
Male or female, who’s the better social engineer? Battle of the SExes!

Analysis
May 29, 2012 | 5 min read
Data and Information Security, Microsoft, Security

Do males or females make better social engineers? It will be put to the test at the upcoming hacking conference Defcon 20. Men and women will use their social engineering skills to compete in Battle of the SExes.

I’d be willing to bet that someone has successfully manipulated each of us at some point in our lives. If that manipulation was in regard to a romantic relationship, to borrow from Living Colour’s “Cult of Personality,” “I exploit you, still you love me,” people will have different answers for which sex is better at hacking the head and the heart. According to the latest FBI Internet Crime Complaint Center (IC3) report [PDF], Internet romance scams were booming in 2011. Although people believed they were dating “someone decent and honest,” the scammers were so good at social engineering that victims reported romance scam losses totaling $50.4 million.

Dark Reading relayed the tale of social engineers stealing 500,000 customer records from WHMCS, a client management and billing platform, before leaking the sensitive data on Pastebin. Someone from the hacker group UGNazi was able to impersonate a WHMCS developer and dupe the web host into handing out administrative credentials, which led to the breach.

While those were only a couple of examples of successful social engineering attacks, anyone who masters social engineering (SE) has acquired the most dangerous manipulation skills for hacking the human head. That’s also why the feds tend to panic a bit when social engineers test their schmooze at Defcon. Social engineering is “lethal to corporate America.” People want to help other people; it’s a basic part of human nature. But have you ever stopped to consider who is better at it, male or female social engineers?

According to a poll conducted by the Social Engineer team, 86% of the people voted that “women are naturally more inclined towards social engineering.” In fact, 70% of the men and 95% of the women who voted, voted that women make better social engineers. So Chris Hadnagy, aka the @humanhacker, came up with a very clever idea for the social engineering contest at the upcoming Defcon 20 security conference: “Battles of the SExes.”

Registration is now closed and the contestants are compiling dossiers on target companies. Each contestant will “gather as much information as possible using public, open source information (OSI). This includes, but is not limited to, sources such as Google, LinkedIn, your target’s own website, Facebook, Twitter, etc.”

Chris Hadnagy, who is also the author of Social Engineering: The Art of Human Hacking, was kind enough to answer a few questions about the Battles of the SExes:

How many women and how many men registered?

Hadnagy: 50% of the contestants are women – so that is 10 women against 10 men. Awesome!

Do you have specific “target” companies? Last year you mentioned a SEORG rating index with 15 – 18 companies. Is something like that in place for Defcon 20?

Hadnagy: Yes, we will use a unique approach this year. Each target will get a female and a male contestant. This way we can also rate which gender does better against which targets, against which industry.

For the second year, there will be a social engineering contest for kids ages 7 – 16 at Defcon. The Return of the Schmooze Kids’ SE CTF contest “is designed to use a blend of social skills, password cracking, ciphers, lock picking and good old fashion social engineering to accomplish each level of these tasks.”

How many kids, aka future SEs, are registered?

Hadnagy: Last year the parents didn’t start signing up till mid-June, so already we have 8 kids… that is great. We hope to have MANY more.

If you are planning to take your kids to Las Vegas to vacation while you attend Defcon, you might consider registering them in the social engineering contest.

The goal of the Social Engineering CTF (Capture the Flag) contest is to raise awareness about the social engineering threat, but no one will be victimized. This is very different from real-life SE attacks, which often use every pretexting means possible, including “unethical” ones such as pretending to be from a government or law enforcement agency, or contacting family members of targets.

Being female, it’s probably obvious that I would root for the women, especially since the women and social engineering poll had some sad stats when it came to women in security. Asked how many women in security they knew, the men who took the poll answered:

  • 78% of the men that took the poll knew zero women in security
  • 64% know 1–9 women
  • 11% know 10–25
  • 0% know 26–35
  • 5% know 36–50+

Who do you think is a better social engineer, male or female?


Follow me on Twitter @PrivacyFanatic

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.