DEF CON, one of the world's largest annual hacker conventions, was held again in Las Vegas this year. This convention is bustling with various events every year, and many people are probably aware of the Capture the Flag (CTF) contest, which is a hacking event considered the largest centerpiece of the events.
Japanese people, however, may not be quite so familiar with the Social Engineering CTF (SECTF), an annual event held for the fifth time this year. As its name suggests, SECTF is a competition in which contestants contend using their skills in social engineering. How do they make full use of human psychology rather than technology and compete with their social engineering capabilities?
Asgent, Inc., a Japanese IT security company that provided back-up support for the coverage of the SECTF and the editor’s interview with Christopher Hadnagy, has been actively engaged in seeking measures for social engineering along with activities to enlighten systematic social engineering in Japan. The editor interviewed Chris, who has given presentations on social engineering to Japanese people, and asked about the difference between Japan and the United States in culture.
■ Japan and Social Engineering Learning ──Are there any difficulties in overseas training caused by differences in the country?
In the case of the United Kingdom, for example, it’s difficult for many British people to go out and talk out of the blue with someone they don’t know, and it was a bit hard getting them to relax and have them go out. People participating in my class in the States are international. Japan, Singapore, Germany, Portugal, Spain.... They are from all over the world basically, but they live in the States, and training for them was a little different from that for British people. However, it’s true that people receiving training are from various countries, such as China, Thailand, Russia....
──Do people overseas understand your theory?
They do. Changes in body language are necessary though, because it greatly varies with each country. The basic theory, however, does not change. A way of communication will work in any country as long as you understand the difference of the country in culture.
──In fact, when I heard about SECTF for the first time, I thought it would be impossible to hold SECTF in Japan because the difference in culture between both countries is so great. However, you said a while ago that everyone was scared at first (in the United States as well). How have you been addressing the problem?
For example, in the first year, every company that was attacked was scared. So, I offered that we would show them all our data if they wanted to see it, and showed the data unconditionally. I wanted to show the company people that we were friendly and we were not doing the competition to humiliate them. It was effective and it helped.
──What about people’s reactions though? If you hold the same event in Japan, for example, I don’t think the possibility that the event is exposed to criticism will be low.
That difference is big. Japanese people are kind and they strongly tend to believe others. For example, there were bad guys trying to steal money by taking advantage of the tsunami disaster that hit Japan recently. It’s horrible that credulous and kind people pass money and their IDs to such guys. Considering the background of Japanese culture, it may be subject to criticism. What should we do? It’s a difficult problem.... After all, only education is a way to improve things.... We often discuss this regard with Asgent.
──In general, social engineering is little known in Japan. If we explain the learning of social engineering in Japan, people may think it is outrageous and say that you’re just training fraudsters. I think it is difficult to explain the difference between Japan and the United states in this respect. Were there any reactions similar to those in the United States?
Maybe the reactions are not the same as those in the States. However, there is a criticism from some people here in the States as well, because we hold a competition for children, too (see information on SECTF for Kids below). There may be people who wonder why we teach such a bad thing to children. That’s why we are telling them. It is important for people to have critical thinking skills, and it is not possible for them to have critical thinking skills without proper education. I’m thinking that this kind of event is most effective for such education. For example, no matter how much you read cookbooks, you won’t be able to cook unless you have experienced cooking in the kitchen. I think it’s best for people to not only know the theory but also learn it through exercise experience.
──What made you start SECTF for Kids?
DEF CON planned an event for kids four years ago. We taught things like hacking, programming, and computer restoration to children (editorial note: Children had to be accompanied by adults). At that time, I was asked if I wanted to do social engineering for children. So, we planned a treasure-hunting game. Each child walked around the DEF CON venue to find a different target. Children love that kind of thing, don’t they? Four years has passed since then, and even now, we hold SECTF for Kids as an official event of DEF CON. I feel that it is very important to teach critical thinking skills to children because people are not very positive to give critical thinking skills to children in the States. It is necessary to think without being trapped by existing ideas, face problems, and find their own solutions. They should learn them by hand and with their brains instead of calculating them by using computers. This event is going very well. Children learn a variety of skills without using computers at all. Some parents coming with their children are long-time visitors to DEF CON. They have homes and come with their children. Some other parents, however, come just to bring their children.
──There may be parents who don’t know what their children are doing.
You are right, but they come (laughs).
──Japan will hold the Tokyo Olympics in six years. The Japanese government and companies are making technical investments and taking a variety of measures, but it seems that they are not paying much attention to social engineering. I'd like to have advice about that.
Get educated right now! You only have six years left, but it’s not too late. Of course, technical improvements are important to prevent attacks. However, technical improvements cannot solve human problems. In the case of big events like the Olympics, in particular, the pockets, credit cards, and wireless call information of a lot of people are subject to attacks. It is necessary for people to know about it. ID thieves are apt to target this kind of opportunity as a great chance to steal data. So, it is really important to learn from now on. Think of what you should do, who you should believe, and how you should protect data.... You have six years. You surely can make it.
──I wish that social engineering related education could spread in Japan.
You're right. It would be nice. However, it may require some efforts. In other words, certain steps will be necessary before Japanese people accept it. I think it will be successful finally. Asgent and I are aiming at it, and that’s why we are closely exchanging information with them.