DEFCON 20 SECTF – Battle of the SExes

DEFCON is not only an annual computer hacker/security conference; it's also a community reunion filled with parties, talks and contests. Just understand that to walk the halls of DEFCON and use the local Wi-Fi, ATMs, your own cell phone or any other technological device means you may very well be… hacked (or in for a very rude awakening).

If you’ve been following our coverage of DEFCON over the last two years, you know that much of it centered on the SECTF, or Social Engineering Capture the Flag, contest. Social Engineering, as author and SECTF contest organizer Chris Hadnagy puts it, is “the act of influencing a person to take an action that may or may not be in the “target’s” best interest. This may include obtaining information, gaining access, or getting the target to take certain actions.”

The objective of Social Engineering Capture the Flag is to raise awareness about the risks of social engineering and the exposure organizations have. It has never been about victimizing individuals or organizations, or about showing that one organization is better than another.

Arguably, it is the least technical form of hacking, and organizations often believe they are well protected from such attacks. However, after the last two rounds of SECTF, it remains true that organizations are not as prepared as they would like to believe. Social engineering can do a great deal of damage, costing organizations money, time and reputation. As Chris Hadnagy points out, many recent data security breaches at organizations or companies like Lockheed Martin, Epsilon, HBGary, CitiBank, Sony and PBS all involved some form of social engineering.

This year is DEFCON’s 20th anniversary (wow??) and, to make things interesting, the contest is a Battle of the Sexes: which gender is better at social engineering, men or women?

Typically, the contest works like this: each contestant is given a company to social engineer. Prior to DEFCON, they submit a complete dossier filled with intelligence they have gathered from web resources such as Facebook or LinkedIn. They are not allowed to engage the company directly.

This year’s contest is modified to reflect the challenge of determining which gender makes the better social engineers. Each company will be given a pair of contestants: one female and one male. They will be pitted against each other as they race to social engineer as much information as they can out of the organization. As in previous years, each contestant will be provided with a list of flags to aim for and, depending on their skill, will be able to obtain that information through a number of phone calls or information searches.

By the end of DEFCON 20, we will know who can “schmooze” better: Men or Women.

For those interested in competing in this year’s Social Engineering Capture the Flag, visit this page for more information as well as contest rules.
