DefCon contest to spotlight social engineering

This year's Defcon event will feature a contest that asks social engineers to infiltrate target companies. But the challenge is only one part of a large mission to get people thinking about social engineering.

By , Senior Editor

July 06, 2010, CSO

How strong is your schmooze? That is the question participants in an upcoming contest at this year's Defcon event will attempt to answer at the end of July. The Social Engineering CTF (capture-the-flag contest) is sponsored by the group that runs the website social-engineer.org and will ask contestants to gather information and then plan a realistic and appropriate attack vector, according to Chris Hadnagy, one of the site's founders.

"We thought 'How can we showcase social engineering skills and not go over that line of what is ethical and moral?'" explained Hadnagy.

According to the rules of the contest, each social engineer/contestant is emailed a dossier with the name and URL of a "target" company. Before the conference, the contestants are allowed to gather any type of information they can find on the internet. No phone calls, emails, or any other contact with the company is allowed before the Defcon event.

Contestants will then compile their information into a professional-looking report, which a judging panel will review. At the conference, they will be given 5 minutes to explain to the crowd what they did and what their attack vector is, and then 25 minutes to perform their attack. Points will be awarded for information gathered as well as for goals successfully accomplished during the process. Each contestant will be given a list of approved "flags" that contains no personal or financial data and is meant to encourage the contestant to think out of the box while avoiding anything illegal.

The idea is to raise awareness and highlight social engineering techniques without leaving the targets feeling violated, said Hadnagy. The contest is only one of several efforts by Hadnagy and his team aimed at raising awareness of the dangers of social engineering. CSO caught up with him for an overview of what social-engineer.org is all about and the audience it serves.

CSO: Who should read the information on social-engineer.org?

Chris Hadnagy: The idea was originally geared to security professionals and industry professionals that want to secure their company from social engineering attacks. It was a framework developed to say 'Here is how a social engineer works.'

The framework is designed to go through a literal social engineering attack and all the techniques that might be used and then analyze them from a psychological and physical viewpoint.

Now that the site has evolved, I would say anyone interested in securing themselves at all should read us. We have branched out into personal security, identity theft, and even how to protect your family from these threats. On our podcast, we interviewed a guy who had intimate knowledge of how identity thieves steal someone's ID, social security number, and credit scores and then use them maliciously. He told us, step by step, how these guys do their evil deeds. We released that publicly, to help educate people about these threats and help them see how to protect themselves.