dscn5279

Michele Fincher, “the sultry Asian”, asked Are you Killing your Security Program?

dscn5307

Billy Boatright gave us ….Not lose the Common Touch

dscn5353

Jayson Street gave How to Protect your Banks and Enterprises (a talk given by someone who robs banks and enterprises)

dscn5367

And Keith Conway gave us How to Effectively Influence Intractable Corporate Cultures

With the speeches coming to an end we prepared, not for sleep, but for the SE private party with many close friends, students, clients and new friends.  

Since Saturday is our longest day by the end of it we all need a hug from Mike.  

dscn4979

Sunday, July 30 – The end is in sight…

Sunday started bright and early as the SE team dragged their tired selves in to get ready for our last day with DEF CON. Kicking things off with a live recording of our podcast. This year we were joined by Tim Larkin, who taught us how situational awareness can not only protect ourselves but also others.  

dscn5689

And with that the SEVillage was over.  

dscn5724

After packing up and shipping all 987,345,876 boxes back to Billy’s we were off to closing ceremonies.  

dscn5820

We got a very far away glance at what the uber badge looks like, all $13,000 in gold that it was made from!  

dscn5838

And after showing off some of the special trophies the SECTF winners received, we were done.

dhpcaeuu0aamgdz-jpg_large

CONGRATS again Chris and Rachel!  

And with that we were done with DEF CON for another year. With a big family/team dinner we ended with good sushi, some good drinks, and hugs all around.  

Final Thoughts…

What did we learn this year? That yet again social engineering proves to be one of the biggest threats facing organizations today. That when you put some of the biggest tasks before kids and teens they do their all and more to finish it. And that the people who come and sit in the village every day are some of the best people at DEF CON.  

dscn5741

And that when you put this crazy crew together…Chris, Michele, Kaz, Amanda, Mike, Laurie, Colin, Dan, Hannah, Kris, Areesa, Amaya, Spencer, Toby, Billy, Jim, Evan, Paul, Tim and Ryan…they might not look pretty by the end of it, but they are the hardest working team there is.  

Until next year Vegas!  

*Photo credit for most photos: Amaya Hadnagy

Leave A Reply