The Social-Engineer team is collectively wrapping up their annual post-DEF CON foggy state, unburying from their backlog, and reminiscing on the amazingness that was the SEVillage at DEF CON 26. Can we say “WOW?” This was the SEVillage’s biggest (and arguably best) year yet and, though it has taken a full two weeks to overcome basic-survival-mode and re-enter society as fully productive humans, it was a giant win thanks to the team and all the amazing, supportive attendees.
This year, DEF CON was held in Caesars Palace from August 9-12 and was preceded by Black Hat at Mandalay Bay. Black Hat brought some new fun from Social-Engineer, LLC (SECOM), as we were able to host TWO, yes, you read that, TWO separate classes at Black Hat: a four-day Advanced Practical Social Engineering (APSE) course with Chris and Cat, as well as two two-day classes of Advanced Open Source Intelligence (OSINT) with Ryan and Colin. With packed seats all around, the Advanced OSINT students learned new tricks and tools used to complete challenges. Both classes had teams that successfully completed the practical challenge, with mere nail-biting minutes to spare. These teams won the coveted 2018 Social-Engineer challenge coin. The APSE students pushed themselves out of their comfort zones to complete amazing social engineering feats. One student even commandeered a stage and microphone to recruit an entire Vegas bar to help with that night’s homework – color us impressed! But the “relaxing” week at Black Hat was met with the oncoming train called DEF CON….
Setup Day! – Wednesday, August 8
On Wednesday, the SECOM Black Hat crew migrated to Caesars Palace, while those travelling from afar landed at LAS and we all hit the ground running. We were met with our LARGEST room yet – nearly double the space from last year. What kind of trouble can a room of 500+ social engineers get into? Well, before we found out, Dan and Tim delivered a billion packages (this is a rough estimate but we believe accurate) from Billy’s house – quick shout-out to Billy. Without him, the SEVillage at DEF CON would legitimately have not been possible. THANKS BILLY!!!
So, Dan and Tim loaded ALL OF THE THINGS into our moving truck (yes, an entire moving truck that you would use for a house) and brought them to the rest of the team waiting in the loading dock at Caesars. These “things” included, but were not limited to, a HALF TON sound booth that required puzzling together.
Though it left us literally bruised and battered, we were finally able to assemble the most amazing SECTF booth ever. It was LEGEN, wait for it… DARY. More on that later…
While booth Tetris was happening front-and-center of the SEVillage, Jim worked to smooth out all of our signs, a zillion lanyards were applied to schedules, Ryan and Spencer assembled Mission SE Impossible (MSI), and team swag organized all our sweet merch!
It turns out that Spencer is a wizard but did not use his powers to assemble all the things. Way to hold out on us, Spenc.
Day 1: Opening remarks, Mission SE Impossible, and a full house! – Thursday, August 9
Thursday is the start of DEF CON, but even with it being an arrival day, the 500 seats in the SEVillage at DEF CON 26 were PACKED as of 10:15AM, and we had hundreds of people in line. WOW! We started with opening remarks at 10:30AM. Then, the Village was LIVE!
Our fearless leader, Chris, researched and found a PROFESSIONAL sound-booth to up the SECTF game to a new level, which also meant we had an upgraded “jail cell” for MSI. Jail cells? What? How does this apply to social engineering, you ask? Well, MSI is a social engineering obstacle course that poses the question: if you were caught on an engagement, could you escape the office building? In this scenario, you, the SE, have been captured, handcuffed, and leg-cuffed in an office jail cell (those are real things, after all). To escape, you must shim your handcuffs, exit the cell, pick a lock, properly identify 3 facial expressions from Dr. Paul Ekman’s micro-expressions training, and traverse a laser grid with frickin sharks with frickin lasers on their frickin heads to find your way to freedom. The SE with the fastest time wins!!
We took sign ups the day-of and the line was GIANT! We had well over a hundred names. This year, we had 20 people compete, which is 6 more than previous years. In addition to the new booth, we also had a new lock box made by friend-of-the-SEVillage Rick! It was very cleverly engineered. We had one minor hiccup where one of the locks had an unexpected mishap and Toool saved us by fixing the lock mid-competition. Those are some great people!
The SEs raced through the challenge, and we were left with one victor… Congratulations to our first-place winner – VACHE!!!
After an intense Day 1, the team concluded with dinner, beverages, and a few hours of glorious sleep, until….
The SECTF4Kids, the SECTF, and first day of talks!! – Friday, August 10
Friday the SEVillage at DEF CON 26 kicked off with the official start of the SECTF4Kids, a social engineering challenge for small humans ages 6-12. Embracing DEF CON 26’s pre-Orwellian theme, the kids participated in day of SE related tasks in the setting of Ready Player One. They had to solve ciphers, riddles, and journey as teams across DEF CON to save the world from possible collapse at the hands of an evil corporation. To do so, they worked together, used communication skills, applied social engineering tactics, and built race cars for their great escape.
Congratulations to our first-place team – The Easter Eggs, Nicholas and Brandon, and the dynamic duo of ladies on team Blue Unicorn, Athena and Sylvana.
Back in the main room of SEVillage, at DEF CON 26 where the Social Engineering Capture the Flag (SECTF) competition kicked off and featured some truly amazing calls and one exciting and surprising guest judge. Neil Fallon from Clutch judged the SECTF along-side Chris, bringing his amazing tech support skills to the SECTF stage.
The theme of this year’s SECTF was transportation companies and Friday’s targets included Delta, Old Dominion, Estes, Ryder, Budget, Heartland Express, and Southeastern. Friday brought us both of our first and second place winners. Starting with second place we have our three-year second place champion, Rachel Tobac!! You may remember her as the contestant with the most nightmare-inducing videos. This year there is one major difference than years’ past, she did not take second place to a “Chris.” Instead, Whitney Maxwell handily scooped first place with some INCREDIBLE calls. Honestly, she was able to get almost every single flag from multiple targets. It was truly impressive and the whole day underscored, once again, the validity and risk of social engineering as an attack vector.
Congratulations on your wins, ladies!! Truly amazing competition this year.
Be on the lookout for the SECTF report’s release in a couple months, detailing some statistical highlights from all of SEORG’s 2018 SECTF competitions.
After the SECTF wrapped up for Friday, the human track of DEF CON speakers began. The quality and variety of topics this year was truly awe inspiring and included:
– My Stripper Name is Bubbles Sunset: What SEO Meme Marketing Means for Social Engineering with Hannah Silvers,
– From Introvert to SE: The Journey with Ryan McDougall,
– Mr. Sinatra Will Hack You Now with Neil Fallon,
– In-N-Out – That’s What It’s All About with Billy Boatright,
– The Art of Business Warfare with Wayne Ronaldson, and
– Swarm Intelligence and Augmented Reality Gaming with Nancy Eckert.
Many of these talks will be available online, so be on the lookout.
A truly amazing talk of Friday’s was from our SEORG family; Ryan MacDougall brought the crowd to tears by sharing his journey from being introverted to a truly inspiring social engineering force. If you have the opportunity to see him speak in the future, don’t miss out! This talk got a standing ovation.
After an amazing and emotional Friday of learning and sharing, the SEVillage at DEF CON 26 team crawled to their rooms for some whiskey and chill time.
Final day of the SECTF, the SECTF4Teens, and the Innocent Lives Foundation – Saturday, August 11
For only its second year ever, the SECTF4Teens was back and met with a crowded room of excited teenagers. This year, we had twenty-two teens sign up, and a waiting list was formed of teens who wanted to join in last minute. If you’re reading this, next year sign up well ahead of time! We would love to take EVERY teen and we absolutely can if you sign up ahead of time. Registration opens in late spring and closes mid-summer.
We really upped our game for the teens this year, requiring they use many of the skills we use every day as professional SEs. The puzzles were also Ready Player One themed but, unlike the kids’ competition, they had to impersonate members of the evil corporation, Innovative Online Industries, to exfiltrate data and save the world. They solved ciphers, went dumpster diving, researched for Open Source Intelligence (OSINT), picked locks, shimmed handcuffs, and, most impressively, every teen who finished officially vished. This is particularly impressive because it required the teens collect clues and OSINT to form a valid pre-text to find necessary, missing information. Many got to experience the value of carefully selecting the right phone number for your pretext, or other creative ways to frame a request. Watching the teens attempt a call, revisit their strategy, and try again was truly awe inspiring. They were diligent, focused, and those that were ultimately successful were polite and left our “help desk support” feeling better for having met them. The first teen to successfully vish for the required username was our second-place winner, Marissa!
Vishing can take a lot of emotional strain. It requires the caller pre-text as someone else, call someone they don’t know, and risk being shut down. The fact that these teens all busted out of their comfort zones and gave it a try was wonderful.
At the end of the day the teens led a discussion on how to break into a role as an SE and the Information Security industry. They asked amazing questions.
Our first-place winner, Carter, won a 3D printer while 2nd place, Marissa, won a drone. CONGRATULATIONS TO BOTH OF THEM!!!
Teens – want to learn new things, have a lot of fun, and win cool prizes? Sign up online and early for the SECTF4Teens at DEF CON 27.
In the main room, the SECTF pushed onward targeting Alaska Airlines, United Airlines, United Rental, American Airlines, J.B. Hunt, Hertz, and Enterprise. A great showing from all the Social Engineers involved, and a particular shout-out to the SE who tackled Alaska Airlines the day after they had a plane hijacked.
The day wrapped up with another, and final, round of excellent talks including;
– Social Engineering from a CISO’s Perspective with Kathleen Mullin,
– The Abyss is Waving Back… with Chris Roberts,
– Hunting Predators: SE Style with Chris Hadnagy, Neil Fallon, and AJ Cook,
– On the Hunt: Hacking the Hunt Group with Chris Silvers, and
– Social Engineering Course Projects for Undergraduate Students with Aunshul Rege.
Notably, members of the board of the Innocent Live Foundation (ILF) including Neil Fallon, AJ Cook, and Chris Hadnagy provided an overview of why the ILF’s work is so necessary, and how progress in growing the non-profit has been over the last year.
Saturday wrapped up in a flurry of party preparation for the SE Team as we invited our students, clients, and friends, both old and new, to hang out and enjoy each other’s company.
The SEPodcast, clean up, awards, and the end of DEF CON 26 – Sunday, August 12
Oh man! We’ve reached the final day of the epicness that is DEF CON. On Sunday the team woke up sleep deprived but exited to close out another year of a wonderful DEF CON. We rallied to put on the SEPodcast with guest Neil Fallon where we discussed stories, achievements, and Q&A from all DEF CONs past and present.
After the podcast, we power packed up the Village including cataloguing swag, disassembling the half ton sound booth, and inventorying ALL THE THINGS. Finally, we all attended the awards ceremony where our 1st place winner, Whitney, won a BLACK BADGE to attend DEF CON indefinitely.
The SEVillage would not be possible without a LOT of help from friends, family, sponsors, and our amazing team. To the SEVillage team, we so appreciate you!
A huge thank you to our sponsors – KnowBe4, Pindrop Security, and Hillbilly Hit Squad. This was such a fantastic year, we can’t wait to see you all again at DEF CON 27!!!!
“Thank you to all of the SEVillage staff: Chris, Hannah, Kris, Tim, Dan, Spencer, Toby, Paul, Evan, Jenn, Erin, Colin, Jim, Kaz, Cat, Neil, Billy, Mike, Areesa, Amaya, and Chris”
*Photo credit for most photos: Amaya Hadnagy