SECTF, in which contestants compete with their social engineering skills, is held only once a year, and only at DEF CON.
Because contestants elicit information from real major companies, the competition is difficult to webcast. Only in the venue can you experience the suspense of watching social engineering performed against real people in real time.
The fifth SECTF was held over two days at this year’s DEF CON 22. The Scan editorial desk reports from the venue with the cooperation of Asgent, Inc., a Japanese IT security company that has a partnership with Christopher Hadnagy, the founder of SECTF.
● Competition Overview
Prospective contestants apply through the website. Each contestant who passes screening is assigned a well-known leading company as the target of their attack. Apple, Boeing, Johnson & Johnson, and Walt Disney were the targets last year.
Each contestant researches the company using only open source information, such as the company’s official website, Facebook, and LinkedIn, and submits a report on what they found (contestants may not make inquiries by mail or telephone before the competition starts).
On the day of the event, each contestant calls the target company in front of the audience and uses every social engineering skill they have to extract as much information as possible within the 30-minute time limit.
The information to be elicited is specified in advance. The questions each contestant must ask cover, for example, the vending machines in the company’s cafeteria, the name of its forwarders, the OS in use and its version, whether any Wi-Fi devices are present, and the antivirus software the company uses. Because such information is what a social engineer needs to decide the next move, the questions span a wide range.
Points (flags) are assigned to each question, and the contestant with the highest score wins. The winner of SECTF is awarded a black badge (*).
* Black badge: a badge awarded to the winner of a DEF CON contest. Its holder can attend DEF CON for free for life. With tens of thousands of visitors every year, the chance to earn a black badge is extremely rare. Chris, the organizer of SECTF, was also awarded a black badge for his work as an instructor, which has earned high praise every year.
● State of Competition
This year, 18 contestants who passed screening took part. Contestants competed in male-female pairs, each pair attacking the same company.
A soundproof glass booth was installed in the SECTF venue, and each pair called their target from inside it. The contestants could not hear the audience’s reactions, but the audience heard the conversation in the booth through the venue’s speakers.
The contestants phoned major companies known to every American, such as leading pharmacy chain W, which has over 8,000 stores in the United States, and well-known stationery chain S, which has branches in 26 countries. Giving plausible fictional pretexts, they asked question after question about the companies’ Internet connection environments, their employment of part-time staff, whether they conducted security training, and so on.
Dividing roles between the male and female contestants on each team was essential. One principle of successful social engineering is that the person on the other end will refuse if you ask too many questions, yet will feel uneasy if you ask too few. So a contestant asks a reasonable number of questions and then, around the time the target begins to tire, tries to put the target at ease with something like, “Another person will take over from here. I’ll pass the phone to him; would you mind talking with him?” Each contestant had their own idea of how to play their role. One pair pretended to be auditors. Another pair skillfully explained away the oddity of two callers by saying they were doing joint research, since one of them was from Puerto Rico and not fluent in English. Yet another pair pretended to be researchers at a leading research firm.
Some information came with surprising ease, but some questions were refused with “We cannot answer your questions.” In those cases, some contestants made small talk or explained why they needed the information, while others moved on to another question and tried again.
A “Time’s Up” buzzer ends each call. As each contestant thanks the person on the line and hangs up, the audience responds with generous applause.
First, it was surprising how mature the SECTF audience was. There was no atmosphere of laughing off the large companies’ blunders. On the contrary, many in the audience showed admiration for the employees’ tactful conversation and their ways of handling difficult moments.
In ordinary CTF competitions it is hard to follow what the contestants are doing, and many people say the competitions they watched were less exciting than expected. SECTF, however, is highly polished as a show. The sight of the tense contestants through the glass made even the editor’s heart race.
The remaining time was shown on a large digital display visible to the audience. Just before the end of a call, the editor found herself watching the contestants and praying that the answer to their current question would come within the last 10 seconds. It was so gripping that it could be a TV show if the company’s name and some of the answers were bleeped out.
The brisk cooperation of the audience and staff was also impressive. With visitors waiting outside the venue, audience members raised their hands to tell the staff when the seats next to them became free, and sat close together without complaint. When someone was spotted recording the competition, other visitors quietly warned them. To the editor, it looked as if every visitor was working together toward the shared goal of a successful event.
● Contestant Interview
There was a small mishap at this year’s SECTF: one of the contestants fell ill and could not participate. A male visitor was picked from the audience and ended up competing with no time to prepare. The editor interviewed this man, who goes by the handle Black Knight, anonymously at his request.
──Could you tell us your impression as a contestant?
I was scared... Really scared. There was a big difference between watching it and participating in it. I seriously felt tense when I entered the booth, and my fingers were like this (he trembles the fingers of both hands). Everyone was staring at me from the other side of the glass, of course. When I finally somehow got out of the booth, all I could think was “Thank God!”
──You didn’t have much time to make preparations, did you?
The contestant who was originally scheduled to participate had prepared materials in advance, which helped me, but I wanted to do the research myself. So I had a rushed meeting with my partner.
──What strategy did you use?
I checked out company L (a major U.S. chain dealing in home renovation and consumer electronics) and found that it has a branch in Hawaii. Right now, a large hurricane is hitting Hawaii. So I decided to pretend I was a researcher seriously asking about the state of their Hawaii branch. I thought that social engineering is like an actor’s job. Then I asked more yes-no questions in order to avoid giving them time to become suspicious of us.
──There were some people who were saying that your tag team may win. What do you think?
Well, I would be happy if we won. What would I do if I could get the black badge? Have you ever seen it? The badge reads UBER.
──Let me ask you straight out. Are you a hacker?
Hmm. I touched a PC for the first time at the age of nine. I came to be called a hacker at the age of 11. In those days, however, hacker was not a negative word. A person who manipulated systems to behave differently from how they were intended was a hacker. There is no right and wrong there. In that sense, I’ve been a hacker for decades.
● Kevin Mitnick’s Visit
The SECTF venue hosts more than the competition itself: presentations on social engineering and talk sessions with guests are held there as well.
On the night of August 9, 2014, the legendary hacker Kevin Mitnick appeared at the venue. He asked for, and found, a volunteer from the audience who did not object to having their personal information disclosed. He then used an open source service to demonstrate a simple method of finding various pieces of personal information (e.g., the volunteer’s address, phone number, birthday, SSN, and mother’s name) from only the volunteer’s name and state of residence. Kevin Mitnick also gave a presentation on social engineering, via satellite, at a seminar entitled “Evolving Targeted Attacks and the Reality Behind Human Hacking” held in Japan in May last year (sponsored by Asgent, Inc.).
For the final question, Kevin was asked which was more effective, conventional hacking or social engineering, and by how much. He replied, “Social engineering usually opens the door to technical exploitation. We cannot say by how many percent one is higher than the other.”
● In conclusion
To close this report, the editor would like to share a personal experience from watching SECTF. During the competition, the audience applauded when a contestant tactfully scored points. The audience applauded just as much when the target refused to engage with the contestant and said, “We cannot answer anything.”
The editor asked the person in the next seat, “Is this applause honoring the contestant’s attempt regardless of the result?” The answer was surprising.
“No, the applause was for the target company that reacted correctly without being misled by social engineering.”
Every member of the audience understood why social engineering is worth studying, and could explain it kindly to others. The editor felt reminded once again of how high the level of awareness is among the people who come to SECTF.