DefCon contest to spotlight social engineering

How strong is your schmooze? That is the question participants in an upcoming contest at this year’s Defcon event will attempt to answer at the end of July. The Social Engineering CTF (capture-the-flag contest) is sponsored by the group that runs the website social-engineer.org and will ask contestants to gather information and then plan a realistic and appropriate attack vector, according to Chris Hadnagy, one of the site’s founders.

“We thought ‘How can we showcase social engineering skills and not go over that line of what is ethical and moral?'” explained Hadnagy.

Also see “9 dirty tricks: Social engineers’ favorite pickup lines”

According to the rules of the contest, each social engineer/contestant is emailed a dossier with the name and URL of a “target” company. Before the conference, the contestants are allowed to gather any type of information they can get from the internet. No phone calls, emailing or contacting the company in any way before the Defcon event is allowed.

Contestants will then store their information in a professional looking report and a judging panel will review it. At the conference, they will be given 5 minutes to explain to the crowd what they did and what their attack vector is, and then they will have 25 minutes to perform their attack. Points will be awarded for information gathered as well as goals successfully accomplished during the process. A list of approved “flags” will be given to each contestant that will not contain personal or financial data and will encourage the contestant to think out of the box, while avoiding anything illegal.

The idea is to raise awareness and highlight social engineering techniques without leaving the targets feeling violated, said Hadnagy. And the contest is only one of several efforts aimed at pumping up the awareness of social engineering dangers by Hadnagy and his team. CSO caught up with him for an overview of what social-engineering.org is all about, and the audience it serves.

CSO: Who should read the information on social-engineer.org?

Chris Hadnagy: The idea was originally geared to security professionals and industry professionals that want to secure their company from social engineering attacks. It was a framework developed to say ‘Here is how a social engineer works.’

The framework is designed to go through a literal social engineering attack and all the techniques that might be used and then analyze them from a psychological and physical viewpoint.

Now that the site has evolved, I would say anyone interested in securing themselves at all should read us. We have branched out into personal security, identity theft, and even how to protect your families from these threats. On our podcast, we interviewed a guy that had intimate knowledge of how identity thieves steal someone’s ID, social security numbers, credit scores and then use them maliciously. He told us, step by step, how these guys do their evil deeds. We released that publicly, to help educate people to these threats and help them see how to protect themselves.

What is your mission?

To raise awareness about what social engineering is and also to raise the bar, so to speak, for what social engineering auditors should be doing as part of their practices. What prompted this was as I myself am a social engineering auditor, I found there was not much useful information on social engineering on the Internet. There was no conglomeration of information that said ‘Here are some skills you can practice if you are interested in becoming a social engineering auditor’ or ‘Here are things to look out for if you are a company concerned about social engineering.’

You can find many, many resources about protecting yourself against hackers and the types of attacks they launch. But even though social engineering has been used for much longer than software hacking has as an attack vector, there were very few resources out there about it.

Our mission statement was to make a site with all of this information compiled in an easy to read and use format; all the parts of social engineering, how they are used, examples of how they have been used in the past. We wanted to eventually branch out into education courses, which we are still developing, that will help educate people about how the malicious guys think and what tools they use, so they can defend against it. Our motto is: “Security through education” and we feel this is the best way to be protected.

How do you communicate the magnitude of the social engineering threat?

There were two things I read recently that scared me to death. The first was more personal, since I have children myself. There was a case of people who were using video game systems to manipulate children into taking naked pictures of themselves and then sharing these pictures. The con was to get these kids to think if they want to be part of this club, or this group, they need to do this. Having kids myself, this was a scary piece of news. Parents may not realize that something like that is a malicious form of social engineering that is happening all the time, and, in this instance, they were using something not really expected or monitored by many parents, like a gaming system.

See more social engineering examples on CSOonline.com

The second thing I read recently was a report that stated in 2009 the average cost of a data breach was up to $6.75 million dollars per breach! Related to that another report said that from their research over 80 percent of all breaches involve social engineering. These facts where staggering to us and helped us to see why awareness was even more necessary.

The problem is, these stats only come after the fact. Security professionals talk to companies left and right and ask ‘How many of you would open a malicious pdf?’ The typical reaction from a company is ‘Of course we wouldn’t fall for that. We have these procedures in place to prevent that sort of thing from happening.’

But then I present the scenario of what if were to call you as a guy who wants to buy something from the sales department? I call your lead sales guy and say I have all my specifications laid out in this pdf. What sales guy is not going to open that?

All I do is embed some malicious code into the pdf using Metasploit or the popular tool on our site called S.E.T, do a little research about what version of Adobe he has installed and Bam! He opens it and it’s game over. I own your company. These things are happening every day and the little bits of information that are tossed in the trash or given out over the phone lead to some of these $3 million dollar breaches.

Our mission with both the site and the contest is hopefully to raise awareness that these threats are real and being used daily. By raising the awareness we also hope to encourage people to seek out education on these things so they can learn how to protect themselves and their companies.