The results are out from the fifth annual Social-Engineer Capture the Flag (SECTF) contest, which was held during Def Con 22. This year, social engineers worked in tag teams to trick companies into giving up "flags," or key pieces of information that could be used to penetrate the target company. Unlike bad guys in real life, the contestants did not victimize any companies.

The SECTF report (pdf) includes the results of how well the target companies did; a higher score does not mean the company did better, as it indicates the target gave up more flags. Lowe's ranked the best and Home Depot ranked the worst. The full SECTF target company rankings from this year are posted at the top of this article.

"High profile events in the last 6 months are illustrative of the fact that corporations, and specifically retail organizations, continue to be extremely poor at protecting critical information. Unfortunately, this year's SECTF supported this trend," stated Chris Hadnagy, President and Chief Human Hacker of Social-Engineer, Inc. "It is hard to overstate how quickly social engineering has gone from an individual issue to an enterprise grade security issue and boardroom priority." The key, as always, is awareness training.

A social engineer's work starts well before contestants show up at Def Con, beginning with information gathering. The open-source intelligence (OSINT) tools most commonly used by contestants included: Google, Maltego, FriendFinder, Bing, Twitter, PiPL, Bing Images, Facebook, Plaxo, Google Maps, Wordpress, Shodan, PicasWeb, WhoIs, WGet, Vimeo, Tineye, WaybackMachine, LinkedIn, Monster, GlassDoor, Yelp, Craigslist, JigSaw, Spokeo, YouTube, FourSquare, Friendster, MySpace, Google Images, Telnet, EchoSec, Google Dorks, BackTrack and Kali Linux. On the plus side, companies may be wising up about posting information online, as no team scored higher on OSINT than during the live call portion of the contest.
However, the SECTF report noted some major flubs by companies:

- In one case a major retailer had a sub-Reddit set up that allowed their employees to post and discuss various topics; many included sensitive information and led to a deep understanding of the inner workings of this company.
- Another retailer had a document online that outlined the information employees would need to log into their private payment portal. This kind of list provides an attacker a clear path of information to try to obtain for an attack.
- Many companies allowed employees to post pictures of parties, badges, computer screens, break rooms and other employee-only artifacts to popular social media sites.
- One major retailer actually listed their employee schedule on Instagram. Of course, this type of information would allow for a very personalized attack on staff.
- One contestant found a confidential document with the signature of the CEO.
- One major retailer had posted a document that openly listed their password policy as the first three letters of their company + first three letters of the employee last name and a two digit code. Of course, this means only 2 digits would need to be guessed for a compromise.
- One major finding was a publicly available instruction manual that contained an actual working username and password for part of the corporate website.
- One contestant found numerous public postings of very disgruntled employees. This is a major threat, as enemy companies/groups would target the disgruntled to turn them.

If you wonder how social engineer contestants convinced employees at target companies to blab specific information that bad guys would use in an attack, then the answer is clever pretexts.

[Image: Social-Engineer Capture the Flag Report]

Impersonating internal employees was the most common pretext employed.
The report points out that pretending to be a fellow employee successfully takes advantage of "tribe mentality," meaning "we inherently trust people who are part of our group or tribe."

Whether or not the company had a wireless network was the most commonly obtained flag this year. That information can be used as an entry point for a technical attack or for eavesdropping on corporate networks. The SECTF report noted, "Every flag was surrendered at least once by the target companies."

[Image: Social-Engineer Capture the Flag Report]

There were only two times this year when a person from the target company hung up or refused to answer any questions. In one case, the contestant called the same company back, and this time a different employee "surrendered all the information" the social engineer needed to make the call a success.

This is just a drop in the bucket, so I highly encourage you to read the SECTF report (pdf) in full.
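The password-policy finding above (three letters of the company name, three letters of the employee's surname, then a two-digit code) is worth quantifying, because it shows how public information collapses a password's search space. The Python below is an added example, not code from this article or from Social-Engineer, Inc. It models a policy as a list of components, computes the guess space with and without the components an attacker can learn from OSINT, audits the result against a minimum residual entropy, and provides a password-filter check that rejects passwords built from the leaked template. The component alphabets, the 40-bit threshold, and the sample company "Acme Corp" with surname "Smith" are assumptions made for this example.

```python
import math
import re

# Constructed model of the policy the report describes: three letters of the
# company name, three letters of the employee's surname, then a two-digit code.
# "public" marks components an attacker can look up (OSINT) rather than guess.
# Alphabet sizes are an assumption (letters only for the prefixes).
LEAKED_POLICY = [
    {"name": "company_prefix", "alphabet": 26, "length": 3, "public": True},
    {"name": "surname_prefix", "alphabet": 26, "length": 3, "public": True},
    {"name": "two_digit_code", "alphabet": 10, "length": 2, "public": False},
]

# Comparison policy with no component derived from public facts:
# eight characters drawn from upper/lower letters and digits (assumed).
RANDOM_POLICY = [
    {"name": "random", "alphabet": 62, "length": 8, "public": False},
]

MIN_RESIDUAL_BITS = 40  # assumed audit threshold, not a value from the report


def guess_space(policy, osint_known):
    """Number of candidate passwords an attacker would have to try.

    With osint_known=True the public components count as already known,
    so only the non-public components contribute to the search space.
    """
    total = 1
    for component in policy:
        if osint_known and component["public"]:
            continue
        total *= component["alphabet"] ** component["length"]
    return total


def residual_entropy_bits(policy):
    """Entropy (bits) left once every public component is known."""
    return math.log2(guess_space(policy, osint_known=True))


def audit_policy(policy):
    """Return (nominal_bits, residual_bits, acceptable) for a policy.

    nominal_bits is what the policy looks like on paper; residual_bits is
    what remains after OSINT, which is the figure that actually matters.
    """
    nominal = math.log2(guess_space(policy, osint_known=False))
    residual = residual_entropy_bits(policy)
    return round(nominal, 2), round(residual, 2), residual >= MIN_RESIDUAL_BITS


def _letters(text, n):
    """Lower-case the text, drop non-letters, and return the first n letters."""
    return re.sub(r"[^a-z]", "", text.lower())[:n]


def derived_from_public_info(password, company, surname):
    """True if the password follows the leaked template for this employee.

    Meant for a password filter at set/change time: reject any password an
    attacker could reconstruct from the company name and surname alone.
    """
    expected_prefix = _letters(company, 3) + _letters(surname, 3)
    body = password.lower()
    return (
        len(body) == len(expected_prefix) + 2
        and body.startswith(expected_prefix)
        and body[-2:].isdigit()
    )


if __name__ == "__main__":
    for label, policy in (("leaked template", LEAKED_POLICY),
                          ("random 8-char", RANDOM_POLICY)):
        nominal, residual, ok = audit_policy(policy)
        print(f"{label}: {nominal} bits nominal, {residual} bits after OSINT, "
              f"{'acceptable' if ok else 'WEAK'}")
    # Constructed sample: company "Acme Corp", employee surname "Smith".
    print(derived_from_public_info("acmsmi07", "Acme Corp", "Smith"))  # True
    print(derived_from_public_info("x7Gq!p2L", "Acme Corp", "Smith"))  # False
```

On paper the leaked template offers about 35 bits (26^6 * 100 candidates), but once the company and surname are known only the 100 two-digit codes remain, which matches the report's observation that just two digits need to be guessed. The filter function is the defensive counterpart: it lets a directory or web application refuse passwords that fit the template in the first place.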