Sin City was filled with plenty of people last week, and thousands of them were hackers. That's understandable, considering that Las Vegas hosted the Black Hat security conference, the B-Sides security conference, and DEF CON 21. Most of the week focused on talks, new products, and creative uses of code (for defense and offense), but there was another side as well: people, and the information they possess.
Last week may have been the largest gathering of novice and professional social engineers in North America. As chance (and a pre-planned schedule) would have it, CSO got the chance to watch them in action. Our observations were made while wandering around DEF CON, as well as within the Social Engineering village, home to the Social Engineering Capture the Flag (SECTF) contest run by Chris Hadnagy of Social-Engineer Inc.
CSO joined dozens of others in the room hosting the SECTF contest just as a young woman named Christina was entering a soundproof booth, ready to make her first call. Christina, who asked that her last name not be used, is a perfect example of why social engineering shouldn't be taken lightly: she isn't a professional. In fact, her profession isn't even in the IT sector. Her work schedule kept her from doing any in-depth research, yet in two days she compiled a report for the contest on her assigned target.
As part of the rules for the SECTF event, contestants are given the name of the target company, as well as a list containing the types of information, or flags, that need to be gathered. Each flag has a point value, and the contestant with the most points wins. Christina's target was a company in the Fortune 500; CSO is withholding the company's name, as it isn't important -- the point of the contest is that the target could be any company, anywhere in the world.
Fortunately for the company targeted in the call CSO witnessed, and for all of the others that were part of the contest last weekend, there are strict rules about which flags may be sought and how they can be earned.
Contestants are prohibited from seeking out passwords and other sensitive data (such as SSN or credit card details). The contestants are also not allowed to pretend to be law enforcement or government officials, and at no time can the contestants present their calls or questions in a way that will make the person on the other end of the phone feel at risk.
"No one gets victimized during this contest. Social Engineering skills can be demonstrated without engaging in unethical activities," the contest rules state.