Social engineer tag teams to capture the flags at Def Con 22 contest

If one social engineer can be lethal to a corporation, what can a social engineering tag team do to their target? We'll find out at Def Con 22 as SECTF video submissions are open.

Want to learn how to con people? Perhaps you want to become a politician or penetration tester? Or maybe you'd like to learn which eye cues and micro-expressions can warn people that you are lying? Whether you want to be a spy, scammer or sales person - or study how to spot one - the social engineer framework is where you can learn everything from psychological to physical aspects of social engineering. And now it's easier than ever, because (SEORG) was redesigned to become the ultimate one-stop research resource.

With the five-year-old site side-by-side with the new site, it's easy to see a difference, but the redesign is more than cosmetic changes. The biggest change is in the search feature. After the SEORG team tagged every piece of information on the site, now a search by keyword will bring up every piece of research, blog, newsletter, podcast and framework page that deals with that keyword. A few other features include improved navigation and a professional editor for SEORG podcasts.

The ability to easily ferret out the social engineering gold nuggets that most interest you couldn't have come at a better time. The launch of the new SEORG site happens to coincide with announcement of the social engineer capture the flag (SECTF) contest for Def Con 22. Although the contest changes a bit every year, SECTF 2014 is a doozy because the social engineering will be done in tag teams.

Tag teams as in tagging in and out during the contest? Oh yes. But before you grab the best fibber you know to form a team, Chris Hadnagy, aka @HumanHacker, wants you to know that SECTF organizers, not you, will be in charge of choosing your partner. Contestants are required to tag out at least twice during a 30 minute call; together this team will try to trick Fortune 500 companies into giving out specific information, or flags.

Those "flags" are pieces of information that could be used to penetrate the target company, info like the specific operating system and browser in use. That might not sound like a big deal, but it tells attackers what malware can pwn the OS, or what exploits to use against a company's vulnerable browser. Target companies have also given out information on corporate wireless access, VPNs, make and model of PCs, what phone system is being used and even if IT support is handled in-house or outsourced. Social engineering is usually a part of most big hacks, many of those breaches start with targeted phishing attacks. As always, the SECTF contest is about raising awareness of just how lethal social engineering can be.

Another change to SECTF this year is in how-to register as applicants must submit a video. If you want to compete at Def Con 22, then you want to snag the SECTF organizers' attention, but Hadnagy said, "No nudity." You can cuss if you must, but only if the language is kept to a "PG-level. If we need to bleep out every other word you say, it does not inspire confidence that you will represent social engineers well at the live competition."

Your cool and creative 90-second video should try to knock their "socks off," but "if you videotape yourself social engineering anyone, please make sure it's legal! Any illegal activities in the form of video submission will gleefully be submitted to this year's Darwin Awards and the proper authorities."

Lastly, all traffic is logged so don't try to impress them by hacking, harming or otherwise accessing the servers in any way except to upload your video. You would not only be disqualified, but also potentially qualify for further legal action.

Good luck with those videos and may the best SE team win! If you aren't entering the contest, then you might be interested in surfing over to to check out the newly redesigned website that not only looks better, but functions better as well.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2014 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022