DEF CON, one of the world's largest annual hacker conventions, was held again in Las Vegas this year. This convention is bustling with various events every year, and many people are probably aware of the Capture the Flag (CTF) contest, which is a hacking event considered the largest centerpiece of the events.
Japanese people, however, may not be quite so familiar with the Social Engineering CTF (SECTF), an annual event, held for the fifth time this year. As its name suggests, SECTF is a competition in which contestants contend using their skills in social engineering. How do they make full use of human psychology rather than technology and compete with their social engineering capabilities?
With cooperation from Asgent, Inc., a Japanese IT security company that has a partnership relationship with Christopher Hadnagy, the founder of SECTF, and who created the world’s first framework for social engineering, the editor interviewed Chris and asked about social engineering in detail as well as the purpose and history of both the competition and social engineering.
Two days before the opening of SECTF, Chris frankly answered with a smile the editor’s questions at the DEF CON 22 venue, where preparations for competitions were underway.
■ What is SECTF?
──Thank you for taking the time today to speak with us. I’m a little nervous because this is going to be the first article to introduce SECTF to Japan. Please go easy on me.
Thank you for coming. Don’t be so nervous. Social engineering may be scary to you, but it’s not really. Komase (Security Center Fellow, Asgent, Inc.) and I are both friendly.
──Thank you. Let me get straight to the point. Could you explain the overview of SECTF?
A variety of hacking competitions will take place in DEF CON 22. SECTF, which will start this Friday (editorial note: August 8, 2014), is a competition to make socially engineered attacks on existing U.S. companies.
First, each contestant will be informed of the name of his or her target company in advance. The contestant will make use of only open source information, investigate the company, and make a report. On the day of the competition, each contestant must enter an onsite soundproof booth made of glass, call the target company before the audience, and get a variety of information.
──The names of the target companies haven’t been announced yet, have they?
Yeah, it’s still a secret. This screen will display them on the day of competition.
──How do you decide on the contestants?
People who want to be contestants apply through the website. Usually, there are 70 to 100 applicants, but 200 to 300 applicants applied this year. For this year, we collected videos from the applicants talking about the reason for their participation, and selected the top 18 applicants.
──I’d like to ask you about the history of SECTF.
I don’t know where I should say the exact starting point was.... We spent a lot of time wondering about the content before starting this competition. We thought of how we could make it fun and exciting, and do it legally (laughs). We spent a long time planning the competition while considering those things. As for the history of the competition, a lot of people were scared during the first year. Even the FBI contacted us over the phone and said, ‘Is it a legitimate event?,’ and we were a little nervous. Five years have passed since the first SECTF was held, and the situation has been improved fantastically over this time. For example, the first SECTF was held in a room that was able to accommodate an audience of only 30 people. This year’s SECTF will be held in here, which can accommodate several hundred people. The attitudes of companies have changed. In the first year, a lot of companies showed a nervous reaction. Last year, however, nine out of ten companies that were targeted asked us for help, saying, “How can we improve our security problems?”
──It’s a very interesting episode.
It is. Their reaction was quite different from that in the first year. Now, they are open to us. So, I am very positive in this respect.
──In this contest, please tell us what you consider to be the most important purpose?
That’s a good question. Social engineering is the simplest method of hacking attacks on companies. A lot of hackers take time in writing exploit codes. In fact, they can get information by simply making phone calls instead. Many companies, however, don’t know that social engineering is that dangerous and they are not aware of the magnitude of the damage, either. So, we show here how easily people with no skills can make successful social engineering exploits. For most contestants, social engineering is not their jobs. They are ordinary people who have different jobs. Even those people can make successful social engineering attacks after they are trained for a little while. We would like to show it to the audience.
──Have you made any improvements over the period that the SECTF has been held?
We change the method every time. For example, the first time around, only one contestant used to enter the booth at a time and make telephone calls. Last year, each pair of male and female contestants attacked the same company so that it would be a male versus female competition. At that time, female contestants got better performance records. It’s a tag team match this year. Each pair of contestants enters the booth and elicits information jointly. This mimics a method that has been frequently used recently. Recently, a number of people have been cooperating to get information in many cases.
──How will the competition change in the future?
That’s what I don’t know. For example, many hacktivists cooperated and attacked companies last year. From that, we devised the tag team match. We want to hold competitions that will match the evil social engineering that is happening in reality so that people can learn something from the competitions. We are thinking about what kind of social engineering is more realistic and we want to make it better. In other words, we want people to learn more about how to defend attacks more nicely. How the competition will be next year depends on what will happen in the world from now on.
──Have you ever held SECTF in other countries?
We’ve been giving social engineering training in various countries, but SECTF has been held only here at DEF CON in Las Vegas once a year. DEF CON is the world’s largest hacker convention and it’s comparatively easy to hold it. We have the audience and energy....
──Do you want to hold SECTF in other countries or several times a year.
SECTF involves a lot of work to do. We must give scores and consult our lawyers while we solicit contestants and determine target companies. There are a lot of things that require teamwork, and it may be difficult to hold SECTF twice a year. Let’s see.... Let me check. (To Michele, an assistant who passed through by chance) Hey, do you want to do it twice a year? (Looking at Michele's scowl) Ah, her answer is no. It's impossible, because she’s the boss (laughs).
■ Legality and Status of SECTF in the United States
──This will be the fifth SECTF. What has been the most difficult matter up to now?
In the first year and second year, several large companies called up the U.S. Department of Justice and reported about us, saying that we seemed to be doing something very bad. So, I was called by the FBI and the Justice Department, and I had to clarify what we were doing. I could say it was a problem, because they were scary. I was afraid if I would be arrested and what would happen.
──Well...why didn’t you stop then?
That’s a good question (laughs)! Because I was stubborn or just not too smart? I don’t know. I really enjoy what I’m doing. That’s why I’m continuing. So, why didn’t I stop?... I’ve never thought of it up to now (laughs).
──On the contrary, do the federal police or FBI ever ask you for cooperation?
Yes. After the second’s year’s SECTF, the FBI called me, and I made a briefing on what SECTF was doing to an FBI team. They used it for their study. After the third year’s SECTF, I was invited to the Pentagon, and I was able to teach them what our success was. The police and government agencies are trying to learn from these activities. We are now working in close association with them. We are not hiding detailed information from them. As long as their purpose is defense, I’d like to cooperate with them.
──I think the competition is in a gray legal area. Isn’t it against the law?
This competition is perfectly legal (laughs). For example, it’s illegal to elicit credit card numbers and SSNs (social security numbers) in the States and many other countries. Eliciting passwords and IP addresses can be illegal. So, we don’t ask about them. The questions each contestant asks each company are: Who manages the removal of the company’s waste, which manufacturers’ vending machines are installed in the cafeteria, what types of computers are used with information on the OS and its versions, what types of browsers are used.... Answering such questions is dangerous in fact, because the answers serve as important information for the social engineering side to think of what to do next. Asking them is not against the law. We are making efforts to keep us outside the gray zone (in the white zone).
──Haven’t you ever been sued by targeted companies?
We have never been sued, not even once. During one of the SECTF competitions, information on a major software company was elicited over the phone, and their security was very poor. They talked about everything. Then they became very mad, and they said they would sue us. Our lawyers talked with their lawyers then, and there’s no problem now.
──Did you announce the results at that time?
We announce the results, but disclose only the scores without the details of which company told what information. If we tell so-and-so company disclosed so-and-so information, the information can be exploited.
──I believe that you hire excellent lawyers.
I hire a business lawyer and a hacking lawyer.
──A hacking lawyer?
That’s right. Most cases she handles are related to hacking, and I rely on her entirely about the legality of penetration tests and hacking. She is a professional in examining the law from the angle of matters necessary to my work. She tells us the rules that prevent us from getting into trouble and makes us not enter suspicious areas. Originally, she was a lawyer for the EFF (Electronic Frontier Foundation), and she has a lot of experience because she’s been learning various matters.
──Are there many such lawyers in the United States?
No, no (laughs), very rare. She’s really valuable.
■ Worldwide Social Engineering Learning
──I’d like to ask you about the specific benefits of your social engineering training.
Yes. Most people taking my course are working in the field of security. Some of them are engaged in penetration testing. A company once let several staff members of their company take my course and learn how to make use of their social engineering skills. Phishing, interaction, body language.... The staff members increased their ability to understand these techniques. As a result, the success rate of their penetration test increased to as high as 99 percent while their rate was 57 to 60 percent before.
So, a lot of people take my course. However, they learn not only social engineering but also communication skills that they can use in their real life. They tell me after the course that a lot of things in their life have changed.