There’s something for everyone at DEF CON. Last week the security conference, now in its 23rd year, welcomed attendees, speakers, and press from around the world to Las Vegas to partake in talks, contests, games, and parties — lots of parties.
However, what is perhaps the conference’s most interesting event is not about flashy code or networking jokes or hardware hacking. It’s just people, hacking…people.
Since its inception at DEF CON 18, the Social Engineering Capture the Flag (SECTF) contest has been capturing the attention of conference attendees, media, and yes, even the Feds. Chris Hadnagy, Chief Human Hacker at social-engineer.org and one of the organizers of the Social Engineering Village at DEF CON, stated in Vegas that the contest has been awarding winners a black badge from year one, a prize usually reserved for more established competitions that have been around for years. What does a coveted black badge get you? It’s a lifetime pass to DEF CON, and a status symbol in the security community.
So what is social engineering, and why has it captured the imagination of so many at DEF CON, and in the wider security industry? Social-engineer.org defines it as “any act that influences a person to take an action that may or may not be in their best interest.”
Social engineers exploit the largest weakness in an organization’s security posture: people. Unlike other malicious attacks, human hacking requires very little technical knowledge. Of course, the more you know, the more information you can potentially get from an unsuspecting target. With valuable data in the hands of an unsuspecting company manager or associate, all it takes is a phone call or seemingly innocuous conversation to compromise security — and not just over the phone. Pen testers and criminals alike use social engineering to find their way into restricted areas, even gaining physical access to machines containing sensitive data.
The ease of infiltration was on stunning display at DEF CON 23, as the sixth annual SECTF commenced. The contest rules are simple. Contestants are assigned a target company and a list of “flags,” pieces of information that they need to collect to score points. They then have three weeks to compile a report on the company using open-source intelligence (OSINT) only — they “are prohibited from calling, emailing, or contacting the company in ANY way before the DEF CON event.” Once at DEF CON, the participant enters a soundproof booth and has 30 minutes to call into the target company and capture the assigned flags.
This year, the black badge winner was Jen Fox, Senior Security Consultant at VioPoint, who masterfully worked her target to achieve not only the highest points in the contest, but perhaps some of the day’s best reactions from the crowd watching. We asked her a few questions about her success in the competition, as well as her opinions on social engineering as a point of compromise:
How did you get into Social Engineering, and what led you to compete in the DEF CON SECTF?
JF: My work in the IT world always had a strong focus on people or processes, so this was a natural evolution as I moved into security. My husband, Steven Fox, convinced me to compete in the SECTF for the first time a few years ago. I did not find the idea of making a phone call in a booth in front of a room full of people at all appealing! I thought the whole process was fascinating, though. It is incredible how much information can be found about a company solely by doing Internet research. Besides the required flag information, I have found badge photos, executive signatures, cultural information, and more.
You won this year’s black badge (congrats!). What set you apart from the other contestants?
JF: Thank you! This was the third year I’ve competed, and I believe the other contestants had limited experience with the competition itself. Based on the other calls I listened to, I think I cut to the chase more quickly and was focused on maximizing flags within the time constraint. Twenty-five minutes seems like plenty of time, but it runs out quickly. I made sure that the pretext I chose could support all of the flags I needed to get on the call, that I could reference the common language and culture of the company in order to seem more credible and build rapport, and that I had answers to possible questions or objections. All of that came from the research and prep I did over the seven weeks between receiving the initial dossier and getting in the call booth at DEF CON.
How has the competition evolved over the three years you’ve been involved?
JF: Every year is different, thematically. So while the flags have been pretty consistent, the industries have shifted and so do the challenges or constraints each year. The loopholes for racking up points get smaller each year. For example, in order to get points for a flag more than once, we had to have separate calls. But the rule didn’t say that it had to be a different human. So one contestant called the same person back a second time and got them to re-confirm information flags. (I see a new rule coming!) In previous years, we could get credit multiple times for a flag on the same call with the same person. So as the contestants “hack” the rules within the competition, the competition rules evolve.
As evidenced by the results of the DEF CON SECTF, it’s fairly apparent that gender often plays a role in social engineering. Why do you think this is the case?
JF: I’ve seen social engineers of both genders do skilled work – I think it’s more about how the person relates to and interacts with the target that predicts success. That being said, men and women generally have different ways of interpreting and communicating information and relating to others, and so may end up with an edge in certain social engineering situations. Women – come on out and join these contests! It’s a great opportunity to learn and participate!
Generally speaking, why has social engineering risen to prominence in the security industry?
JF: High visibility breaches are in the news almost constantly, and social engineering figures into many of those breaches. Plus, one thing that all security professionals seem to agree upon is that humans are the most porous part of our security perimeters. So where we can tell a tool to never allow a “.exe” attachment through and it won’t, humans get distracted, make mistakes, want to be helpful, and on and on. This is what social engineers take advantage of.
What can people do to protect themselves from malicious social engineers?
JF: If you’re being solicited for information that seems odd or intrusive, find a way that is comfortable for you to say “no,” or create a break in the process by asking to call back after you verify details of the request or caller. Companies can use this as an opportunity to create “scripts” for employees to decline or escalate certain types of requests while maintaining their brand or customer service approach.
What advice do you have for people who would like to get involved in social engineering?
JF: I highly recommend the SECTF as a great learning experience; there are SECTFs at other conferences, too, so check around. I think [they] are great learning opportunities because they’re realistic but also structured. There are also classes, as well as a number of good books on the topic. A couple of great ones to start with are “Social Engineering: The Art of Human Hacking” by Chris Hadnagy and “It’s Not All About Me: The Top Ten Techniques for Building a Quick Rapport with Anyone” by Robin Dreeke.