Sign of the times: Social engineering contest at Defcon
It is a well-known fact that Defcon regularly organizes capture-the-flag-style contests that pit hackers against each other in an effort to protect their own systems while gaining access to those of other participants.
A lesser-known fact is that the attendees of this year’s edition of the conference will be able to witness, for the first time, a CTF contest focused on social engineering techniques. Sponsored by Social-Engineer.org, the contest should do a lot to raise awareness of just how often these techniques are successfully used by hackers in their attacks, and of the need to learn how to spot and deflect them.
Before the conference starts, the contestants will receive an email containing the name and URL of their target company, and they are allowed to gather any type of information they can get their hands on by using the Internet (the target’s website, Google searches, other passive information gathering techniques). At this stage, it is expressly forbidden to call, email or in any other way directly contact the targeted company.
Armed with this information, the participants will each be given 20 minutes to call employees of the company and try to cajole them into sharing specific bits of information. While doing this, the contestants are not allowed to pose as employees of any “government agency, law enforcement, or legally liable entity”, are not allowed to use techniques that would “make a target feel as if they are at risk in any manner”, and are not allowed to call anyone outside the company (relatives or friends of employees).
Prior to making the call, the contestants will be given 5 minutes to explain to the public what information they have unearthed through passive gathering, how they did it, and what attack vector they will use in the phone call.
For those of you who are wondering whether this is legal, the contest rules clearly state that there will be no gathering of highly confidential data such as Social Security numbers, credit card numbers or passwords. Also among the items that may not be targeted during the contest: “Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued.”